@YuryHrytsuk YuryHrytsuk commented Oct 19, 2025

What do these changes do?

Global network policy was misconfigured so that it allowed all traffic. By setting the correct value structure this is fixed.

Proper global network policy discovered a wrong RUT network policy that was correctly adjusted.

Bonus:

  • Improve calico network policy debug documentation

Related issue/s

Related PR/s

Checklist

  • I tested and it works

global network policy was misconfigured so that it allowed all traffic.
By setting correct value structure this is fixed.

Proper global network policy discovered a wrong RUT network policy that
was correctly adjusted.

Bonus:
* Improve calico network policy debug documentation

Related issue/s
* ITISFoundation#1226

@mrnicegyu11 mrnicegyu11 left a comment

I don't fully understand yet what has changed since the revert of the last merge of this PR... Can you maybe comment? Was a revert not even necessary?

@mrnicegyu11

Otherwise fine, go ahead and merge :)

YuryHrytsuk commented Oct 20, 2025

> I don't fully understand yet what has changed since the revert of the last merge of this PR... Can you maybe comment? Was a revert not even necessary?

The ideal action was to fix the wrong resource-usage-tracker network policy. #1227 was a proper fix and there was nothing wrong with it.

The properly configured global network policy (achieved via #1227) actually came into effect and blocked all traffic that was not explicitly allowed. This revealed a bug in the resource-usage-tracker network policy that was not properly allowing all traffic.

This PR is just a copy of the original (reverted) #1227 + a fix of the resource-usage-tracker network policy.

@YuryHrytsuk YuryHrytsuk merged commit 566d3bf into ITISFoundation:main Oct 20, 2025
3 checks passed
@YuryHrytsuk YuryHrytsuk deleted the kubernetes-fix-global-network-policy branch October 20, 2025 08:10

Development

Successfully merging this pull request may close these issues.

Kubernetes: global network policy allows any egress
