loadbalancer: enforce loadBalancerSourceRanges on ExternalIPs frontends #44747

Merged
joamaki merged 1 commit into cilium:main from syedazeez337:pr/fix-lb-source-ranges-external-ips
Mar 16, 2026

@syedazeez337
Contributor

ExternalIPs frontends of a LoadBalancer service were not subject to
loadBalancerSourceRanges filtering. Traffic from outside the allowed
source ranges could bypass the check via the ExternalIP address, while
the LoadBalancerIP frontend correctly enforced it.

Fix GetSourceRangesEnabled to return true for SVCTypeExternalIPs
in addition to SVCTypeLoadBalancer.

Fixes: #44718

Fix `loadBalancerSourceRanges` not being enforced on ExternalIPs frontends of LoadBalancer services.
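
A simplified model of the behaviour described above, added here as an illustration and not taken from this PR or from Cilium's code base. The helper names `sourceRangesEnabled` and `allowed`, the `fixed` switch, the use of `SVCTypeNodePort` as an unfiltered type, and the reading of `lbSourceRangeAllTypes` as "filter every frontend type" are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Simplified model, not Cilium's code. Only the two type names from the PR
// text plus NodePort (assumed here to be unfiltered by default) are modelled.
type SVCType string

const (
	SVCTypeLoadBalancer SVCType = "LoadBalancer"
	SVCTypeExternalIPs  SVCType = "ExternalIPs"
	SVCTypeNodePort     SVCType = "NodePort"
)

// sourceRangesEnabled models GetSourceRangesEnabled before (fixed=false) and
// after (fixed=true) the change; allTypes models lbSourceRangeAllTypes (assumed).
func sourceRangesEnabled(t SVCType, allTypes, fixed bool) bool {
	if allTypes || t == SVCTypeLoadBalancer {
		return true
	}
	return fixed && t == SVCTypeExternalIPs
}

// allowed reports whether traffic from src reaches a frontend of type t
// when the service carries the given loadBalancerSourceRanges CIDRs.
func allowed(t SVCType, src string, cidrs []string, allTypes, fixed bool) bool {
	if len(cidrs) == 0 || !sourceRangesEnabled(t, allTypes, fixed) {
		return true // no source-range filtering applies to this frontend
	}
	addr := netip.MustParseAddr(src)
	for _, c := range cidrs {
		if netip.MustParsePrefix(c).Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	cidrs := []string{"10.0.0.0/8"} // constructed sample range
	for _, fixed := range []bool{false, true} {
		for _, t := range []SVCType{SVCTypeLoadBalancer, SVCTypeExternalIPs} {
			fmt.Printf("fixed=%v %s allowed=%v\n", fixed, t, allowed(t, "203.0.113.7", cidrs, false, fixed))
		}
	}
}
```
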

@syedazeez337 syedazeez337 requested a review from a team as a code owner March 12, 2026 09:37
@syedazeez337 syedazeez337 requested a review from joamaki March 12, 2026 09:37
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 12, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Mar 12, 2026
@joamaki
Contributor

joamaki commented Mar 12, 2026

Hey, looks reasonable! Could you also look into adding a script test for this so we have a high-level integration test for ExternalIPs that would cover this? https://github.com/cilium/cilium/blob/main/pkg/loadbalancer/tests/testdata/source-ranges-all.txtar or https://github.com/cilium/cilium/blob/main/pkg/loadbalancer/tests/testdata/loadbalancer.txtar might be close as a starting point. Maybe call it external-ips.txtar? I would remove the bpf_reconciler_test.go change in favour of this.

Useful references:
https://github.com/cilium/cilium/blob/main/pkg/loadbalancer/README.md#testing
https://docs.cilium.io/en/stable/contributing/development/hive/#testing-with-hive-script
https://docs.cilium.io/en/stable/contributing/development/statedb/#script-commands

ExternalIPs frontends of a LoadBalancer service were not subject to
loadBalancerSourceRanges filtering, allowing traffic from outside the
allowed source ranges to bypass the check via the ExternalIP address.
Only the LoadBalancerIP frontend was enforcing the restriction.

Fix GetSourceRangesEnabled to also return true for SVCTypeExternalIPs,
and extend the test coverage to include ExternalIPs with and without
source ranges, and with lbSourceRangeAllTypes enabled.

Fixes: cilium#44718
Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
@syedazeez337 syedazeez337 force-pushed the pr/fix-lb-source-ranges-external-ips branch from cfd8161 to 5ba2a2e Compare March 12, 2026 10:04
@joamaki joamaki added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Mar 13, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 13, 2026
@joamaki
Contributor

joamaki commented Mar 13, 2026

/test

@syedazeez337
Contributor Author

Hi @joamaki, thank you for approving the PR. The failed check appears to be flaky, let me know if anything comes up related to my changes.

@joamaki joamaki enabled auto-merge March 16, 2026 09:32
@joamaki
Contributor

joamaki commented Mar 16, 2026

> Hi @joamaki, thank you for approving the PR. The failed check appears to be flaky, let me know if anything comes up related to my changes.

Doesn't seem related to your changes. I'll try re-running the test (https://github.com/cilium/cilium/actions/runs/23046248348/job/67224092249). If this still fails could you please rebase the PR?

@joamaki joamaki added this pull request to the merge queue Mar 16, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 16, 2026
Merged via the queue into cilium:main with commit e5e62c7 Mar 16, 2026
79 checks passed

Successfully merging this pull request may close these issues.

LoadBalancer Source Ranges does not filter External IPs traffic
