Skip to content

Fixed bug where allowing Prometheus metrics scraping could block DNS resolution by preventing traffic to the DNS server #595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zohar7ch merged 2 commits into from
Jun 3, 2025
Merged

Fixed bug where allowing Prometheus metrics scraping could block DNS resolution by preventing traffic to the DNS server #595

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f390a5a
Refactor the way we determine metrics-traffic-network-policy ports
zohar7ch Jun 3, 2025
356bb78
Support DNS traffic when creating metric-traffic network policies
zohar7ch Jun 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 48 additions & 14 deletions src/operator/controllers/metrics_collection_traffic/network_policy_handler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -475,35 +475,69 @@ func (r *NetworkPolicyHandler) buildNetpolForPod(ctx context.Context, pod *Poten
},
}

scrapePort, portDefined, err := r.getMetricsPort(pod.scrapeResourceMeta)
ports, err := r.getNetpolPorts(pod)
if err != nil {
return v1.NetworkPolicy{}, errors.Wrap(err)
}

newPolicy.Spec.Ingress[0].Ports = ports
allowDNS := v1.NetworkPolicyIngressRule{
From: []v1.NetworkPolicyPeer{},
Ports: []v1.NetworkPolicyPort{
{
Port: lo.ToPtr(intstr.IntOrString{IntVal: 53, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolTCP),
},
{
Port: lo.ToPtr(intstr.IntOrString{IntVal: 53, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolUDP),
},
},
}

newPolicy.Spec.Ingress = append(newPolicy.Spec.Ingress, allowDNS)

return newPolicy, nil
}

func (r *NetworkPolicyHandler) getNetpolPorts(pod *PotentiallyScrapeMetricPod) ([]v1.NetworkPolicyPort, error) {
netpolPorts := make([]v1.NetworkPolicyPort, 0)

scrapePort, portDefined, err := r.getMetricsPort(pod.scrapeResourceMeta)
if err != nil {
return make([]v1.NetworkPolicyPort, 0), errors.Wrap(err)
}

// First we want to see whether the resource has the scraping-port annotation
if portDefined {
newPolicy.Spec.Ingress[0].Ports = append(newPolicy.Spec.Ingress[0].Ports, v1.NetworkPolicyPort{
netpolPorts = append(netpolPorts, v1.NetworkPolicyPort{
Port: lo.ToPtr(intstr.IntOrString{IntVal: scrapePort, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolTCP),
})
return newPolicy, nil
}
} else {
// If it doesn't, we want to mimic Prometheus behavior - which is to attempt to scrape all the ports of the resource
// that is defined with the scraping annotation

// If the resource does not define any ports - then we can't scrape anything..
if len(pod.scrapeResourcePorts) == 0 {
return make([]v1.NetworkPolicyPort, 0), errors.Wrap(fmt.Errorf("can not deduce the port to scrape"))
}

if len(pod.scrapeResourcePorts) == 0 {
return v1.NetworkPolicy{}, errors.Wrap(fmt.Errorf("can not deduce the port to scrape"))
netpolPorts = lo.Map(pod.scrapeResourcePorts, func(port int32, _ int) v1.NetworkPolicyPort {
return v1.NetworkPolicyPort{
Port: lo.ToPtr(intstr.IntOrString{IntVal: port, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolTCP),
}
})
}

// We want to have deterministic order, since later on we will compare this policy with the existing one, and we don't
// want to order of the ports to create a difference
slices.Sort(pod.scrapeResourcePorts)
ingressPorts := lo.Map(pod.scrapeResourcePorts, func(port int32, _ int) v1.NetworkPolicyPort {
return v1.NetworkPolicyPort{
Port: lo.ToPtr(intstr.IntOrString{IntVal: port, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolTCP),
}
slices.SortFunc(netpolPorts, func(port, otherPort v1.NetworkPolicyPort) bool {
return port.Port.IntValue() < otherPort.Port.IntValue()
})
newPolicy.Spec.Ingress[0].Ports = ingressPorts

return newPolicy, nil
return netpolPorts, nil
}

func (r *NetworkPolicyHandler) handleCreationErrors(ctx context.Context, err error, policy *v1.NetworkPolicy) error {
Expand Down
21 changes: 17 additions & 4 deletions src/operator/controllers/metrics_collection_traffic/network_policy_handler_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,19 @@ var EXPECTRED_NETPOL = v1.NetworkPolicy{
Ports: []v1.NetworkPolicyPort{{}},
From: []v1.NetworkPolicyPeer{},
},
{
Ports: []v1.NetworkPolicyPort{
{
Port: lo.ToPtr(intstr.IntOrString{IntVal: 53, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolTCP),
},
{
Port: lo.ToPtr(intstr.IntOrString{IntVal: 53, Type: intstr.Int}),
Protocol: lo.ToPtr(corev1.ProtocolUDP),
},
},
From: []v1.NetworkPolicyPeer{},
},
},
PolicyTypes: []v1.PolicyType{v1.PolicyTypeIngress},
},
Expand Down Expand Up @@ -106,10 +119,6 @@ type NetworkPolicyHandlerTestSuite struct {
podMarkedForScraping *corev1.Pod
}

func TestNetworkPolicyHandlerTestSuite(t *testing.T) {
suite.Run(t, new(NetworkPolicyHandlerTestSuite))
}

func (s *NetworkPolicyHandlerTestSuite) SetupTest() {
s.MocksSuiteBase.SetupTest()
s.handler = NewNetworkPolicyHandler(s.Client, &runtime.Scheme{}, automate_third_party_network_policy.IfBlockedByOtterize, SCRAPING_METRICS_SERVER)
Expand Down Expand Up @@ -427,3 +436,7 @@ func (s *NetworkPolicyHandlerTestSuite) mockForRecordingEventExistingPolicy() {
},
)
}

func TestNetworkPolicyHandlerTestSuite(t *testing.T) {
suite.Run(t, new(NetworkPolicyHandlerTestSuite))
}
Loading