
envoy: Sync deny policies for Ingress policy enforcement #39736

Merged
joestringer merged 3 commits into cilium:main from jrajahalme:envoy-deny-policy-fix
Jun 20, 2025

Conversation

@jrajahalme
Member

Now that endpoint policies with east/west Ingress are enforced completely in Envoy we must sync the full deny policy to Envoy, as we cannot rely on the bpf datapath doing it prior to Envoy.

Fixes: #39730

Deny policies are now synced to Envoy so that they can be enforced for Ingress policies.
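As an added illustration of the failure mode this PR describes (a constructed Go model, not Cilium's code): when ingress is enforced only in the proxy and the sync step drops deny rules, a peer that matches an allow-any rule plus a specific deny rule is let through. All type and function names here are assumptions.

```go
package main

import "fmt"

// Constructed model of the bug, not Cilium's code: a Rule matches one peer identity ("*" = any) and allows or denies it.
type Rule struct {
	Peer string
	Deny bool
}

func (r Rule) matches(peer string) bool { return r.Peer == "*" || r.Peer == peer }

// EndpointPolicy holds the ingress rules of one endpoint.
type EndpointPolicy struct{ Ingress []Rule }

// syncToProxy builds the rule set pushed to the proxy; syncDeny=false models
// the pre-fix behaviour, where deny rules never reached Envoy.
func syncToProxy(p EndpointPolicy, syncDeny bool) []Rule {
	var out []Rule
	for _, r := range p.Ingress {
		if !r.Deny || syncDeny {
			out = append(out, r)
		}
	}
	return out
}

// verdict applies deny precedence: a matching deny rule always wins, a
// matching allow rule allows, and an unmatched peer is denied by default.
func verdict(rules []Rule, peer string) bool {
	allowed := false
	for _, r := range rules {
		if r.matches(peer) && r.Deny {
			return false
		}
		allowed = allowed || r.matches(peer)
	}
	return allowed
}

// proxyAllows models ingress enforced entirely in the proxy, with no earlier datapath step dropping denied traffic first.
func proxyAllows(p EndpointPolicy, syncDeny bool, peer string) bool {
	return verdict(syncToProxy(p, syncDeny), peer)
}

func main() {
	p := EndpointPolicy{Ingress: []Rule{{Peer: "*"}, {Peer: "quarantined", Deny: true}}}
	fmt.Println(proxyAllows(p, false, "quarantined")) // true: deny lost before the fix
	fmt.Println(proxyAllows(p, true, "quarantined"))  // false: deny enforced after the fix
}
```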

@jrajahalme jrajahalme requested a review from a team as a code owner May 27, 2025 06:58
@jrajahalme jrajahalme added the kind/bug This is a bug in the Cilium logic. label May 27, 2025
@jrajahalme jrajahalme requested review from a team as code owners May 27, 2025 06:58
@jrajahalme jrajahalme added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels May 27, 2025
@jrajahalme jrajahalme requested review from asauber and doniacld May 27, 2025 06:58
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 27, 2025
@jrajahalme jrajahalme requested a review from sayboras May 27, 2025 06:58
@jrajahalme jrajahalme force-pushed the envoy-deny-policy-fix branch from 3499f8d to 2832d8d May 27, 2025 07:03
@jrajahalme jrajahalme added the release-note/bug This PR fixes an issue in a previous release of Cilium. label May 27, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 27, 2025
@jrajahalme
Member Author

/test

@jrajahalme jrajahalme force-pushed the envoy-deny-policy-fix branch from 2832d8d to d8388fe May 29, 2025 11:09
@jrajahalme
Member Author

rebased to fix conflicts

@jrajahalme
Member Author

/test

@sayboras sayboras self-assigned this May 29, 2025
@jrajahalme
Member Author

/test

@jrajahalme jrajahalme force-pushed the envoy-deny-policy-fix branch from d8388fe to b823c32 June 17, 2025 19:55
@sayboras sayboras changed the title Envoy: Sync deny policies for Ingress policy enforcement envoy: Sync deny policies for Ingress policy enforcement Jun 18, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 18, 2025
@sayboras sayboras enabled auto-merge June 18, 2025 12:16
Avoid callers in other packages having to make nil checks by exporting GetDeny().

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Now that endpoint policies with east/west Ingress are enforced completely
in Envoy we must sync the full deny policy to Envoy, as we can not rely
on the bpf datapath doing it prior to Envoy.

Fixes: cilium#39730

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Add unit test cases with deny policies.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the envoy-deny-policy-fix branch from b823c32 to fee09dc June 18, 2025 14:32
@jrajahalme
Member Author

Rebased to hopefully unstuck the auto-merge, which may have been confused by some skipped but required workflows.

@jrajahalme
Member Author

/test

@sayboras
Member

> Rebased to hopefully unstuck the auto-merge, which may have been confused by some skipped but required workflows.

As per the github ui, auto merge is not enabled due to the below reason. I am guessing Donia is no longer part of sig-policy.

> Waiting on code owner review from cilium/sig-policy.

@jrajahalme jrajahalme requested review from a team and bimmlerd and removed request for a team June 19, 2025 14:08
@sayboras sayboras removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 20, 2025
@sayboras sayboras added this pull request to the merge queue Jun 20, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 20, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 20, 2025
@joestringer joestringer added this pull request to the merge queue Jun 20, 2025
Merged via the queue into cilium:main with commit b2477a1 Jun 20, 2025
72 checks passed
@jrajahalme jrajahalme added release-blocker/1.18 This issue will prevent the release of the next version of Cilium. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Jun 23, 2025
@viktor-kurchenko viktor-kurchenko added the backport/author The backport will be carried out by the author of the PR. label Jun 23, 2025
@jrajahalme jrajahalme added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Jun 24, 2025
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Jul 3, 2025
julianwiedmann added a commit that referenced this pull request Oct 13, 2025
Looking at the failures [0] when running these tests against v1.16, it
seems like we might be missing #39736.

Rather than backporting more & more fixes into old stable releases, roll
back the testing to the old behavior before
#39667 was merged.

Note that the `v1.17.0` is just a guess, we might actually require a more
recent patch version of v1.17.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Oct 14, 2025
aditighag pushed a commit to aditighag/cilium that referenced this pull request Oct 14, 2025
Development

Successfully merging this pull request may close these issues.

egressDeny policy doesn't block ClusterIP service traffic
