Skip to content

pkg/kubelet: add KUBE-FIREWALL-IN chain, move localnet rule to it #91666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

pkg/kubelet: add KUBE-FIREWALL-IN chain, move localnet rule to it #91666

wants to merge 1 commit into from

Conversation

@squeed
Copy link
Contributor

@squeed squeed commented Jun 2, 2020
edited
Loading

@champtar observed that the rule added in #91569 still allowed packets through unidirectionally, meaning UDP with a spoofed source wouldn't be caught. So we need to filter on source interface.

However, KUBE-FIREWALL is run on both OUTPUT and INPUT, so it can't reference interfaces. This PR, thus,

  • creates a chain KUBE-FIREWALL-IN
  • Add it to INPUT, pass through to KUBE-FIREWALL
  • Move the localnet protection rule to KUBE-FIREWALL-IN, and adjust it
    to reference source if, not source address.

Signed-off-by: Casey Callendrello cdc@redhat.com

What type of PR is this?
/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #90259

Special notes for your reviewer:
You can test this pretty simply using cnitool if you don't want to spin up a whole kind cluster.

Does this PR introduce a user-facing change?:

NONE

/sig network

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. sig/network Categorizes an issue or PR as relevant to SIG Network. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 2, 2020
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. labels Jun 2, 2020
@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020

/cc @derekwaynecarr @matthyx

@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020
edited
Loading

/hold
@champtar we can't do this - KUBE-FIREWALL is called in both INPUT and OUTPUT, and you can't do -i foo in an OUTPUT rule.

Arguably, iptables should never have allowed this rule to apply, but it does apply and block all traffic between localhost.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 2, 2020
@champtar
Copy link
Contributor

champtar commented Jun 2, 2020

@squeed good catch, I only tested that 127.0.0.1:NodePort was working, nothing more ...
In that case you need a KUBE-FIREWALL-IN and KUBE-FIREWALL-OUT that chain to KUBE-FIREWALL

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 2, 2020
@squeed squeed changed the title pkg/kubelet: adjust localnet firewall rule pkg/kubelet: add KUBE-FIREWALL-IN chain, move localnet rule to it Jun 2, 2020
@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020

Created KUBE-FIREWALL-IN, but not KUBE-FIREWALL-OUT, since we don't need it (yet). If this should exist for symmetry, I'm happy to add it.

@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 2, 2020
@squeed
Copy link
Contributor Author

squeed commented Jun 2, 2020

/cc @danwinship

@k8s-ci-robot k8s-ci-robot requested a review from danwinship June 2, 2020 13:18
@joelsmith
Copy link
Contributor

joelsmith commented Jun 2, 2020

/retest

@danwinship
Copy link
Contributor

danwinship commented Jun 2, 2020

well, this is ugly.
we put this into the KUBE-FIREWALL chain before because it seemed to logically make sense, but given that that won't work, would it be better to just create a new chain (KUBE-SECURITY?) only for input, rather than doing the nested thing?

@ehashman
Copy link
Member

ehashman commented Apr 21, 2021

/assign @danwinship

@ehashman
Copy link
Member

ehashman commented May 26, 2021

also
/cc @aojea

would love to get this one closed out @kubernetes/sig-network-bugs

@k8s-ci-robot k8s-ci-robot requested a review from aojea May 26, 2021 22:16
@aojea
Copy link
Member

aojea commented May 26, 2021

/cc

@aojea
Copy link
Member

aojea commented May 27, 2021
edited
Loading

I'm puzzled with this issue, the description of the original issue refers that traffic external to the node can send packets to the localhost of another node, and since it has route_localnet enabled, the external node should be able to reach the localhost of the other node

A host on the local segment can actually route 127.0.0.1 to a k8s-node and access ports that really should be local.

However, we are only filtering here traffic from/to the same node to localhost, what part I'm missing 😅 ?

@aojea aojea mentioned this pull request Jul 19, 2021
Merged
@k8s-triage-robot
Copy link

k8s-triage-robot commented Aug 25, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Sep 24, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 24, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Oct 24, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 24, 2021

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@champtar
Copy link
Contributor

champtar commented Oct 24, 2021

Except if this was fixed in another PR, packet with src 192.168.1.2 and dst 127.0.0.1 can go through, can someone reopen this PR ?

@SergeyKanzhelev
Copy link
Member

SergeyKanzhelev commented Oct 25, 2021

@champtar you can reopen using this command:

/reopen

@aojea is @champtar's comment makes it clearer? I'm lost in those rules so please take a look.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 25, 2021

@SergeyKanzhelev: Reopened this PR.

In response to this:

@champtar you can reopen using this command:

/reopen

@aojea is @champtar's comment makes it clearer? I'm lost in those rules so please take a look.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Oct 25, 2021
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 25, 2021
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 25, 2021

@squeed: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@SergeyKanzhelev
Copy link
Member

SergeyKanzhelev commented Oct 25, 2021

/remove-sig node

@k8s-ci-robot k8s-ci-robot removed the sig/node Categorizes an issue or PR as relevant to SIG Node. label Oct 25, 2021
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 25, 2021

@squeed: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-verify 07b7cde link true /test pull-kubernetes-verify
pull-kubernetes-e2e-gce-ubuntu-containerd 07b7cde link true /test pull-kubernetes-e2e-gce-ubuntu-containerd

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 18, 2021

@squeed: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 18, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Dec 18, 2021

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 18, 2021

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@a1994sc a1994sc mentioned this pull request Apr 18, 2025
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattjmcnaughton mattjmcnaughton Awaiting requested review from mattjmcnaughton

@sjenning sjenning Awaiting requested review from sjenning

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@danwinship danwinship Awaiting requested review from danwinship

@aojea aojea Awaiting requested review from aojea

1 more reviewer

@champtar champtar champtar left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@danwinship danwinship

Labels

area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note-none Denotes a PR that doesn't merit a release note. sig/network Categorizes an issue or PR as relevant to SIG Network. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

net.ipv4.conf.all.route_localnet=1 opens security issue