Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AntreaNetworkPolicy should not be applied to Pods in other Namespaces #4116

Closed
tnqn opened this issue Aug 15, 2022 · 0 comments · Fixed by #4119
Closed

AntreaNetworkPolicy should not be applied to Pods in other Namespaces #4116

tnqn opened this issue Aug 15, 2022 · 0 comments · Fixed by #4119
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now.
Milestone
Antrea v1.8 release

Comments

@tnqn
Copy link
Member

tnqn commented Aug 15, 2022

Describe the bug

Group validation was only performed when creating AppliedToGroup for namespaced group, there were two ways that can bypass the validation and apply the AntreaNetworkPolicy to Pods in other Namespaces:

  1. Use a group which has child groups that select Pods in other Namespaces, for example:
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: anp-with-groups
  namespace: default
spec:
  priority: 5
  tier: securityops
  appliedTo:
    - group: "test-grp-parent"
  egress:
    - action: Drop
      to:
        - podSelector:
            matchLabels:
              app: nginx
      name: DropToThirdParty
      enableLogging: true
---
apiVersion: crd.antrea.io/v1alpha3
kind: Group
metadata:
  name: test-grp-parent
  namespace: default
spec:
  childGroups:
  - test-grp
---
apiVersion: crd.antrea.io/v1alpha3
kind: Group
metadata:
  name: test-grp
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: client
  namespaceSelector: {}
---
  1. Use a group which is namespace scope first, then change it to cluster scope. This may make the policy apply to cluster scope Pods in a short time but will be fixed after the policy is reprocessed because Group is resynced first, then ANP.

Expected

AntreaNetworkPolicy should never be applied to Pods in other Namespaces at any time point.

Versions:

  • Antrea version (Docker image tag).
    cab72fc
@tnqn tnqn added the kind/bug Categorizes issue or PR as related to a bug. label Aug 15, 2022
@tnqn tnqn changed the title AntreaNetworkPolicy should not not applied to Pods in other Namespaces AntreaNetworkPolicy should not be applied to Pods in other Namespaces Aug 15, 2022
@tnqn tnqn added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Aug 15, 2022
@tnqn tnqn added this to the Antrea v1.8 release milestone Aug 16, 2022
tnqn added a commit to tnqn/antrea that referenced this issue Aug 16, 2022
@tnqn
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace
fff1da7 
When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes antrea-io#4116

Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn added a commit to tnqn/antrea that referenced this issue Aug 16, 2022
@tnqn
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace
b97b7b1 
When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes antrea-io#4116

Signed-off-by: Quan Tian <qtian@vmware.com>
@tnqn tnqn mentioned this issue Aug 16, 2022
Merged
tnqn added a commit to tnqn/antrea that referenced this issue Aug 16, 2022
@tnqn
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace
891b95b 
When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes antrea-io#4116

Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn added a commit to tnqn/antrea that referenced this issue Aug 17, 2022
@tnqn
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace
0ff0557 
When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes antrea-io#4116

Signed-off-by: Quan Tian <qtian@vmware.com>
tnqn added a commit that referenced this issue Aug 17, 2022
@tnqn
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace (
18aee9d 
…#4119)

When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes #4116

Signed-off-by: Quan Tian <qtian@vmware.com>

Signed-off-by: Quan Tian <qtian@vmware.com>
heanlan pushed a commit to heanlan/antrea that referenced this issue Mar 29, 2023
@tnqn @heanlan
Do not realize AntreaNetworkPolicy applied to Pods in other Namespace (
f43d688 
…antrea-io#4119)

When AntreaNetworkPolicy uses Group as AppliedTo, the Group should not
select Pods in other Namespaces, otherwise the policy would be applied
to other Namespaces. This was prevented by using a validation when
creating AppliedToGroup for Group, which ensures that the Group doesn't
have a NamespaceSelector. However, the validation could be bypassed by
several approaches, the most straightforward one is to use a parent
Group as AppliedTo and make one of its child Groups use
NamespaceSelector.

It's hard to cover all cases if the validation is only in the phase of
creating AppliedToGroup because of its dynamic nature. This patch
implements a validation when syncing AppliedToGroup. The validation
ensures that the AppliedToGroup cannot have any members in other
Namespaces if it's derived from a namespaced Group, regardless of the
way by which the members are selected. The error encountered when
syncing AppliedToGroup will be reflected in the statuses of the
NetworkPolicies that use this AppliedToGroup.

This patch also unifies the behavior of ClusterNetworkPolicy and
AntreaNetworkPolicy when a ClusterGroup/Group used as AppliedTo contains
IPBlocks only: it would be treated like empty AppliedTo in both cases.

Fixes antrea-io#4116

Signed-off-by: Quan Tian <qtian@vmware.com>

Signed-off-by: Quan Tian <qtian@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now.
Projects
None yet
Milestone
Antrea v1.8 release
Development

Successfully merging a pull request may close this issue.

Do not realize AntreaNetworkPolicy applied to Pods in other Namespace tnqn/antrea
1 participant
@tnqn