Datapath portion of egress label-based policy enforcement #2954
Merged
tgraf merged 5 commits into cilium:master on Mar 9, 2018
Conversation
Member:
@joestringer is there a duplicate commit from #2992? It seems some of the code is similar
Author:
@aanm yes, one commit is the same. This work requires the l4-only bug to be fixed or current l4 egress policy breaks.
Introduce a new map, `cilium_remote_lxc`, which maps from an IP (v4/v6) address to an identity for a remote node. Then, extend the policy_key to include directionality. With these two bits in place, we can reuse the existing POLICY_MAP to enforce egress label-based policies, including egress label-based policy and L3-dependent L4 policy. Signed-off-by: Joe Stringer <joe@covalent.io>
This test was previously erroneously checking whether app3 could communicate with http3, which should not be allowed based on the policy. Update this to disallow. Signed-off-by: Joe Stringer <joe@covalent.io>
Signed-off-by: Joe Stringer <joe@covalent.io>
Existing test cases and so on are all geared around there only being L4 policy enforcement on egress, and the label-based egress work is not quite ready yet. Since the L4 policies are not being pushed into the `POLICY_MAP` yet, always apply L4 policy from the egress path. This should be removed when label-based egress policy is properly plumbed down through userspace. Signed-off-by: Joe Stringer <joe@covalent.io>
Signed-off-by: Joe Stringer <joe@covalent.io>
Author:
test-me-please
aanm approved these changes on Mar 8, 2018
tgraf approved these changes on Mar 9, 2018
    .size_key = sizeof(struct endpoint_key),
    .size_value = sizeof(struct remote_endpoint_info),
    .pinning = PIN_GLOBAL_NS,
    .max_elem = ENDPOINTS_MAP_SIZE, /* XXX: Consider resizing? */
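Review bot: the `/* XXX: Consider resizing? */` on `.max_elem = ENDPOINTS_MAP_SIZE` leaves the sizing question in the source with nothing pointing at where it is tracked. Since this map is keyed by remote endpoints rather than local ones, tying it to the same limit as the local endpoint map is a coupling worth making explicit: give the map its own size constant, or at least replace the XXX with a comment naming the tracking issue, so the next person to hit the limit knows the value was inherited and not chosen.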
Contributor:
I think it's fine but bumping it to 250K doesn't hurt either. The map is still quite small. Please create a GH to track adjusting this on demand. Given regenerations, we could easily resize the map.
Author:
Created #3075. Main reason I put this comment was that it's now referring to remote containers so binding it to the same limit as the lxcmap might not be appropriate.
Fixes: #2553
This PR implements egress label-based policies (labels + labels-dependent l4) in the datapath. It's prepared in a way that allows it to be merged independent of the rest of the label-based egress policy work. The last two commits should be fixed up when label-based egress support lands in the tree.
The core change is that one of the pad bits in `struct policy_key` now represents whether the entry represents ingress (0) or egress (1). Because the entire field is currently padding, and is set to 0, this allows the change to be backward-compatible: earlier versions will only set the bit to 0, indicating ingress, and upon upgrade the entries will be treated exactly the same.

In addition to this change, there is a new map, `cilium_remote_lxc`, which maps destination IP addresses to remote identities. This will be populated by subsequent changes in the userspace.

Note that when the `egress` bit is set in the `policy_key` for the `POLICY_MAP`, the `sec_label` represents the destination identity rather than the source identity.
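The direction bit in the policy key and the `cilium_remote_lxc` lookup described in the PR description above (and in the first commit message) as an added userspace C model. This is not Cilium's datapath code: the struct layout and field names, `MAP_SIZE`, the identity `ID_APP2` and the addresses are all assumptions, plain arrays stand in for the BPF maps, and only IPv4 is modelled. It shows why an entry written before the egress bit existed (flags byte 0) still matches as ingress, and why an egress lookup keys on the destination identity resolved from the remote map, denying when no identity is known.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Direction bit carved out of the former padding byte (assumed: bit 0). */
#define POLICY_KEY_INGRESS 0x0
#define POLICY_KEY_EGRESS  0x1
#define MAP_SIZE 16 /* assumed toy capacity, not a Cilium constant */

/* Hypothetical policy key; names and layout are assumptions for this example.
 * It is compared byte-for-byte, and entries written before the egress bit
 * existed have flags == 0, so they keep matching as ingress after upgrade. */
struct policy_key {
    uint32_t sec_label; /* peer identity: source on ingress, destination on egress */
    uint16_t dport;     /* 0 = L3-only entry (any port) */
    uint8_t  protocol;  /* 0 = any protocol */
    uint8_t  flags;     /* bit 0 = egress; every other bit must stay 0 */
};
struct policy_map { struct policy_key keys[MAP_SIZE]; size_t n; };

/* cilium_remote_lxc analogue: destination IPv4 (host byte order) -> identity. */
struct remote_entry { uint32_t ip; uint32_t sec_label; };
struct remote_map { struct remote_entry e[MAP_SIZE]; size_t n; };

static struct policy_key make_key(uint32_t label, uint16_t dport,
                                  uint8_t proto, uint8_t flags)
{
    /* 4+2+1+1 bytes with no padding, so every byte the lookup compares is set */
    struct policy_key k = { label, dport, proto, flags };
    return k;
}

/* Exact-match lookup on the raw key bytes, as a BPF hash map would do. */
static bool policy_lookup(const struct policy_map *m, const struct policy_key *k)
{
    for (size_t i = 0; i < m->n; i++)
        if (memcmp(&m->keys[i], k, sizeof(*k)) == 0)
            return true;
    return false;
}

static bool remote_lookup(const struct remote_map *m, uint32_t ip, uint32_t *label)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].ip == ip) {
            *label = m->e[i].sec_label;
            return true;
        }
    return false;
}

/* L3-dependent L4 entry first, then the L3-only entry. The direction bit is
 * part of the key, so an ingress entry never satisfies an egress lookup. */
static bool policy_allows(const struct policy_map *m, uint32_t peer_label,
                          uint8_t proto, uint16_t dport, uint8_t flags)
{
    struct policy_key l4 = make_key(peer_label, dport, proto, flags);
    struct policy_key l3 = make_key(peer_label, 0, 0, flags);
    return policy_lookup(m, &l4) || policy_lookup(m, &l3);
}

/* Egress: resolve the destination identity through the remote map first.
 * A destination with no known identity is denied, not defaulted. On ingress
 * the source identity arrives with the packet, so policy_allows is called
 * directly with POLICY_KEY_INGRESS. */
static bool egress_allowed(const struct policy_map *pm, const struct remote_map *rm,
                           uint32_t dst_ip, uint8_t proto, uint16_t dport)
{
    uint32_t dst_label;
    if (!remote_lookup(rm, dst_ip, &dst_label))
        return false;
    return policy_allows(pm, dst_label, proto, dport, POLICY_KEY_EGRESS);
}

/* Constructed scenario: the identity, addresses and rules are made up. */
#define ID_APP2    1002u
#define IP_APP2    0x0a000a02u /* 10.0.10.2 */
#define IP_UNKNOWN 0x0a000a09u /* 10.0.10.9, no identity known */

/* Returns how many of the four expected decisions came out as intended. */
static int demo(void)
{
    struct remote_map rm = { { { IP_APP2, ID_APP2 } }, 1 };
    struct policy_map pm = { { { 0 } }, 0 };
    int pass = 0;

    pm.keys[pm.n++] = make_key(ID_APP2, 0, 0, 0);                  /* legacy entry: pad byte 0 => ingress */
    pm.keys[pm.n++] = make_key(ID_APP2, 80, 6, POLICY_KEY_EGRESS); /* egress to ID_APP2 on TCP/80 only */

    pass += policy_allows(&pm, ID_APP2, 6, 443, POLICY_KEY_INGRESS); /* legacy L3 ingress entry matches */
    pass += egress_allowed(&pm, &rm, IP_APP2, 6, 80);                /* L3-dependent L4 egress entry */
    pass += !egress_allowed(&pm, &rm, IP_APP2, 6, 443);              /* no L3-only egress entry: denied */
    pass += !egress_allowed(&pm, &rm, IP_UNKNOWN, 6, 80);            /* unknown destination: denied */
    return pass;
}
```

The ingress check in `demo` deliberately asks for TCP/443 while the only ingress entry is L3-only: the L4 key misses and the fallback to the L3 key (with the same zero flags byte an old Cilium would have written) hits, which is the backward-compatibility property the PR description relies on. The egress TCP/443 check then shows that the L3-only ingress entry does not leak into egress decisions, because the flags byte is part of what `memcmp` compares.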