Kubernetes network policy with node ip cidr doesn't work

[lzang]

Bug report

General Information

• Cilium version : 1.8
• Kernel version: 4.19

How to reproduce the issue

1. Create a policy rule to allow a pod to talk to all nodes. cidr 10.128.0.0/20 is the node cidr.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-kubelet-from-test-pod
spec:
  podSelector:
    matchLabels:
      k8s-app: test-pod
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.128.0.0/20
    ports:
    - protocol: TCP
      port: 10255

2. curl the node from the pod, and found that the connection is rejected, instead of being allowed.

The issue is because the node ip is translated to host identity, not the cidr identity. However, kubernetes network policy doesn't have a node selector. So to allow pods to talk to host in either direction using k8s network policy, only cidr can be used. The current behavior is inconsistent with what is supposed to work with k8s network policy.
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/api/networking/v1/types.go

[joestringer]

Some excerpts from me on the Slack thread with minor edits for clarity:

There's the "pure" policy argument in the background here: The policy is defining accessibility between constructs defined in kubernetes terms, abstracted away from the physical infrastructure. If you intend to allow traffic to a host or hosts in the cluster, then defining a policy at that higher level of abstraction is more correct; otherwise depending on your underlying infrastructure IP addresses you then have to change the policy. Or worse, you bring a policy from another environment and you don't change the CIDRs and end up unintentionally allowing connectivity where the policy intent was never to allow connections to some remote location. This kind of "unintentional allow based on policy being inconsistent with the infrastructure" is a baseline problem that we avoid with the current approach because users are forced to declare their intent by adding explicit "to host" / "to remote-node" allows.

Notes from the code perspective which may be useful background:

• In the datapath there is exactly one identity associated with an IP and we evaluate policy purely based on that. This bounds the datapath complexity, performance and so on. This is intentionally not a multi-phase lookup process.
• At the ipcache layer (pkg/ipcache in the agent), there is a notion of precedence where possible IP/Identity conflicts are "flattened" to select one or the other.
• I would generally prefer to avoid fixing this with a flag, Cilium already has a large number of varying configuration options and it's already difficult to test and validate correctness across all of them.

The current datapath approach and also the "one identity per IP" are intentional designs to provide per-packet guarantees for efficient forwarding. We should look at this problem from the user perspective and not jump straight to the conclusion that modifying the datapath code is the correct fix. I can think of perhaps three or more designs that could potentially solve this issue without modifying the datapath implementation:

1. Make the host identity dynamic within the agent so that it has labels for the CIDR associated with the node, allowing toCIDR selectors to select it. There would be a single combined identity for the host that has the labels of the CIDR + the reserved:host label to allow policy selection to select that identity regardless of whether the policy is defined as toEntities or toCIDR.
2. Detect NetworkPolicy import that selects IPs associated with the host and inject new generated policies into the internal daemon policy repository to allow traffic to the host entity when the NP allows traffic to the host IP
3. In the policy repository import of such NP toCIDR policies, check toCIDR selectors for host IPs and potentially modify them to also select the host entity when the IP is one of the host's IPs

[joestringer]

For (1) above, the downside is that there may be multiple IPs associated with the host and it may become complicated to ensure that all such CIDRs become part of the set of labels for the host identity. I think that in principle it should work though, on startup for every IP associated with the host we would convert the IP into a list of labels such as cidr:0.0.0.0/0, ... cidr:192.168.0.1/32 (for all prefixes). Then we would need to de-duplicate any overlaps, then modify the host identity to contain all of these labels.

For (2), there's a nice property that the policy would not be modified and the host identity would remain with the current set of labels. The logic to generate the new internal policy to match the host IPs should be fairly straightforward and independent code. I believe we do similar things for toServices already. Downside is that every time that a policy is inserted with match on the CIDR of the host, we need to detect that and generate the policy; furthermore ensure that cleanup occurs and so on when the policy is deleted; and if it's modified, make sure that the generated policy is kept up to date or removed. If such policies were added/removed often then there's also associated policy import churn, though I'd imagine that's unlikely to be a huge issue.

[joestringer]

(3) is a bit unclean because it's effectively talking about munging existing policies, user input. That can get into weird territory when the user modifies the policy again and so on. Probably fine to steer clear of that option unless there are aspects of the other two that are bad enough for us to look at other approaches.

