Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(connectivity): Add node-local-dns entitiy match for local ip usage case #997

Merged
merged 1 commit into from
Jan 24, 2023

Conversation

eminaktas
Copy link
Contributor

@eminaktas eminaktas commented Jul 28, 2022

When node-local-dns is deployed with local IP,
policies fail to verify that the connection goes to
node-local-dns. This change allows such DNS
traffics in the connectivity test policy yamls.

Signed-off-by: eminaktas [email protected]

@eminaktas eminaktas requested a review from a team as a code owner July 28, 2022 12:06
@eminaktas eminaktas requested a review from squeed July 28, 2022 12:06
@eminaktas eminaktas temporarily deployed to ci July 28, 2022 12:06 Inactive
@eminaktas
Copy link
Contributor Author

ping @aditighag

@tklauser
Copy link
Member

Thanks for the PR @eminaktas.

Could you please add a short description why the change is needed and/or an issue reference to the commit message?

@eminaktas
Copy link
Contributor Author

Thanks for the PR @eminaktas.

Could you please add a short description why the change is needed and/or an issue reference to the commit message?

Thanks for the comment @tklauser . It's done.

@tklauser tklauser requested a review from aditighag July 28, 2022 14:32
Copy link
Member

@aditighag aditighag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Barring the connectivity/manifests/client-egress-to-entities-world.yaml, I don't think enabling access to the world entity is recommended, it's too permissive.
See cilium/cilium#20683 (comment).

@squeed
Copy link
Contributor

squeed commented Sep 2, 2022

Does #995 fix this?

@eminaktas
Copy link
Contributor Author

eminaktas commented Sep 12, 2022

Does #995 fix this?

Hi @squeed

Yes, it does. However, it might introduce a security issue because this commit uses the world label to allow the nodelocaldns requests. Like @aditighag mentions that it's too permissive. To prevent it, Cilium should label the nodelcaldns as host.

Kubespray's default nodelocaldns IP is 169.254.25.10. It creates a network interface on the node to provide a connection to nodelocaldns.

@squeed
Copy link
Contributor

squeed commented Sep 12, 2022

@eminaktas #995 no longer opens access to world. Does it fix your use case, or do we need further work? @aditighag ?

@eminaktas
Copy link
Contributor Author

eminaktas commented Sep 12, 2022

@eminaktas #995 no longer opens access to world. Does it fix your use case, or do we need further work? @aditighag ?

@squeed I guess I misunderstood you. #995 fixes only when node-local-dns is deployed as k8s service. This commit is to fix when node-local-dns is deployed with local IP.

@aditighag
Copy link
Member

@eminaktas #995 no longer opens access to world. Does it fix your use case, or do we need further work? @aditighag ?

#995 only extends the connectivity tests for LRP based node-local dns deployment. It doesn't have the identity issue because LRP works with pod ips, not the 169.254... address.

@eminaktas
Copy link
Contributor Author

I added a comment here for something that I noticed.

@eminaktas eminaktas temporarily deployed to ci December 22, 2022 15:05 — with GitHub Actions Inactive
@eminaktas eminaktas temporarily deployed to ci December 22, 2022 16:09 — with GitHub Actions Inactive
@eminaktas
Copy link
Contributor Author

I am kindly pinging for this case @squeed @aditighag.

I updated the PR to prevent failing the connectivity test for the environment where nodelocaldns is configured with a local IP labelled world by Cilium. In addition, I updated the policies with the narrowest authorization, so the packages do not drop.

I am looking forward to your feedback 👀
Thanks 🙏

@squeed
Copy link
Contributor

squeed commented Jan 3, 2023

Rather than adding blanket world access, can you wait for #1267 then template the node local dns address in? And, is there an easy way for cilium-cli to autodetect the dns IP?

Or, are we just being too picky here, @aditighag?

@squeed
Copy link
Contributor

squeed commented Jan 3, 2023

Oh bah, this might not work. See cilium/cilium#16308

Fine, I give up :-)

@eminaktas eminaktas requested a review from aditighag January 3, 2023 19:10
@aditighag
Copy link
Member

@eminaktas I thought we discussed it on the other PR, see - cilium/cilium#20683 (comment). Did something change after your reply - cilium/cilium#20683 (comment)?

@eminaktas
Copy link
Contributor Author

Hi, @aditighag
Actually, there is no change Cilium still can't mark the local IPs with a host label. I think this is currently the only solution for the test cases. Also, this will save time for other people. Like @squeed asked, are we just being too picky on this?

Copy link
Member

@aditighag aditighag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @eminaktas! I went over all the policies that the PR is modifying, and it looks we seem to relax them only for DNS traffic going to node_local pods. I deployed a couple of policies, and validated that rest of the traffic to world is blocked.
While it's not ideal to poke holes in the connectivity manifests as the world identity is fully permissive, until we have better support to add custom identities, we probably need this workaround. We should follow up on -cilium/cilium#18644 (comment). This also includes making LRP as stable so that users won't have to deal with such IP addresses in their cluster.
I've requested changes at one place, rest of the changes are fine.

@@ -14,6 +14,16 @@ spec:
- kube-apiserver
- toEndpoints:
- {}
# When node-local-dns is deployed with local IP,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not narrow this down further -

- matchExpressions:
          - { key: 'k8s-app', operator: In, values: [ "node-local-dns", "nodelocaldns" ] }
          - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I added and tested there wasn't any issue. thanks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new change caused a failure for Multicluster test. You can find the logs here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not understand the why Multicluster test failed. So, I took the change back.

@eminaktas eminaktas temporarily deployed to ci January 10, 2023 09:36 — with GitHub Actions Inactive
@maintainer-s-little-helper
Copy link

Commit 505d7ef does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@eminaktas eminaktas temporarily deployed to ci January 10, 2023 09:41 — with GitHub Actions Inactive
@eminaktas eminaktas temporarily deployed to ci January 10, 2023 09:49 — with GitHub Actions Inactive
@eminaktas
Copy link
Contributor Author

Hi @eminaktas! I went over all the policies that the PR is modifying, and it looks we seem to relax them only for DNS traffic going to node_local pods. I deployed a couple of policies, and validated that rest of the traffic to world is blocked. While it's not ideal to poke holes in the connectivity manifests as the world identity is fully permissive, until we have better support to add custom identities, we probably need this workaround. We should follow up on -cilium/cilium#18644 (comment). This also includes making LRP as stable so that users won't have to deal with such IP addresses in their cluster. I've requested changes at one place, rest of the changes are fine.

Thanks for the help @aditighag.

@eminaktas eminaktas temporarily deployed to ci January 10, 2023 10:01 — with GitHub Actions Inactive
@eminaktas eminaktas temporarily deployed to ci January 13, 2023 10:34 — with GitHub Actions Inactive
@eminaktas eminaktas temporarily deployed to ci January 19, 2023 12:56 — with GitHub Actions Inactive
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 19, 2023
@aditighag aditighag requested review from a team and removed request for a team January 19, 2023 21:38
@tklauser tklauser merged commit e6ef23e into cilium:master Jan 24, 2023
@eminaktas eminaktas deleted the world-entitiy branch January 24, 2023 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ready-to-merge This PR has passed all tests and received consensus from code owners to merge.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants