Conversation

aojea
Contributor

@aojea aojea commented Oct 17, 2025

Apply network policies to existing connections.

The dataplane now inspects the existing connections in the conntrack table and evaluates them against the current network policies. If an established connection is no longer allowed, the dataplane sets the conntrack timeout to zero, so the next packets of the connection are reevaluated.

Fixes: #246

TODO:

  • API design, flag with enum, multiple values
  • Do we apply it periodically, rate limited, or just every time a network policy changes?

cc: @danwinship

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 17, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from thockin October 17, 2025 14:02
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 17, 2025
@aojea
Contributor Author

aojea commented Oct 17, 2025

not working :/

@aojea aojea force-pushed the strict_mode branch 2 times, most recently from 1849ebd to f131351 Compare October 19, 2025 14:05
@aojea aojea added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2025
@aojea aojea force-pushed the strict_mode branch 7 times, most recently from 629963a to 9f9e727 Compare October 19, 2025 22:02
@aojea aojea removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2025
@aojea aojea requested a review from Copilot October 19, 2025 22:11

@Copilot Copilot AI left a comment


Pull Request Overview

Enables a "strict mode" that reevaluates existing conntrack flows against current NetworkPolicies and times out disallowed connections, ensuring policy changes apply to established connections.

  • Adds StrictMode flag and threads it through configuration/command entrypoints.
  • Implements a firewallEnforcer that scans conntrack entries and zeroes the timeout on disallowed flows.
  • Adds an e2e test for dropping established connections and adjusts logging.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 11 comments.

Summary per file:

  • tests/e2e_standard.bats: Adds an E2E test for established-connection enforcement and tweaks install verbosity.
  • pkg/dataplane/controller.go: Introduces StrictMode, a conntrack enforcement runner, and logging refinements.
  • pkg/dataplane/conntrack.go: Adds PacketFromFlow utility to convert conntrack entries into evaluatable packets.
  • pkg/cmd/cmd.go: Adds --strict-mode flag, defaulting to true.
  • cmd/kube-network-policies/*/main.go: Wires StrictMode from flags into dataplane config.


@aojea aojea force-pushed the strict_mode branch 4 times, most recently from c6071b3 to 6787ff6 Compare October 20, 2025 08:20
Apply network policies to existing connections.

The dataplane now inspects the existing connections in the conntrack
table and evaluates them against the current network policies.
If an established connection is no longer allowed, the dataplane
sets the conntrack entry timeout to zero, causing the subsequent packets
to be enqueued and processed, dropping them if they are no longer allowed.

The strict mode is enabled by default and runs at most every 30 seconds
once a change is triggered in the dataplane; this is to avoid
performance issues from listing conntrack entries too often.
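The following is an added illustration of the mechanism the commit message describes: walk a snapshot of the conntrack table, evaluate each established flow against the current policies, collect the flows that are no longer allowed (the ones whose conntrack timeout the dataplane would set to zero), and run that scan at most once per 30 seconds after a change has been signalled. It is example code written for this page, not code from the kube-network-policies project or from this PR. The Flow, Rule, PolicySet and Enforcer types, the minimal source-prefix/destination-port allow model, and the trigger-and-defer scheduling are all assumptions of the example; the real dataplane's NetworkPolicy evaluation, its PacketFromFlow helper and the netlink call that rewrites the timeout are not modelled, and neither is the conntrack-label approach the later comments say the PR moved to after the zero-timeout approach was found to be racy.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Flow is the subset of a conntrack entry that matters for policy evaluation.
// Constructed for this example; it is not the project's conntrack type.
type Flow struct {
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
	Proto            string
}

// Rule is a deliberately minimal allow rule (assumption of this example):
// traffic from a source prefix to a destination port and protocol. Real
// NetworkPolicy semantics (selectors, ingress vs egress, policy types) are
// out of scope here.
type Rule struct {
	From    netip.Prefix
	DstPort uint16
	Proto   string
}

// PolicySet is the current, already-resolved set of allow rules.
type PolicySet struct{ Rules []Rule }

// Allows reports whether any rule permits the flow. An empty set denies
// everything, i.e. the flow's destination is treated as an isolated pod.
func (p PolicySet) Allows(f Flow) bool {
	for _, r := range p.Rules {
		if r.Proto == f.Proto && r.DstPort == f.DstPort && r.From.Contains(f.SrcIP) {
			return true
		}
	}
	return false
}

// Disallowed walks a snapshot of the conntrack table and returns the
// established flows the current policies no longer permit. A real dataplane
// would then set each returned entry's conntrack timeout to zero, so the
// flow's next packet is no longer matched as established and is re-evaluated
// (and dropped) like a new connection.
func Disallowed(table []Flow, p PolicySet) []Flow {
	var out []Flow
	for _, f := range table {
		if !p.Allows(f) {
			out = append(out, f)
		}
	}
	return out
}

// Enforcer runs a scan at most once per Interval, and only after a change
// has been signalled. The 30s interval is the value stated in the commit
// message; the trigger/defer logic itself is an assumption of this example.
type Enforcer struct {
	Interval time.Duration
	Now      func() time.Time // injected clock so the logic is testable offline
	Scan     func()

	last    time.Time
	pending bool
}

// Notify records that the dataplane changed and runs the scan immediately if
// the interval has elapsed since the previous one; otherwise the run is
// deferred until a later Tick. It reports whether a scan ran.
func (e *Enforcer) Notify() bool {
	e.pending = true
	return e.Tick()
}

// Tick is meant to be called periodically (for example from a time.Ticker);
// it runs a pending scan once the rate limit allows it and reports whether
// a scan ran.
func (e *Enforcer) Tick() bool {
	if !e.pending {
		return false
	}
	now := e.Now()
	if !e.last.IsZero() && now.Sub(e.last) < e.Interval {
		return false
	}
	e.last, e.pending = now, false
	e.Scan()
	return true
}

func main() {
	// Constructed conntrack snapshot: two established TCP connections from the
	// same client pod to the same server pod.
	client := netip.MustParseAddr("10.244.1.5")
	server := netip.MustParseAddr("10.244.2.9")
	table := []Flow{
		{client, server, 43210, 8080, "tcp"},
		{client, server, 43211, 9090, "tcp"},
	}
	// The policy was just changed to allow only port 8080 from the client's subnet,
	// so the existing connection to 9090 must be expired.
	policy := PolicySet{Rules: []Rule{{netip.MustParsePrefix("10.244.1.0/24"), 8080, "tcp"}}}

	for _, f := range Disallowed(table, policy) {
		fmt.Printf("expire %s:%d -> %s:%d/%s (set conntrack timeout to 0)\n",
			f.SrcIP, f.SrcPort, f.DstIP, f.DstPort, f.Proto)
	}
}
```

The scheduler deliberately keeps a single pending bit rather than a queue: several policy changes inside one interval collapse into one scan of the whole table, which is what bounds the cost of listing conntrack entries. Listing or modifying conntrack entries on a real node additionally requires CAP_NET_ADMIN in the network namespace being inspected.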
@aojea
Contributor Author

aojea commented Oct 20, 2025

@danwinship this is ready

@aojea
Contributor Author

aojea commented Oct 21, 2025

/hold

Florian (netlink) explained this behavior is racy https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 21, 2025
@aojea aojea force-pushed the strict_mode branch 3 times, most recently from 29d9f63 to cd9a667 Compare October 21, 2025 10:45
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 21, 2025
@aojea
Contributor Author

aojea commented Oct 21, 2025

Ok, this is finally ready. I just had to go into a big rabbit hole with the ct labels, but it is the most elegant way to solve it.

Pending two fixes in the libraries and splitting into commits, but this is the final PR and we go for v1.

vishvananda/netlink#1135
florianl/go-nfqueue#70

Development

Successfully merging this pull request may close these issues.

re-evaluate active connections when policies change

3 participants