[joestringer]

I should probably also note for those who find this issue from a search:

The simplest fix for this is to import a CiliumNetworkPolicy with a toEntities: host / toEntities: remote-node match per the documentation:
https://docs.cilium.io/en/v1.8/policy/language/#access-to-from-local-host

[joestringer]

One more datapoint based on the K8s NP docs:

ipBlock: This selects particular IP CIDR ranges to allow as ingress sources or egress destinations. These should be cluster-external IPs, since Pod IPs are ephemeral and unpredictable.

Cluster ingress and egress mechanisms often require rewriting the source or destination IP of packets. In cases where this happens, it is not defined whether this happens before or after NetworkPolicy processing, and the behavior may be different for different combinations of network plugin, cloud provider, Service implementation, etc.

https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors

It's a bit ambiguous, it could be argued that node IPs are also ephemeral and unpredictable due to scaling up/down clusters. It could also be argued that These should be cluster-external IPs provides no guarantee that internal IPs would be allowed by the policy.

But I think the broader question is really around whether we provide useful and consistent mechanisms for users to allow the traffic they intend in this case. And when I say "traffic they intend", I'm interested to get a definition that doesn't rely on physical addressing. "toEntites: host" / "toEntities: remoteNode" makes sense to me because k8s defines hostNetwork and if you run things on the host or in hostNetwork then we can define a policy that allows traffic to those peers without relying on their IP addresses. That way, like we do with pod policies, Cilium can automagically detect what physical addresses correspond to those entities and apply policy in a way that will apply the same regardless of the underlying IP addressing schemes in use. Then if that "automagic" is too magic, ideally we provide introspection / interaction mechanisms to observe and influence the mappings.

Driving that more concretely, assuming such a policy model in Cilium, we would then make clear declarations in our interpretation of K8s NetworkPolicy that say something like "Cilium interprets the undefined behaviour in ipBlock to apply ipBlock to entities X, Y, Z.".

[joestringer]

One useful delineation between approach (1) and approach (2) occurred to me. It's not so much about how this approach will solve the reported issue here for the treatment of the local host, but may be more impactful for other identities like remote-node (or the other identities, really).

Approach (1) broadly says, we can modify the labels associated with the (host) identity, and hence rather than mapping for instance security ID 1 -> reserved:host we map it to reserved:host,cidr:....,cidr:.... That way, when the policy generation code runs over all identities, any policy that selects certain CIDRs will match the internal cidr labels in the host identity. That will subsequently populate the policy maps in the datapath. When the packet arrives, the ipcache mapping => will resolve the IP to an identity that was selected by the CIDR policy. If we want that same identity to be matched by other policies, then we "just" need to extend the identity with all of the related IP (and CIDR block) labels so that when the label-matching implementation in the Cilium CIDR policy resolver logic runs, it will select those identities.

Approach (2) instead says, when we receive policies matching specific CIDRs, let's inject new policies into the internal policy repository which match on the entities instead (cf. https://docs.cilium.io/en/v1.8/policy/language/#entities-based). If we want this to match on the host, it's fairly straightforward, we determine the host IPs, then do a CIDR prefix check, and decide whether to inject the toEntities: host policy. From there, everything is the same as today if we just create the policy to allow traffic tot to the host. Pretty similar impact in general.

However, in approach (2), when it comes to other identities such as remote-node, then we need to decide how we will whitelist the remote-node entity. Do we whitelist it if at least one IP associated with a remote-node is matched in the CIDR policy, in which case we are allowing more remote nodes than the ipBlock policy specified? Or do we validate that all remote node IPs must match the ipBlock before injecting the policy to match on remote-node entity? Probably the latter. But we'll still retain a quirky behaviour that simply adding an ipBlock match for a single remote node's IP won't allow traffic to that remote node.

So I think it'd be worthwhile to consider which of the special identities (https://docs.cilium.io/en/v1.8/concepts/terminology/#special-identities) we intend for the ipBlock to match on. It already matches on reserved:world, for which the description on that page matches the "cluster-external IPs" wording from the kubernetes spec above. I don't think it currently matches on any of the remaining identities.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This issue has not seen any activity since it was marked stale. Closing.