feat(transparent-proxy): remove deprecated outbound port exclusions o…

…pts (#10983)

- Removed `--exclude-outbound-tcp-ports-for-uids` and `--exclude-outbound-udp-ports-for-uids` flags from `kumactl install transparent-proxy`.
- Removed annotations `traffic.kuma.io/exclude-outbound-tcp-ports-for-uids` and `traffic.kuma.io/exclude-outbound-udp-ports-for-uids` in favor of `traffic.kuma.io/exclude-outbound-ports-for-uids`.

Signed-off-by: Bart Smykla <bartek@smykla.com>

UPGRADE.md

@@ -92,6 +92,40 @@ networking:
 
 Ensure to update your Dataplane resources to the new format to avoid any validation errors.
 
+#### Removal of Deprecated Exclude Outbound TCP/UDP Ports for UIDs Flags
+
+The flags `--exclude-outbound-tcp-ports-for-uids` and `--exclude-outbound-udp-ports-for-uids` have been removed from the `kumactl install transparent-proxy` command. Users should now use the consolidated flag `--exclude-outbound-ports-for-uids <protocol:>?<ports:>?<uids>` instead.
+
+##### Examples:
+
+- To disable redirection of outbound TCP traffic on port 22 for users with UID 1000:
+  ```sh
+  kumactl install transparent-proxy --exclude-outbound-ports-for-uids tcp:22:1000 ...
+  ```
+
+- To disable redirection of outbound UDP traffic on port 53 for users with UID 1000:
+  ```sh
+  kumactl install transparent-proxy --exclude-outbound-ports-for-uids udp:53:1000 ...
+  ```
+
+#### Removal of Deprecated Exclude Outbound TCP/UDP Ports for UIDs Annotations
+
+The annotations `traffic.kuma.io/exclude-outbound-tcp-ports-for-uids` and `traffic.kuma.io/exclude-outbound-udp-ports-for-uids` have also been removed. Use the annotation `traffic.kuma.io/exclude-outbound-ports-for-uids` instead.
+
+##### Examples:
+
+- To disable redirection of outbound TCP traffic on port 22 for users with UID 1000:
+  ```yaml
+  traffic.kuma.io/exclude-outbound-ports-for-uids: tcp:22:1000
+  ```
+
+- To disable redirection of outbound UDP traffic on port 53 for users with UID 1000:
+  ```yaml
+  traffic.kuma.io/exclude-outbound-ports-for-uids: udp:53:1000
+  ```
+
+Make sure to update your configuration files and scripts accordingly to accommodate these changes.
+
 #### Deprecation of `--kuma-dp-uid` Flag
 
 In this release, the `--kuma-dp-uid` flag used in the `kumactl install transparent-proxy` command has been deprecated. The functionality of specifying a user by UID is now included in the `--kuma-dp-user` flag, which accepts both usernames and UIDs.

app/kumactl/cmd/completion/testdata/bash.golden

@@ -5854,14 +5854,6 @@ _kumactl_install_transparent-proxy()
     two_word_flags+=("--exclude-outbound-ports-for-uids")
     local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids")
     local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids=")
-    flags+=("--exclude-outbound-tcp-ports-for-uids=")
-    two_word_flags+=("--exclude-outbound-tcp-ports-for-uids")
-    local_nonpersistent_flags+=("--exclude-outbound-tcp-ports-for-uids")
-    local_nonpersistent_flags+=("--exclude-outbound-tcp-ports-for-uids=")
-    flags+=("--exclude-outbound-udp-ports-for-uids=")
-    two_word_flags+=("--exclude-outbound-udp-ports-for-uids")
-    local_nonpersistent_flags+=("--exclude-outbound-udp-ports-for-uids")
-    local_nonpersistent_flags+=("--exclude-outbound-udp-ports-for-uids=")
     flags+=("--ip-family-mode=")
     two_word_flags+=("--ip-family-mode")
     local_nonpersistent_flags+=("--ip-family-mode")

app/kumactl/cmd/install/install_transparent_proxy.go

@@ -17,28 +17,24 @@ import (
 )
 
