Change host iptables rule addition from Append to Insert to ensure Istio's rules take precedence#56414
Conversation
…les on the Host (cherry picked from commit fb2e1ef)
|
😊 Welcome @Xscaperrr! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
Hi @Xscaperrr. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
|
Thank you for the PR. Yeah, this is a common thing with iptables where the order of the rules really matters. If a rule matches earlier in the chain, it can stop the traffic from ever reaching the Istio rules. So inserting the rule at the top makes sense in cases like this, especially when we're using a whitelist setup that only affects certain pods. Could you please share some details about the platform where you're seeing this issue? Like the cloud platform, CNI, and anything else that might be relevant. Also, it would be great if you could add/update the unit tests to cover this change. |
|
/retest |
|
/retest-required |
In my scenario, the environment employs a custom-developed CNI plugin based on Open vSwitch. The following iptables rules currently exist in this environment: The health check traffic originating from the host to Istio matches the first POSTROUTING rule, thus bypassing Istio's iptables rules.After my commit, Istio's iptables will be matched first. |
|
@bleggett @howardjohn Does ambient mesh still need to create iptabels on host node? |
I'll let @howardjohn to confirm, but AFAICT we are programming iptable rules on the host network to support health-check probes from kubelet. where the ipset And inside the pod network namespace, we have the following rule to accept traffic with sourceIP of 169.254.7.127 |
Assuming we have inserted the Istio iptable rule at the beginning of the POSTROUTING chain, could you please verify that your CNI will not overwrite the iptables rule later on, such as by pushing/removing the Istio iptable rule? |
In my scenario, the CNI plugin needs to insert its iptables rules just before the KUBE-POSTROUTING chain rule. Therefore, I can modify the CNI logic to always insert its rules directly before the KUBE-POSTROUTING rule instead of appending them at the top. However, if another program inserts a similar rule at the very beginning, it could still potentially interfere with the iptables rules set by Istio. This PR can only partially mitigate such issues, but does not completely resolve them. |
Yes, that’s a challenge when working with iptables. There needs to be some form of coordination among the different components that program iptables rules on the host network. Nftables (WIP) helps mitigate this issue by supporting priorities when creating base chains, allowing us to use higher priorities if needed and create custom table and chain names. |
Co-authored-by: Sridhar Gaddam <sgaddam@redhat.com>
|
Probably we should remove all these intrusion to the host |
|
one worry I have is I think in testing some CNIs will revert changes if we
are before their. Specifically calico
can we test it
…On Thu, May 29, 2025, 9:11 AM Sridhar Gaddam ***@***.***> wrote:
***@***.**** approved this pull request.
—
Reply to this email directly, view it on GitHub
<#56414 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXNB5P7AGHT5ZJZNEE33A4WRLAVCNFSM6AAAAAB5625JVKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDQNZYHA2DGMJXGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Not stale |
@howardjohn I verified the behavior with Calico CNI by deploying a KIND cluster and I can see that Calico is appending its rule (cali-POSTROUTING) at the end of the POSTROUTING by default. So, even if Istio Inserts (instead of append), it should be okay i guess for Calico. |
|
@howardjohn @keithmattix, we need this fix even for OVN-Kubernetes CNI, which is used in OpenShift deployments. In an Ambient deployment, we observed that pod health checks were failing because OVN-K iptables rules were incorrectly being applied to the health-check traffic instead of the Istio SNAT rule (as its appended at the end of POSTROUTING chain). FYI, the iptable rules from the host network were as follows in an OVN-K/OpenShift Cluster. I discussed with the OVN-K team whether Istio's iptables rules, if inserted at the beginning of the POSTROUTING chain, would subsequently be pushed to the end of the chain by OVN-K. They confirmed that OVN-K only appends its rules and does not use insert operation. |
keithmattix
left a comment
There was a problem hiding this comment.
LGTM, but I'm not enough of an expert in this area of the code yet to feel comfortable approving
Thanks @keithmattix for the review. Just to add some context. By using This is a common challenge with iptables, where rule order determines precedence. Nftables, on the other hand, supports setting priorities on base chains, which makes rule ordering easier to manage. For now, with iptables, inserting is the best option IMO. |
Co-authored-by: Keith Mattix II <keithmattix2@gmail.com>
|
@howardjohn can you PTAL, thanks. |
I looked into the behavior of the Calico CNI and captured my observations above. I also discussed with the OVN-K team, who confirmed that OVN-K appends its rules and does not use insert operation. Even in the worst case where a CNI does revert our rule if it appears before theirs, we'd end up in the same state we’re in today (i.e., our rule being at the end of the chain). So this change wouldn't introduce any new issues compared to the current behavior. @istio/wg-networking-maintainers can you PTAL, thank you. |
|
/cherry-pick release-1.27 |
|
@keithmattix: once the present PR merges, I will cherry-pick it on top of DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test integ-ambient-dual |
|
/test unit-tests-arm64 |
|
/retest |
|
/test unit-tests |
|
It appears like the following testcase is |
|
Yeah it's a data race caused by a bug. I've opened #56926 to fix it |
|
/test unit-tests |
|
/retest |
|
@keithmattix: new pull request created: #56984 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
* upstream/master: (21 commits) feat: skip queue for status updates on gw (istio#56962) Automator: update proxy@master in istio/istio@master (istio#56993) Automator: update proxy@master in istio/istio@master (istio#56990) Change host iptables rule addition from Append to Insert to ensure Istio's rules take precedence (istio#56414) support specifying proxy admin port for describe (istio#56854) support reset log level or stack trace level separately for admin log (istio#56642) improve example format for istioctl x describe (istio#56951) Automator: update ztunnel@master in istio/istio@master (istio#56971) Remove flaky test (istio#56919) fix: fixes test which fails for distroless (istio#56965) Automator: update proxy@master in istio/istio@master (istio#56969) Ambient Multicluster SplitHorizon WDS Implementation (istio#56844) Fix log message in cni install.go file (istio#56966) add env vars for ip auto allocate ipv4/v6 cidr prefixes (istio#56276) Update BASE_VERSION to master-2025-07-10T19-01-16 (istio#56967) Add AllowCRDsMismatch parameter to gateway conformance options. (istio#56945) Revert "feat: represent revision tags using services (istio#56851)" (istio#56941) Automator: update proxy@master in istio/istio@master (istio#56954) Automator: update istio/client-go@master dependency in istio/istio@master (istio#56911) Automator: update common-files@master in istio/istio@master (istio#56952) ...
Please provide a description of this PR:
This PR modifies the existing host iptables rule addition logic from using the Append method to the Insert method. By inserting Istio's rules at the front of the iptables chain, we ensure these rules have higher matching priority compared to existing iptables rules.
Previously, appending rules caused issues in scenarios where existing iptables rules matched and handled targeted traffic before it reached Istio's rules. Consequently, the rules configured by Istio became ineffective.
We use a whitelist with iptables on the host, which only affects pods within the istio ipset. Therefore, matching it first will not cause any issues.