Enhance L7 NetworkPolicy to support TLS protocol #4932
Conversation
hongliangl
force-pushed
the
20230312-l7-tls
branch
2 times, most recently
from
fab937c
to
ac943e8
Compare
hongliangl
added
the
action/release-note
hongliangl
force-pushed
the
20230312-l7-tls
branch
2 times, most recently
from
50ba5ea
to
4366978
Compare
|
@hongliangl I didn't see any doc update in this PR, do you plan to create a separate PR to update L7 NP doc for tls protocol? |
Will add a doc later. I'm not sure if this PR could be merge in v1.12. If we plan to merge this PR, I can add a doc quickly. |
| if tls.SNI != "" { | ||
| keywords = append(keywords, fmt.Sprintf(`tls.sni; content:"%s"; nocase; pcre:"/%s$/;"`, tls.SNI, tls.SNI)) | ||
| } | ||
| return strings.Join(keywords, " ") |
There was a problem hiding this comment.
Do you need a slice keywords here? seems there will be only one string.
There was a problem hiding this comment.
We could add more key words in the future.
Thanks for reviewing this PR, will address the comments and update antrea-l7-network-policy.md later |
| @@ -320,6 +321,14 @@ type HTTPProtocol struct { | |||
| Path string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"` | |||
| } | |||
|
|
|||
| // TLSProtocol matches TLS requests with specific SNI. If the field is not provided, this | |||
There was a problem hiding this comment.
What does "TLS requests" refer to?
There was a problem hiding this comment.
I follow the style of HTTP like the following in existing code:
// HTTPProtocol matches HTTP requests with specific host, method, and path. All
// fields could be used alone or together. If all fields are not provided, this
// matches all HTTP requests.
type HTTPProtocol struct {
// Host represents the hostname present in the URI or the HTTP Host header to match.
// It does not contain the port associated with the host.
Host string
// Method represents the HTTP method to match.
// It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.
Method string
// Path represents the URI path to match (Ex. "/index.html", "/admin").
Path string
}
Is the comment "TLS requests" confused in some degree? If so, could you give some suggestions? Thanks a lot @jianjuns
There was a problem hiding this comment.
I think TLS handshake is okay for me.
There was a problem hiding this comment.
Is it "TLS handshake requests"?
There was a problem hiding this comment.
I searched for the words TLS handshake requests but found no usage of TLS handshake and requests together. How about just TLS handshake?
There was a problem hiding this comment.
Then let us use "handshake packets". "handshake" is a process that includes rounds of message exchanges.
hongliangl
force-pushed
the
20230312-l7-tls
branch
4 times, most recently
from
fc32b93
to
1fd3087
Compare
docs/antrea-l7-network-policy.md
Outdated
| @@ -7,7 +7,9 @@ | |||
| - [Prerequisites](#prerequisites) | |||
| - [Usage](#usage) | |||
| - [HTTP](#http) | |||
| - [More examples](#more-examples) | |||
| - [More examples - HTTP](#more-examples-http) | |||
There was a problem hiding this comment.
This is inconsistent with the actual section name. TOC check should be failing.
And I feel redundant to append HTTP when its parent section is already HTTP. If you are trying to avoid section name conflict, the second anchor of the second section will have "-1", and toc generator tool will do it automatically.
There was a problem hiding this comment.
I didn't know that we could generate TOC by calling make toc. I have updated and checked.
docs/antrea-l7-network-policy.md
Outdated
| apiVersion: crd.antrea.io/v1alpha1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: ingress-allow-tls-request-to-api-v2 |
There was a problem hiding this comment.
The name doesn't reflect what the policy really does
There was a problem hiding this comment.
Updated to ingress-allow-tls-hanshake
docs/antrea-l7-network-policy.md
Outdated
| apiVersion: crd.antrea.io/v1alpha1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: allow-http-only |
There was a problem hiding this comment.
Updated to allow-tls-only
docs/antrea-l7-network-policy.md
Outdated
| apiVersion: crd.antrea.io/v1alpha1 | ||
| kind: ClusterNetworkPolicy | ||
| metadata: | ||
| name: allow-web-tls-access-to-internal-domain |
There was a problem hiding this comment.
web should not be part of it. this rule doesn't indicate web at all.
