From 260df7f2444c98fb0dc5016f4176ce0d5b1885a8 Mon Sep 17 00:00:00 2001 From: Bart Smykla Date: Thu, 25 Jul 2024 16:17:49 +0200 Subject: [PATCH] feat(transparent-proxy): remove deprecated outbound port exclusions opts (#10983) - Removed `--exclude-outbound-tcp-ports-for-uids` and `--exclude-outbound-udp-ports-for-uids` flags from `kumactl install transparent-proxy`. - Removed annotations `traffic.kuma.io/exclude-outbound-tcp-ports-for-uids` and `traffic.kuma.io/exclude-outbound-udp-ports-for-uids` in favor of `traffic.kuma.io/exclude-outbound-ports-for-uids`. Signed-off-by: Bart Smykla
---
 UPGRADE.md | 34 ++++++++++++++ .../cmd/completion/testdata/bash.golden | 8 ---- .../cmd/install/install_transparent_proxy.go | 46 +++++-------------- .../install/install_transparent_proxy_test.go | 9 ++-- .../runtime/k8s/metadata/annotations.go | 16 +++---- pkg/transparentproxy/kubernetes/kubernetes.go | 14 ------ .../kubernetes/kubernetes_test.go | 6 +-- .../connectivity/exclude_outbound_port.go | 5 +- 8 files changed, 61 insertions(+), 77 deletions(-)
diff --git a/UPGRADE.md b/UPGRADE.md
index 45d5081d4af6..436cce4a31aa 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -92,6 +92,40 @@ networking: Ensure to update your Dataplane resources to the new format to avoid any validation errors. +#### Removal of Deprecated Exclude Outbound TCP/UDP Ports for UIDs Flags + +The flags `--exclude-outbound-tcp-ports-for-uids` and `--exclude-outbound-udp-ports-for-uids` have been removed from the `kumactl install transparent-proxy` command. Users should now use the consolidated flag `--exclude-outbound-ports-for-uids ??` instead. + +##### Examples: + +- To disable redirection of outbound TCP traffic on port 22 for users with UID 1000: + ```sh + kumactl install transparent-proxy --exclude-outbound-ports-for-uids tcp:22:1000 ... + ``` + +- To disable redirection of outbound UDP traffic on port 53 for users with UID 1000: + ```sh + kumactl install transparent-proxy --exclude-outbound-ports-for-uids udp:53:1000 ... + ``` + +#### Removal of Deprecated Exclude Outbound TCP/UDP Ports for UIDs Annotations + +The annotations `traffic.kuma.io/exclude-outbound-tcp-ports-for-uids` and `traffic.kuma.io/exclude-outbound-udp-ports-for-uids` have also been removed. Use the annotation `traffic.kuma.io/exclude-outbound-ports-for-uids` instead. + +##### Examples: + +- To disable redirection of outbound TCP traffic on port 22 for users with UID 1000: + ```yaml + traffic.kuma.io/exclude-outbound-ports-for-uids: tcp:22:1000 + ``` + +- To disable redirection of outbound UDP traffic on port 53 for users with UID 1000: + ```yaml + traffic.kuma.io/exclude-outbound-ports-for-uids: udp:53:1000 + ``` + +Make sure to update your configuration files and scripts accordingly to accommodate these changes. + #### Deprecation of `--kuma-dp-uid` Flag In this release, the `--kuma-dp-uid` flag used in the `kumactl install transparent-proxy` command has been deprecated. The functionality of specifying a user by UID is now included in the `--kuma-dp-user` flag, which accepts both usernames and UIDs. 
diff --git a/app/kumactl/cmd/completion/testdata/bash.golden b/app/kumactl/cmd/completion/testdata/bash.golden index 9db0f334b170..3a3ad1766464 100644 --- a/app/kumactl/cmd/completion/testdata/bash.golden +++ b/app/kumactl/cmd/completion/testdata/bash.golden @@ -5854,14 +5854,6 @@ _kumactl_install_transparent-proxy() two_word_flags+=("--exclude-outbound-ports-for-uids") local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids") local_nonpersistent_flags+=("--exclude-outbound-ports-for-uids=") - flags+=("--exclude-outbound-tcp-ports-for-uids=") - two_word_flags+=("--exclude-outbound-tcp-ports-for-uids") - local_nonpersistent_flags+=("--exclude-outbound-tcp-ports-for-uids") - local_nonpersistent_flags+=("--exclude-outbound-tcp-ports-for-uids=") - flags+=("--exclude-outbound-udp-ports-for-uids=") - two_word_flags+=("--exclude-outbound-udp-ports-for-uids") - local_nonpersistent_flags+=("--exclude-outbound-udp-ports-for-uids") - local_nonpersistent_flags+=("--exclude-outbound-udp-ports-for-uids=") flags+=("--ip-family-mode=") two_word_flags+=("--ip-family-mode") local_nonpersistent_flags+=("--ip-family-mode") diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go index 56eb5e6e2335..9aff5aa11499 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy.go +++ b/app/kumactl/cmd/install/install_transparent_proxy.go 
@@ -17,28 +17,24 @@ import ( ) type transparentProxyArgs struct { - RedirectPortOutBound string - RedirectPortInBound string - ExcludeInboundPorts string - ExcludeOutboundPorts string - ExcludeOutboundTCPPortsForUIDs []string - ExcludeOutboundUDPPortsForUIDs []string - AgentDNSListenerPort string - SkipDNSConntrackZoneSplit bool + RedirectPortOutBound string + RedirectPortInBound string + ExcludeInboundPorts string + ExcludeOutboundPorts string + AgentDNSListenerPort string + SkipDNSConntrackZoneSplit bool } func newInstallTransparentProxy() *cobra.Command { cfg := config.DefaultConfig() args := transparentProxyArgs{ - RedirectPortOutBound: "15001", - RedirectPortInBound: "15006", - ExcludeInboundPorts: "", - ExcludeOutboundPorts: "", - ExcludeOutboundTCPPortsForUIDs: []string{}, - ExcludeOutboundUDPPortsForUIDs: []string{}, - AgentDNSListenerPort: "15053", - SkipDNSConntrackZoneSplit: false, + RedirectPortOutBound: "15001", + RedirectPortInBound: "15006", + ExcludeInboundPorts: "", + ExcludeOutboundPorts: "", + AgentDNSListenerPort: "15053", + SkipDNSConntrackZoneSplit: false, } cmd := &cobra.Command{ 
@@ -136,22 +132,6 @@ runuser -u kuma-dp -- \ } } - if len(args.ExcludeOutboundPorts) > 0 && (len(args.ExcludeOutboundUDPPortsForUIDs) > 0 || len(args.ExcludeOutboundTCPPortsForUIDs) > 0) { - return errors.Errorf("--exclude-outbound-ports-for-uids set you can't use --exclude-outbound-tcp-ports-for-uids and --exclude-outbound-udp-ports-for-uids anymore") - } - if len(args.ExcludeOutboundTCPPortsForUIDs) > 0 { - fmt.Fprintln(cfg.RuntimeStderr, "# [WARNING] flag --exclude-outbound-tcp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead") - for _, v := range args.ExcludeOutboundTCPPortsForUIDs { - cfg.Redirect.Outbound.ExcludePortsForUIDs = append(cfg.Redirect.Outbound.ExcludePortsForUIDs, fmt.Sprintf("tcp:%s", v)) - } - } - if len(args.ExcludeOutboundUDPPortsForUIDs) > 0 { - fmt.Fprintln(cfg.RuntimeStderr, "# [WARNING] flag --exclude-outbound-udp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead") - for _, v := range args.ExcludeOutboundUDPPortsForUIDs { - cfg.Redirect.Outbound.ExcludePortsForUIDs = append(cfg.Redirect.Outbound.ExcludePortsForUIDs, fmt.Sprintf("udp:%s", v)) - } - } - if err := parseArgs(&cfg, &args); err != nil { return errors.Wrap(err, "failed to setup transparent proxy") } 
@@ -211,8 +191,6 @@ runuser -u kuma-dp -- \ cmd.Flags().StringVar(&cfg.Ebpf.CgroupPath, "ebpf-cgroup-path", cfg.Ebpf.CgroupPath, "the path of cgroup2") cmd.Flags().StringVar(&cfg.Ebpf.TCAttachIface, "ebpf-tc-attach-iface", cfg.Ebpf.TCAttachIface, "name of the interface which TC eBPF programs should be attached to") - cmd.Flags().StringArrayVar(&args.ExcludeOutboundTCPPortsForUIDs, "exclude-outbound-tcp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] tcp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108") - cmd.Flags().StringArrayVar(&args.ExcludeOutboundUDPPortsForUIDs, "exclude-outbound-udp-ports-for-uids", []string{}, "[DEPRECATED (use --exclude-outbound-ports-for-uids)] udp outbound ports to exclude for specific uids in a format of ports:uids where ports can be a single value, a list, a range or a combination of all and uid can be a value or a range e.g. 53, 3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for uids 106, 107, 108") cmd.Flags().StringArrayVar(&cfg.Redirect.Outbound.ExcludePortsForUIDs, "exclude-outbound-ports-for-uids", []string{}, "outbound ports to exclude for specific uids in a format of protocol:ports:uids where protocol and ports can be omitted or have value tcp or udp and ports can be a single value, a list, a range or a combination of all or * and uid can be a value or a range e.g. 53,3000-5000:106-108 would mean exclude ports 53 and from 3000 to 5000 for both TCP and UDP for uids 106, 107, 108") cmd.Flags().StringArrayVar(&cfg.Redirect.VNet.Networks, "vnet", cfg.Redirect.VNet.Networks, "virtual networks in a format of interfaceNameRegex:CIDR split by ':' where interface name doesn't have to be exact name e.g. 
docker0:172.17.0.0/16, br+:172.18.0.0/16, iface:::1/64") cmd.Flags().UintVar(&cfg.Wait, "wait", cfg.Wait, "specify the amount of time, in seconds, that the application should wait for the xtables exclusive lock before exiting. If the lock is not available within the specified time, the application will exit with an error") diff --git a/app/kumactl/cmd/install/install_transparent_proxy_test.go b/app/kumactl/cmd/install/install_transparent_proxy_test.go index c6807f21f00f..6bfe8b163f7a 100644 --- a/app/kumactl/cmd/install/install_transparent_proxy_test.go +++ b/app/kumactl/cmd/install/install_transparent_proxy_test.go @@ -144,12 +144,11 @@ var _ = Context("kumactl install transparent proxy", func() { Entry("should generate defaults with outbound exclude ports", testCase{ extraArgs: []string{ "--kuma-dp-user", "root", - "--exclude-outbound-tcp-ports-for-uids", "1900,1902,1000-2000:106-108", - "--exclude-outbound-tcp-ports-for-uids", "2900,2902,3000-5000:203", - "--exclude-outbound-udp-ports-for-uids", "3900,3902,4000-6000:303", + "--exclude-outbound-ports-for-uids", "tcp:1900,1902,1000-2000:106-108", + "--exclude-outbound-ports-for-uids", "tcp:2900,2902,3000-5000:203", + "--exclude-outbound-ports-for-uids", "udp:3900,3902,4000-6000:303", }, - errorMatcher: Equal("# [WARNING] flag --exclude-outbound-tcp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n# [WARNING] flag --exclude-outbound-udp-ports-for-uids is deprecated use --exclude-outbound-ports-for-uids instead\n"), - goldenFile: "install-transparent-proxy.excludedports.txt", + goldenFile: "install-transparent-proxy.excludedports.txt", }), Entry("should generate defaults with outbound exclude ports for uids wildcard", testCase{ extraArgs: []string{ diff --git a/pkg/plugins/runtime/k8s/metadata/annotations.go b/pkg/plugins/runtime/k8s/metadata/annotations.go index 1d0622c4a151..063b2d0c50ef 100644 --- a/pkg/plugins/runtime/k8s/metadata/annotations.go 
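Review bot: The rewritten "should generate defaults with outbound exclude ports" entry only keeps the happy path; nothing in this test file now asserts that the removed flags are refused, so a later reintroduction or a stray alias would pass unnoticed. An additional Entry passing `"--exclude-outbound-tcp-ports-for-uids", "22:1000"` and expecting the command to fail (pflag should reject it as an unknown flag) would pin the removal, though whether errorMatcher observes the command error or only stderr text depends on the harness, which lies outside this hunk. The enclosing Context block starts and ends outside the hunk.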
+++ b/pkg/plugins/runtime/k8s/metadata/annotations.go @@ -76,15 +76,13 @@ const ( KumaBuiltinDNSPort = "kuma.io/builtin-dns-port" KumaBuiltinDNSLogging = "kuma.io/builtin-dns-logging" - KumaTrafficExcludeInboundPorts = "traffic.kuma.io/exclude-inbound-ports" - KumaTrafficExcludeOutboundPorts = "traffic.kuma.io/exclude-outbound-ports" - KumaTrafficExcludeOutboundPortsForUIDs = "traffic.kuma.io/exclude-outbound-ports-for-uids" - KumaTrafficExcludeOutboundTCPPortsForUIDs = "traffic.kuma.io/exclude-outbound-tcp-ports-for-uids" - KumaTrafficExcludeOutboundUDPPortsForUIDs = "traffic.kuma.io/exclude-outbound-udp-ports-for-uids" - KumaTrafficDropInvalidPackets = "traffic.kuma.io/drop-invalid-packets" - KumaTrafficIptablesLogs = "traffic.kuma.io/iptables-logs" - KumaTrafficExcludeInboundIPs = "traffic.kuma.io/exclude-inbound-ips" - KumaTrafficExcludeOutboundIPs = "traffic.kuma.io/exclude-outbound-ips" + KumaTrafficExcludeInboundPorts = "traffic.kuma.io/exclude-inbound-ports" + KumaTrafficExcludeOutboundPorts = "traffic.kuma.io/exclude-outbound-ports" + KumaTrafficExcludeOutboundPortsForUIDs = "traffic.kuma.io/exclude-outbound-ports-for-uids" + KumaTrafficDropInvalidPackets = "traffic.kuma.io/drop-invalid-packets" + KumaTrafficIptablesLogs = "traffic.kuma.io/iptables-logs" + KumaTrafficExcludeInboundIPs = "traffic.kuma.io/exclude-inbound-ips" + KumaTrafficExcludeOutboundIPs = "traffic.kuma.io/exclude-outbound-ips" // KumaSidecarTokenVolumeAnnotation allows to specify which volume contains the service account token KumaSidecarTokenVolumeAnnotation = "kuma.io/service-account-token-volume" diff --git a/pkg/transparentproxy/kubernetes/kubernetes.go b/pkg/transparentproxy/kubernetes/kubernetes.go index 18ce0c7cd311..94ba34cc2b27 100644 --- a/pkg/transparentproxy/kubernetes/kubernetes.go +++ b/pkg/transparentproxy/kubernetes/kubernetes.go 
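Review bot: Deleting the two exported constants outright is a breaking change for any out-of-tree Go code that imports this package, and it also removes the only named keys the injector could use to recognise the stale annotations still present on running pods. Keeping them for one more release with a `// Deprecated: use KumaTrafficExcludeOutboundPortsForUIDs instead.` line above each would let staticcheck and gopls surface the deprecation at call sites and leave a key available for a stale-annotation check. The UPGRADE.md entry covers the annotation names for cluster operators but says nothing about the Go identifiers.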
@@ -72,20 +72,6 @@ func NewPodRedirectForPod(pod *kube_core.Pod) (*PodRedirect, error) { podRedirect.ExcludeOutboundPortsForUIDs = strings.Split(excludeOutboundPortsForUIDs, ";") } - excludeOutboundTCPPortsForUIDs, exists := metadata.Annotations(pod.Annotations).GetString(metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs) - if exists { - for _, v := range strings.Split(excludeOutboundTCPPortsForUIDs, ";") { - podRedirect.ExcludeOutboundPortsForUIDs = append(podRedirect.ExcludeOutboundPortsForUIDs, fmt.Sprintf("tcp:%s", v)) - } - } - - excludeOutboundUDPPortsForUIDs, exists := metadata.Annotations(pod.Annotations).GetString(metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs) - if exists { - for _, v := range strings.Split(excludeOutboundUDPPortsForUIDs, ";") { - podRedirect.ExcludeOutboundPortsForUIDs = append(podRedirect.ExcludeOutboundPortsForUIDs, fmt.Sprintf("udp:%s", v)) - } - } - podRedirect.RedirectPortOutbound, _, err = metadata.Annotations(pod.Annotations).GetUint32(metadata.KumaTransparentProxyingOutboundPortAnnotation) if err != nil { return nil, err diff --git a/pkg/transparentproxy/kubernetes/kubernetes_test.go b/pkg/transparentproxy/kubernetes/kubernetes_test.go index 83b7432c67dc..83701866e289 100644 --- a/pkg/transparentproxy/kubernetes/kubernetes_test.go +++ b/pkg/transparentproxy/kubernetes/kubernetes_test.go 
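Review bot: With the two lookups deleted, a pod that still carries `traffic.kuma.io/exclude-outbound-tcp-ports-for-uids` or `traffic.kuma.io/exclude-outbound-udp-ports-for-uids` is accepted silently, and the ports its owner meant to keep out of the redirect are no longer excluded, with nothing in this hunk reporting the stale key. NewPodRedirectForPod could instead detect the legacy keys and return an error naming the replacement, so the misconfiguration fails at reconcile time rather than surfacing as unexpected traffic behaviour; the sketch below uses the removed annotation strings as literals because their constants are gone from metadata, and relies on `fmt` still being imported, which seems to be the case since the commit leaves this file's import block untouched. A matching negative case in kubernetes_test.go (a pod with a legacy key, expecting an error) would pin it. NewPodRedirectForPod starts and ends outside this hunk.
```go
	// … unchanged: KumaTrafficExcludeOutboundPortsForUIDs lookup and split …

	// Reject annotation keys that were removed in favor of
	// KumaTrafficExcludeOutboundPortsForUIDs instead of silently dropping
	// the exclusions the pod owner configured.
	for _, legacy := range []string{
		"traffic.kuma.io/exclude-outbound-tcp-ports-for-uids",
		"traffic.kuma.io/exclude-outbound-udp-ports-for-uids",
	} {
		if _, exists := metadata.Annotations(pod.Annotations).GetString(legacy); exists {
			return nil, fmt.Errorf("annotation %q is no longer supported, use %q instead", legacy, metadata.KumaTrafficExcludeOutboundPortsForUIDs)
		}
	}

	// … unchanged: RedirectPortOutbound lookup …
```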
@@ -50,9 +50,7 @@ var _ = Describe("kubernetes", func() { metadata.KumaTrafficExcludeInboundPorts: "12000", metadata.KumaTransparentProxyingInboundPortAnnotation: "25204", metadata.KumaSidecarUID: "12345", - metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs: "11001:1;11002:2", - metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs: "11003:3", - metadata.KumaTrafficExcludeOutboundPortsForUIDs: "0;12", + metadata.KumaTrafficExcludeOutboundPortsForUIDs: "0;12;udp:11001:1;udp:11002:2;tcp:11003:3", metadata.KumaTransparentProxyingIPFamilyMode: "ipv4", metadata.KumaTrafficDropInvalidPackets: metadata.AnnotationTrue, metadata.KumaTrafficIptablesLogs: metadata.AnnotationTrue, @@ -71,9 +69,9 @@ var _ = Describe("kubernetes", func() { "--ip-family-mode", "ipv4", "--exclude-outbound-ports-for-uids", "0", "--exclude-outbound-ports-for-uids", "12", - "--exclude-outbound-ports-for-uids", "tcp:11003:3", "--exclude-outbound-ports-for-uids", "udp:11001:1", "--exclude-outbound-ports-for-uids", "udp:11002:2", + "--exclude-outbound-ports-for-uids", "tcp:11003:3", "--redirect-all-dns-traffic", "--redirect-dns-port", "25053", "--drop-invalid-packets", diff --git a/test/e2e_env/kubernetes/connectivity/exclude_outbound_port.go b/test/e2e_env/kubernetes/connectivity/exclude_outbound_port.go index e315ab293a42..6b95562a819d 100644 --- a/test/e2e_env/kubernetes/connectivity/exclude_outbound_port.go +++ b/test/e2e_env/kubernetes/connectivity/exclude_outbound_port.go @@ -47,9 +47,8 @@ func ExcludeOutboundPort() { testserver.WithName("test-server"), testserver.WithNamespace(namespace), testserver.WithPodAnnotations(map[string]string{ - metadata.KumaInitFirst: "true", - metadata.KumaTrafficExcludeOutboundTCPPortsForUIDs: "80:1234", - metadata.KumaTrafficExcludeOutboundUDPPortsForUIDs: "53:1234", + metadata.KumaInitFirst: "true", + metadata.KumaTrafficExcludeOutboundPortsForUIDs: "tcp:80:1234;udp:53:1234", }), testserver.AddInitContainer(corev1.Container{ Name: "init-test-server",