L4 protocol policy needs to have always port

[eloycoto]

Hi,

I figured this week that if you have a policy that only allows TCP, it didn't work. You need to specify always the port too.

Example pod manifest:

https://raw.githubusercontent.com/cilium/cilium/master/examples/minikube/demo.yaml

Example policy:

{
  "apiVersion": "cilium.io/v2",
  "kind": "CiliumNetworkPolicy",
  "metadata": {
    "name": "Protocolonly",
    "test": ""
  },
  "specs": [
    {
      "EndpointSelector": {
        "matchlabels": {
          "id": "app1"
        }
      },
      "Ingress": [
        {
          "FromEndpoints": [
            {}
          ],
          "ToPorts": [
            {
              "Ports": [
                {
                  "protocol": "TCP"
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

CNP Describe:

root@k8s1:/home/vagrant# kubectl describe cnp protocolonly 
Name:           protocolonly 
Namespace:      default      
Labels:         <none>       
Annotations:    kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"cilium.io/v2","kind":"CiliumNetworkPolicy","metadata":{"annotations":{},"name":"protocolonly","namespace":"default","test":""},"specs":[...
API Version:    cilium.io/v2 
Kind:           CiliumNetworkPolicy                        
Metadata:                    
  Cluster Name:              
  Creation Timestamp:   2017-12-08T12:05:08Z               
  Generation:           0    
  Resource Version:     3383 
  Self Link:            /apis/cilium.io/v2/namespaces/default/ciliumnetworkpolicies/protocolonly                       
  UID:                  08a75379-dc10-11e7-b129-080027900c72                                                           
Specs:                       
  Endpoint Selector:         
    Match Labels:            
      Any : Id: app1         
  Ingress:                   
    From Endpoints:          
    To Ports:                
      Ports:                 
        Port:                
        Protocol:       TCP  
Status:                      
  Nodes:                     
    K 8 S 1:                 
      Error:            Invalid CiliumNetworkPolicy specs: Port must be specified                                      
      Last Updated:     2017-12-08T12:05:08.092627427Z     
Events:                 <none>                             

[manalibhutiyani]

Assigning to Joe, Please reassign if needed.

[joestringer]

@eloycoto is this a feature request or a suggestion that we should perform better validation of the policy input? The latter should be addressed by #2304.

[eloycoto]

@joestringer feature request I guess

[joestringer]

I see. I'm not sure that I see strong value in allowing all ports for a particular protocol; why not just define an L3 policy to allow all traffic?

[eloycoto]

For example for all VoIP/WebRTC signalling, where all the media ports are random and you need to specify a range of ports or all the protocol (use to be UDP)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[stale]

This issue has not seen any activity since it was marked stale. Closing.