Skip to content
This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

weave allows through all traffic to a virtual service IP when NetworkPolicy is set to deny all ingress #3209

Closed
mariusv opened this issue Jan 2, 2018 · 1 comment
Closed

weave allows through all traffic to a virtual service IP when NetworkPolicy is set to deny all ingress #3209

mariusv opened this issue Jan 2, 2018 · 1 comment
Milestone
2.2

Comments

@mariusv
Copy link

mariusv commented Jan 2, 2018
edited
Loading

What you expected to happen?

Block all the traffic if the network policy is set to do so

What happened?

Allows through all traffic to a virtual service IP

How to reproduce it?

Create a new namespace and NetworkPolicy to deny all ingress:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Deploy two nginx pods and create a service for it: NodePort, LoadBalancer, ClusterIP. If you run curl on that service IP you would still be able to hit the nodes even if the NetworkPolicy is set to deny all ingress. If you hit the pods from a different pod in the same namespace or different namespace it behaves as it should and the traffic is blocked as expected.

Anything else we need to know?

This specific situation was tested on AWS using Kops.

Versions:

$ weave version
weave 2.1.3

$ docker version

Client:
 Version:      1.13.1
 API version:  1.26
 Go version:   go1.7.5
 Git commit:   092cba3
 Built:        Wed Feb  8 06:36:34 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.1
 API version:  1.26 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   092cba3
 Built:        Wed Feb  8 06:36:34 2017
 OS/Arch:      linux/amd64
 Experimental: false

$ uname -a
Linux ip-10-88-32-23 4.4.102-k8s #1 SMP Sun Nov 26 23:32:43 UTC 2017 x86_64 GNU/Linux

$ kubectl version
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.5", GitCommit:"cce11c6a185279d037023e02ac5249e14daa22bf", GitTreeState:"clean", BuildDate:"2017-12-07T16:05:18Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

This seems to be happening because of kubernetes/kubernetes#56524
This rule [24:1440] -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT which is above the WEAVE-NET rules might cause the issue
@bboreham bboreham mentioned this issue Jan 2, 2018
Merged
@bboreham
Copy link
Contributor

bboreham commented Jan 3, 2018

From trying to recreate the problem at #3210, I believe it is necessary to set --cluster-cidr on kube-proxy to make it go wrong. This may explain why few people have noticed the problem.

Weave-NPC should still work when you set that parameter - kube-proxy complains if you don't set it - but kube-proxy only actually needs it for a very small niche case when using Weave Net.

@brb brb closed this as completed in #3210 Jan 14, 2018
brb added a commit that referenced this issue Jan 14, 2018
@brb
Merge pull request #3210 from /issues/3209-npc-rules-first
b3f9baa 
Move weave-npc checks to top of FORWARD chain

Fixes #3209
@brb brb added this to the 2.2 milestone Jan 14, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.2
Development

No branches or pull requests
3 participants
@brb @mariusv @bboreham