Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policy: Do not share same policy for multiple cached selectors #24788

Merged
merged 1 commit into from
Apr 11, 2023
Merged

policy: Do not share same policy for multiple cached selectors #24788

merged 1 commit into from
Apr 11, 2023

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Apr 6, 2023
edited

Do not share the same PerSelectorPolicy object between multiple cached selectors. This makes sure that when rules are merged only the rules for the intended selectors are affected by the merging process.

Fixes: #9486

Fixed bug where L7 rules would be incorrectly merged between rules for the same (remote) endpoint. This bug could have caused L7 rules to be bypassed via a wildcard header rule being improperly appended to the set of HTTP rules when both a policy with HTTP header rules applying to multiple endpoints and an allow-all rule for only one of those endpoints are specified.

@jrajahalme
policy: Do not share same policy for multiple cached selectors
297d899 
Do not share the same PerSelectorPolicy object between multiple cached
selectors. This makes sure that when rules are merged only the rules for
the intended selectors are effected.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Apr 6, 2023
@jrajahalme jrajahalme requested a review from a team as a code owner April 6, 2023 23:43
@jrajahalme jrajahalme requested a review from nebril April 6, 2023 23:43
@jrajahalme jrajahalme added needs-backport/1.11 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.12.9 Apr 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.2 Apr 6, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.16 Apr 6, 2023
@jrajahalme
Copy link
Member Author

/test

@jrajahalme
Copy link
Member Author

/test-1.16-4.19

@pchaigno
Copy link
Member

pchaigno commented Apr 7, 2023

Fixed entanglement of complex L7 rules in policy ingestion.

Is there any user impact or is it more about simplifying the code? Label says it's the former, while the release note seems to say it's the latter.

@jrajahalme
Copy link
Member Author

jrajahalme commented Apr 7, 2023
edited

ci-eks is known to be broken (#24774), so please disregard that :-)

@jrajahalme
Copy link
Member Author

Fixed entanglement of complex L7 rules in policy ingestion.

Is there any user impact or is it more about simplifying the code? Label says it's the former, while the release note seems to say it's the latter.

Yes, there is user impact when using policies of specific form as demonstrated by the added unit test.

@jrajahalme
Copy link
Member Author

@pchaigno Made the release note more explicit.

@jrajahalme jrajahalme requested a review from asauber April 10, 2023 21:24
@jrajahalme jrajahalme added release-blocker/1.11 This issue will prevent the release of the next version of Cilium. release-blocker/1.12 This issue will prevent the release of the next version of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. labels Apr 11, 2023
@jrajahalme
Copy link
Member Author

@liyihuang Marked this as a release blocker.

@pchaigno
Copy link
Member

Fixed entanglement of complex L7 rules in policy ingestion.

Is there any user impact or is it more about simplifying the code? Label says it's the former, while the release note seems to say it's the latter.

Yes, there is user impact when using policies of specific form as demonstrated by the added unit test.

Thanks! It's now clear it's a bugfix but it's still hard to understand what is the impact for users. Does this lead to a policy bypass, to packet drops, to unnecessary proxy redirections, to a failure to apply the policy, etc.?

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 11, 2023
pchaigno
pchaigno previously requested changes Apr 11, 2023
View reviewed changes
Copy link
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Release note needs to be fixed.

@joestringer joestringer merged commit af83b0e into cilium:master Apr 11, 2023
43 checks passed
@gandro gandro mentioned this pull request Apr 12, 2023
Merged
2 tasks
@gandro gandro added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.2 Apr 12, 2023
@gandro
Copy link
Member

gandro commented Apr 12, 2023

@jrajahalme This does not apply cleanly to any stable branches. I was able to fix it on v1.13, but the difference to 1.12 and 1.11 are larger. You will have to do the backport for 1.12 and 1.11 manually.

@gandro gandro added the backport/author The backport will be carried out by the author of the PR. label Apr 12, 2023
@jrajahalme jrajahalme mentioned this pull request Apr 12, 2023
Merged
1 task
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.9 Apr 12, 2023
@jrajahalme jrajahalme mentioned this pull request Apr 12, 2023
Merged
1 task
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.11 in 1.11.16 Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.11 in 1.11.16 Apr 12, 2023
@gandro gandro added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Apr 13, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.9 Apr 13, 2023
@michi-covalent michi-covalent mentioned this pull request Apr 14, 2023
Merged
@michi-covalent michi-covalent added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Apr 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.11 to Backport done to v1.11 in 1.11.16 Apr 14, 2023
@michi-covalent michi-covalent mentioned this pull request Apr 14, 2023
Merged
@gentoo-root gentoo-root added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.2 Apr 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.2 Apr 14, 2023
@gentoo-root gentoo-root mentioned this pull request Apr 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@nebril nebril nebril approved these changes

@asauber asauber asauber approved these changes

@pchaigno pchaigno Awaiting requested review from pchaigno

Assignees
No one assigned
Labels
backport/author The backport will be carried out by the author of the PR. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.11 This issue will prevent the release of the next version of Cilium. release-blocker/1.12 This issue will prevent the release of the next version of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
No open projects
1.11.16
Backport done to v1.11
1.12.9
Backport done to v1.12
1.13.2
Backport done to v1.13
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@jrajahalme @pchaigno @gandro @joestringer @nebril @asauber @gentoo-root @michi-covalent