There was a problem hiding this comment.
Updated to allow-tls-handshake-to-internal
| @@ -356,7 +356,7 @@ spec: | |||
| template: | |||
| metadata: | |||
| annotations: | |||
| checksum/config: 7eb0f1e65f7eb3e35b0739d6064b92b7621af0f4e41813c35bfdee71ceaefbe2 | |||
| checksum/config: | |||
There was a problem hiding this comment.
No. I found that in MACOS, sha256sum used in multicluster/hack/update-checksum.sh is not available. I have regenerated the manifest files with alternative shasum -a 256.
pkg/apis/controlplane/types.go
Outdated
| // SNI indicates the domain name in the TLS hello message, allowing the server to match it with the correct digital | ||
| // certificate for that domain. |
There was a problem hiding this comment.
"allowing the server to match it with the correct digital certificate for that domain."
I don't think we have this functionality? We just check if the actual SNI matches the one set in the policy.
There was a problem hiding this comment.
Removed allowing the server to match it with the correct digital certificate for that domain.
| time.Sleep(networkPolicyDelay) | ||
|
|
There was a problem hiding this comment.
Check www.google.com is not reachable now.
There was a problem hiding this comment.
Changed to apis.google.com.
hongliangl
force-pushed
the
20230312-l7-tls
branch
6 times, most recently
from
403767b
to
ace16ad
Compare
docs/antrea-l7-network-policy.md
Outdated
| @@ -201,6 +203,92 @@ spec: | |||
| - http: {} # automatically dropped, and subsequent rules will not be considered. | |||
| ``` | |||
|
|
|||
| ### TLS | |||
|
|
|||
| A typical layer 7 NetworkPolicy for TLS protocol is as below: | |||
docs/antrea-l7-network-policy.md
Outdated
| matchLabels: | ||
| app: web | ||
| ingress: | ||
| - name: allow-tls # Allow inbound TLS/SSL handshakes to server name "foo.bar.com" from Pods with app=client label. |
There was a problem hiding this comment.
"handshake requests" or "handshake packets"
docs/antrea-l7-network-policy.md
Outdated
| action: Drop | ||
| ``` | ||
|
|
||
| **sni**: The `sni` field matches the TLS/SSL Server Name Indication (SNI) field included in the TLS/SSL handshake process. |
docs/antrea-l7-network-policy.md
Outdated
| port: 53 | ||
| - name: allow-tls-only # Allow outbound SSL/TLS handshakes towards "*.bar.com". | ||
| action: Allow # As the rule's "to" and "ports" are empty, which means it selects traffic to any network | ||
| l7Protocols: # peer's any port using any transport protocol, all outbound SSL/TLS handshakes towards other |
docs/antrea-l7-network-policy.md
Outdated
| sni: "*.bar.com" # will not be considered. | ||
| ``` | ||
|
|
||
| The following NetworkPolicy blocks network traffic using an unauthorized application protocol regardless of port used. |
docs/antrea-l7-network-policy.md
Outdated
| matchLabels: | ||
| app: web | ||
| ingress: | ||
| - name: tls-only # Allow inbound SSL/TLS requests only. |
pkg/apis/controlplane/types.go
Outdated
| @@ -330,6 +331,13 @@ type HTTPProtocol struct { | |||
| Path string | |||
| } | |||
|
|
|||
| // TLSProtocol matches TLS handshakes with specific SNI. If the field is not provided, this | |||
There was a problem hiding this comment.
handshake requests or packets
Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
force-pushed
the
20230312-l7-tls
branch
2 times, most recently
from
0f2aa1d
to
1b4d153
Compare
docs/antrea-l7-network-policy.md
Outdated
| @@ -75,7 +77,7 @@ welcome feature requests for protocols that you are interested in. | |||
|
|
|||
| ### HTTP | |||
|
|
|||
| A typical layer 7 NetworkPolicy for HTTP protocol is as below: | |||
| An example of layer 7 NetworkPolicy for the HTTP protocol is like below: | |||
There was a problem hiding this comment.
Done, thanks for reviewing this PRs.
Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
hongliangl
force-pushed
the
20230312-l7-tls
branch
from
1b4d153
to
2063059
Compare
|
/test-all |
No description provided.