Egress firewall support #9227
Egress firewall support #9227
Conversation
|
Travis says you need a gofmt on pkg/sdn/api/v1beta3/types.go, pkg/sdn/api/v1/types.go and pkg/sdn/api/validation/validation_test.go |
|
Otherwise LGTM but somebody with more experience adding API to origin needs to check too. |
openshift-bot
added
the
needs-rebase
danwinship
force-pushed
the
egress-firewall
branch
from
79b8a40 to
8a49b98
Compare
danwinship
changed the title
danwinship
force-pushed
the
egress-firewall
branch
from
8a49b98 to
e5aa1a6
Compare
|
merged in the old openshift-sdn PR, and updated to add service endpoint filtering; we use the existing endpoint filtering infrastructure to also filter out external endpoints that conflict with firewall rules. (This is a stopgap; eventually we will fix things so that either service rewriting happens in OVS [when we have conntrack support there] or else egress firewalling happens in iptables [when we have a way to make iptables rules namespace-aware].) |
openshift-bot
removed
the
needs-rebase
danwinship
force-pushed
the
egress-firewall
branch
2 times, most recently
from
46c5ba8 to
5a5b4e3
Compare
|
@openshift/networking PTAL? The one customer who has looked at this so far was a bit concerned about having all of the rules on a single object, since they expect to have on the order of one rule per namespace (with lots of namespaces). (Basically, they plan to block all outgoing access by default, and project admins will have to use some [non-OpenShift] tool to indicate the external sites they need access to, and then some script will create the EgressFirewall rules from that.) So, we could change it so that the EgressFirewall object doesn't have a namespace field, and instead you just create objects in each namespace, and then say that the default namespace's rules apply to all namespaces, except that as discussed before in email, I'm dubious of that since nothing else treats the default namespace as being a parent of other namespaces. So maybe we should just ignore this for 3.3 and just make sure it gets dealt with better in the eventual upstream version. |
|
@openshift/api-review PTAL. This adds a new object type |
|
How does this differ from NetworkPolicy in intent? On Jul 14, 2016, at 9:47 AM, Dan Winship [email protected] wrote: @openshift/api-review https://github.com/orgs/openshift/teams/api-review — |
|
As of kubernetes 1.3, NetworkPolicy only covers ingress policy, not egress policy. There will eventually be upstream egress policy stuff as well, but not in time for OpenShift 1.3 (or probably even 1.4), and based on the conversation that has happened so far, it's impossible to guess what it will look like when it does happen. (Notably, the existing ingress NetworkPolicy stuff is something that project admins opt in to, whereas the functionality implemented in this PR is imposed by the cluster admin, and can't be overridden or modified by project admins, so it seems unlikely to end up being part of the same NetworkPolicy objects.) So the expectation is that, like NetworkNamespaces, this would eventually be deprecated in favor of the upstream solution, but we don't know what or when that will be. |
|
Why would cluster admins not be able to choose whether either ingress or On Thu, Jul 14, 2016 at 10:49 AM, Dan Winship [email protected]
|
| unversioned.TypeMeta | ||
| kapi.ObjectMeta | ||
|
|
||
| Rules []EgressFirewallRule |
There was a problem hiding this comment.
Should be in a spec (same as network policy) and Rules should be called Egress []EgressFirewallRule
|
Added some comments about structure assuming this is intended to be roughly in line with the upstream NetworkPolicy. Unless you plan on being wildly divergent, we should have similar patterns and structures. |
Because ingress filtering is about protecting your project from other people, but egress filtering is about protecting other people from your project. The entire premise of egress filtering (in this PR) is that the cluster admin doesn't fully trust the project admins. (Eg, in OpenShift Online, maybe there are some There are other egress filtering use cases where opt-in at the project level does make sense. (Eg, "I know my pod needs to contact github.com, but nothing else, so I want to firewall off everything else so that if hackers break into my pod they can't use it to attack people") But this PR isn't trying to handle that. (And really, that makes more sense as a Pod annotation than a Namespace-level policy...) |
It's not. This isn't intended to handle arbitrary "egress policy". It's just supposed to handle this one use case (namespace-aware firewall rules) as a stop-gap until upstream finishes designing a full egress policy solution, at which point we should hopefully be able to to auto-translate EgressFirewall objects into corresponding upstream policy objects and deprecate EgressFirewall. Also, I don't think it's safe to assume at this point that the eventual upstream egress filtering solution is going to look anything like (current) NetworkPolicy. (The initial attempt to add egress policy to NetworkPolicy fell apart when someone pointed out that the proposal didn't actually let you implement any of the proposed use cases.) |
|
Rather than invent new conventions, use the existing conventions. If On Thu, Jul 14, 2016 at 1:23 PM, Dan Winship [email protected]
|
danwinship
force-pushed
the
egress-firewall
branch
from
5a5b4e3 to
b25c1dd
Compare
|
[test] |
danwinship
force-pushed
the
egress-firewall
branch
2 times, most recently
from
973dee7 to
5e1e660
Compare
|
[test] |
danwinship
force-pushed
the
egress-firewall
branch
from
718e1d2 to
0b0dac9
Compare
| if _, err := fmt.Fprintf(w, "%s\t", n.Namespace); err != nil { | ||
| return err | ||
| } | ||
| if _, err := fmt.Fprintf(w, "%s\n", n.Name); err != nil { |
There was a problem hiding this comment.
Simplify...if _, err := fmt.Fprintf(w, "%s\t%s\n", n.Namespace, n.Name); err != nil
egressNetworkPolicyColumns contains only one column 'NAME', do we want to add 'NAMESPACE' column?
There was a problem hiding this comment.
Hm... somehow I thought this matched the style elsewhere, but I guess not really.
Namespace gets added automatically, although it looks like I didn't handle it quite correctly.
(Also, this was a fix-up that I squashed into the wrong commit, it should have gone into the earlier commit...)
| // Temporarily drop all outgoing traffic, to avoid race conditions while modifying the other rules | ||
| otx.AddFlow("table=9, reg0=%d, cookie=1, priority=65535, actions=drop", vnid) | ||
| otx.DeleteFlows("table=9, reg0=%d, cookie=0/1", vnid) | ||
|
|
There was a problem hiding this comment.
Don't we need to drop all existing rules for vnid before adding new rules?
otx.DeleteFlows("table=9, reg0=%d", vnid) [Consider the case where policy is updated]
There was a problem hiding this comment.
we do; the comment about dropping all traffic only applies to the AddFlow(); the DeleteFlows() then drops all existing flows for vnid (except for the "drop all traffic" flow which we just added with cookie=1 to mark it as being different from the the other flows)
danwinship
force-pushed
the
egress-firewall
branch
from
0b0dac9 to
2f0255e
Compare
|
LGTM, there will be follow up PR to provide feedback to the user when egress policy is not applied. |
|
[test] |
|
Flake #9959 |
|
[merge] |
|
LGTM re[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7348/) (Image: devenv-rhel7_4720) |
|
[test] #9959
|
|
re[merge] |
|
Evaluated for origin merge up to 5aaf3cb |
|
re[test] |
|
Evaluated for origin test up to 5aaf3cb |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7316/) |
The origin side of openshift/openshift-sdn#319, for reference. The interesting bits are all over there though.