-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Response traffic from allowed egress denied on short lived pods #189
Comments
+1 |
@luk2038649 Based on the issue description, it is expected behavior in a way. Right now, all traffic will be allowed to/from a Pod until the newly launched pods are reconciled against configured network policies on the cluster. It can take up to few seconds for the reconciliation to complete and policies are enforced against a new pod. We track reverse flows (response traffic) via our own internal conntrack. In the above example, when we initiate a connection to AWS Aurora, the traffic should be allowed (as egress is configured to be allow-all) and once the probe allows the traffic it creates a conntrack entry which the ingress probe will then rely on to allow the return traffic. However, I think the egress connection in this case happens right after pod startup and before the policies are enforced (i.e.,) before the relevant eBPF probes are attached and so the required conntrack entry is not created. But the probes are attached with relevant rules before the return traffic arrives at the pod - so we will not have a match in the conntrack entry and the ingress rules in the configured policy do not allow traffic from this endpoint resulting in a drop. Explains why introducing a few seconds delay resolved the issue (explicitly adding the rules under ingress section will also work in the above race condition). To get around this we might need a few seconds delay at pod startup before it initiates a connection (or) a retry for a failed connection should help as well. We plan to introduce a Strict mode option in the near future which will gate pod launch until either relevant policies are configured against a new pod replica (or) block all ingress/egress connections until the policies are reconciled against a new pod. |
@achevuru Thanks for the quick response! Is there any approximate timeline for the general release of the "strict mode" option? Is there an issue or PR we can track?
This is what we have done for known hosts like databases, but we have a lot of applications and opening up traffic for all possible responses is not ideal |
Hi all!
@achevuru I think this is the opposite. All Traffic is denied from a newly created pod until the newly launched pods are reconciled against configured network policies on the cluster What I was describing is in fact:
|
@luk2038649 We're targeting it for early Q2/late Q1 release time frame. Will update once we're closer to the release. |
Can it be possible to delay the readiness of the pod until all the netpol have been correctly applied ? Something like the podreadinessgate used with load balancer integration ? |
@achevuru The Strict mode option has not solved the issue as it seems that what the issue is describing is especially the
This statement is not true therefore |
@ariary Can you expand on what was not solved with Strict mode? What exactly did you try with Strict mode? Regarding Standard mode, the above statement is true (i.e.,) the pods will not have any firewall rules enforced until the new pod is reconciled against active policies and so all traffic is allowed. However, once the firewall rules take effect, it will block any return traffic that isn't tracked by the probes. Please refer here. Strict mode should address this. |
@achevuru My issue is more related to other issues, you can ignore my comment |
@luk2038649 Did the issue resolve for you with the strict mode ? |
Why would strict mode help? It simply blocks all outbound traffic from the pod until the policy reconciles (thus dropping 100% of the outbound traffic), instead of randomly dropping connections. |
We are actively working on a fix for this issue. Fix for this issue can be tracked here #345. Closing this issue. Please follow above issue for the fix |
What happened:
Recently switched from using calico tigera operator for networkpolicies, to enabling networkpolicy handling by
aws-vpc-cni
.We are finding intermittent errors with connections hanging for applications which are short lived, and reach out to external services like databases immediately. Noted primarily in
cronjobs
andairflow
pods.We experienced this same issue reaching out to external google services, and also AWS Aurora instances in a paired VPC.
Our networkpolicy is setup with an explicit Egress allow all. And a more restrictive ingress policy.
Picture of policy:
Its my understanding that we should be allowed to receive response traffic from anywhere based on the documentation here
Example Pod Logs:
Requests that are normally completed quickly hang and never finish.
Note that if you exec into this pod and run the same command some minutes startup, it will complete. It only fails to complete right after startup.
Attach logs
VPC-CNI logs.
Instance of return traffic from a google service being denied
instance of return traffic from an aurora instance in a peered VPC being denied.
What you expected to happen:
Response traffic should not be denied if egress was allowed.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
We did not experience this same situation when using calico tigera operator to handle the same networkpolicy.
to be clear, calico has been completely removed and all nodes have been restarted.
Seems to be possibly the same as #83
We have found workarounds by doing two main things.
Environment:
kubectl version
): Server Version: version.Info{Major:"1", Minor:"26+", GitVersion:"v1.26.12-eks-5e0fdde", GitCommit:"95c835ee1111774fe5e8b327187034d8136720a0", GitTreeState:"clean", BuildDate:"2024-01-02T20:34:50Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}cat /etc/os-release
): NAME="Amazon Linux"VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
uname -a
): Linux ip-x-x-x-x.ec2.internal 5.10.201-191.748.amzn2.x86_64 Network Policy Agent - Initial commit #1 SMP Mon Nov 27 18:28:14 UTC 2023 x86_64 x86_64 x86_64 GNU/LinuxThe text was updated successfully, but these errors were encountered: