
Allow-all CIDR rule conflicts with more restrictive rule on the same CIDR

Open yndai opened this issue 10 months ago • 2 comments

What happened:

Summary: When creating a NetworkPolicy with a rule that allows all traffic to a CIDR and another rule for the same CIDR, but with a port specified, the allow-all rule is missing in the resulting PolicyEndpoint.

Additional details:

Specifying an allow-all rule without the more restrictive rule on the same CIDR works as expected. This seems to be related to some merging mechanism that collects all allowed ports/protocols on the same CIDR.

This use case is important because there are third-party Helm charts with policies that are configured additively, so we would have to override them entirely in order to allow all traffic on egress, for example.

According to the NetworkPolicy spec (https://kubernetes.io/docs/concepts/services-networking/network-policies), "The effects of those egress lists combine additively", so this is unexpected behavior. We have had this working as expected in the past with Cilium network policies, as well.

How to reproduce it (as minimally and precisely as possible):

Example:

`kubectl apply -f` on:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-traffic-egress
spec:
  podSelector:
    matchLabels:
      app: target
  policyTypes:
  - Egress
  egress:
    - to:
      - ipBlock:
          cidr: 10.0.0.0/16
      ports:
        - protocol: TCP
          port: 443
    - to:
      - ipBlock:
          cidr: 10.0.0.0/16
```

We expect this in the resulting PolicyEndpoint:

```yaml
apiVersion: networking.k8s.aws/v1alpha1
[...]
spec:
  egress:
  - cidr: 10.0.0.0/16
    ports:
    - port: 443
      protocol: TCP
  - cidr: 10.0.0.0/16
```

but we get:

```yaml
apiVersion: networking.k8s.aws/v1alpha1
[...]
spec:
  egress:
  - cidr: 10.0.0.0/16
    ports:
    - port: 443
      protocol: TCP
```

which is more restrictive.

Environment:

- Kubernetes version (use `kubectl version`): Server Version: version.Info{Major:"1", Minor:"27+", GitVersion:"v1.27.10-eks-508b6b3", GitCommit:"e99f7c75641f738090d483d988dc4a70001e01cf", GitTreeState:"clean", BuildDate:"2024-01-29T20:59:05Z", GoVersion:"go1.20.13", Compiler:"gc", Platform:"linux/amd64"}
- CNI Version: amazon-k8s-cni:v1.16.0-eksbuild.1
- Network Policy Agent Version: aws-network-policy-agent:v1.0.7-eksbuild.1
- OS (e.g. `cat /etc/os-release`): Amazon Linux 2
- Kernel (e.g. `uname -a`): Linux ip-10-1-61-179.ec2.internal 5.10.192-183.736.amzn2.x86_64 aws/aws-network-policy-agent#1 SMP Wed Sep 6 21:15:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

yndai, Apr 09 '24 16:04
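The additive-merge rule the issue describes, as an added example (not code from the amazon-network-policy-controller-k8s project): it folds a NetworkPolicy's egress rules per CIDR the way the spec requires (a rule with no `ports` makes the CIDR allow-all) and reports CIDRs on which a generated PolicyEndpoint ended up more restrictive. It assumes both objects are plain dicts as `kubectl get -o json` would emit them and that only `ipBlock` peers matter; the sample data is constructed to mirror the reproduction above.

```python
"""Compare a NetworkPolicy's egress intent with the PolicyEndpoint the controller produced."""
from collections import defaultdict

ALLOW_ALL = frozenset({"*"})  # marker: all ports and protocols permitted on a CIDR


def fold(pairs):
    """Combine (cidr, ports) pairs additively, as the NetworkPolicy spec requires.

    A rule with no 'ports' allows all traffic to its CIDR, so once one is seen the
    CIDR stays allow-all no matter how restrictive the sibling rules are.
    """
    allowed = defaultdict(set)
    for cidr, ports in pairs:
        if not ports:
            allowed[cidr] = set(ALLOW_ALL)
        elif allowed[cidr] != ALLOW_ALL:
            allowed[cidr].update((p.get("protocol", "TCP"), p["port"]) for p in ports)
    return dict(allowed)


def policy_pairs(policy):
    """Yield (cidr, ports) for every ipBlock peer of every NetworkPolicy egress rule."""
    for rule in policy["spec"].get("egress", []):
        for peer in rule.get("to", []):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr:
                yield cidr, rule.get("ports")


def endpoint_pairs(endpoint):
    """Yield (cidr, ports) for every egress entry of a PolicyEndpoint."""
    for entry in endpoint["spec"].get("egress", []):
        yield entry["cidr"], entry.get("ports")


def covers(got, want):
    """True if allowance 'got' permits everything allowance 'want' does."""
    return got == ALLOW_ALL or (want != ALLOW_ALL and want <= got)


def lost_allowances(policy, endpoint):
    """CIDRs on which the PolicyEndpoint is more restrictive than the NetworkPolicy."""
    want, got = fold(policy_pairs(policy)), fold(endpoint_pairs(endpoint))
    return sorted(c for c, a in want.items() if not covers(got.get(c, set()), a))


# Constructed sample data mirroring the issue's reproduction (not captured from a cluster).
NETWORK_POLICY = {"spec": {"egress": [
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/16"}}], "ports": [{"protocol": "TCP", "port": 443}]},
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/16"}}]},  # allow-all rule the controller dropped
]}}
OBSERVED_ENDPOINT = {"spec": {"egress": [
    {"cidr": "10.0.0.0/16", "ports": [{"protocol": "TCP", "port": 443}]},
]}}

if __name__ == "__main__":
    print("CIDRs with lost allowances:", lost_allowances(NETWORK_POLICY, OBSERVED_ENDPOINT))
```

Run against live objects, a non-empty result is the signal that a generated PolicyEndpoint silently narrowed what the NetworkPolicy allowed.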