Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

First draft of forbidden mode for isolated clusters #172

Merged
merged 38 commits into from
Jan 30, 2024
Merged

Conversation

majst01
Copy link
Contributor

@majst01 majst01 commented Dec 18, 2023

Related to: https://github.com/fi-ts/proxy-services/issues/4

Todos:

  • refactoring regarding code additions
  • ignore violations
  • send violations as event logs
  • update shoot client controller status
  • forbid service type loadbalancer outside of allowedNetworks in forbidden mode
  • tests

vknabel and others added 6 commits December 18, 2023 16:01
If allowed networks have been set up, we enforce all cwnps to be included. Otherwise we want them to be deleted.

Use case: network isolated clusters with internet access forbidden may not add conflicting cwnps. If they somehow do exist like after migration, we reflect the changes by deletion.
@majst01
Copy link
Contributor Author

majst01 commented Jan 15, 2024

rewall monitor successfully updated, requeuing in 10s","name":"shoot--pcfgbt--forbidden-firewall-ad19e","namespace":"firewall"}                                                                                                               
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: {"level":"info","timestamp":"2024-01-15T13:57:08+01:00","caller":"controller/controller.go:118","msg":"Observed a panic in reconciler: runtime error: invalid memory address
 or nil pointer dereference","controller":"clusterwidenetworkpolicy","controllerGroup":"metal-stack.io","controllerKind":"ClusterwideNetworkPolicy","ClusterwideNetworkPolicy":{"name":"allow-to-forbidden","namespace":"firewall"},"namespace
":"firewall","name":"allow-to-forbidden","reconcileID":"2af9ae73-266a-4a63-a55d-cf8a1b0f6b49"}                                                                                                                                                
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: panic: runtime error: invalid memory address or nil pointer dereference [recovered]                                                                                         
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         panic: runtime error: invalid memory address or nil pointer dereference                                                                                             
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x168b6cd]                                                                                                    
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: goroutine 774 [running]:                                                                                                                                                    
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()                                                                                      
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119 +0x1e5                                                                             
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: panic({0x1810a20?, 0x29dc300?})                                                                                                                                             
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         runtime/panic.go:914 +0x21f                                                                                                                                         
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).validateCWNPEgressTargetPrefix(_, {{{0x16e22be, 0x18}, {0xc0007eb248, 0x11}}
, {{0xc0007eb1b8, 0x12}, {0x0, 0x0}, {0xc000d165b8, ...}, ...}, ...}, ...)                                                                                                                                                                    
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:283 +0x30d                                                         Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).allowedCWNPsOrDelete(0xc000281c00, {0x1cee5e8, 0xc000c8ed50}, {0xc00110aa80?
, 0x7, 0xc0011fe000?}, {0xc000d851a0?, 0x53d75a?}, {{0xc000e0e040, 0x1, ...}, ...})                                                                                                                                                           
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:222 +0x24e                                                         Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: github.com/metal-stack/firewall-controller/v2/controllers.(*ClusterwideNetworkPolicyReconciler).Reconcile(0xc000281c00, {0x1cee5e8, 0xc000c8ed50}, {{{0xc000c8ed50?, 0x0?}, 
{0xc000bc5d20?, 0x4105a5?}}})                                                                                                                                                                                                                 
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         github.com/metal-stack/firewall-controller/v2/controllers/clusterwidenetworkpolicy_controller.go:101 +0x345                                                         Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x1cee5e8?, {0x1cee5e8?, 0xc000c8ed50?}, {{{0xc000d165b8?, 0x1756560?}, {0xc0007eb1b8?, 0x1ce
0108?}}})                                                                                                                                                                                                                                     
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:122 +0xb7                                                             
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000621360, {0x1cee620, 0xc0005730e0}, {0x1898200?, 0xc000a9f3c0?})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:323 +0x368                                  
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000621360, {0x1cee620, 0xc0005730e0})
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274 +0x1c9             
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()                        
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235 +0x79              
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]: created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 643
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e ip[2052]:         sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:231 +0x565
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e systemd[1]: firewall-controller.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 15 13:57:08 shoot--pcfgbt--forbidden-firewall-ad19e systemd[1]: firewall-controller.service: Failed with result 'exit-code'.

@majst01
Copy link
Contributor Author

majst01 commented Jan 18, 2024

Error is weird:

3s          Warning   ForbiddenCIDR          service/nginx-gardener   the specified of "nginx-gardener" to address:"212.34.83.6/32" is outside of the allowed network range:"100.64.0.0/10", ignoring

@majst01 majst01 marked this pull request as ready for review January 23, 2024 12:15
@majst01 majst01 requested a review from a team as a code owner January 23, 2024 12:15
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
controllers/clusterwidenetworkpolicy_controller.go Outdated Show resolved Hide resolved
pkg/nftables/rendering.go Outdated Show resolved Hide resolved
@majst01 majst01 requested review from mwennrich and Gerrit91 January 29, 2024 12:16
go.mod Outdated Show resolved Hide resolved
@majst01 majst01 merged commit 118b30e into master Jan 30, 2024
2 checks passed
@majst01 majst01 deleted the isolated-clusters branch January 30, 2024 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants