
Fix NP not working on hairpin Service connection #5687

Merged 1 commit, Nov 13, 2023

Conversation

GraysonWu (Contributor)

Fix #5681

Network policy didn't work when using a server Pod to establish a connection to the service provided by itself. This hairpin service connection initiated through a local Pod will be SNATed to the gateway IP, which will prevent it from being correctly categorized by the network policy during the Ingress rule enforcement.

This commit adds a bypass flow that always allows the hairpin service connection, which addresses this issue, given that we don't consider self-access blocking to be a valid case.
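To make the ordering problem in the description concrete, here is a small Go model of the classification path, added as an illustration for this thread and not code from the Antrea pipeline. It assumes the behaviour stated above: a hairpin Service connection (the client Pod is itself the chosen endpoint) is SNATed to the node gateway IP before ingress rule enforcement, so a podSelector-based ingress rule no longer recognises the original source; all IPs, the `Connection` and `IngressRule` types and the `EnforceIngress*` functions are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Connection is a simplified model of the conntrack state the pipeline
// reasons about: the original source, the ClusterIP the client dialed and
// the endpoint the Service DNAT selected. (Illustrative, not Antrea's types.)
type Connection struct {
	SrcIP      netip.Addr // original source, i.e. the client Pod
	ClusterIP  netip.Addr // Service VIP the client connected to
	EndpointIP netip.Addr // backend picked by Service load balancing (post-DNAT)
}

// IngressRule models a NetworkPolicy ingress rule on the server Pod whose
// podSelector has already been resolved to a list of allowed source IPs.
type IngressRule struct {
	AllowedSources []netip.Addr
}

// Verdict is the outcome of running a connection through the model pipeline.
type Verdict string

const (
	Allow Verdict = "allow"
	Drop  Verdict = "drop"
)

// IsHairpin reports whether Service load balancing chose the client Pod itself
// as the endpoint, i.e. the Pod is talking to its own Service.
func (c Connection) IsHairpin() bool {
	return c.SrcIP == c.EndpointIP
}

// sourceSeenByIngress returns the source IP the ingress stage evaluates.
// Hairpin connections are SNATed to the gateway IP (as the PR describes), so
// the client Pod's own IP is no longer visible at that point.
func sourceSeenByIngress(c Connection, gatewayIP netip.Addr) netip.Addr {
	if c.IsHairpin() {
		return gatewayIP
	}
	return c.SrcIP
}

func (r IngressRule) matches(src netip.Addr) bool {
	for _, a := range r.AllowedSources {
		if a == src {
			return true
		}
	}
	return false
}

// EnforceIngress evaluates the rule after SNAT with no hairpin bypass: this is
// the pre-fix behaviour, where a Pod is blocked from its own Service.
func EnforceIngress(c Connection, gatewayIP netip.Addr, rule IngressRule) Verdict {
	if rule.matches(sourceSeenByIngress(c, gatewayIP)) {
		return Allow
	}
	return Drop
}

// EnforceIngressWithBypass mirrors the fix: a hairpin connection is allowed
// before the rule is consulted, so the gateway SNAT can no longer cause a
// spurious drop. Every other connection is evaluated exactly as before.
func EnforceIngressWithBypass(c Connection, gatewayIP netip.Addr, rule IngressRule) Verdict {
	if c.IsHairpin() {
		return Allow
	}
	return EnforceIngress(c, gatewayIP, rule)
}

func main() {
	// Constructed sample addresses for the walkthrough.
	gw := netip.MustParseAddr("10.10.0.1")
	server := netip.MustParseAddr("10.10.0.5")
	client := netip.MustParseAddr("10.10.0.9")
	stranger := netip.MustParseAddr("10.10.0.77")
	vip := netip.MustParseAddr("10.96.0.10")

	// Policy on the server Pod: accept only from itself and one client Pod.
	rule := IngressRule{AllowedSources: []netip.Addr{server, client}}

	self := Connection{SrcIP: server, ClusterIP: vip, EndpointIP: server}
	other := Connection{SrcIP: client, ClusterIP: vip, EndpointIP: server}
	denied := Connection{SrcIP: stranger, ClusterIP: vip, EndpointIP: server}

	fmt.Println("hairpin, before fix:  ", EnforceIngress(self, gw, rule))           // drop
	fmt.Println("hairpin, with bypass: ", EnforceIngressWithBypass(self, gw, rule)) // allow
	fmt.Println("client, with bypass:  ", EnforceIngressWithBypass(other, gw, rule))  // allow
	fmt.Println("stranger, with bypass:", EnforceIngressWithBypass(denied, gw, rule)) // drop
}
```

The point the model makes is that the bypass only changes the hairpin case: the server Pod's ingress rule still sees the real source IP for every other connection, so the policy's protection against unrelated Pods is unchanged. The "egress side" option mentioned below (a `toService` rule applied to the client Pod before the traffic is categorized as hairpin) is outside this model.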

@hongliangl (Contributor)

It means that NetworkPolicy will never block hairpin connections. Is that right?

@GraysonWu (Contributor, Author)

> It means that NetworkPolicy will never block hairpin connections. Is that right?

Yes. But you can still use toService or something similar to block it on the "egress side", before it has been categorized as hairpin traffic.

@luolanzone luolanzone added the action/backport Indicates a PR that requires backports. label Nov 9, 2023
luolanzone (Contributor) previously approved these changes Nov 9, 2023 and left a comment


LGTM

Review threads (outdated, resolved) on pkg/agent/openflow/pipeline.go and test/e2e/networkpolicy_test.go
tnqn (Member) previously approved these changes Nov 13, 2023 and left a comment


LGTM

@tnqn (Member) commented Nov 13, 2023

The changed test is failing

Fix antrea-io#5681

Network policy didn't work when using a server Pod to establish a
connection to the service provided by itself. This hairpin service
connection initiated through a local Pod will be SNATed to the
gateway IP, which will prevent it from being correctly categorized by
the network policy during the Ingress rule enforcement.

This commit adds a bypass flow that always allows the hairpin service
connection, which addresses this issue, given that we don't consider
self-access blocking to be a valid case.

Signed-off-by: graysonwu <wgrayson@vmware.com>
@GraysonWu (Contributor, Author)

/test-all

@tnqn (Member) left a comment


LGTM

@tnqn tnqn merged commit 9144983 into antrea-io:main Nov 13, 2023
49 of 56 checks passed
@tnqn tnqn added the action/release-note Indicates a PR that should be included in release notes. label Nov 13, 2023
@tnqn (Member) commented Nov 13, 2023

@GraysonWu please backport it to 1.12-1.14

Labels: action/backport (Indicates a PR that requires backports.), action/release-note (Indicates a PR that should be included in release notes.)
Linked issue (closed by this pull request): NetworkPolicy doesn't work when the Pod access its own Service's ClusterIP