k8s ingress network policy does not work with L2 announcement #32113
Labels
feature/l2-announcement
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
sig/policy
Impacts whether traffic is allowed or denied based on user-defined policies.
Is there an existing issue for this?
What happened?
I have a syslog server running in a k8s cluster; the service is exposed using L2 announcement, and I want to control access to the service using a network policy.
Syslog is exposed using the following service:
We are using a default deny NP; one can then explicitly allow specific network traffic using additional network policies. It looks like this:
This policy is ignored. During troubleshooting using Hubble UI we noticed that the source IP is the IP of the announced k8s node's cilium_host interface (10.42.5.104); the external source IP of the syslog client is not visible in Hubble at all.
I also tried to add the cilium_host interface to the network policy explicitly (IP/subnet), but it was not working either. The only way it worked was to specify 0.0.0.0/0 in the network policy (whitelisting everything).
Hubble screenshot:
Is this the correct behavior? Is it possible to control network access using network policies (ingress traffic) when L2 announcement is enabled? What is the recommended way to control ingress traffic when L2 announcement is enabled?
The L2 announcement docs do not contain any related information (I did not find anything useful).
Thanks for any update / links to docs or anything related.
Cilium Version
v1.15.1
Kernel Version
Linux worker-e961021e-8n4mg 5.15.0-92-generic #102 SMP Wed Jan 10 09:33:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
v1.28.8
Regression
No response
Sysdump
No response
Relevant log output
Anything else?
No response
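To confirm the symptom this report describes (Hubble recording only the node's cilium_host address as the source of flows to the syslog port, so an ipBlock allow for the real clients can never match), here is an added diagnostic script; it is not part of the issue or of Cilium. It assumes the record shape of `hubble observe -o json` shown in the constructed sample, and 10.42.5.201 is an assumed syslog pod IP.

```python
import json
from collections import Counter

# Constructed sample records in the shape of `hubble observe -o json` (one JSON object
# per line; the schema is assumed, only the keys read below matter). 10.42.5.104 is the
# cilium_host address from the report; 10.42.5.201 is an assumed syslog pod IP.
SAMPLE_FLOWS = "\n".join(json.dumps(f) for f in [
    {"flow": {"IP": {"source": "10.42.5.104", "destination": "10.42.5.201"},
              "l4": {"UDP": {"source_port": 41000, "destination_port": 514}},
              "verdict": "DROPPED"}},
    {"flow": {"IP": {"source": "10.42.5.104", "destination": "10.42.5.201"},
              "l4": {"UDP": {"source_port": 41001, "destination_port": 514}},
              "verdict": "DROPPED"}},
    {"flow": {"IP": {"source": "10.42.5.7", "destination": "10.42.5.201"},
              "l4": {"TCP": {"source_port": 50000, "destination_port": 8080}},
              "verdict": "FORWARDED"}},
])

# cilium_host addresses of the cluster nodes (assumed set; fill from `cilium status` / node list)
NODE_IPS = {"10.42.5.104"}


def sources_by_dst_port(raw_json_lines: str, dst_port: int) -> Counter:
    """Count the source IPs Hubble recorded for flows to dst_port (TCP, UDP or SCTP)."""
    counts: Counter = Counter()
    for line in raw_json_lines.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line).get("flow", {})
        l4 = flow.get("l4", {})
        proto = next((p for p in ("TCP", "UDP", "SCTP") if p in l4), None)
        if proto is None or l4[proto].get("destination_port") != dst_port:
            continue
        counts[flow["IP"]["source"]] += 1
    return counts


def client_ips_hidden(counts: Counter, node_ips: set) -> bool:
    """True when every recorded source is a node (cilium_host) address: the real client
    IPs never reach the policy engine, so an ipBlock rule for them cannot match."""
    return bool(counts) and all(ip in node_ips for ip in counts)


if __name__ == "__main__":
    seen = sources_by_dst_port(SAMPLE_FLOWS, 514)
    print("sources for :514 ->", dict(seen))
    print("client IPs hidden behind cilium_host:", client_ips_hidden(seen, NODE_IPS))
```

Pipe real output in with `hubble observe --to-port 514 -o json` and the same two calls; if the only sources are node addresses, the source-IP-based policy is evaluating SNATed traffic rather than the clients.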