
GA network policy does not reject if there is not a single source pod matching a policy #85

Closed
lorenz opened this issue Jul 28, 2017 · 4 comments · Fixed by #86

lorenz commented Jul 28, 2017

Version: c85e02a (current master)

How to reproduce:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector:
    matchLabels:
      np-test: protected
  ingress:
    - from:
      - podSelector:
          matchLabels:
            np-test: allowed
      ports:
      - protocol: TCP
        port: 80

1. Run a pod (like nginx) with np-test: protected
2. Run a pod (something like busybox:musl) with np-test: allowed which can successfully access the server
3. Run a pod without any labels which cannot access the server
4. Remove the np-test: allowed pod
5. Now the unlabeled pod can access the server

In iptables it seems like the issue is that on the network policy chain the source filter is dropped when there are no sources, which fails open and not closed.

Collaborator

bzub commented Jul 28, 2017

Thanks for the very detailed bug report! We're looking into it now.

@bzub bzub added the bug label Jul 28, 2017
Collaborator

bzub commented Jul 29, 2017

I'm also seeing behavior where networkpolicy does not get enforced until a pod that matches ingress whitelist rules is created/labeled. It seems that perhaps this is the root issue, policy enforcement depends on a whitelist match resource existing first.

Here's a script that expects the networkpolicy manifest @lorenz posted, tests various scenarios, shows errors when expected behavior is not seen, and logs iptables and ipset between each test stage: https://gist.github.com/bzub/7d7f3f1704b2b7e04819c4b5232de8fb#file-np-test-sh

I've put the output of one run here: https://gist.github.com/bzub/7d7f3f1704b2b7e04819c4b5232de8fb#file-00-results-output-txt

and the detailed iptables/ipset logs are attached to this ticket here:
np-test-logs.tar.gz

murali-reddy pushed a commit that referenced this issue Jul 29, 2017
… matching a policy

Fix ensures below two cases are explicitly handled

 - in the network policy spec for the ingress rule, it's optional to give 'ports' and 'from' details
   when not specified it translates to match all ports, match all sources respectively

 - user may explicitly give the 'ports' and 'from' details in the ingress rule. But at any given point
   it's possible there is no matching pods (with labels defined in 'from') in the namespace.

Before the fix both the cases were handled similarly resulting in unexpected behaviour

Fixes #85
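The fail-open translation described in the report, and the two cases the fix commit separates ('from' omitted versus 'from' given but matching no pod), modelled in Go as an added example. This is constructed code, not kube-router's own: pods are keyed by name instead of IP and the optional 'ports' field is left out.

```go
package main

// Rule is one NetworkPolicy ingress entry reduced to its 'from' part.
// From == nil means the key was omitted (any source); a selector that matches
// no pod must mean no source. Constructed example, not kube-router's code.
type Rule struct {
	From map[string]string // podSelector.matchLabels
}

type Pods map[string]map[string]string // pod name -> labels (stand-in for the namespace)

func selectorMatches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// sourceSet resolves From against the live pods, like the ipset built from it.
func sourceSet(r Rule, pods Pods) map[string]bool {
	set := map[string]bool{}
	for name, labels := range pods {
		if r.From != nil && selectorMatches(r.From, labels) {
			set[name] = true
		}
	}
	return set
}

// buggyAllow reproduces the report: an empty source set drops the source
// match, so the rule silently fails open to "allow from anywhere".
func buggyAllow(r Rule, pods Pods, src string) bool {
	set := sourceSet(r, pods)
	return len(set) == 0 || set[src]
}

// fixedAllow keeps "from omitted" (match all) apart from "from given but no
// pod matches right now" (match none), the two cases the fix distinguishes.
func fixedAllow(r Rule, pods Pods, src string) bool {
	return r.From == nil || sourceSet(r, pods)[src]
}

// step5 models the report's last step: only an unlabeled pod is left.
func step5() (buggy, fixed bool) {
	rule := Rule{From: map[string]string{"np-test": "allowed"}}
	pods := Pods{"unlabeled": {}}
	return buggyAllow(rule, pods, "unlabeled"), fixedAllow(rule, pods, "unlabeled")
}
```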
Author

lorenz commented Jul 29, 2017

Confirmed working with the mentioned merge, thanks!

Member

Thanks @lorenz for confirming.
