
Stop crashing when parsing network policies that only specify protocol and not port #643

Conversation

adamtulinius (Contributor):

This fixes #642, which causes kube-router to crash on valid network policies, and also implements support for ingress and egress rules without a port specified.

The iptables rules created before and after this patch are equivalent when using network policies that specify both port and protocol. When only specifying a protocol, the rules end up looking like this (output from iptables -S):

-A KUBE-NWPLCY-SXPBPXC4QPX6XLVS -p tcp -m comment --comment "rule to ACCEPT traffic from all sources to dest pods selected by policy name: allow-oracle namespace user-atu" -m set --match-set KUBE-DST-BLGAVYZWLICCYSMQ dst -j ACCEPT
-A KUBE-NWPLCY-SXPBPXC4QPX6XLVS -p tcp -m comment --comment "rule to ACCEPT traffic from source pods to all destinations selected by policy name: allow-oracle namespace user-atu" -m set --match-set KUBE-SRC-BLGAVYZWLICCYSMQ src -j ACCEPT

The same rules with a port specified end up as

-A KUBE-NWPLCY-EKPYW73V3MR4KPNF -p tcp -m comment --comment "rule to ACCEPT traffic from all sources to dest pods selected by policy name: allow-oracle namespace user-atu" -m set --match-set KUBE-DST-BLGAVYZWLICCYSMQ dst -m tcp --dport 1521 -j ACCEPT
-A KUBE-NWPLCY-EKPYW73V3MR4KPNF -p tcp -m comment --comment "rule to ACCEPT traffic from source pods to all destinations selected by policy name: allow-oracle namespace user-atu" -m set --match-set KUBE-SRC-BLGAVYZWLICCYSMQ src -m tcp --dport 1521 -j ACCEPT

Note how -m tcp is missing from the rules without a --dport. I have no idea what causes -m tcp in the output, since (as far as I can tell) it isn't added to the iptables command in network_policy_controller.go. Any input as to what causes this is most welcome.

No further testing has been done yet, but I plan to apply this patch on our cluster tomorrow.

This fixes cloudnativelabs#642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
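The crash described above is the classic optional-field nil dereference: a NetworkPolicy port entry always carries a protocol but only optionally a port. The following Go program is an added example written for this page, not kube-router's code; the PolicyPort type, the chain name and the helper names are hypothetical. It places the pre-fix pattern (dereference the port unconditionally) next to a validated builder that emits a protocol-only rule when no port is given, and it rejects out-of-range ports and unknown protocols while it is at it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PolicyPort is a hypothetical stand-in for a NetworkPolicy port entry
// (not kube-router's own type): the protocol is always present, the port is
// optional and therefore a pointer. A nil Port is exactly the shape of #642.
type PolicyPort struct {
	Protocol string
	Port     *int
}

// ruleArgsUnsafe reproduces the pre-fix pattern: it dereferences Port without
// checking it, so a protocol-only rule panics with a nil pointer dereference
// and, in a controller, takes the whole process down with it.
func ruleArgsUnsafe(chain string, p PolicyPort) []string {
	return []string{"-A", chain, "-p", strings.ToLower(p.Protocol),
		"--dport", strconv.Itoa(*p.Port), "-j", "ACCEPT"}
}

// ruleArgs validates the entry before building the iptables arguments.
// Protocol-only rules become "-p tcp -j ACCEPT"; rules with a port add
// "--dport N". iptables loads the "tcp" match module implicitly when -p tcp is
// combined with --dport, which is why "iptables -S" prints "-m tcp" even though
// the command line never contained it.
func ruleArgs(chain string, p PolicyPort) ([]string, error) {
	proto := strings.ToLower(p.Protocol)
	if proto == "" {
		proto = "tcp" // NetworkPolicy defaults the protocol to TCP
	}
	switch proto {
	case "tcp", "udp", "sctp":
	default:
		return nil, fmt.Errorf("unsupported protocol %q", p.Protocol)
	}
	args := []string{"-A", chain, "-p", proto}
	if p.Port != nil {
		if *p.Port < 1 || *p.Port > 65535 {
			return nil, fmt.Errorf("port %d out of range", *p.Port)
		}
		args = append(args, "--dport", strconv.Itoa(*p.Port))
	}
	return append(args, "-j", "ACCEPT"), nil
}

// crashes reports whether f panics; it lets the example show the pre-fix
// behaviour without bringing the program down.
func crashes(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	chain := "KUBE-NWPLCY-EXAMPLE" // constructed chain name
	port := 1521
	for _, p := range []PolicyPort{{Protocol: "TCP"}, {Protocol: "TCP", Port: &port}} {
		args, err := ruleArgs(chain, p)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(strings.Join(args, " "))
	}
	fmt.Println("pre-fix builder panics on protocol-only rule:",
		crashes(func() { ruleArgsUnsafe(chain, PolicyPort{Protocol: "TCP"}) }))
}
```

Running it prints the two rule shapes from the description (minus the comment and ipset matches) and confirms that the unchecked builder panics on the protocol-only entry while the validated one does not.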
adamtulinius changed the title from "Validate the presence of port definitions before attempting to access" to "Stop crashing when parsing network policies that only specify protocol and not port" on Jan 20, 2019.
murali-reddy (Member):

LGTM

murali-reddy merged commit 11ae253 into cloudnativelabs:master on Jan 21, 2019.
Successfully merging this pull request may close these issues.

crash: kube-router assumes a port is always present in network policies