Skip to content

k8s: Fix parsing of CCNPs#12851

Merged
aanm merged 1 commit intomasterfrom
pr/pchaigno/fix-ccnp-parsing
Aug 13, 2020
Merged

k8s: Fix parsing of CCNPs#12851
aanm merged 1 commit intomasterfrom
pr/pchaigno/fix-ccnp-parsing

Conversation

@pchaigno
Copy link
Copy Markdown
Member

@pchaigno pchaigno commented Aug 12, 2020

Host policies are rejected on master with the following error:

$ kubectl describe ccnp | tail -n9
Status:
  Nodes:
    k8s1:
      Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated:  2020-08-10T12:52:51Z
    k8s2:
      Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
      Last Updated:  2020-08-10T12:52:48Z
Events:              <none>

This error is printed because CiliumNetworkPolicy.Parse() has some new checks to prevent using NodeSelector in CNPs. It assumes CiliumClusterwideNetworkPolicy.Parse() will be called in the case of CCNPs with NodeSelectors. However, the k8s watcher for CCNPs calls addCiliumNetworkPolicyV2 which takes a types.SlimCNP and therefore calls CiliumNetworkPolicy.Parse().

This commit implements a temporary fix for this regression by manually construction a CCNP object from CiliumNetworkPolicy.Parse() when the namespace is empty (CNP is actually a CCNP) and parsing that instead of the CNP object. It also adds a new unit test to check this behavior.

Fixes: #12834
Fixes: #11607

@christarazi Should we leave #12834 open until this is properly fixed, or is it okay to close it with this PR?

@pchaigno pchaigno added area/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. labels Aug 12, 2020
@pchaigno pchaigno requested a review from christarazi August 12, 2020 09:52
aanm
aanm approved these changes Aug 12, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@aanm aanm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except a small nit.

Comment thread pkg/k8s/apis/cilium.io/v2/cnp_types.go Outdated
@coveralls
Copy link
Copy Markdown

coveralls commented Aug 12, 2020
edited
Loading

Coverage Status

Coverage increased (+0.02%) to 37.12% when pulling 1de9523 on pr/pchaigno/fix-ccnp-parsing into df0235f on master.

@pchaigno
k8s: Fix parsing of CCNPs
1de9523 
Host policies are rejected on master with the following error:

    $ kubectl describe ccnp | tail -n9
    Status:
      Nodes:
        k8s1:
          Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
          Last Updated:  2020-08-10T12:52:51Z
        k8s2:
          Error:         Invalid CiliumNetworkPolicy spec: rule cannot have NodeSelector
          Last Updated:  2020-08-10T12:52:48Z
    Events:              <none>

This error is printed because CiliumNetworkPolicy.Parse() has some new
checks to prevent using NodeSelector in CNPs. It assumes
CiliumClusterwideNetworkPolicy.Parse() will be called in the case of CCNPs
with NodeSelectors. However, the k8s watcher for CCNPs calls
addCiliumNetworkPolicyV2 which takes a types.SlimCNP and therefore calls
CiliumNetworkPolicy.Parse().

This commit implements a temporary fix for this regression by manually
construction a CCNP object from CiliumNetworkPolicy.Parse() when the
namespace is empty (CNP is actually a CCNP) and parsing that instead of
the CNP object. It also adds a new unit test to check this behavior.

Related: #12834
Fixes: eafeb8f ("k8s: Disallow nodeSelector for CNP at agent level")
Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno force-pushed the pr/pchaigno/fix-ccnp-parsing branch from 9a63a88 to 1de9523 Compare August 12, 2020 10:55
@pchaigno pchaigno marked this pull request as ready for review August 12, 2020 10:56
@pchaigno pchaigno requested a review from a team as a code owner August 12, 2020 10:56
@pchaigno
Copy link
Copy Markdown
Member Author

pchaigno commented Aug 12, 2020

test-me-please

christarazi
christarazi approved these changes Aug 12, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@christarazi christarazi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for fixing this.

To answer your question about closing out the issue, I think yes we should close it because this fixes it. You asked about a "proper" fix--I spoke with @aanm offline about an approach that would allow us to "properly" fix this, however, it would require changes to the code that may not be worth the effort. In summary, we would need to split out the CNP and CCNP types from each other, which requires creating a new type for Rule (let's call it ClusterRule). ClusterRule would be what CCNP accepts as it contains a NodeSelector, while Rule would only contain an EndpointSelector. Unfortunately, the code is too heavily dependent on the Rule type.

I think we could revisit implementing a proper fix for #12834 if another need arises. Does that sound alright?

@pchaigno
Copy link
Copy Markdown
Member Author

pchaigno commented Aug 13, 2020

I think this is okay to merge. It has received two reviews from frequent contributors to this code and all required builds are passing.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 13, 2020
@aanm aanm merged commit f1e9495 into master Aug 13, 2020
@aanm aanm deleted the pr/pchaigno/fix-ccnp-parsing branch August 13, 2020 12:14
@joestringer joestringer mentioned this pull request Oct 12, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christarazi christarazi christarazi approved these changes

@aanm aanm aanm approved these changes

Assignees

No one assigned

Labels

area/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Host CCNP policies rejected on master

4 participants

@pchaigno @coveralls @christarazi @aanm