Merge pull request #66 from aojea/probes

node local traffic is not processed by network policies
kubernetes-sigs · Jul 23, 2024 · 5d52862 · 5d52862
2 parents ccd1684 + dff26fe
commit 5d52862
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/hack/ci/e2e.sh b/hack/ci/e2e.sh
@@ -168,8 +168,9 @@ run_tests() {
   fi
 
   # ginkgo regexes
-  SKIP="${SKIP:-"Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|GCE|Netpol|NetworkPolicy|256.search.list.characters|LoadBalancer.Service.without.NodePort|type.and.ports.of.a.TCP.service|loadbalancer.source.ranges"}"
-  FOCUS="${FOCUS:-"\\[sig-network\\]"}"
+  SKIP="${SKIP:-}"
+  FOCUS="${FOCUS:-}"
+  LABEL_FILTER="${LABEL_FILTER:-"Feature: containsAny NetworkPolicy"}"
   # if we set PARALLEL=true, skip serial tests set --ginkgo-parallel
   if [ "${PARALLEL:-false}" = "true" ]; then
     export GINKGO_PARALLEL=y

diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -695,6 +695,13 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 			Rule: knftables.Concat(
 				"icmpv6", "type", "{", "nd-neighbor-solicit, nd-neighbor-advert", "}", "accept"),
 		})
+		// Don't process traffic generated from the root user in the Node, it can block kubelet probes
+		// or system daemons that depend on the internal node traffic to not be blocked.
+		// Ref: https://github.com/kubernetes-sigs/kube-network-policies/issues/65
+		tx.Add(&knftables.Rule{
+			Chain: chainName,
+			Rule:  "meta skuid 0 accept",
+		})
 		// instead of aggregating all the expresion in one rule, use two different
 		// rules to understand if is causing issues with UDP packets with the same
 		// tuple (https://github.com/kubernetes-sigs/kube-network-policies/issues/12)