Skip to content

Commit

Permalink
k8s: Disallow unknown fields in CNP & CCNP
Browse files Browse the repository at this point in the history 
Previously, the `x-kubernetes-preserve-unknown-fields` field was set to
true because it was incorrectly thought to have disallowed an empty spec
in a CNP / CCNP (empty rule). In reality, it is not needed at all, and
actually allows additional unknown fields to be permitted. Policies
such as the following would be allowed, bypassing the schema validation
of the CRD (note the `toFQDNs2`).

```
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "denylist"
spec:
  endpointSelector:
    matchLabels:
      k8s-app.guestbook: web
  egress:
    - toEndpoints:
      - matchLabels:
          "k8s:io.kubernetes.pod.namespace": kube-system
          "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
           - port: "53"
             protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    - toFQDNs2:
        - matchName: "www.google.com"
```

Fixes: 691f831 ("k8s, examples: Preserve unknown fields in {C,CC}NP")

Revert "k8s, examples: Preserve unknown fields in {C,CC}NP"
This reverts commit 691f831.

Reported-by: André Martins <andre@cilium.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
  • Loading branch information
@christarazi @aanm
christarazi authored and aanm committed Oct 7, 2020
1 parent a03e1a6 commit fa00ef7
Show file tree
Hide file tree
Showing 5 changed files with 4 additions and 8 deletions.
1 change: 0 additions & 1 deletion examples/crds/ciliumclusterwidenetworkpolicies.yaml
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion examples/crds/ciliumnetworkpolicies.yaml
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion pkg/k8s/apis/cilium.io/v2/ccnp_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ import (
// +kubebuilder:resource:singular="ciliumclusterwidenetworkpolicy",path="ciliumclusterwidenetworkpolicies",scope="Cluster",shortName={ccnp}
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:xpreserveunknownfields

// CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an
// modified version of CiliumNetworkPolicy which is cluster scoped rather than
Expand Down
8 changes: 4 additions & 4 deletions pkg/k8s/apis/cilium.io/v2/client/bindata.go
View file

Large diffs are not rendered by default.

1 change: 0 additions & 1 deletion pkg/k8s/apis/cilium.io/v2/cnp_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ import (
// +kubebuilder:printcolumn:JSONPath=".metadata.creationTimestamp",name="Age",type=date
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:xpreserveunknownfields

// CiliumNetworkPolicy is a Kubernetes third-party resource with an extended
// version of NetworkPolicy.
Expand Down

0 comments on commit fa00ef7

Please sign in to comment.