Add knobs to disable adding encap drop rules from workloads (#2484) (#…

…2487)
projectcalico · Sep 3, 2020 · 90fa8f4 · 90fa8f4
1 parent 76da00b
commit 90fa8f4
Show file tree

Hide file tree

Showing 8 changed files with 211 additions and 21 deletions.
diff --git a/config/config_params.go b/config/config_params.go
@@ -211,6 +211,11 @@ type Config struct {
 	IpInIpMtu        int    `config:"int;1440;non-zero"`
 	IpInIpTunnelAddr net.IP `config:"ipv4;"`
 
+	// Knobs provided to explicitly control whether we add rules to drop encap traffic
+	// from workloads. We always add them unless explicitly requested not to add them.
+	AllowVXLANPacketsFromWorkloads bool `config:"bool;false"`
+	AllowIPIPPacketsFromWorkloads  bool `config:"bool;false"`
+
 	ReportingIntervalSecs time.Duration `config:"seconds;30"`
 	ReportingTTLSecs      time.Duration `config:"seconds;90"`
 

diff --git a/dataplane/driver.go b/dataplane/driver.go
@@ -190,6 +190,9 @@ func StartDataplaneDriver(configParams *config.Config,
 				IPIPTunnelAddress:  configParams.IpInIpTunnelAddr,
 				VXLANTunnelAddress: configParams.IPv4VXLANTunnelAddr,
 
+				AllowVXLANPacketsFromWorkloads: configParams.AllowVXLANPacketsFromWorkloads,
+				AllowIPIPPacketsFromWorkloads:  configParams.AllowIPIPPacketsFromWorkloads,
+
 				WireguardEnabled:       configParams.WireguardEnabled,
 				WireguardInterfaceName: configParams.WireguardInterfaceName,
 

diff --git a/dataplane/linux/endpoint_mgr_test.go b/dataplane/linux/endpoint_mgr_test.go
@@ -167,12 +167,12 @@ func chainsForIfaces(ifaceMetadata []string,
 			Match: iptables.Match().ProtocolNum(ProtoUDP).
 				DestPorts(uint16(VXLANPort)),
 			Action:  iptables.DropAction{},
-			Comment: []string{"Drop VXLAN encapped packets originating in pods"},
+			Comment: []string{"Drop VXLAN encapped packets originating in workloads"},
 		},
 		{
 			Match:   iptables.Match().ProtocolNum(ProtoIPIP),
 			Action:  iptables.DropAction{},
-			Comment: []string{"Drop IPinIP encapped packets originating in pods"},
+			Comment: []string{"Drop IPinIP encapped packets originating in workloads"},
 		},
 	}
 

diff --git a/go.mod b/go.mod
@@ -22,9 +22,9 @@ require (
 	github.com/onsi/ginkgo v1.10.1
 	github.com/onsi/gomega v1.7.0
 	github.com/pkg/errors v0.8.1
-	github.com/projectcalico/libcalico-go v1.7.2-0.20200616235705-7bb88b19faec
+	github.com/projectcalico/libcalico-go v1.7.2-0.20200902230107-7172b374bef1
 	github.com/projectcalico/pod2daemon v0.0.0-20191223184832-a0e1c4693271
-	github.com/projectcalico/typha v0.7.3-0.20200730222001-0fe961723108
+	github.com/projectcalico/typha v0.7.3-0.20200902235727-0d154c5ee130
 	github.com/prometheus/client_golang v1.0.0
 	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.4.2

