kube-apiserver policy matching does not work with tunneling mode #18049
Closed
Labels:
- area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- area/k8s: Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
- kind/bug: This is a bug in the Cilium logic.
- sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
This is a known issue at the moment when traffic from the kube-apiserver (i.e. hostNetwork pod on kube-apiserver host, CRD webhook) reaches out to a pod (Cilium endpoint). The reason why it doesn't work is because the cilium_host IP (router IP) that the traffic goes out from is associated with ID 6. Since traffic from the kube-apiserver host will be expected to have ID 7, this causes policy drops.
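As an added illustration (not part of the issue), this is the kind of policy the bug affects: a CiliumNetworkPolicy that admits only the kube-apiserver entity to a webhook pod. The namespace, pod label and port are assumed; the identity names in the comments are Cilium's reserved identities (6 = remote-node, 7 = kube-apiserver).

```yaml
# Added example, not from the issue: admit only kube-apiserver traffic
# to an admission webhook pod. Namespace, label and port are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-apiserver-to-webhook
  namespace: webhook-system          # assumed
spec:
  endpointSelector:
    matchLabels:
      app: admission-webhook         # assumed
  ingress:
    - fromEntities:
        # Matches reserved identity 7 (kube-apiserver). In tunneling mode the
        # webhook call leaves the apiserver host from the cilium_host (router)
        # IP, which carries reserved identity 6 (remote-node), so this rule
        # never matches and the datapath drops the connection.
        - kube-apiserver
      toPorts:
        - ports:
            - port: "8443"           # assumed webhook port
              protocol: TCP
# Note (assumption, not stated in the issue): adding remote-node to
# fromEntities would match the identity actually observed, but it also
# admits host-network traffic from every node in the cluster, so it is a
# trade-off rather than a fix.
```

The identity actually carried by the dropped packets can be confirmed from the drop notifications printed by `cilium monitor -t drop` on the node hosting the webhook pod.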