Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Has anyone used cilium (especially cilium network policies) with gatekeeper? #3648

Open
lir1ka opened this issue Oct 15, 2024 · 1 comment
Open
Labels

Comments

@lir1ka
Copy link

lir1ka commented Oct 15, 2024

What happened?

I tried to secure my gatekepeer namespace. The gatekeeper manages and receives traffic only from the computer (kube is an api server). I am the one who needs an input/output network policy. the problem is that once the packets came from the master's IP address (10.1.0.11:443), once from the master's CIDR endpoint (198.18.0.1 or 198.18.0.2).

Oct 15 10:53:22.292: gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-mg266:57736 (ID:5303) <- 10.1.0.11:443 (kube-apiserver) to-endpoint FORWARDED (TCP Flags: ACK, PSH)
Oct 15 10:53:22.292: gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-mg266:57736 (ID:5303) -> 10.1.0.11:443 (kube-apiserver) to-stack FORWARDED (TCP Flags: ACK)
Oct 15 10:53:22.338: 198.18.0.1:61504 (remote-node) <> gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-mg266:8443 (ID:5303) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 15 10:53:22.338: 198.18.0.1:61504 (remote-node) <> gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-mg266:8443 (ID:5303) Policy denied DROPPED (TCP Flags: SYN)
Oct 15 10:53:22.338: 198.18.0.1:61644 (remote-node) <> gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-hxr4k:8443 (ID:5303) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)
Oct 15 10:53:22.338: 198.18.0.1:61644 (remote-node) <> gatekeeper-system/gatekeeper-controller-manager-8cfdfc7d4-hxr4k:8443 (ID:5303) Policy denied DROPPED (TCP Flags: SYN)

this network policy does not work, but --enable-node-selector-labels=true is set.

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "test"
  namespace: gatekeeper-system
spec:
  description: "gatekeeper_rules"
  endpointSelector:
    matchLabels:
      app: gatekeeper
      release: gatekeeper
  ingress:
    - fromEntities:
      - kube-apiserver
    - fromEndpoints:
        - matchLabels:
            app: gatekeeper
            release: gatekeeper
    - fromCIDRSet:
      - cidr: 198.18.0.0/24
  egress:
    - toEntities:
      - kube-apiserver
    - toEndpoints:
        - matchLabels:
            app: gatekeeper
            release: gatekeeper
    - toCIDRSet:
      - cidr: 198.18.0.0/24
   

please help me, i tried to solve this about 2 months

How can we reproduce the issue?

  1. install cilium
  2. install gatekeeper
  3. make cilium network policy

Cilium Version

cilium-cli: v0.16.15 compiled with go1.22.5 on linux/amd64
cilium image (default): v1.16.0
cilium image (stable): v1.16.2

Kernel Version

Linux vmfordeploy 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

v1.27.3

Copy link

stale bot commented Dec 20, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant