add except to ipBlock
Hi everyone, I understand that "except" is not part of the IPBlock in antrea, per:
"IPBlock field in the ClusterNetworkPolicy rules do not have the except field. A higher priority rule can be written to deny the specific CIDR range to simulate the behavior of IPBlock field with cidr and except set."
It would be a nice feature to add that. Creating a higher priority rule is not always feasible, nor does it look clean to those debugging problems.
Let's take this example:
Premise:
- Native KNP creation is blocked. (We want to avoid the isolation created by KNPs and keep the more intuitive firewall behaviour provided by ANP.)
- Developers can create ANP only in Application Tier.
- Cluster Operators create ACNP to secure the cluster in SecurityOps and NetworkOps tier.
- There is one single ACNP in Baseline tier that does deny all.
Now let's say that we want an easy way to provide internet for pods. By internet I mean ports 80 and 443 to something like:
ipBlock: 0.0.0.0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
With that, pods can go outside, but won't have access to private IPs on ports 80 and 443.
To implement that, currently I need to do something like:
apiVersion: crd.antrea.io/v1beta1
kind: ClusterNetworkPolicy
metadata:
  name: allow-internet-by-label
spec:
  appliedTo:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          internet: 'true'
  egress:
    - action: Pass
      to:
        - ipBlock:
            cidr: 10.0.0.0/8
        - ipBlock:
            cidr: 172.16.0.0/12
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    - action: Allow
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
If I add that in the SecurityOps or NetworkOps tier, that "Pass" will effectively block the developers from letting the pods talk to the internet, and also from accessing any other internal service on port 80/443, by creating ANPs in the Application tier. The only way that can somehow work is to create that cluster policy with the lowest priority possible in the Application tier. But again, that looks more like a NetworkOps rule than an Application rule.
If we could have except in IPBlock, that rule could easily be created as:
apiVersion: crd.antrea.io/v1beta1
kind: ClusterNetworkPolicy
metadata:
  name: allow-internet-by-label
spec:
  priority: 1
  tier: NetworkOps
  appliedTo:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          internet: 'true'
  egress:
    - action: Allow
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
and that rule would not interfere with any other rule; it would be "self-contained".
Somehow related: https://github.com/antrea-io/antrea/issues/6424
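To make the difference between the two policy shapes concrete, here is a small first-match evaluator (an added example, not code from the issue or from Antrea itself) that models the egress rules of both ClusterNetworkPolicies above; the rule dicts, the `ip_block_matches`/`first_match` helpers and the sample addresses are constructed for this illustration, and "match" here means only whether a rule would fire, not what the tier engine does afterwards.

```python
# Added example, not part of the issue or the Antrea code base: a first-match
# evaluator over the two egress rule shapes discussed above, so one can check
# where the Pass workaround and an ipBlock.except give different outcomes.
import ipaddress

# The private ranges the issue wants excluded, and the two web ports.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
WEB = [("TCP", 80), ("TCP", 443)]


def ip_block_matches(block, ip):
    """True if ip lies inside block['cidr'] and outside every block['except'] entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))


def first_match(rules, ip, proto, port):
    """Return the action of the first rule matching (ip, proto, port), or None."""
    for rule in rules:
        if (proto, port) not in rule["ports"]:
            continue
        if any(ip_block_matches(block, ip) for block in rule["to"]):
            return rule["action"]
    return None  # no rule fired; evaluation continues with other policies


# Workaround from the first ClusterNetworkPolicy: Pass the private ranges,
# then Allow everything else on 80/443.
WORKAROUND = [
    {"action": "Pass", "to": [{"cidr": c} for c in PRIVATE], "ports": WEB},
    {"action": "Allow", "to": [{"cidr": "0.0.0.0/0"}], "ports": WEB},
]

# Proposed form: a single Allow rule whose ipBlock carries an except list.
PROPOSED = [
    {"action": "Allow", "to": [{"cidr": "0.0.0.0/0", "except": PRIVATE}], "ports": WEB},
]


if __name__ == "__main__":
    # Constructed sample destinations: a public address and a private one.
    for ip in ("203.0.113.10", "10.1.2.3"):
        print(ip, "workaround:", first_match(WORKAROUND, ip, "TCP", 443),
              "proposed:", first_match(PROPOSED, ip, "TCP", 443))
```

For the private destination the workaround yields an explicit `Pass` verdict from this policy, whereas the proposed form simply does not match and leaves the decision to whatever other policies apply.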