 type transparentProxyArgs struct {
-	RedirectPortOutBound           string
-	RedirectPortInBound            string
-	ExcludeInboundPorts            string
-	ExcludeOutboundPorts           string
-	ExcludeOutboundTCPPortsForUIDs []string
-	ExcludeOutboundUDPPortsForUIDs []string
-	AgentDNSListenerPort           string
-	SkipDNSConntrackZoneSplit      bool
+	RedirectPortOutBound      string
+	RedirectPortInBound       string
+	ExcludeInboundPorts       string
+	ExcludeOutboundPorts      string
+	AgentDNSListenerPort      string
+	SkipDNSConntrackZoneSplit bool
 }
 
 func newInstallTransparentProxy() *cobra.Command {
 	cfg := config.DefaultConfig()
 
 	args := transparentProxyArgs{
-		RedirectPortOutBound:           "15001",
-		RedirectPortInBound:            "15006",
-		ExcludeInboundPorts:            "",
-		ExcludeOutboundPorts:           "",
-		ExcludeOutboundTCPPortsForUIDs: []string{},
-		ExcludeOutboundUDPPortsForUIDs: []string{},
-		AgentDNSListenerPort:           "15053",
-		SkipDNSConntrackZoneSplit:      false,
+		RedirectPortOutBound:      "15001",
+		RedirectPortInBound:       "15006",
+		ExcludeInboundPorts:       "",
+		ExcludeOutboundPorts:      "",
+		AgentDNSListenerPort:      "15053",
+		SkipDNSConntrackZoneSplit: false,
 	}
 
 	cmd := &cobra.Command{
@@ -136,22 +132,6 @@ runuser -u kuma-dp -- \
 				}
 			}
 
-			if len(args.ExcludeOutboundPorts) > 0 && (len(args.ExcludeOutboundUDPPortsForUIDs) > 0 || len(args.ExcludeOutboundTCPPortsForUIDs) > 0) {
-				return errors.Errorf("--exclude-outbound-ports-for-uids set you can't use --exclude-outbound-tcp-ports-for-uids and --exclude-outbound-udp-ports-for-uids anymore")
-			}
-			if len(args.ExcludeOutboundTCPPortsForUIDs) > 0 {
-				fmt.Fprintln(cfg.RuntimeStderr, "# [WARNING] flag --exclude-outbound-tcp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead")
-				for _, v := range args.ExcludeOutboundTCPPortsForUIDs {
-					cfg.Redirect.Outbound.ExcludePortsForUIDs = append(cfg.Redirect.Outbound.ExcludePortsForUIDs, fmt.Sprintf("tcp:%s", v))
-				}
-			}
-			if len(args.ExcludeOutboundUDPPortsForUIDs) > 0 {
-				fmt.Fprintln(cfg.RuntimeStderr, "# [WARNING] flag --exclude-outbound-udp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead")
-				for _, v := range args.ExcludeOutboundUDPPortsForUIDs {
-					cfg.Redirect.Outbound.ExcludePortsForUIDs = append(cfg.Redirect.Outbound.ExcludePortsForUIDs, fmt.Sprintf("udp:%s", v))
-				}
-			}
-
 			if err := parseArgs(&cfg, &args); err != nil {
 				return errors.Wrap(err, "failed to setup transparent proxy")
 			}
@@ -211,8 +191,6 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&cfg.Ebpf.CgroupPath, "ebpf-cgroup-path", cfg.Ebpf.CgroupPath, "the path of cgroup2")
 	cmd.Flags().StringVar(&cfg.Ebpf.TCAttachIface, "ebpf-tc-attach-iface", cfg.Ebpf.TCAttachIface, "name of the interface which TC eBPF programs should be attached to")
 
