calico
Unable to restrict host installed etcd access control
Expected Behavior
Current Behavior
I used the following configuration to restrict a certain IP from accessing port 2379 of the machine. It did not take effect, and the calico-node status was always abnormal.
cat <<EOF | calicoctl create -f -
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: k8s-worker
spec:
  selector: "kubernetes.io/hostname == '192.168.123.50'"
  order: 0
  ingress:
  - action: Deny
    protocol: TCP
    source:
      nets:
      - '192.168.123.53/32'
    destination:
      ports: [2379]
  egress:
  - action: Deny
    protocol: TCP
    destination:
      nets:
      - '192.168.123.53/32'
      ports: [2379]
EOF
log
2024-03-20 02:26:27.187 [INFO][96] felix/label_inheritance_index.go 182: Updating selector selID=Policy(name=default.k8s-worker)
2024-03-20 02:26:27.188 [INFO][96] felix/int_dataplane.go 1693: Received *proto.ActivePolicyUpdate update from calculation graph msg=id:<tier:"default" name:"default.k8s-worker" > policy:<inbound_rules:<action:"deny" protocol:<name:"tcp" > src_net:"192.168.123.53/32" dst_ports:<first:2379 last:2379 > rule_id:"cO9NLbNvEy0py5pA" > outbound_rules:<action:"deny" protocol:<name:"tcp" > dst_net:"192.168.123.53/32" dst_ports:<first:2379 last:2379 > rule_id:"35GJSFH_F0il5cNa" > >
2024-03-20 02:26:27.188 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-pi-default.k8s-worker" ipVersion=0x4 table="raw"
2024-03-20 02:26:27.188 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-po-default.k8s-worker" ipVersion=0x4 table="raw"
2024-03-20 02:26:27.188 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-pi-default.k8s-worker" ipVersion=0x4 table="mangle"
2024-03-20 02:26:27.188 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-po-default.k8s-worker" ipVersion=0x4 table="mangle"
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-pi-default.k8s-worker" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-po-default.k8s-worker" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.189 [INFO][96] felix/int_dataplane.go 1693: Received *proto.HostEndpointUpdate update from calculation graph msg=id:<endpoint_id:"192.168.123.50-auto-hep" > endpoint:<name:"*" profile_ids:"projectcalico-default-allow" tiers:<name:"default" ingress_policies:"default.k8s-worker" egress_policies:"default.k8s-worker" > expected_ipv4_addrs:"192.168.123.50" expected_ipv4_addrs:"10.244.180.64" >
2024-03-20 02:26:27.189 [INFO][96] felix/endpoint_mgr.go 966: Endpoint matching interface changed id=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"} ifaceName="any-interface-at-all" newID=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"} oldID=proto.HostEndpointID{EndpointId:""}
2024-03-20 02:26:27.189 [INFO][96] felix/endpoint_mgr.go 983: Updating host endpoint normal policy chains. id=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"}
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-th-any-interface-at-all" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 582: Chain became referenced, marking it for programming chainName="cali-po-default.k8s-worker"
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-fh-any-interface-at-all" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.189 [INFO][96] felix/table.go 582: Chain became referenced, marking it for programming chainName="cali-pi-default.k8s-worker"
2024-03-20 02:26:27.190 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-thfw-_Nqh4HyA73udmyanQI" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.190 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-fhfw-_Nqh4HyA73udmyanQI" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.190 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-sm-any-interface-at-all" ipVersion=0x4 table="filter"
2024-03-20 02:26:27.190 [INFO][96] felix/table.go 508: Queueing update of chain. chainName="cali-th-any-interface-at-all" ipVersion=0x4 table="mangle"
2024-03-20 02:26:27.190 [INFO][96] felix/table.go 582: Chain became referenced, marking it for programming chainName="cali-po-default.k8s-worker"
2024-03-20 02:26:27.191 [INFO][96] felix/endpoint_mgr.go 540: Re-evaluated host endpoint status hostEndpointID=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"} known=true operUp=true resolved=true status="up"
2024-03-20 02:26:27.191 [INFO][96] felix/status_combiner.go 58: Storing endpoint status update ipVersion=0x4 status="up" workload=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"}
2024-03-20 02:26:27.221 [INFO][96] felix/status_combiner.go 81: Endpoint up for at least one IP version id=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"} ipVersion=0x4 status="up"
2024-03-20 02:26:27.222 [INFO][96] felix/status_combiner.go 98: Reporting combined status. id=proto.HostEndpointID{EndpointId:"192.168.123.50-auto-hep"} status="up"
Possible Solution
Steps to Reproduce (for bugs)
- calicoctl patch kubecontrollersconfiguration default --patch='{"spec": {"controllers": {"node": {"hostEndpoint": {"autoCreate": "Enabled"}}}}}'
- create GlobalNetworkPolicy above
Context
Your Environment
- Calico version: calico 3.25.2
- Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes 1.23
- Operating System and version: CentOS Linux 7
- Link to your project (optional):
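As an added diagnostic (not code from the issue or from the Calico project), the script below parses the Felix log lines above to confirm that the policy's rules were received and attached to the auto-created host endpoint, and flags inbound deny rules on ports that Felix's documented default failsafe inbound list covers, since failsafe rules are applied ahead of host-endpoint policy; the default port set is taken from the Felix configuration reference and should be checked against the cluster's own FelixConfiguration.

```python
import re
from collections import namedtuple
# Felix's documented default failsafe inbound TCP ports; failsafe rules run before
# host-endpoint policy, so a Deny on one of these ports has no effect (verify on your cluster).
DEFAULT_FAILSAFE_INBOUND_TCP = {22, 179, 2379, 2380, 5473, 6443, 6666, 6667}

# Two lines from the calico-node log in this issue, timestamps dropped (constructed sample).
SAMPLE_LOG = [
    'felix/int_dataplane.go 1693: Received *proto.ActivePolicyUpdate update from calculation '
    'graph msg=id:<tier:"default" name:"default.k8s-worker" > policy:<inbound_rules:<action:"deny" '
    'protocol:<name:"tcp" > src_net:"192.168.123.53/32" dst_ports:<first:2379 last:2379 > '
    'rule_id:"cO9NLbNvEy0py5pA" > outbound_rules:<action:"deny" protocol:<name:"tcp" > '
    'dst_net:"192.168.123.53/32" dst_ports:<first:2379 last:2379 > rule_id:"35GJSFH_F0il5cNa" > >',
    'felix/int_dataplane.go 1693: Received *proto.HostEndpointUpdate update from calculation '
    'graph msg=id:<endpoint_id:"192.168.123.50-auto-hep" > endpoint:<name:"*" '
    'profile_ids:"projectcalico-default-allow" tiers:<name:"default" '
    'ingress_policies:"default.k8s-worker" egress_policies:"default.k8s-worker" > '
    'expected_ipv4_addrs:"192.168.123.50" expected_ipv4_addrs:"10.244.180.64" >',
]

# net is src_net for inbound rules and dst_net for outbound rules.
Rule = namedtuple("Rule", "direction action protocol net port")
RULE_RE = re.compile(r'(inbound|outbound)_rules:<(.+?) rule_id:"[^"]*" >')

def parse_active_policy(lines):
    """Return (policy name, rules) from the ActivePolicyUpdate lines Felix logged."""
    name, rules = None, []
    for line in lines:
        if "ActivePolicyUpdate" not in line:
            continue
        m = re.search(r'id:<tier:"[^"]*" name:"([^"]+)"', line)
        name = m.group(1) if m else name
        for direction, body in RULE_RE.findall(line):
            action = re.search(r'action:"(\w+)"', body).group(1)
            proto = re.search(r'protocol:<name:"(\w+)"', body).group(1)
            net = re.search(r'(?:src|dst)_net:"([^"]+)"', body).group(1)
            port = int(re.search(r'dst_ports:<first:(\d+)', body).group(1))
            rules.append(Rule(direction, action, proto, net, port))
    return name, rules

def policy_attached_to_hep(lines, policy):
    """True if a HostEndpointUpdate lists the policy for both ingress and egress."""
    needles = (f'ingress_policies:"{policy}"', f'egress_policies:"{policy}"')
    return any("HostEndpointUpdate" in l and all(n in l for n in needles) for l in lines)

def bypassed_by_failsafe(rules):
    """Inbound TCP deny rules that the default failsafe list would override."""
    return [r for r in rules if r.direction == "inbound" and r.action == "deny"
            and r.protocol == "tcp" and r.port in DEFAULT_FAILSAFE_INBOUND_TCP]
```

Run it against the full output of `kubectl logs` for the calico-node pod: an empty rule list means Felix never received the policy, a False from the host-endpoint check means the selector did not match the auto host endpoint, and a non-empty failsafe list explains a deny that was programmed but still not enforced.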
What do the full logs from the previous (restarted) container in calico/node show?
kubectl logs -p -n calico-system calico-node-qzwvl