Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an output-chain, needed for proxy-mode=ipvs #47

Closed
wants to merge 2 commits into from

Conversation

uablrek
Copy link
Contributor

@uablrek uablrek commented Jul 1, 2024

If the receiving pod is local, then ipvs sends packet via the output hook (not forward). So both are needed

Fixes #46

Example:

# nft list table inet kube-network-policies
table inet kube-network-policies {
        comment "rules for kubernetes NetworkPolicy"
        set podips-v4 {
                type ipv4_addr
                comment "Local V4 Pod IPs with Network Policies"
                elements = { 11.0.2.2, 11.0.2.3,
                             11.0.2.4 }
        }

        set podips-v6 {
                type ipv6_addr
                comment "Local V6 Pod IPs with Network Policies"
                elements = { 1100::202,
                             1100::203,
                             1100::204 }
        }

        chain forward {
                type filter hook forward priority filter - 5; policy accept;
                ct state established,related accept
                ip saddr @podips-v4 queue to 100 comment "process IPv4 traffic with network policy enforcement"
                ip daddr @podips-v4 queue to 100 comment "process IPv4 traffic with network policy enforcement"
                ip6 saddr @podips-v6 queue to 100 comment "process IPv6 traffic with network policy enforcement"
                ip6 daddr @podips-v6 queue to 100 comment "process IPv6 traffic with network policy enforcement"
        }

        chain output {
                type filter hook output priority filter - 5; policy accept;
                ct state established,related accept
                ip saddr @podips-v4 queue to 100 comment "process IPv4 traffic with network policy enforcement"
                ip daddr @podips-v4 queue to 100 comment "process IPv4 traffic with network policy enforcement"
                ip6 saddr @podips-v6 queue to 100 comment "process IPv6 traffic with network policy enforcement"
                ip6 daddr @podips-v6 queue to 100 comment "process IPv6 traffic with network policy enforcement"
        }
}

The "chain output" is added by this PR.

Please see issue #46 for more info

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 1, 2024
@uablrek
Copy link
Contributor Author

uablrek commented Jul 1, 2024

/cc @aojea @danwinship

@k8s-ci-robot k8s-ci-robot requested a review from aojea July 1, 2024 12:38
@aojea
Copy link
Contributor

aojea commented Jul 1, 2024

/approve

I think this is ok, but let's wait if Dan have time for review

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, uablrek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2024
@uablrek
Copy link
Contributor Author

uablrek commented Jul 1, 2024

@aojea What does "npa" mean? Is it a flake? It seem to be sctp related. I didn't exclude sctp when I ran e2e, so the ~5 sctp e2e test-cases works for me

@danwinship
Copy link

"NPA" seems to mean "AdminNetworkPolicy"
Only the IPv6 run failed... let's see if it fails if we run it again

@danwinship
Copy link

/lgtm
other than the test failure; I believe Antonio and I had debated forward-only vs forward-and-output earlier...

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2024
@aojea
Copy link
Contributor

aojea commented Jul 1, 2024

@uablrek
Copy link
Contributor Author

uablrek commented Jul 1, 2024

Yeah, and failed 3 times with this PR. There is a link in the log to https://github.com/kubernetes-sigs/network-policy-api.
Perhaps @astoycos has any lead?

@aojea
Copy link
Contributor

aojea commented Jul 1, 2024

it has to be this PR then

@aojea
Copy link
Contributor

aojea commented Jul 1, 2024

2024-07-01T12:51:17.425650028Z stderr F I0701 12:51:17.425622 1 controller.go:390] Processing sync for packet 1783
2024-07-01T12:51:17.425660467Z stderr F I0701 12:51:17.425629 1 controller.go:394] Can not process packet 1783 applying default policy (failOpen: false): unknown protocol 58

it seems is blocking icmpv6 because does not recognize it

It seems that is better to just log and let the packet pass through rather than applying the default policy, if is not a protocol that is supported by the network policy APIs blocking them can cause issues, @uablrek can you append a commit to comment this and set the verdict to accept if parsePacket fails?

packet, err := parsePacket(*a.Payload)
if err != nil {
klog.Infof("Can not process packet %d applying default policy (failOpen: %v): %v", *a.PacketID, c.config.FailOpen, err)
c.nfq.SetVerdict(*a.PacketID, verdict) //nolint:errcheck
return 0

@aojea
Copy link
Contributor

aojea commented Jul 1, 2024

hmm @BenTheElder points there are new changes on docker , another possible reason https://docs.docker.com/engine/release-notes/27.0/#ipv6

@BenTheElder
Copy link
Member

We just picked up docker v27.x in CI recently, see the thread here kubernetes-sigs/kind#3677 and kubernetes/test-infra#32863 (comment)

Docker v27 has some behavior changes for ipv6.

@uablrek
Copy link
Contributor Author

uablrek commented Jul 2, 2024

@uablrek can you append a commit to comment this and set the verdict to accept if parsePacket fails?

Sure

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 2, 2024
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@uablrek
Copy link
Contributor Author

uablrek commented Jul 2, 2024

It may be better to extend parsePacket(). I have intended to do that (#15), but haven't got around to do it yet

@aojea
Copy link
Contributor

aojea commented Jul 2, 2024

ok, progressing, different error now??

    helper.go:123: StatefulSet replicas in namespace network-policy-conformance-forbidden-forrest not rolled out yet. 1/2 replicas are available.
    helper.go:120: Error retrieving StatefulSet harry-potter from namespace network-policy-conformance-gryffindor: client rate limiter Wait returned an error: context deadline exceeded
    helper.go:123: StatefulSet replicas in namespace network-policy-conformance-gryffindor not rolled out yet. 0/2 replicas are available.
    suite.go:143: 

@uablrek
Copy link
Contributor Author

uablrek commented Jul 2, 2024

This time the error seem unreated to the PR. How can allowing icmp make a StatefulSet fail to start??

@aojea aojea mentioned this pull request Jul 2, 2024
@aojea
Copy link
Contributor

aojea commented Jul 2, 2024

This time the error seem unreated to the PR. How can allowing icmp make a StatefulSet fail to start??

the failure has to be related to the output rule we just added, it does not fail in #49

@k8s-ci-robot k8s-ci-robot removed the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 2, 2024
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 2, 2024
@aojea
Copy link
Contributor

aojea commented Jul 17, 2024

@uablrek please leave only first and last commit,

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 17, 2024
@uablrek
Copy link
Contributor Author

uablrek commented Jul 17, 2024

@uablrek please leave only first and last commit

@aojea Done. But tests fail. I can't see why.

Local test works.

export FOCUS="\[sig-network\].*\[Feature:NetworkPolicy\].*"

@aojea
Copy link
Contributor

aojea commented Jul 17, 2024

interesting, anyway, this is the part we need to debug and troubleshoot

@aojea
Copy link
Contributor

aojea commented Jul 18, 2024

Once we get this sorted out I cut a new release so we can get this into kindnet

@aojea
Copy link
Contributor

aojea commented Jul 18, 2024

@uablrek can you rebase?

@aojea
Copy link
Contributor

aojea commented Jul 18, 2024

I see, so the problem most likely was that blocking unknown protocols we were blocking icmp, that in IPv6 is needed for discovery ... that may be the reason why adding lo to the rules made the test pass

uablrek added 2 commits July 19, 2024 05:33
If the receiving pod is local, then ipvs sends packet
via the output hook (not forward). So both are needed
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 20, 2024
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@uablrek
Copy link
Contributor Author

uablrek commented Jul 20, 2024

@aojea This can be closed, right?

@uablrek uablrek closed this Jul 20, 2024
@aojea
Copy link
Contributor

aojea commented Jul 20, 2024

yes

@aojea
Copy link
Contributor

aojea commented Jul 20, 2024

we also have coverage now in CI for IPVS to avoid regressions

@uablrek uablrek deleted the output-chain branch July 20, 2024 11:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Doesn't work with proxy-mode=ipvs
5 participants