-	cmd.Flags().StringArrayVar(&args.ExcludeOutboundTCPPortsForUIDs, "exclude-outbound-tcp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] tcp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108")
-	cmd.Flags().StringArrayVar(&args.ExcludeOutboundUDPPortsForUIDs, "exclude-outbound-udp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] udp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53, 3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108")
 	cmd.Flags().StringArrayVar(&cfg.Redirect.Outbound.ExcludePortsForUIDs, "exclude-outbound-ports-for-uids", []string{}, "outbound ports to exclude for specific uids in a format of protocol:ports:uids where protocol and ports can be omitted or have value tcp or udp and ports can be a single value, a list, a range or a combination of all or * and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for both TCP and UDP for uids 106, 107, 108")
 	cmd.Flags().StringArrayVar(&cfg.Redirect.VNet.Networks, "vnet", cfg.Redirect.VNet.Networks, "virtual networks in a format of interfaceNameRegex:CIDR split by ':' where interface name doesn't have to be exact name e.g. docker0:172.17.0.0/16, br+:172.18.0.0/16, iface:::1/64")
 	cmd.Flags().UintVar(&cfg.Wait, "wait", cfg.Wait, "specify the amount of time, in seconds, that the application should wait for the xtables exclusive lock before exiting. If the lock is not available within the specified time, the application will exit with an error")

app/kumactl/cmd/install/install_transparent_proxy_test.go

@@ -144,12 +144,11 @@ var _ = Context("kumactl install transparent proxy", func() {
 		Entry("should generate defaults with outbound exclude ports", testCase{
 			extraArgs: []string{
 				"--kuma-dp-user", "root",
-				"--exclude-outbound-tcp-ports-for-uids", "1900,1902,1000-2000:106-108",
-				"--exclude-outbound-tcp-ports-for-uids", "2900,2902,3000-5000:203",
-				"--exclude-outbound-udp-ports-for-uids", "3900,3902,4000-6000:303",
+				"--exclude-outbound-ports-for-uids", "tcp:1900,1902,1000-2000:106-108",
+				"--exclude-outbound-ports-for-uids", "tcp:2900,2902,3000-5000:203",
+				"--exclude-outbound-ports-for-uids", "udp:3900,3902,4000-6000:303",
 			},
-			errorMatcher: Equal("# [WARNING] flag --exclude-outbound-tcp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n# [WARNING] flag --exclude-outbound-udp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n"),
-			goldenFile:   "install-transparent-proxy.excludedports.txt",
+			goldenFile: "install-transparent-proxy.excludedports.txt",
 		}),
 		Entry("should generate defaults with outbound exclude ports for uids wildcard", testCase{
 			extraArgs: []string{

pkg/plugins/runtime/k8s/metadata/annotations.go

@@ -76,15 +76,13 @@ const (
 	KumaBuiltinDNSPort    = "kuma.io/builtin-dns-port"
 	KumaBuiltinDNSLogging = "kuma.io/builtin-dns-logging"
 
-	KumaTrafficExcludeInboundPorts            = "traffic.kuma.io/exclude-inbound-ports"
-	KumaTrafficExcludeOutboundPorts           = "traffic.kuma.io/exclude-outbound-ports"
-	KumaTrafficExcludeOutboundPortsForUIDs    = "traffic.kuma.io/exclude-outbound-ports-for-uids"
-	KumaTrafficExcludeOutboundTCPPortsForUIDs = "traffic.kuma.io/exclude-outbound-tcp-ports-for-uids"
-	KumaTrafficExcludeOutboundUDPPortsForUIDs = "traffic.kuma.io/exclude-outbound-udp-ports-for-uids"
-	KumaTrafficDropInvalidPackets             = "traffic.kuma.io/drop-invalid-packets"
-	KumaTrafficIptablesLogs                   = "traffic.kuma.io/iptables-logs"
-	KumaTrafficExcludeInboundIPs              = "traffic.kuma.io/exclude-inbound-ips"
-	KumaTrafficExcludeOutboundIPs             = "traffic.kuma.io/exclude-outbound-ips"
+	KumaTrafficExcludeInboundPorts         = "traffic.kuma.io/exclude-inbound-ports"
+	KumaTrafficExcludeOutboundPorts        = "traffic.kuma.io/exclude-outbound-ports"
+	KumaTrafficExcludeOutboundPortsForUIDs = "traffic.kuma.io/exclude-outbound-ports-for-uids"
+	KumaTrafficDropInvalidPackets          = "traffic.kuma.io/drop-invalid-packets"
+	KumaTrafficIptablesLogs                = "traffic.kuma.io/iptables-logs"
+	KumaTrafficExcludeInboundIPs           = "traffic.kuma.io/exclude-inbound-ips"
+	KumaTrafficExcludeOutboundIPs          = "traffic.kuma.io/exclude-outbound-ips"
 
