From 4db8b2c272b854ff8ab388f1fc9bc71c45cb0cb7 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 10 Apr 2024 13:48:32 +0200
Subject: [PATCH] Merge pull request from GHSA-g8fc-vrcg-8vjg

* helm: firewall pods
* helm: bump cilium chart version

---------

Co-authored-by: Leonard Cohnen
---
 .../helm/charts/cilium/Chart.yaml | 4 +-
 .../templates/cilium-agent/daemonset.yaml | 31 +++++++++++++
 internal/constellation/helm/cilium.patch | 46 ++++++++++++++++++-
 internal/constellation/helm/loader.go | 3 +-
 4 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/internal/constellation/helm/charts/cilium/Chart.yaml b/internal/constellation/helm/charts/cilium/Chart.yaml
index 3f3fc714b..3ba2d273f 100644
--- a/internal/constellation/helm/charts/cilium/Chart.yaml
+++ b/internal/constellation/helm/charts/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.0-pre.3-edg.2
-appVersion: 1.15.0-pre.3-edg.2
+version: 1.15.0-pre.3-edg.3
+appVersion: 1.15.0-pre.3-edg.3
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
index f6b493cb7..773a5b26b 100644
--- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
 - name: cni-path
 mountPath: /host/opt/cni/bin
 {{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
 restartPolicy: Always
 priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
 serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
diff --git a/internal/constellation/helm/cilium.patch b/internal/constellation/helm/cilium.patch
index 26d7c3343..cc12f4cb5 100644
--- a/internal/constellation/helm/cilium.patch
+++ b/internal/constellation/helm/cilium.patch
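Review bot: The new firewall-pods init container silently becomes a no-op when `POD_CIDRS` is empty: the `configMapKeyRef` is `optional: true`, so a missing `encryption-strict-mode-pod-cidrs` key leaves the `for cidr in ${POD_CIDRS}` loop with nothing to do, the script exits 0 and the agent pod starts with no drop filter installed. If an empty list is legitimate in some configurations, the script should at least make that visible, e.g. `[ -n "${POD_CIDRS}" ] || echo "POD_CIDRS is empty, installing no drop filters"` before the loop; if it is not, `: "${POD_CIDRS:?encryption-strict-mode-pod-cidrs missing}"` makes the init container fail where it can be seen. The bare `pref=32` also deserves a comment tying it to the `--bpf-filter-priority=128` this commit adds in loader.go, since tc evaluates lower pref values first and the drop filters only work while they stay ahead of Cilium's BPF filter. `interface=$(ip route | awk '/^default/ { print $5 }')` presumably assumes exactly one default route; with none or several, the later `tc filter replace` fails under `set -e` with little diagnostic. The same script is duplicated verbatim in the cilium.patch hunk and has to be kept in sync with this one.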
@@ -54,8 +54,50 @@ index 256a79542..3f3fc714b 100644
 home: https://cilium.io/
 -version: 1.15.0-pre.3
 -appVersion: 1.15.0-pre.3
-+version: 1.15.0-pre.3-edg.2
-+appVersion: 1.15.0-pre.3-edg.2
++version: 1.15.0-pre.3-edg.3
++appVersion: 1.15.0-pre.3-edg.3
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
+diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+index f6b493cb7..50b80267a 100644
+--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
++++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+@@ -715,6 +715,37 @@ spec:
+ - name: cni-path
+ mountPath: /host/opt/cni/bin
+ {{- end }} # .Values.cni.install
++ - name: firewall-pods
++ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
++ imagePullPolicy: IfNotPresent
++ command:
++ - /bin/bash
++ - -exc
++ - |
++ pref=32
++ interface=$(ip route | awk '/^default/ { print $5 }')
++ tc qdisc add dev "${interface}" clsact || true
++ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
++ handle=0
++ for cidr in ${POD_CIDRS}; do
++ handle=$((handle + 1))
++ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
++ done
++ env:
++ - name: POD_CIDRS
++ valueFrom:
++ configMapKeyRef:
++ key: encryption-strict-mode-pod-cidrs
++ name: cilium-config
++ optional: true
++ resources:
++ requests:
++ cpu: 100m
++ memory: 20Mi
++ securityContext:
++ capabilities:
++ add:
++ - NET_ADMIN
+ restartPolicy: Always
+ priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
+ serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go
index 5634d03fa..a3c6a50fa 100644
--- a/internal/constellation/helm/loader.go
+++ b/internal/constellation/helm/loader.go
@@ -359,7 +359,7 @@ func (i *chartLoader) cspTags() map[string]any {
 func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any, error) {
 sharedConfig := map[string]any{
- "extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
+ "extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=128"},
 "endpointRoutes": map[string]any{
 "enabled": true,
 },
@@ -412,6 +412,7 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
 "kubeProxyReplacement": "strict",
 "enableCiliumEndpointSlice": true,
 "kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
+ "cleanBpfState": true,
 }
 cspOverrideConfigs := map[string]map[string]any{
 cloudprovider.AWS.String(): {},
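Review bot: `--bpf-filter-priority=128` is added to `extraArgs` as a bare magic number, and nothing in the code records that its only purpose is to place Cilium's tc BPF filter behind the `pref=32` drop filters installed by the firewall-pods init container in daemonset.yaml (tc evaluates lower pref first). A comment on the added line would keep the two values from drifting apart in a later edit, e.g. `// Must stay numerically above the pref=32 ingress drop filters of the firewall-pods init container, so those are evaluated first.` loadCiliumValues starts in this hunk but its body continues outside it.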
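Review bot: `"cleanBpfState": true` is added without a stated reason; if I recall the chart semantics correctly, it makes the clean-cilium-state init container wipe the node's BPF datapath state on every agent start, which disrupts existing connections, so this reads as a permanent cost for what is presumably a one-time need (removing the filter that was attached at the previous default priority before `--bpf-filter-priority=128` took effect). A comment would make the trade-off explicit, e.g. `// Drop stale BPF state on start so the filter attached at the old default priority is removed.`, and it is worth confirming whether the setting can be reverted once all clusters run with the new priority. The enclosing loadCiliumValues body continues outside the hunk.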