diff --git a/go.sum b/go.sum
@@ -501,6 +501,8 @@ github.com/projectcalico/libcalico-go v1.7.2-0.20200611205049-0bcaac1699e3 h1:Yx
 github.com/projectcalico/libcalico-go v1.7.2-0.20200611205049-0bcaac1699e3/go.mod h1:1RxboTOZJzpDYDvE03hMlf13b7gR0DPNcO7J/9uv6iY=
 github.com/projectcalico/libcalico-go v1.7.2-0.20200616235705-7bb88b19faec h1:QXbMXuyZwe0TtmMjW6o5kgJw0yAveAm2L/YVYOw3ogU=
 github.com/projectcalico/libcalico-go v1.7.2-0.20200616235705-7bb88b19faec/go.mod h1:1RxboTOZJzpDYDvE03hMlf13b7gR0DPNcO7J/9uv6iY=
+github.com/projectcalico/libcalico-go v1.7.2-0.20200902230107-7172b374bef1 h1:I5F+XJcXzx8xRe4wwsIjk3yEI5sDWPPaXd0TCT8lfS8=
+github.com/projectcalico/libcalico-go v1.7.2-0.20200902230107-7172b374bef1/go.mod h1:1RxboTOZJzpDYDvE03hMlf13b7gR0DPNcO7J/9uv6iY=
 github.com/projectcalico/logrus v0.0.0-20180701205716-fc9bbf2f5799 h1:9jp4YoHqZvEKDW3Z9464x/whSRCWEinIo4/JifaKR+g=
 github.com/projectcalico/logrus v0.0.0-20180701205716-fc9bbf2f5799/go.mod h1:DfgrchabbtEO9wjOz5lVae+XRvjFKKWEA9GTMme6A8g=
 github.com/projectcalico/pod2daemon v0.0.0-20191223184832-a0e1c4693271 h1:AOFOckD83tAIMQob6I1FpzSVs+Rn5Td701Q3/aQFqe8=
@@ -513,6 +515,8 @@ github.com/projectcalico/typha v0.7.3-0.20200617153257-58b723e3b38f h1:m0laQlD4x
 github.com/projectcalico/typha v0.7.3-0.20200617153257-58b723e3b38f/go.mod h1:mPqSi+Y1IQW3+q84IbnbqpmWP3QhVDN0wIR/uw2UUyM=
 github.com/projectcalico/typha v0.7.3-0.20200730222001-0fe961723108 h1:hanOykreiVjePUK79JC/+ulH2mPOstdflD6RfrLtFrI=
 github.com/projectcalico/typha v0.7.3-0.20200730222001-0fe961723108/go.mod h1:mPqSi+Y1IQW3+q84IbnbqpmWP3QhVDN0wIR/uw2UUyM=
+github.com/projectcalico/typha v0.7.3-0.20200902235727-0d154c5ee130 h1:eKb57kCQaX0iTuX4f2PG71bILwZ3oOT8awr1NXVHJEM=
+github.com/projectcalico/typha v0.7.3-0.20200902235727-0d154c5ee130/go.mod h1:4AiYfIf+xsFSJwsbTEbGo3T7/Cd9/15sJdh7BxfWfu8=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=

diff --git a/rules/endpoints.go b/rules/endpoints.go
@@ -23,8 +23,8 @@ import (
 )
 
 const (
-	dropEncap     = true
-	dontDropEncap = false
+	alwaysAllowVXLANEncap = true
+	alwaysAllowIPIPEncap  = true
 )
 
 func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
@@ -35,6 +35,8 @@ func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
 	egressPolicies []string,
 	profileIDs []string,
 ) []*Chain {
+	allowVXLANEncapFromWorkloads := r.Config.AllowVXLANPacketsFromWorkloads
+	allowIPIPEncapFromWorkloads := r.Config.AllowIPIPPacketsFromWorkloads
 	result := []*Chain{}
 	result = append(result,
 		// Chain for traffic _to_ the endpoint.
@@ -49,9 +51,12 @@ func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
 			chainTypeNormal,
 			adminUp,
 			r.filterAllowAction, // Workload endpoint chains are only used in the filter table
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 		// Chain for traffic _from_ the endpoint.
+		// Encap traffic is blocked by default from workload endpoints
+		// unless explicitly overridden.
 		r.endpointIptablesChain(
 			egressPolicies,
 			profileIDs,
@@ -63,7 +68,8 @@ func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
 			chainTypeNormal,
 			adminUp,
 			r.filterAllowAction, // Workload endpoint chains are only used in the filter table
-			dropEncap,
+			allowVXLANEncapFromWorkloads,
+			allowIPIPEncapFromWorkloads,
 		),
 	)
 
@@ -105,7 +111,8 @@ func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
 			chainTypeNormal,
 			true, // Host endpoints are always admin up.
 			r.filterAllowAction,
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 		// Chain for input traffic _from_ the endpoint.
 		r.endpointIptablesChain(
@@ -119,7 +126,8 @@ func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
 			chainTypeNormal,
 			true, // Host endpoints are always admin up.
 			r.filterAllowAction,
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 		// Chain for forward traffic _to_ the endpoint.
 		r.endpointIptablesChain(
@@ -133,7 +141,8 @@ func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
 			chainTypeForward,
 			true, // Host endpoints are always admin up.
 			r.filterAllowAction,
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 		// Chain for forward traffic _from_ the endpoint.
 		r.endpointIptablesChain(
@@ -147,7 +156,8 @@ func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
 			chainTypeForward,
 			true, // Host endpoints are always admin up.
 			r.filterAllowAction,
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 	)
 
@@ -184,7 +194,8 @@ func (r *DefaultRuleRenderer) HostEndpointToRawChains(
 			chainTypeUntracked,
 			true, // Host endpoints are always admin up.
 			AcceptAction{},
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 		// Chain for traffic _from_ the endpoint.
 		r.endpointIptablesChain(
@@ -198,7 +209,8 @@ func (r *DefaultRuleRenderer) HostEndpointToRawChains(
 			chainTypeUntracked,
 			true, // Host endpoints are always admin up.
 			AcceptAction{},
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 	}
 }
@@ -222,7 +234,8 @@ func (r *DefaultRuleRenderer) HostEndpointToMangleChains(
 			chainTypePreDNAT,
 			true, // Host endpoints are always admin up.
 			r.mangleAllowAction,
-			dontDropEncap,
+			alwaysAllowVXLANEncap,
+			alwaysAllowIPIPEncap,
 		),
 	}
 }
@@ -269,7 +282,8 @@ func (r *DefaultRuleRenderer) endpointIptablesChain(
 	chainType endpointChainType,
 	adminUp bool,
 	allowAction Action,
-	dropEncap bool,
+	allowVXLANEncap bool,
+	allowIPIPEncap bool,
 ) *Chain {
 	rules := []Rule{}
 	chainName := EndpointChainName(endpointPrefix, name)
@@ -308,17 +322,19 @@ func (r *DefaultRuleRenderer) endpointIptablesChain(
 		},
 	})
 
-	if dropEncap {
+	if !allowVXLANEncap {
 		rules = append(rules, Rule{
 			Match: Match().ProtocolNum(ProtoUDP).
 				DestPorts(uint16(r.Config.VXLANPort)),
 			Action:  DropAction{},
-			Comment: []string{"Drop VXLAN encapped packets originating in pods"},
+			Comment: []string{"Drop VXLAN encapped packets originating in workloads"},
 		})
+	}
+	if !allowIPIPEncap {
 		rules = append(rules, Rule{
 			Match:   Match().ProtocolNum(ProtoIPIP),
 			Action:  DropAction{},
-			Comment: []string{"Drop IPinIP encapped packets originating in pods"},
+			Comment: []string{"Drop IPinIP encapped packets originating in workloads"},
 		})
 	}
 

diff --git a/rules/endpoints_test.go b/rules/endpoints_test.go
@@ -78,12 +78,12 @@ var _ = Describe("Endpoints", func() {
 			Match: Match().ProtocolNum(ProtoUDP).
 				DestPorts(uint16(VXLANPort)),
 			Action:  DropAction{},
-			Comment: []string{"Drop VXLAN encapped packets originating in pods"},
+			Comment: []string{"Drop VXLAN encapped packets originating in workloads"},
 		}
 		dropIPIPRule := Rule{
 			Match:   Match().ProtocolNum(ProtoIPIP),
 			Action:  DropAction{},
-			Comment: []string{"Drop IPinIP encapped packets originating in pods"},
+			Comment: []string{"Drop IPinIP encapped packets originating in workloads"},
 		}
 
 		Context("with normal config", func() {
@@ -600,6 +600,165 @@ var _ = Describe("Endpoints", func() {
 				}))
 			})
 		})
+		Describe("Disabling adding drop encap rules", func() {
+			Context("VXLAN allowed, IPIP dropped", func() {
+				It("should render a minimal workload endpoint without VXLAN drop encap rule and with IPIP drop encap rule", func() {
+					rrConfigNormalMangleReturn.AllowVXLANPacketsFromWorkloads = true
+					renderer = NewRenderer(rrConfigNormalMangleReturn)
+					epMarkMapper = NewEndpointMarkMapper(rrConfigNormalMangleReturn.IptablesMarkEndpoint,
+						rrConfigNormalMangleReturn.IptablesMarkNonCaliEndpoint)
+					Expect(renderer.WorkloadEndpointToIptablesChains(
+						"cali1234", epMarkMapper,
+						true,
+						nil,
+						nil,
+						nil,
+					)).To(Equal(trimSMChain(kubeIPVSEnabled, []*Chain{
+						{
+							Name: "cali-tw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-fw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								dropIPIPRule,
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-sm-cali1234",
+							Rules: []Rule{
+								{Action: SetMaskedMarkAction{Mark: 0xd400, Mask: 0xff00}},
+							},
+						},
+					})))
+				})
+			})
+			Context("VXLAN dropped, IPIP allowed", func() {
+				It("should render a minimal workload endpoint with VXLAN drop encap rule and without IPIP drop encap rule", func() {
+					rrConfigNormalMangleReturn.AllowIPIPPacketsFromWorkloads = true
+					renderer = NewRenderer(rrConfigNormalMangleReturn)
+					epMarkMapper = NewEndpointMarkMapper(rrConfigNormalMangleReturn.IptablesMarkEndpoint,
+						rrConfigNormalMangleReturn.IptablesMarkNonCaliEndpoint)
+					Expect(renderer.WorkloadEndpointToIptablesChains(
+						"cali1234", epMarkMapper,
+						true,
+						nil,
+						nil,
+						nil,
+					)).To(Equal(trimSMChain(kubeIPVSEnabled, []*Chain{
+						{
+							Name: "cali-tw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-fw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								dropVXLANRule,
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-sm-cali1234",
+							Rules: []Rule{
+								{Action: SetMaskedMarkAction{Mark: 0xd400, Mask: 0xff00}},
+							},
+						},
+					})))
+				})
+			})
+			Context("VXLAN and IPIP allowed", func() {
+				It("should render a minimal workload endpoint without both VXLAN and IPIP drop encap rule", func() {
+					rrConfigNormalMangleReturn.AllowVXLANPacketsFromWorkloads = true
+					rrConfigNormalMangleReturn.AllowIPIPPacketsFromWorkloads = true
+					renderer = NewRenderer(rrConfigNormalMangleReturn)
+					epMarkMapper = NewEndpointMarkMapper(rrConfigNormalMangleReturn.IptablesMarkEndpoint,
+						rrConfigNormalMangleReturn.IptablesMarkNonCaliEndpoint)
+					Expect(renderer.WorkloadEndpointToIptablesChains(
+						"cali1234", epMarkMapper,
+						true,
+						nil,
+						nil,
+						nil,
+					)).To(Equal(trimSMChain(kubeIPVSEnabled, []*Chain{
+						{
+							Name: "cali-tw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-fw-cali1234",
+							Rules: []Rule{
+								// conntrack rules.
+								{Match: Match().ConntrackState("RELATED,ESTABLISHED"),
+									Action: AcceptAction{}},
+								{Match: Match().ConntrackState("INVALID"),
+									Action: DropAction{}},
+
+								{Action: ClearMarkAction{Mark: 0x8}},
+								{Action: DropAction{},
+									Comment: []string{"Drop if no profiles matched"}},
+							},
+						},
+						{
+							Name: "cali-sm-cali1234",
+							Rules: []Rule{
+								{Action: SetMaskedMarkAction{Mark: 0xd400, Mask: 0xff00}},
+							},
+						},
+					})))
+				})
+			})
+			AfterEach(func() {
+				rrConfigNormalMangleReturn.AllowIPIPPacketsFromWorkloads = false
+				rrConfigNormalMangleReturn.AllowVXLANPacketsFromWorkloads = false
+			})
+		})
 	}
 })