 	// KumaSidecarTokenVolumeAnnotation allows to specify which volume contains the service account token
 	KumaSidecarTokenVolumeAnnotation = "kuma.io/service-account-token-volume"

pkg/transparentproxy/kubernetes/kubernetes.go

@@ -72,20 +72,6 @@ func NewPodRedirectForPod(pod *kube_core.Pod) (*PodRedirect, error) {
 		podRedirect.ExcludeOutboundPortsForUIDs = strings.Split(excludeOutboundPortsForUIDs, ";")
 	}
 
-	excludeOutboundTCPPortsForUIDs, exists := metadata.Annotations(pod.Annotations).GetString(metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs)
-	if exists {
-		for _, v := range strings.Split(excludeOutboundTCPPortsForUIDs, ";") {
-			podRedirect.ExcludeOutboundPortsForUIDs = append(podRedirect.ExcludeOutboundPortsForUIDs, fmt.Sprintf("tcp:%s", v))
-		}
-	}
-
-	excludeOutboundUDPPortsForUIDs, exists := metadata.Annotations(pod.Annotations).GetString(metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs)
-	if exists {
-		for _, v := range strings.Split(excludeOutboundUDPPortsForUIDs, ";") {
-			podRedirect.ExcludeOutboundPortsForUIDs = append(podRedirect.ExcludeOutboundPortsForUIDs, fmt.Sprintf("udp:%s", v))
-		}
-	}
-
 	podRedirect.RedirectPortOutbound, _, err = metadata.Annotations(pod.Annotations).GetUint32(metadata.KumaTransparentProxyingOutboundPortAnnotation)
 	if err != nil {
 		return nil, err

pkg/transparentproxy/kubernetes/kubernetes_test.go

@@ -50,9 +50,7 @@ var _ = Describe("kubernetes", func() {
 						metadata.KumaTrafficExcludeInboundPorts:                "12000",
 						metadata.KumaTransparentProxyingInboundPortAnnotation:  "25204",
 						metadata.KumaSidecarUID:                                "12345",
-						metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs:     "11001:1;11002:2",
-						metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs:     "11003:3",
-						metadata.KumaTrafficExcludeOutboundPortsForUIDs:        "0;12",
+						metadata.KumaTrafficExcludeOutboundPortsForUIDs:        "0;12;udp:11001:1;udp:11002:2;tcp:11003:3",
 						metadata.KumaTransparentProxyingIPFamilyMode:           "ipv4",
 						metadata.KumaTrafficDropInvalidPackets:                 metadata.AnnotationTrue,
 						metadata.KumaTrafficIptablesLogs:                       metadata.AnnotationTrue,
@@ -71,9 +69,9 @@ var _ = Describe("kubernetes", func() {
 				"--ip-family-mode", "ipv4",
 				"--exclude-outbound-ports-for-uids", "0",
 				"--exclude-outbound-ports-for-uids", "12",
-				"--exclude-outbound-ports-for-uids", "tcp:11003:3",
 				"--exclude-outbound-ports-for-uids", "udp:11001:1",
 				"--exclude-outbound-ports-for-uids", "udp:11002:2",
+				"--exclude-outbound-ports-for-uids", "tcp:11003:3",
 				"--redirect-all-dns-traffic",
 				"--redirect-dns-port", "25053",
 				"--drop-invalid-packets",

test/e2e_env/kubernetes/connectivity/exclude_outbound_port.go

@@ -47,9 +47,8 @@ func ExcludeOutboundPort() {
 			testserver.WithName("test-server"),
 			testserver.WithNamespace(namespace),
 			testserver.WithPodAnnotations(map[string]string{
-				metadata.KumaInitFirst:                             "true",
-				metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs: "80:1234",
-				metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs: "53:1234",
+				metadata.KumaInitFirst:                          "true",
+				metadata.KumaTrafficExcludeOutboundPortsForUIDs: "tcp:80:1234;udp:53:1234",
 			}),
 			testserver.AddInitContainer(corev1.Container{
 				Name:            "init-test-server",