From 2e682f0ed8aad9dca7fec6365f5ee0866190bfb9 Mon Sep 17 00:00:00 2001
From: Antonio Ojea
Date: Tue, 23 Jul 2024 13:29:35 +0000
Subject: [PATCH 1/2] don't default ginkgo FOCUS and SKIP regex use LABEL_FILTER instead
---
 hack/ci/e2e.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hack/ci/e2e.sh b/hack/ci/e2e.sh
index 251c922..9089846 100755
--- a/hack/ci/e2e.sh
+++ b/hack/ci/e2e.sh
@@ -168,8 +168,9 @@ run_tests() {
 fi
 # ginkgo regexes
- SKIP="${SKIP:-"Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|GCE|Netpol|NetworkPolicy|256.search.list.characters|LoadBalancer.Service.without.NodePort|type.and.ports.of.a.TCP.service|loadbalancer.source.ranges"}"
- FOCUS="${FOCUS:-"\\[sig-network\\]"}"
+ SKIP="${SKIP:-}"
+ FOCUS="${FOCUS:-}"
+ LABEL_FILTER="${LABEL_FILTER:-"Feature: containsAny NetworkPolicy"}"
 # if we set PARALLEL=true, skip serial tests set --ginkgo-parallel
 if [ "${PARALLEL:-false}" = "true" ]; then
 export GINKGO_PARALLEL=y
From dff26fe5c9a3f541d0f5be9ead319dca03e94d7a Mon Sep 17 00:00:00 2001
From: Antonio Ojea
Date: Tue, 23 Jul 2024 13:20:11 +0000
Subject: [PATCH 2/2] don't block traffic generated by the root user on the node
Kubelet has to run as root, blocking the traffic directed to Pods by network policies can impact kubelet probes per example. Since root user can do anything on the node, network policies are not a security boundary for it, so don't apply them to the traffic generated by the root user.
---
 pkg/networkpolicy/controller.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
index 3d22ee4..2075629 100644
--- a/pkg/networkpolicy/controller.go
+++ b/pkg/networkpolicy/controller.go
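Review bot: `LABEL_FILTER` is only assigned in this hunk; the ginkgo invocation in run_tests is outside the hunk, and if it is not updated to pass `--ginkgo.label-filter="${LABEL_FILTER}"` the new default has no effect while `SKIP` has just been emptied, so Disruptive/Serial tests that the old regex excluded would start running in CI. Worth confirming the call site, and stating the new selection mechanism in the comment, e.g. `# ginkgo selection: SKIP/FOCUS are no longer defaulted; tests are selected by LABEL_FILTER (ginkgo label-filter syntax)`. The old `SKIP` default also excluded `Serial` independently of `PARALLEL`; with it gone, that exclusion now depends solely on the `PARALLEL` branch below, which may be intended but is not mentioned in the commit message. run_tests continues outside the hunk.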
@@ -695,6 +695,13 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 Rule: knftables.Concat(
 "icmpv6", "type", "{", "nd-neighbor-solicit, nd-neighbor-advert", "}", "accept"),
 })
+ // Don't process traffic generated from the root user in the Node, it can block kubelet probes
+ // or system daemons that depend on the internal node traffic to not be blocked.
+ // Ref: https://github.com/kubernetes-sigs/kube-network-policies/issues/65
+ tx.Add(&knftables.Rule{
+ Chain: chainName,
+ Rule: "meta skuid 0 accept",
+ })
 // instead of aggregating all the expresion in one rule, use two different
 // rules to understand if is causing issues with UDP packets with the same
 // tuple (https://github.com/kubernetes-sigs/kube-network-policies/issues/12)
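Review bot: `meta skuid 0 accept` exempts every packet whose originating socket in the host network namespace is owned by uid 0, not just kubelet — that includes hostNetwork pods running as root and any root-owned daemon — and the added comment only names kubelet probes, so the real scope of the bypass is undocumented. Because `meta skuid` matches only locally generated packets (forwarded pod traffic has no owning socket), the rule is a no-op for regular pod-to-pod traffic, but it presumably only takes effect if `chainName` is attached to a hook that sees output-path packets; I would spell this out, e.g. `// meta skuid matches locally generated packets only (forwarded pod traffic has no socket owner); this therefore also exempts hostNetwork pods and any host daemon running as uid 0, not only kubelet.` Since the accept is inserted ahead of the rules that follow in this hunk (which appear to be the ones that hand packets to the policy evaluator), exempted flows will likely never be seen or logged by it, which is worth stating for operators debugging a policy. syncNFTablesRules continues outside the hunk.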