-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flannel v0.9.1 adds FORWARD rules breaking networkpolicy behaviour #115
Comments
@KashifSaadat just to be clear, this is the correct and expected behavior for Felix when set to use "append" for its rules. By using "append", you're opening up a hole where another application might bypass policy. That said, it's a bit sad that flannel doesn't play nicely here. There may be room for a change to flannel in order to disable the iptables rules that it installs, but I'll defer to @tomdee or @gunjan5 for that.
Wondering, is there a reason you need to hand-write global rules rather than using Calico policy to enforce that behavior? |
Hey @caseydavenport, thanks for the update. I'm afraid I don't have much experience with using Calico policies, at the time I implemented the custom iptables ruleset there wasn't support for defining these policies when using the K8s datastore (this was back on v2.4.1). Would you be able to point me at the docs for creating them? |
@KashifSaadat Ah, yes. I forgot that canal was using the k8s api datastore. Support for Calico policies isn't available yet, but will be in Calico v3.0.0, to be released at the end of the year. |
I have the same issue with k8s v1.10.2 and Calico v3.1. |
Looks like this is just waiting on a flannel release. Once that's done, we can update the manifests to use a new version of flannel and set the Also note that Canal now fully supports Calico global network policies, so the need for writing global reject iptables rules by hand is gone! |
We've updated to v0.11 so I think this should be good to go if someone wants to try making the changes? |
Sorry I forgot to update! I have tested and can confirm that using flannel v0.11.0 with the new environment variable / flag set for the deployment (introduced in that release) fixes this issue. I'll close the issue, thanks! |
Expected Behavior
FELIX_CHAININSERTMODE
toappend
in the canal manifest fileiptables -nv -L FORWARD
Current Behavior
Flannel v0.9.1 includes a change to add 2 rules to the FORWARD chain (flannel-io/flannel#872). When Calico is configured with
append
mode, the Calico rule is added to the bottom of the chain, resulting in the following rule order:Because of this, the calico rule is never hit and all traffic in/out is accepted by default. This means that k8s ingress/egress network policies will have no effect.
You won't encounter this issue if the chain insert mode isn't set to append (it is
insert
by default). Flannel will still add 2 rules to the forward chain, but they will never be hit because the calico rule is processed first.Possible Solution
I'm not sure whether this is a flannel bug (when using as part of a canal deployment) or something that can be fixed by changes to the manifest file.
One suggestion would be to provide a flag to flannel such as
"AddIPTablesForwardRules": false
and then specify this in the Canal manifest.Context
I'm performing these deployments using kops v1.8.0, and the relevant manifest file is located here: https://github.com/kubernetes/kops/blob/1.8.0/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template
I set
FELIX_CHAININSERTMODE
toappend
so that I can insert rules at the top of theINPUT
andFORWARD
chains to process specific globalREJECT
rules before the network policies take effect.A quick fix for kops would be to downgrade flannel to v0.9.0 JUST in the Canal manifest files (3 of them), but of course this isn't ideal.
Your Environment
CC @chrislovecnm @justinsb
Ping @tomdee @caseydavenport
The text was updated successfully, but these errors were encountered: