Cilium: Network policy which allows endpoint to ping local node does not work

Created on 4 Sep 2020 · 3 Comments · Source: cilium/cilium

General Information

  • Cilium version (1.8.2 67089eaef 2020-08-28T18:36:23+08:00 go version go1.14.6 linux/amd64)
  • Kernel version (4.19.117 x86_64 GNU/Linux)
  • Orchestration system version in use (Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6")
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Generate and upload a system zip:
    cilium-sysdump-latest.zip
    cilium-sysdump-20200904-173839.zip

How to reproduce the issue

  1. create pod A on node 1, config policy enforce mode = default
  2. label pod A with policy=whitelist
  3. create a policy as:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "alow-44"
spec:
  endpointSelector:
    matchLabels:
      k8s:policy: whitelist
  egress:
  - toCIDR:
    - node1 ip
```

  4. ping node 1 from pod A. Pod A could not ping node 1.

Labels: kind/question

All 3 comments

This behavior is expected. To match the host, you need to use the host entity with toEntity: https://docs.cilium.io/en/latest/policy/language/#entities-based.

This limitation is documented in the CIDR-based policy section: https://docs.cilium.io/en/latest/policy/language/#ip-cidr-based:

Conversely, CIDR rules do not apply to traffic where both sides of the connection are either managed by Cilium or use an IP belonging to a node in the cluster (including host networking pods). This traffic may be allowed using labels, services or entities -based policies as described above.

@lrouter does that fix your issue?
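The pitfall in this thread (an egress toCIDR entry that covers a cluster node's IP never matches, so only a toEntities host rule lets the pod reach the node) can be caught before a policy is applied. The following is an added linter example, not code from the issue or from the Cilium project; the node IPs, the 10.0.0.1/32 stand-in for "node1 ip" and the function names are assumptions made for the example.

```python
"""Check CiliumNetworkPolicy egress rules for the CIDR-vs-node pitfall.

CIDR rules do not apply to traffic whose destination is a cluster node, so a
toCIDR/toCIDRSet entry covering a node IP does nothing for that traffic; the
policy must allow the "host" entity instead.
"""
import copy
import ipaddress

# Constructed sample: the reporter's policy, with 10.0.0.1/32 assumed for "node1 ip".
POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "alow-44"},
    "spec": {
        "endpointSelector": {"matchLabels": {"k8s:policy": "whitelist"}},
        "egress": [{"toCIDR": ["10.0.0.1/32"]}],
    },
}
NODE_IPS = ["10.0.0.1", "10.0.0.2"]  # constructed cluster node addresses


def _cidrs(rule):
    """Yield every CIDR named in a rule's toCIDR and toCIDRSet lists."""
    yield from rule.get("toCIDR", [])
    for entry in rule.get("toCIDRSet", []):
        yield entry["cidr"]


def node_cidrs(policy, node_ips):
    """Return (cidr, node_ip) pairs for egress CIDR entries that cover a node IP."""
    hits = []
    for rule in policy["spec"].get("egress", []):
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            hits.extend((cidr, ip) for ip in node_ips if ipaddress.ip_address(ip) in net)
    return hits


def allows_host(policy):
    """True if any egress rule already allows the host entity."""
    return any("host" in r.get("toEntities", []) for r in policy["spec"].get("egress", []))


def needs_host_entity(policy, node_ips):
    """True when the policy targets a node by CIDR but never allows the host entity."""
    return bool(node_cidrs(policy, node_ips)) and not allows_host(policy)


def with_host_entity(policy):
    """Return a copy with a separate egress rule allowing the host entity appended."""
    fixed = copy.deepcopy(policy)
    if not allows_host(fixed):
        fixed["spec"].setdefault("egress", []).append({"toEntities": ["host"]})
    return fixed
```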

@aanm @pchaigno yes. thanks.
