policy: Enable ingress CIDR-dependent L3 policy (FromCIDR + ToPorts)#12482
Merged
joestringer merged 6 commits intocilium:masterfrom Jul 15, 2020
Merged
Conversation
Member
Author
|
test-me-please |
joestringer
requested changes
Jul 9, 2020
Member
joestringer
left a comment
There was a problem hiding this comment.
Nice work, just few minor nits.
christarazi
commented
Jul 9, 2020
26d0956 to
84b7a97
Compare
Member
Author
|
test-me-please |
Member
Author
|
CI failures look legit; seems like these tests can be flakey. Looking into making them more deterministic. |
84b7a97 to
2b51192
Compare
Member
Author
|
Reworked some of the tests a bit to make them more deterministic. The main changes from the original code are:
|
a4bccbb to
af4e675
Compare
Member
Author
|
test-me-please |
pchaigno
reviewed
Jul 10, 2020
Member
pchaigno
left a comment
There was a problem hiding this comment.
A few nits and questions below. LGTM overall!
It looks like implementing the same test for the host firewall is going to be fairly easy now 🎉 Thanks!
Member
|
Marking this for backport because I think we will need it at least in 1.8, at least for the host firewall. |
af4e675 to
6a1f685
Compare
Member
Author
|
test-me-please |
6a1f685 to
174fa10
Compare
38951c0 to
7094430
Compare
joestringer
reviewed
Jul 14, 2020
This allows policies such as FromCIDR + ToPorts on ingress. Signed-off-by: Chris Tarazi <chris@isovalent.com>
This is useful for monitoring specific endpoints. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
This helper is useful for situations where you'd want to preserve the
previous Cilium configuration when redeploying. This helper abstracts
away the need to manually create a copy of the new merged configuration
before calling RedeployCilium.
Example usage:
```
daemonCfg := map[string]string{ ... }
(...)
RedeployCiliumWithMerge(..., daemonCfg, map[string]string{
"flag-previously-set-in-daemonCfg": "1",
"new-flag-also": "abc",
})
```
Signed-off-by: Chris Tarazi <chris@isovalent.com>
This test validates that the new ingress FromCIDR+ToPorts policy (CIDR-dependent L4) allows ingress traffic from an allowed IP address range, to specific ports. The setup of this test requires a third node (k8s3) which doesn't have Cilium installed on it by making use of the NO_CILIUM_ON_NODE environment variable of the test suite. The test validates the policy by checking that ingress traffic is: 1) Allowed before any policies 2) Disallowed by applying a default deny ingress policy 3) Allowed again after applying "cnp-ingress-from-cidr-to-ports" Signed-off-by: Chris Tarazi <chris@isovalent.com>
7094430 to
45ed873
Compare
Member
|
test-me-please |
joestringer
approved these changes
Jul 15, 2020
Member
|
I've been providing the feedback for @cilium/api and Paul (as well as me to a secondary degree) have been reviewing on behalf of @cilium/ci so all codeowners should be covered. Tests are passing, reviews are in. Merging. |
7 tasks
christarazi
added a commit
to christarazi/cilium
that referenced
this pull request
Jul 20, 2020
This comes as a follow up to cilium#12482. Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi
added a commit
that referenced
this pull request
Jul 20, 2020
This comes as a follow up to #12482. Signed-off-by: Chris Tarazi <chris@isovalent.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See commit msgs.
Updates: #4129
Note to backporters: If there are conflicts with the tests, then test coverage commits do not need to be backported; only enabling the policy.