Ingress rule with named port not resolving to numerical port on target Pod in PolicyEndpoint #81
Comments
|
Moving this to Network Policy controller repo. Fix for this issue in NP controller is currently being rolled out to all the clusters. Will update here once the rollout is complete. |
|
Update: Specifically from above example: Expected: But got: |
|
@yndai Any particular reason behind specifying a static Pod IP as opposed to using Pod/Namespace selectors? Pod IPs are ephemeral, so trying to understand the use case here. Right now, we don't support named ports when pod IPs are specified as static IPs in the NP resource (and also don't support Service VIPs for static pod IPs).. |
|
@achevuru I think you might be misunderstanding my example (correct me if I am wrong): In my net policy I have an ingress rule for a CIDR range (not pod ip): In the PolicyEndpoint I expect a rule like this: But I get: However, this CIDR ingress rule is not created. If I change the network policy rule to target the numeric port like so, then it works: In my net policy I have an ingress rule for a CIDR range (not pod IP): Basically, the issue persists for ipBlock rules, but was fixed for podSelector rules. |
|
@yndai Understood. We should be able to extend the named port support to |
|
@achevuru Thank you, and yes, I understand the caveats |
|
Another note for anyone else possibly facing this: ingress:
- ports:
- port: https
protocol: TCPUnder the hood this maps to a CIDR rule on |
<!-- Thanks for sending a pull request! Here are some tips for you: 1. Ensure you have added the unit tests for your changes. 2. Ensure you have included output of manual testing done in the Testing section. 3. Ensure number of lines of code for new or existing methods are within the reasonable limit. 4. Ensure your change works on existing clusters after upgrade. --> **What type of PR is this?** <!-- Add one of the following: bug cleanup documentation feature --> bug **Which issue does this PR fix**: #81 **What does this PR do / Why do we need it**: Allows named ports when using IPBlocks (ingress rules only) **If an issue # is not available please add steps to reproduce and the controller logs**: **Testing done on this change**: <!-- output of manual testing/integration tests results and also attach logs showing the fix being resolved --> Manually applied Cx config and policyendpoint looks fine ``` Spec: Ingress: Cidr: 172.17.0.0/16 Ports: Port: 80 Protocol: TCP Cidr: 192.168.8.106 Ports: Port: 443 Protocol: TCP Pod Isolation: Ingress Pod Selector: Match Labels: App: target Pod Selector Endpoints: Host IP: 192.168.98.89 Name: target Namespace: default Pod IP: 192.168.125.203 Policy Ref: Name: allow-web-traffic Namespace: default ``` Using allow all in ingress rule ``` Spec: Ingress: Cidr: 0.0.0.0/0 Ports: Port: 80 Protocol: TCP Port: 443 Protocol: TCP Cidr: ::/0 Ports: Port: 80 Protocol: TCP Port: 443 Protocol: TCP Pod Isolation: Ingress Pod Selector: Match Labels: App: target Pod Selector Endpoints: Host IP: 192.168.98.89 Name: target Namespace: default Pod IP: 192.168.116.203 Policy Ref: Name: allow-web-traffic Namespace: default ``` **Automation added to e2e**: <!-- List the e2e tests you added as part of this PR. If no, create an issue with enhancement/testing label --> 1. NP allowing ingress from IPBlock + 2 named ports 2. NP allowing ingress from all CIDRs + 2 named ports **Will this PR introduce any new dependencies?**: <!-- e.g. new K8s API --> No **Will this break upgrades or downgrades. Has updating a running cluster been tested?**: No **Does this PR introduce any user-facing change?**: <!-- If yes, a release note update is required: Enter your extended release note in the block below. If the PR requires additional actions from users switching to the new release, include the string "action required". --> Yes ```release-note Allow for using named ports when using IPBlocks for the ingress source. ``` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
What happened:
Summary: When creating a
NetworkPolicywith an ingress rule that allows traffic to a named port on a target pod, the ingress rule is not created in the resultingPolicyEndpoint(and traffic is not allowed either).Additional details:
NetworkPolicyworks finePodand that sourcePodhas the same named ports, the rule also works fine (regardless of the numerical values declared in the source pod) (See the "Anything else we need to know" section)What you expected to happen:
When specifying a named port in a
NetworkPolicyrule, the port should be mapped to the corresponding numerical port on the targetPod, if available.How to reproduce it (as minimally and precisely as possible):
Example:
kubctl apply -fon:We expect this in the resulting
PolicyEndpoint:But instead got this:
Anything else we need to know?:
Another weirdness: if the source
Poditself has the same named ports defined in the ingress rule, the rule that specifies the sourcePodactually works as expected!e.g. if you delete the source pod in the above example and apply this instead:
We now get:
The CIDR source rule is still missing, however. This makes me think that there is an incorrect check against the source
Podwhen mapping named ports to their numerical values instead of the targetPod.Environment:
kubectl version):Server Version: version.Info{Major:"1", Minor:"27+", GitVersion:"v1.27.8-eks-8cb36c9", GitCommit:"fca3a8722c88c4dba573a903712a6feaf3c40a51", GitTreeState:"clean", BuildDate:"2023-11-22T21:52:13Z", GoVersion:"go1.20.11", Compiler:"gc", Platform:"linux/amd64"}amazon-k8s-cni:v1.16.0-eksbuild.1aws-network-policy-agent:v1.0.7-eksbuild.1cat /etc/os-release):Amazon Linux 2uname -a):Linux ip-10-1-61-179.ec2.internal 5.10.192-183.736.amzn2.x86_64 aws/aws-network-policy-agent#1 SMP Wed Sep 6 21:15:41 UTC 2023 x86_64 x86_64 x86_64 GNU/LinuxThe text was updated successfully, but these errors were encountered: