kubespray
kubespray copied to clipboard
kubernetes-sigs
variables cilium_enable_host_firewall and cilium_policy_audit_mode for configmap/cilium-config
What type of PR is this?
/kind feature
Special notes for your reviewer:
In order to enable (Cilium Host Firewall](https://docs.cilium.io/en/v1.15/security/host-firewall/) and the recommended PolicyAuditMode that prevents unwanted side effects during testing, we have added 2 variables to cilium role and to inventory (features are disabled by default) :
cilium_enable_host_firewall: false
cilium_policy_audit_mode: false
These features are then added in ConfigMap/cilium-config by cilium role
enable-host-firewall: "true"
policy-audit-mode: "true"
We have added related documentation in docs/cilium.md
Does this PR introduce a user-facing change?:
Add optional support for _Host Firewall_ and _PolicyAuditMode_ features in Cilium
Hi @ledroide. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I have a doubt about the right choice for conditionals in the cilium-config template at path roles/network_plugin/cilium/templates/cilium/config.yml.j2.
Here is what I wrote, just because many options are implemented this way.
{% if cilium_enable_host_firewall %}
enable-host-firewall: "true"
{% endif %}
{% if cilium_policy_audit_mode %}
policy-audit-mode: "true"
{% endif %}
Let's say I want to enable policy-audit-mode temporarily in order to set my rules. Si I set the variable cilium_policy_audit_mode: true and run my playbook.
Because cilium_policy_audit_mode is true the the configmap contains policy-audit-mode: "true".
But what if, after my whole setting, I want to explicitly set policy-audit-mode: "false" in the configmap/cilium-config - changing to cilium_policy_audit_mode: false ?
Maybe we had better always rely on default values for the role - that are already set in roles/network_plugin/cilium/defaults/main.yml - and always set a value for policy-audit-mode in the configmap/cilium-config ?
This would simply be written this way, instead of conditionals :
enable-host-firewall: {{ cilium_enable_host_firewall | quote }}
policy-audit-mode: {{ cilium_policy_audit_mode | quote }}
What do you think ?
PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: ledroide
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment