CFP: per-node identities

[oblazek]

Cilium Feature Proposal

Is your feature request related to a problem?
Yes, currently it is not possible to allow/block access from/to nodes by their labels. The only way one can do that is by specifying remote-node identity, but this also allows access from nodes in remote clusters (in a clustermesh).

  ingress:
  - fromEntities:
    - remote-node

Describe the feature you'd like
It should be possible to allow/block only specific nodes by their labels in CNPs.

apiVersion: v1
kind: Node
metadata:
  labels:
    kubernetes.io/role: worker

(Optional) Describe your proposed solution

There are a few parts of the solution:

1. NodeManager currently doesn't have a way to allocate ID so we would need to extend the IPCache interface with a known method AllocateIdentity() which allocated IDs based on labels and this would be then pushed to ipcache. The current remote-node identity is hardcoded here and then inserted into ipcache so we could replace this with proper ID. The problem related to this is that ipToIdentityCache is a map of IPs and their identities so single IP can basically be present only once. It's a question how the upgrade path would look like and the case when users would want to have both options available. This
   brings us to 2nd point.

2. For the upgrade path we would imo need a new flag - something like --enable-per-node-identity which would supersede the "old" remote-node entity, but I haven't thought this through properly how old and new way could work together (meaning both options supported at the same time).

3. CNP would need a new section to allow only specific labels unrelated to endpoints. The question is if it should be somehow related to user-defined-entities or this as these should also be referenced by labels even though they have nothing to do with Node objects. A easy solution would be to add something like fromNodes with the same LabelSelector as EndpointSelector uses.

  endpointSelector:
    matchLabels:
      k8s-app: backend
  ingress:
  - fromNodes:
    - matchLabels:
        kubernetes.io/role: worker

[pchaigno]

2. For the upgrade path we would imo need a new flag - something like --enable-per-node-identity which would supersede the "old" remote-node entity

We would also need to support an upgrade path without packet loss. So nodes running with the new mode would have to understand encapsulated packets coming in with a remote-node identity.

1. The current remote-node identity is hardcoded here and then inserted into ipcache so we could replace this with proper ID.

What would the node IDs look like in the datapath? Would you use a subset of bits to indicate node IDs? Which bits would you use?

[joestringer]

I had briefly wondered about this, broadly I see two approaches:

1. Allocate global identities for nodes like how pod identities are allocated. Then all nodes learn about these identities.
2. Allocate local identities on each node for each other node's labels. Do not transmit these on the wire.

I'm not sure I have a strong opinion on either approach yet. Broadly, (2) is less likely to interfere with other agents or require certain behaviour from existing agents in the cluster. (1) can have some nice properties about being closer to the way that pod identities work. We could for instance have nodes allocate an identity for their own node on startup after syncing with k8s.

One of the eventual complexities is that in the datapath, we need to make some decisions about how to handle packets towards remote nodes, and today we do this using identities. If nodes all have different identities, then this function may become more complex:

cilium/bpf/lib/identity.h

Line 14 in 69e4c69

static __always_inline bool identity_is_remote_node(__u32 identity)

This could be done with some pre-defined bit patterns, or by adjusting this function to use a map to determine which identities represent nodes.

2. For the upgrade path we would imo need a new flag - something like --enable-per-node-identity which would supersede the "old" remote-node entity

We would also need to support an upgrade path without packet loss. So nodes running with the new mode would have to understand encapsulated packets coming in with a remote-node identity.

Be aware that at the same time, during upgrade there are nodes with both new and old versions. So when the node with the new version transmits a packet with its own identity to an old node, the old node needs to understand how to handle the traffic from the new node.

3. CNP would need a new section to allow only specific labels unrelated to endpoints. The question is if it should be somehow related to Add support for user-defined entities #3553 or Add centralized CIDRSet objects to be referenced by Cilium network policies #10349 as these should also be referenced by labels even though they have nothing to do with Node objects. A easy solution would be to add something like fromNodes with the same LabelSelector as EndpointSelector uses.

CiliumClusterwideNetworkPolicy already has a NodeSelector kinda like this, we could reuse this.

One more question for your use cases - are you interested in this for "which nodes can my pod access" or "which nodes can my nodes access"? The former would be configured in CNP, while the latter would be CCNP.

[pchaigno]

Allocate local identities on each node for each other node's labels. Do not transmit these on the wire.

Today, we sometimes need to transmit the remote-node identity on the wire when running tunneling mode and doing a request from hostns@node1 to pod@node2. It may not be too hard to fix by keeping REMOTE_NODE_ID there and teaching the receiving side to lookup the inner source IP in its ipcache when seeing REMOTE_NODE_ID.

[oblazek]

Thanks a lot for the insights.. our usecase is mostly "which nodes can my pod access" (i.e. the CNP), but sure.. we would be super happy with CCNP as well.

[oblazek]

It may not be too hard to fix by keeping REMOTE_NODE_ID there and teaching the receiving side to lookup the inner source IP in its ipcache when seeing REMOTE_NODE_ID.

i.e. pretty much this.. dfa42c7

[oblazek]

Hi guys, if possible please assign to me :) I will shortly send a PR (currently working on e2e tests).