daemon: Fatal on incompatible host firewall options#12495
Merged
The host firewall currently only works if remote node identities are distinct from the host identity (i.e., REMOTE_NODE_ID is supported). It's not clear if this restriction can be removed in the future, especially once #12345 is merged. In particular, #12345 will redirect packets from local endpoints through the host device if the destination security ID is HOST_ID. If the HOST_ID includes remote nodes, then this redirection is likely to result in packet drops.

Signed-off-by: Paul Chaignon <paul@cilium.io>
The host firewall lives only in the host device and the native devices. Therefore, we must ensure that packets to and from local pods are routed through the host device. If not, the host firewall will be bypassed.

Making the host firewall compatible with per-endpoint routes would require substantial changes, which are unlikely to be a good fit for backport. In particular, the host policies would need to be accessed from the bpf_lxc programs. Such changes would impact the size and complexity of bpf_lxc, as well as the loading of maps.

Per-endpoint routes are a recommended setting in some cases (e.g., GKE). In such cases, it would be possible to have a partial host firewall enforcement, with all traffic to and from pods whitelisted. The host firewall would then only enforce policies on packets to and from world on the native devices (likely the first use case for the host firewall).

This commit does not implement this second approach and prefers to forbid per-endpoint routes with the host firewall because a partial enforcement would likely be confusing to users.

Signed-off-by: Paul Chaignon <paul@cilium.io>
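The startup check the two commit messages describe, written out as an added Go example (not Cilium's own code). The struct field names, error values and the `DaemonConfig` type are assumed for illustration; the point is that when the host firewall is enabled, the daemon refuses to start rather than silently enforcing only part of the policy.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

// DaemonConfig holds only the agent options relevant to this check.
// Field names are illustrative for this example, not Cilium's option names.
type DaemonConfig struct {
	EnableHostFirewall       bool // enforce network policy on the host itself
	EnableRemoteNodeIdentity bool // remote nodes get REMOTE_NODE_ID instead of HOST_ID
	EnableEndpointRoutes     bool // per-endpoint routes: pod traffic bypasses the host device
}

// Sentinel errors so callers (and tests) can match on the exact incompatibility.
var (
	ErrHostFirewallNeedsRemoteNodeID = errors.New(
		"host firewall requires remote node identities to be distinct from the host identity")
	ErrHostFirewallWithEndpointRoutes = errors.New(
		"host firewall is incompatible with per-endpoint routes: pod traffic would bypass enforcement")
)

// ValidateHostFirewallOptions returns every incompatibility found, so the operator
// sees the whole list in one restart instead of one option at a time.
// When the host firewall is disabled, the other options are unconstrained.
func ValidateHostFirewallOptions(c DaemonConfig) []error {
	if !c.EnableHostFirewall {
		return nil
	}
	var errs []error
	if !c.EnableRemoteNodeIdentity {
		// Without REMOTE_NODE_ID, remote nodes share HOST_ID and host policies
		// cannot tell them apart from the local host.
		errs = append(errs, ErrHostFirewallNeedsRemoteNodeID)
	}
	if c.EnableEndpointRoutes {
		// With per-endpoint routes, pod traffic is not routed through the host
		// device where the host firewall programs live.
		errs = append(errs, ErrHostFirewallWithEndpointRoutes)
	}
	return errs
}

// FatalOnIncompatibleOptions is the daemon-startup form of the check:
// it aborts the process instead of running with partial enforcement.
func FatalOnIncompatibleOptions(c DaemonConfig) {
	if errs := ValidateHostFirewallOptions(c); len(errs) > 0 {
		msgs := make([]string, 0, len(errs))
		for _, e := range errs {
			msgs = append(msgs, e.Error())
		}
		log.Fatalf("incompatible host firewall options:\n  %s", strings.Join(msgs, "\n  "))
	}
}

func main() {
	// Constructed sample configurations for demonstration.
	cases := []struct {
		name string
		cfg  DaemonConfig
	}{
		{"host firewall off, endpoint routes on", DaemonConfig{EnableEndpointRoutes: true}},
		{"host firewall on, remote node identity on", DaemonConfig{EnableHostFirewall: true, EnableRemoteNodeIdentity: true}},
		{"host firewall on, no remote node identity", DaemonConfig{EnableHostFirewall: true}},
		{"host firewall on, endpoint routes on", DaemonConfig{EnableHostFirewall: true, EnableRemoteNodeIdentity: true, EnableEndpointRoutes: true}},
	}
	for _, tc := range cases {
		errs := ValidateHostFirewallOptions(tc.cfg)
		fmt.Printf("%-45s -> %d incompatibilit(ies)\n", tc.name, len(errs))
		for _, e := range errs {
			fmt.Printf("    %v\n", e)
		}
	}
	// FatalOnIncompatibleOptions(cases[3].cfg) would exit the process here.
}
```

Returning a slice of sentinel errors rather than a single formatted string keeps the check testable and lets the fatal path print all problems at once; a daemon that reports only the first mismatch costs the operator one restart per option.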
Author: test-me-please

brb approved these changes on Jul 13, 2020 and left a comment:
LGTM. I think we have a long term plan to get rid of cilium_host, so supporting host-fw with per-endpoint-routes is worth revisiting.
Author: @brb Thanks for the review! Yep, supporting per-endpoint routes is definitely on the TODO for the host firewall. I just don't think it's something that we'll be able to backport, hence this temporary "solution".
qmonnet approved these changes on Jul 14, 2020
See commits for details.
In particular, the message of the second commit, which disallows per-endpoint routes with the host firewall, discusses an alternative:
Updates: #11799