node local traffic is not processed by network policies #66
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
|
/assign @danwinship Dan please check this is aligned with admin network policies also |
|
@aojea: GitHub didn't allow me to request PR reviews from the following users: vaskozl. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/S
pkg/networkpolicy/controller.go
Outdated
| tx.Add(&knftables.Rule{ | ||
| Chain: chainName, | ||
| Rule: knftables.Concat( | ||
| "fib", "saddr", "type", "local", "accept"), |
There was a problem hiding this comment.
(nit: you don't need to use knftables.Concat here; you can just write "fib saddr type local accept")
But that's not right; with some network plugins, all local pod IPs would be considered "type local" (because the IPs are visible on interfaces in the host netns).
I think the "standard" approach is to allow only from the primary and secondary node IP (learned either via the downward API, or by watching the Node object). Though actually, I don't think that's CNI-agnostic; in some cases, node-to-pod traffic will use the IP of the bridge that the pods are on (eg docker0) rather than the official node IP.
The super-clever option would be to figure out kubelet's cgroup ID and write a meta cgroupv2 ... rule. Although I think some people expect the non-clever "allow from the node's IP" version anyway.
There was a problem hiding this comment.
what was wrong with the iif lo approach?
There was a problem hiding this comment.
We have contributors willing to accept challenges , looking at @uablrek now :)
I like the idea of restricting the loophole to the kubelet, now that you explain it the "type local" sounds easy to cheat
There was a problem hiding this comment.
what was wrong with the iif lo approach?
the trace does not show the iif metadata on the postrouting hook, so I think that to make that work we should add a new rule in INPUT to mark the packets and then in POSTROUTING ignore those packets
cgroups
cat /proc/66685/cgroup
0::/kubelet.slice/kubelet.service
I don't know how stable or configurable is this option, @BenTheElder do you know?
There is also a skuid and skgid match
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
cat /proc/66685/status
Name: kubelet
Umask: 0022
State: S (sleeping)
Tgid: 66685
Ngid: 0
Pid: 66685
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
Maybe accepting everything that comes as root from the host is the best approach, kubelet hast to run as root and if you are root does not matter network policies, you can do whatever you want and access the pods directly on the namespaces
chain trace_chain2 {
type filter hook postrouting priority filter - 1; policy accept;
meta skuid 0 counter packets 194 bytes 20003
There was a problem hiding this comment.
I think you should go back to "type local". It's probably not "more unsafe" than anything existing, and to assume user 0 for all traffic I think will cause problems. People try very hard to not enforce the root user it seems.
There was a problem hiding this comment.
Ok, maybe not "type local", but I think it's unsafe to assume that kubelet runs as root in all clusters, and will so forever
There was a problem hiding this comment.
But then again, I have no better idea.
There was a problem hiding this comment.
kubelet has to do root operations creating cgroups per example, the probes need to open sockets ... it can be rootless https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/ but in a rootless environment this project will not work too 😄 , the network there is 🕺
The network namespace of the Node components has to have a non-loopback interface, which can be for example configured with slirp4netns, VPNKit, or lxc-user-nic(1).
The network namespaces of the Pods can be configured with regular CNI plugins. For multi-node networking, Flannel (VXLAN, 8472/UDP) is known to work.
Ports such as the kubelet port (10250/TCP) and NodePort service ports have to be exposed from the Node network namespace to the host with an external port forwarder, such as RootlessKit, slirp4netns, or socat(1).
@BenTheElder how safe do you think it is assume that kubelet runs as root?
ANP v1alpha1 does not provide any way to block node-to-pod traffic, so this doesn't affect ANP at all |
| @@ -168,8 +168,6 @@ run_tests() { | |||
| fi | |||
|
|
|||
| # ginkgo regexes | |||
| SKIP="${SKIP:-"Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|GCE|Netpol|NetworkPolicy|256.search.list.characters|LoadBalancer.Service.without.NodePort|type.and.ports.of.a.TCP.service|loadbalancer.source.ranges"}" | |||
| FOCUS="${FOCUS:-"\\[sig-network\\]"}" | |||
There was a problem hiding this comment.
we have now LABEL_FILTER that is the new cool kid on the block kubernetes/test-infra#33075 ... you can even read the filter and understand it 😄
k8s-ci-robot
added
size/XS
|
Applied this PR and tested: And my PODs with TCP probes stays alive. |
use LABEL_FILTER instead
Kubelet has to run as root, blocking the traffic directed to Pods by network policies can impact kubelet probes per example. Since root user can do anything on the node, network policies are not a security boundary for it, so don't apply them to the traffic generated by the root user.
k8s-ci-robot
added
size/S
|
pushed new version using the uid of root to discriminate the local packets |
|
Tested the new version. Same result as #66 (comment) 👍 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Fixes: #65