Allow targeting nodes in CilumNetworkPolicy #19121

@eddycharly

Description

Proposal / RFE

Cilium already supports a couple of methods to specify endpoint policies: https://docs.cilium.io/en/stable/policy/language/#layer-3-examples.
Some Kubernetes constructs are supported too: https://docs.cilium.io/en/stable/policy/kubernetes/.

In certain scenarios it can be useful to filter on nodes.

As an example, allowing egress from master nodes of a cluster to nodes that host ETCD proves to be difficult today.

Something like this might work if the IP addresses in the toCIDR statement are for nodes that belong to the cluster:

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: etcd
spec:
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ''
  ingress:
  - fromEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
  egress:
  - toCIDR:
    - 172.19.0.6/32
    - 172.19.0.7/32
    - 172.19.0.9/32
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
```

Policy verdict log:

```text
Policy verdict log: flow 0xa6c1d821 local EP ID 2007, remote ID kube-apiserver, proto 6, egress, action audit, match none, 172.19.0.7:57124 -> 172.19.0.9:2380 tcp SYN
```

Something like this will work if the kube-apiserver and ETCD run on the same nodes:

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: etcd
spec:
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ''
  ingress:
  - fromEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
  egress:
  - toEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
```

Although this is quite confusing as one would expect this to NOT work as the destination is definitely not targeting kube-apiserver.
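The verdict line above already contains the explanation for both observations: the destination 172.19.0.9 sits inside the toCIDR list, yet the agent reports the peer as `remote ID kube-apiserver` and `match none`, and a rule that names that identity (`toEntities: kube-apiserver`) is what ends up allowing the flow. The script below is an added example (not Cilium code, not from the issue author) that parses verdict log lines in the format quoted here, checks the destination against a policy's toCIDR/toPorts, and reports when an unmatched flow's peer resolved to a cluster identity rather than a plain IP. The `CLUSTER_IDENTITIES` set, the `Verdict` dataclass and the second, "allowed" sample line are assumptions constructed for the example; the first sample line and the CIDR/port lists are taken from the issue.

```python
"""Diagnose Cilium policy verdict logs against a toCIDR egress rule (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Field layout derived from the verdict line quoted in the issue.
VERDICT_RE = re.compile(
    r"Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<local_ep>\d+), "
    r"remote ID (?P<remote_id>[\w\-]+), proto (?P<proto>\d+), "
    r"(?P<direction>ingress|egress), action (?P<action>\w+), match (?P<match>[\w\-]+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<l4>\w+)(?: (?P<flags>.*))?$"
)

# Assumption for this example: peers that Cilium reports under one of these
# names are cluster-internal identities, not "world" CIDR peers. The issue's
# own log line shows "kube-apiserver" in this position.
CLUSTER_IDENTITIES = {"host", "remote-node", "kube-apiserver", "health"}

# Values copied from the toCIDR / toPorts rule in the issue.
ETCD_CIDRS = ["172.19.0.6/32", "172.19.0.7/32", "172.19.0.9/32"]
ETCD_PORTS = {2379, 2380}

# Constructed sample input: line 1 is the verdict quoted in the issue; line 2 is a
# made-up "allowed" verdict so that the filter has something to leave alone.
SAMPLE_LOG = """\
Policy verdict log: flow 0xa6c1d821 local EP ID 2007, remote ID kube-apiserver, proto 6, egress, action audit, match none, 172.19.0.7:57124 -> 172.19.0.9:2380 tcp SYN
Policy verdict log: flow 0x0badc0de local EP ID 2007, remote ID kube-apiserver, proto 6, egress, action allow, match L3-L4, 172.19.0.7:57125 -> 172.19.0.9:2379 tcp SYN
"""


@dataclass
class Verdict:
    flow: str
    local_ep: int
    remote_id: str
    proto: int
    direction: str
    action: str
    match: str
    src: str
    sport: int
    dst: str
    dport: int
    l4: str
    flags: str


def parse_verdict(line: str) -> Optional[Verdict]:
    """Parse one verdict line; returns None for lines in another format."""
    m = VERDICT_RE.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Verdict(
        flow=d["flow"], local_ep=int(d["local_ep"]), remote_id=d["remote_id"],
        proto=int(d["proto"]), direction=d["direction"], action=d["action"],
        match=d["match"], src=d["src"], sport=int(d["sport"]), dst=d["dst"],
        dport=int(d["dport"]), l4=d["l4"], flags=d["flags"] or "",
    )


def in_cidrs(ip: str, cidrs: Iterable[str]) -> bool:
    """True when ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def explain(v: Verdict, cidrs: List[str], ports: set) -> str:
    """One-line diagnosis of why an egress verdict did or did not match the rule."""
    if v.direction != "egress":
        return "not an egress flow"
    if v.match != "none":
        return f"matched ({v.match}), action {v.action}"
    covered = in_cidrs(v.dst, cidrs) and v.dport in ports
    if covered and v.remote_id in CLUSTER_IDENTITIES:
        return (f"dst {v.dst}:{v.dport} is inside toCIDR, but the peer resolved to "
                f"identity '{v.remote_id}', a cluster identity; CIDR rule did not apply")
    if covered:
        return f"dst {v.dst}:{v.dport} is inside toCIDR and toPorts but still unmatched"
    return f"dst {v.dst}:{v.dport} is not covered by toCIDR/toPorts"


def unmatched_flows(log: str, cidrs: List[str], ports: set) -> List[str]:
    """Return diagnoses for every parsable verdict whose match is 'none'."""
    out = []
    for line in log.splitlines():
        v = parse_verdict(line)
        if v is not None and v.match == "none":
            out.append(f"flow {v.flow}: {explain(v, cidrs, ports)}")
    return out


if __name__ == "__main__":
    for msg in unmatched_flows(SAMPLE_LOG, ETCD_CIDRS, ETCD_PORTS):
        print(msg)
```

Run it as-is and the only line reported is the issue's flow 0xa6c1d821, diagnosed as a toCIDR destination whose peer carries the `kube-apiserver` identity; feeding it a larger `cilium monitor -t policy-verdict` capture works the same way as long as the lines keep this layout.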

Describe the solution you'd like

It would be nice to be able to use node selector in policy rules.

Something along those lines:

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: etcd
spec:
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ''
  ingress:
  - fromEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
  egress:
  # select nodes based on node labels
  - toNodes:
    - matchLabels:
        node-role.kubernetes.io/etcd: ''
    toPorts:
    - ports:
      - port: '2379'
        protocol: TCP
      - port: '2380'
        protocol: TCP
```

See the original Slack discussion https://cilium.slack.com/archives/C01JALNQAR1/p1647017730769119 too.

Labels: `area/agent` (Cilium agent related), `help-wanted` (You can help! Post a detailed plan on the issue or create a PR to solve this issue), `kind/community-report` (This was reported by a user in the Cilium community, e.g. via Slack), `kind/feature` (This introduces new functionality), `pinned` (These issues are not marked stale by our issue bot), `sig/policy` (Impacts whether traffic is allowed or denied based on user-defined policies).