[BUG] Cilium failed to pass SCS-0219-V1 KaaS networking standard

Open matofeder opened this issue 9 months ago • 5 comments

Cilium CNI, the default CNI in the SCS KaaS reference implementation, cannot pass the SCS compliance check using Sonobuoy with --e2e-focus "NetworkPolicy" to validate SCS-0219-V1.

It failed on:

[sig-network] Netpol NetworkPolicy between server and client should enforce except clause while egress access to server in CIDR block [Feature:NetworkPolicy]
[sig-network] Netpol NetworkPolicy between server and client should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed [Feature:NetworkPolicy]
[sig-network] Netpol NetworkPolicy between server and client should allow egress access to server in CIDR block [Feature:NetworkPolicy]

It appears that Cilium does not support these features, meaning the SCS KaaS compliance check cannot be used when Cilium is the k8s CNI; refer to https://github.com/cilium/cilium/blob/main/.github/workflows/k8s-kind-network-policies-e2e.yaml#L172

matofeder avatar Feb 27 '25 13:02 matofeder
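The three failing cases all exercise the `ipBlock` part of a Kubernetes NetworkPolicy egress rule. The following is an added model of that semantics (not code from this issue, Cilium or the e2e suite): an `ipBlock` matches a destination only when it is inside `cidr` and outside every `except` entry, and policies are additive, so a second rule that allows the address explicitly still permits it. The pod addresses and the mapping of each test name to a case are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List


class IPBlock:
    """One egress `to:` entry of the form {ipBlock: {cidr, except}}."""

    def __init__(self, cidr: str, except_: Iterable[str] = ()):
        self.cidr = ipaddress.ip_network(cidr, strict=False)
        self.excepts = [ipaddress.ip_network(e, strict=False) for e in except_]

    def matches(self, ip: str) -> bool:
        # Inside cidr and not inside any except entry; except only narrows this rule
        addr = ipaddress.ip_address(ip)
        return addr in self.cidr and not any(addr in ex for ex in self.excepts)


def egress_allowed(policies: List[List[IPBlock]], dest_ip: str) -> bool:
    """policies: every NetworkPolicy selecting the client pod, each given as its
    list of egress ipBlocks. Policies are additive: once any policy selects the
    pod, egress is allowed iff some ipBlock in some policy matches the destination."""
    if not policies:
        return True  # no policy selects the pod: default allow
    return any(block.matches(dest_ip) for policy in policies for block in policy)


# Constructed sample addresses: the server pod sits inside the client's allowed /24.
SERVER = "10.244.1.5"
NEIGHBOUR = "10.244.1.9"


def case_egress_to_cidr() -> bool:
    # "should allow egress access to server in CIDR block"
    return egress_allowed([[IPBlock("10.244.1.0/24")]], SERVER)


def case_except_clause() -> bool:
    # "should enforce except clause": the /24 is allowed but the server is carved
    # out, so the server must be unreachable while a neighbour stays reachable
    policy = [IPBlock("10.244.1.0/24", ["10.244.1.5/32"])]
    return egress_allowed([policy], NEIGHBOUR) and not egress_allowed([policy], SERVER)


def case_overlapping_cidr_and_except() -> bool:
    # "IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed": a second
    # policy allowing the server explicitly is OR-ed with the first, so the
    # first policy's except does not block the traffic
    policies = [
        [IPBlock("10.244.1.0/24", ["10.244.1.5/32"])],
        [IPBlock("10.244.1.5/32")],
    ]
    return egress_allowed(policies, SERVER)
```

A CNI that drops the second case or denies the third is what the `except`-related e2e tests detect; the model is a reference for reading the test names, not a substitute for running Sonobuoy.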

@matofeder explained on matrix:

I think that the check (sonobuoy --e2e-focus=NetworkPolicy) which is used to validate SCS-0219-V1 standard may be too broad and extend beyond the SCS-0219-V1 standard.

sonobuoy --e2e-focus=NetworkPolicy executes 54 tests. 3 of them failed due to lack of Cilium support (it seems).

IMO the solution could be to revisit the 54 tests in that sonobuoy e2e-focus and re-evaluate whether all of them are needed to validate the SCS-0219-V1 standard.

fkr avatar Feb 27 '25 13:02 fkr

@kgube Can you have a look, please?

mbuechse avatar Mar 03 '25 12:03 mbuechse

According to @janiskemper, it could be related to https://github.com/cilium/cilium/issues/14287

mbuechse avatar Mar 05 '25 10:03 mbuechse

@lucasrattz you have had a deeper look into this. Maybe you can share your thoughts.

janiskemper avatar Mar 05 '25 12:03 janiskemper

@lucasrattz you have had a deeper look into this. Maybe you can share your thoughts.

In my testing, I never got these three specific cases failing. But indeed, Cilium is not conformant with Sonobuoy.

Based on my research, one possible solution is to use the default portmap implementation from the cni-plugins and enable chaining in Cilium. So Cilium is still used for everything else.

Also keep in mind that some of the tests are flaky.

I would be interested in your test results if you use the portmap chaining.

lucasrattz avatar Mar 11 '25 13:03 lucasrattz