
[v1.26] Ingress policy enforcement #442

Merged: 3 commits merged on Dec 2, 2023

Conversation

sayboras (Member)

Backport of #351 on v1.26

@sayboras sayboras changed the base branch from main to v1.26 November 27, 2023 10:57

Envoy can assert fail if local close reason is not set:

  envoy bug failure: !local_close_reason.empty(). Details: Local Close Reason was not set!

Set error detail on local close to prevent this.

Also Flush on proxylib close so that any remaining data is not cut off.

Signed-off-by: Jarno Rajahalme <[email protected]>
Add enforce_policy_on_l7_lb to bpf_metadata config to maintain backwards
compatibility by explicitly turning on policy enforcement on Ingress to
support older Cilium releases on the same Envoy build.

Store the original source identity for enforcing ingress policy for
Ingress, that otherwise only enforces the egress policy, as it operates
on the egress path. Now both ingress and egress policies for the ingress
identity are enforced when enforce_policy_on_l7_lb is configured as
'true'.

Ingress arrives at Cilium nodes at node ports, which are meaningless for
Cilium Network Policies. To remedy this the destination port of the
selected backend is used also in ingress path policy enforcement. Note
that this destination port may be different from the one at which the
traffic was first received by the external load balancer.

Signed-off-by: Jarno Rajahalme <[email protected]>

Refactor Config::getMetadata() processing of L7 LB config to be more
explicit and to error out on invalid config so that invalid traffic does
not accidentally slip through.

Adjust tests accordingly and add new tests to cover the new
'enforce_policy_on_l7lb' option.

Signed-off-by: Jarno Rajahalme <[email protected]>
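The second and third commit messages above describe which identity and port each direction of the Ingress identity's policy is keyed on once `enforce_policy_on_l7_lb` is set. The following is an added illustrative model of that decision, not code from cilium/proxy: the policy and connection structures, their field names and the fail-closed branch for a missing original source identity are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Constructed policy model: allowed (peer identity, destination port) pairs."""
    ingress: FrozenSet[Tuple[int, int]]  # (source identity, dest port) allowed in
    egress: FrozenSet[Tuple[int, int]]   # (dest identity, dest port) allowed out


@dataclass(frozen=True)
class ProxiedConn:
    """One connection as seen by the Envoy listener for an Ingress (field names assumed)."""
    orig_src_identity: Optional[int]  # original source identity stored by the filter
    node_port: int                    # port the traffic hit on the node; meaningless to CNP
    backend_identity: int             # identity of the backend Envoy selected
    backend_port: int                 # destination port of that backend


def allowed(conn: ProxiedConn, ingress_policy: Policy,
            enforce_policy_on_l7_lb: bool) -> Tuple[bool, str]:
    """Verdict under the Ingress identity's policy.

    Egress to the selected backend is always enforced (the proxy sits on the egress path).
    With enforce_policy_on_l7_lb the ingress policy is enforced too, keyed on the original
    source identity and the backend's destination port, never on the node port.
    """
    if (conn.backend_identity, conn.backend_port) not in ingress_policy.egress:
        return False, "egress denied"
    if enforce_policy_on_l7_lb:
        if conn.orig_src_identity is None:
            # Example's own choice: fail closed rather than pass unattributed traffic.
            return False, "original source identity missing"
        if (conn.orig_src_identity, conn.backend_port) not in ingress_policy.ingress:
            return False, "ingress denied"
    return True, "allowed"


# Constructed sample: source identity 2 may reach the backend port 8080 (ingress);
# the Ingress identity may talk to backend identity 100 on 8080 (egress).
POLICY = Policy(ingress=frozenset({(2, 8080)}), egress=frozenset({(100, 8080)}))
WORLD_ON_NODEPORT = ProxiedConn(orig_src_identity=2, node_port=30080,
                                backend_identity=100, backend_port=8080)
OTHER_SOURCE = ProxiedConn(orig_src_identity=3, node_port=30080,
                           backend_identity=100, backend_port=8080)


def demo():
    """Same connections evaluated with the option off (old behaviour) and on."""
    conns = (("world", WORLD_ON_NODEPORT), ("other", OTHER_SOURCE))
    return {flag: {name: allowed(c, POLICY, flag)[1] for name, c in conns}
            for flag in (False, True)}
```

With the option off, identity 3 slips through on egress alone; with it on, the ingress check denies it, and a policy written against the node port (30080) would not match either, which is why the backend port is used.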
@sayboras sayboras force-pushed the tam/backport-ingress-endpoint branch from 62d0c91 to 784cbe5 November 27, 2023 11:00
@sayboras sayboras marked this pull request as ready for review November 27, 2023 12:19
@sayboras sayboras added the dont-merge/preview-only DON'T MERGE label Nov 28, 2023
@sayboras sayboras changed the title Ingress policy enforcement [v1.26] Ingress policy enforcement Nov 28, 2023
@sayboras sayboras removed the dont-merge/preview-only DON'T MERGE label Dec 2, 2023
@sayboras (Member, Author) commented Dec 2, 2023

Testing was done along with the below PRs, merging soon.

cilium: cilium/cilium#29447
cilium-cli: cilium/cilium-cli#2126

@sayboras sayboras merged commit 38b645b into v1.26 Dec 2, 2023
3 checks passed
@sayboras sayboras deleted the tam/backport-ingress-endpoint branch December 2, 2023 12:52