Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistent handling of IPv6 blocks in Istio between ConnectivityMap query and Equivalence query #108

Open
zivnevo opened this issue Aug 14, 2024 · 1 comment
Open

Inconsistent handling of IPv6 blocks in Istio between ConnectivityMap query and Equivalence query #108

zivnevo opened this issue Aug 14, 2024 · 1 comment
Labels
bug Something isn't working istio

Comments

@zivnevo
Copy link
Member

zivnevo commented Aug 14, 2024

See test .../tests/istio_testcases/example_policies/testcase2/testcase2-istio-scheme.yaml, the difference between istio6 and istio7 configs.
In istio6 the action is 'ALLOW', and thus the only allowed sources connected to the selected peers are those explicitly defined in the policy rules. Since IP blocks are not mentioned in the rules, they are not connected to the selected peers.
In istio7, on the other hand, the action is 'DENY'. and thus all connections to the selected peers are allowed except of those mentioned in the policy rules. Since only IPv4 blocks are mentioned in the policy, all the rest (IPv6) blocks are connected to the selected peers.
Thus, the connectivity maps of istio6 and istio7 differ by IPv6 block (this difference may be observed when setting the option excludeIPv6Range to false (by default it is true and the difference cannot be observed).
This change in the connectivity maps is observed due to the inclusion of all IPs block in peers to compare, as follows:

ref_ip_blocks = IpBlock.disjoint_ip_blocks(self.config.get_referenced_ip_blocks(exclude_ipv6),
                                                                   IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6)

However, in the equivalence query, peers to compare are calculated as follows (in the function disjoint_referenced_ip_blocks)

IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6),
                                          self.config2.get_referenced_ip_blocks(exclude_ipv6), exclude_ipv6)

Thus, the EquivalenceQuery returns that istio6 and istio7 configs are equivalent, even when the excludeIPv6Range is false.

This inconsistency between ConnectivityMapQuery and EquivalenceQuery is misleading and should be resolved in either way.
@zivnevo zivnevo added bug Something isn't working istio labels Aug 14, 2024
@zivnevo
Copy link
Member Author

zivnevo commented Aug 14, 2024

A comment from @tanyaveksler :
On a second thought, the problem is not in disjoint_referenced_ip_blocks calculation, but rather in the expected result of the equivalence query, and the fact that excludeIPv6Range flag masks the difference.

@zivnevo zivnevo mentioned this issue Aug 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working istio
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zivnevo