Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ingress policy enforcement v1.25 #402

Closed
wants to merge 3 commits into from

Conversation

jrajahalme
Copy link
Member

Backport of #351 on v1.25

@jrajahalme jrajahalme marked this pull request as draft October 13, 2023 12:39
[ upstream commit f7871bb ]

Flush on proxylib close so that any remaining data is not cut off.

Signed-off-by: Jarno Rajahalme <[email protected]>
[ upstream commit 553af5a ]

Add enforce_policy_on_l7_lb to bpf_metadata config to maintain backwards
compatibility by explicitly turning on policy enforcement on Ingress to
support older Cilium releases on the same Envoy build.

Store the original source identity for enforcing ingress policy for
Ingress, that otherwise only enforces the egress policy, as it operates
on the egress path. Now both ingress and egress policies for the ingress
identity are enforced when enforce_policy_on_l7_lb is configured as
'true'.

Ingress arrives to Cilium nodes at node ports, which are meaningless for
Cilium Network Policies. To remedy this the destination port of the
selected backend is used also in ingress path policy enforcement. Note
that this destination port may be different from the one the traffic was
first received at the external load balancer.

Signed-off-by: Jarno Rajahalme <[email protected]>
[ upstream commit ee919e1 ]

Refactor Config::getMetadata() processing of L7 LB config to be more
explicit and to error out on invalid config so that invalid traffic does
not accidentally slip through.

Adjust tests accordingly and add new tests to cover the new
'enforce_policy_on_l7lb' option.

Signed-off-by: Jarno Rajahalme <[email protected]>
@jrajahalme jrajahalme force-pushed the ingress-policy-enforcement-v1.25 branch from 48eb671 to 3639622 Compare October 13, 2023 13:13
@sayboras
Copy link
Member

This might not require anymore once the below PRs are merged

cilium/cilium#28853
cilium/cilium#28854
cilium/cilium#28855

@sayboras
Copy link
Member

sayboras commented Dec 2, 2023

Closed in favor of #442

@sayboras sayboras closed this Dec 2, 2023
@sayboras sayboras deleted the ingress-policy-enforcement-v1.25 branch December 2, 2023 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants