-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support for multicast networkpolicy #3323
Comments
I have a question about how to represent an Ingress rule for multicast traffic? What should be the "appliedTo" value, multicast address or Pods? If it is multicast address, the existing ANP API doesn't support using IPBlock as AppliedTo field, and AntreaController might not able to calculate the ANP span. If the appliedTo is a Pod, how would you identify this is a rule for multicast but not for a general unicast traffic? |
From my understanding, Antrea should support 3 scenarios for multicast: 1) Pods only work as multicast sender, 2) Pods only work as multicast receiver, 3) Pods work as both multicast sender and receiver. If we only support Egress rule with multicast, I don't think we can satisfy the security requirement for senario 2. |
I 'd like to introduce a field IPBlock to indicate the multicast address or other IP address. And for "appliedTo" we should use the existing implementation, for example, pod selector, clustergroup and so on. |
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
close as #3660 is merged |
Describe the problem/challenge you have
Antrea has implemented multicasr traffic support, but currently there is no networkpolicy for multicast, all multicast packet will be passed as long as the pod enters the group. For security consideration, it is better to implement networkpolicy for multicast to allow or reject multicast packet.
This proposal is to define networkpolicy for multicast, here are the requirements:
Describe the solution you'd like
0. changes in pipeline
IGMP handles with IGMP query and report
multicastEgress handles multicast egress traffic
multicastEgressMetric collects metric for multicast egress metric
multicastIngress handles multicast ingress traffic
multicastIngressMetric collects metric for multicast ingress metric
1. crd defination
since there is Ingress/Egress in ACNP, it is better to reuse the existing crd defination, and extend with a member in Rule:
protocol string
to indicate what kind of protocol it is.
2. Block IGMP query and reports from and towards Pods
It needs to be possible to define Antrea Cluster Network Policies that block IGMP queries and reports from and towards Block IGMP query to pods.
2.1 Block IGMP query
for example, to block IGMP query to pod which matches label app=app1
4.When the rule is deleted, antrea-agent will allow the port number to send IGMP query
2.2 Block IGMP report
Antrea should block IGMP report from specific pods to any multicast address or specific multicast address
antrea-agent add rule in table IGMP. But since ovs can not read multicast address in IGMP v2/v3, maybe blocking in antrea-agent is a solution to make the behavior same. For the IGMP report message, ovs should redirect to antrea-agent if the packet if from pod (reg0=0x2/0xf), and antrea-agent will send query to ANP to check if report from pod should be blocked.
func queryAction(podRef, multicastAddr string) (RuleAction, type.UID)
, types.UID is the uuid for policy.here is the rule to send packet to antrea-agent:
Limit specific pod to send multicast to specific multicast Ips
here is the rule to drop multicast traffic from pod that matches label app=app2 to multicast address 225.1.2.3:
Anything else you would like to add?
thing need to be discussed is that do we need to define ingress that pod (label app=app1) does not receive multicast traffic from specific IP address (for example 192.168.1.100) to multicast address 225.1.2.3?
If yes, we need to introduce a new member to store the multicast address. something like:
I think we can put ingress for multicast traffic in low priority
The text was updated successfully, but these errors were encountered: