fix(connectivity): Add node-local-dns entitiy match for local ip usage case #997
Conversation
ping @aditighag
Thanks for the PR @eminaktas. Could you please add a short description why the change is needed and/or an issue reference to the commit message?
Thanks for the comment @tklauser. It's done.
Barring the connectivity/manifests/client-egress-to-entities-world.yaml, I don't think enabling access to the world entity is recommended, it's too permissive. See cilium/cilium#20683 (comment).
Does #995 fix this?
Hi @squeed Yes, it does. However, it might introduce a security issue because this commit uses Kubespray's default nodelocaldns IP is
@eminaktas #995 no longer opens access to
@squeed I guess I misunderstood you. #995 fixes only when node-local-dns is deployed as a k8s service. This commit is to fix when node-local-dns is deployed with a local IP.
#995 only extends the connectivity tests for LRP based node-local-dns deployment. It doesn't have the identity issue because LRP works with pod IPs, not the 169.254... address.
I added a comment here for something that I noticed.
I am kindly pinging for this case @squeed @aditighag. I updated the PR to prevent failing the connectivity test for the environment where nodelocaldns is configured with a local IP labelled world by Cilium. In addition, I updated the policies with the narrowest authorization, so packets do not drop. I am looking forward to your feedback 👀
Rather than adding blanket world access, can you wait for #1267 then template the node local dns address in? And, is there an easy way for cilium-cli to autodetect the dns IP? Or, are we just being too picky here, @aditighag?
Oh bah, this might not work. See cilium/cilium#16308 Fine, I give up :-)
@eminaktas I thought we discussed it on the other PR, see cilium/cilium#20683 (comment). Did something change after your reply cilium/cilium#20683 (comment)?
Hi, @aditighag
Hi @eminaktas! I went over all the policies that the PR is modifying, and it looks like we relax them only for DNS traffic going to node_local pods. I deployed a couple of policies, and validated that the rest of the traffic to world is blocked.
While it's not ideal to poke holes in the connectivity manifests as the world identity is fully permissive, until we have better support to add custom identities, we probably need this workaround. We should follow up on cilium/cilium#18644 (comment). This also includes making LRP stable so that users won't have to deal with such IP addresses in their cluster.
I've requested changes at one place, the rest of the changes are fine.
@@ -14,6 +14,16 @@ spec: | |||
- kube-apiserver | |||
- toEndpoints: | |||
- {} | |||
# When node-local-dns is deployed with local IP, |
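Review bot: the added `- toEndpoints:` / `- {}` rule uses an empty endpoint selector, which in Cilium matches every endpoint in the cluster, far broader than the node-local-dns target the `# When node-local-dns is deployed with local IP,` comment describes; narrow the selector to the node-local-dns pods (for example a `matchExpressions` on `k8s-app` and `io.kubernetes.pod.namespace`) and pair it with a `toPorts` entry for port 53 so the relaxation covers only DNS, and have the comment state why the deployment's local IP needs a separate rule.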
Why not narrow this down further -

```yaml
- matchExpressions:
    - { key: 'k8s-app', operator: In, values: [ "node-local-dns", "nodelocaldns" ] }
    - { key: 'io.kubernetes.pod.namespace', operator: In, values: [ "kube-system" ] }
```
Yeah, I added it and tested; there wasn't any issue. Thanks.
The new change caused a failure for the Multicluster test. You can find the logs here.
I did not understand why the Multicluster test failed. So, I took the change back.
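As an added example (not one of the PR's manifests), this is the rule shape the thread converges on: the world entity stays, because Cilium classifies the node-local-dns link-local address as world, but the rule is limited to port 53 and to DNS. The policy name, namespace and client label are assumed, and the too-broad variants are left in as comments for comparison.

```yaml
# Added example, not a manifest from the cilium-cli repository. The policy
# name, namespace and the client label are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: client-egress-to-node-local-dns
  namespace: cilium-test
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egress:
    # Too broad (for comparison only): an empty endpoint selector matches
    # every endpoint in the cluster, and a bare world entity allows any
    # traffic to any address outside the cluster.
    # - toEndpoints:
    #     - {}
    # - toEntities:
    #     - world
    #
    # Narrowed: node-local-dns on a local 169.254.x.x address carries the
    # world identity, so the rule must target the world entity, but only on
    # port 53, and the L7 DNS rule restricts it to DNS queries rather than
    # arbitrary traffic on that port.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```

The L7 `dns` rule requires the Cilium DNS proxy; without it, drop the `rules` block and the policy still limits world access to port 53 only.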
Commit 505d7ef does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Thanks for the help @aditighag.
When node-local-dns is deployed with local IP,
policies fail to verify that the connection goes to
node-local-dns. This change allows such DNS
traffic in the connectivity test policy yamls.
Signed-off-by: eminaktas [email protected]