From 5df073768eb9f8c8f00433413039918bdb85d362 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Thu, 10 Oct 2024 08:38:18 -0600
Subject: [PATCH] fix: support for anywhere network policies in cilium (#884)
## Description
Reference [this doc](https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy) for the limitations of Cilium with `ipBlock` based netpols. Two changes included to support this behavior:
- Modifies the keycloak backchannel policy to include all namespaces instead of using the `Anywhere` generated target. This was intended to be anywhere in cluster anyways (see the deleted TODO comment in the diff).
- Modifies `Anywhere` target to include both the `0.0.0.0/0` CIDR and an empty namespace selector. For any non-Cilium CNIs `0.0.0.0/0` would've already covered any in-cluster endpoints, so this only changes the behavior for Cilium.
## Related Issue
Fixes https://github.com/defenseunicorns/uds-core/issues/871
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
---
 src/keycloak/chart/templates/uds-package.yaml | 5 ++---
 src/pepr/operator/controllers/network/generate.ts | 4 ++--
 .../operator/controllers/network/generators/anywhere.ts | 8 ++++++++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index 371c91554..63a907a38 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -26,13 +26,12 @@ spec: app: pepr-uds-core-watcher port: 8080 - # Temp workaround for any cluster pod - # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: app.kubernetes.io/name: keycloak - remoteGenerated: Anywhere + # Allow access from anything in cluster using an empty namespace selector + remoteNamespace: "*" port: 8080 # Keycloak OCSP to check certs cannot guarantee a static IP
diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts
index 473f73d4c..53d0a6280 100644
--- a/src/pepr/operator/controllers/network/generate.ts
+++ b/src/pepr/operator/controllers/network/generate.ts
@@ -3,7 +3,7 @@ import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-nod
 import { kind } from "pepr";
 import { Allow, RemoteGenerated } from "../../crd";
-import { anywhere } from "./generators/anywhere";
+import { anywhere, anywhereInCluster } from "./generators/anywhere";
 import { cloudMetadata } from "./generators/cloudMetadata";
 import { intraNamespace } from "./generators/intraNamespace";
 import { kubeAPI } from "./generators/kubeAPI";
@@ -31,7 +31,7 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] {
 break;
 case RemoteGenerated.Anywhere:
- peers = [anywhere];
+ peers = [anywhere, anywhereInCluster];
 break;
 }
 } else if (policy.remoteNamespace !== undefined || policy.remoteSelector !== undefined) {
diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts
index da732960e..cb4ce0637 100644
--- a/src/pepr/operator/controllers/network/generators/anywhere.ts
+++ b/src/pepr/operator/controllers/network/generators/anywhere.ts
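Review bot: Replacing `remoteGenerated: Anywhere` with `remoteNamespace: "*"` narrows this ingress rule on every CNI, not only Cilium: the `anywhere` peer is an `ipBlock` of `0.0.0.0/0` (with `META_IP` excepted), which also admits host-network and node-sourced traffic, whereas an empty `namespaceSelector` selects only pods in namespaces. If any backchannel caller reaches Keycloak on port 8080 from outside a pod network (a host-network component, for instance), it loses access after this change, so that is worth confirming before merging since the PR description frames the keycloak change as intent-preserving. The meaning of the `"*"` wildcard is also not visible in this hunk and presumably depends on the operator's `remoteNamespace` handling; the new comment could say so, e.g. `# "*" is expanded by the operator to an empty namespaceSelector (pods in any namespace, in-cluster only)`. The enclosing policy entry starts and ends outside the hunk.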
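Review bot: The line `peers = [anywhere, anywhereInCluster];` carries no explanation of why an ipBlock peer is now paired with an empty namespace selector, and the reasoning lives only in the PR description and the generator file; a why-comment here would save the next reader a lookup, e.g. `// Cilium does not match in-cluster endpoints via ipBlock, so pair 0.0.0.0/0 with an empty namespaceSelector (see generators/anywhere.ts)`. Because every `RemoteGenerated.Anywhere` rule, ingress or egress, now emits two peers, any test fixtures or documentation that spell out the generated peers for `Anywhere` presumably need the second entry as well; the checklist says tests were updated but none appear in this patch. `getPeers` begins and ends outside the hunk, and the import hunk above is the only other change in this file.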
@@ -9,3 +9,11 @@ export const anywhere: V1NetworkPolicyPeer = {
 except: [META_IP],
 },
 };
+
+/** Matches any endpoint in cluster
+ * This is primarily to support Cilium where IP based policies do not match/allow anything in-cluster
+ * Ref: https://github.com/defenseunicorns/uds-core/issues/871 and https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy
+ */
+export const anywhereInCluster: V1NetworkPolicyPeer = {
+ namespaceSelector: {},
+};
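Review bot: The doc comment on `anywhereInCluster` says what the peer is for but not what it does and does not match, which is the property a policy author needs when choosing it: `namespaceSelector: {}` selects pods in every namespace but not host-network or off-cluster sources, which is why it complements `anywhere` (the `0.0.0.0/0` ipBlock with `META_IP` excepted) rather than replacing it. Suggest adding that sentence to the comment, e.g. ` * Selects pods in all namespaces only; host-network and external sources are still covered by the ipBlock peer in anywhere, so the two are used together.` Both peers are exported as plain mutable objects shared by every generated policy; if a caller ever mutated a peer in place it would silently change all later policies, so `Object.freeze(...)` or a `Readonly<V1NetworkPolicyPeer>` type may be worth considering, though that mirrors the existing `anywhere` declaration and is not introduced by this hunk.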