metal-stack/firewall-controller

implementation is not matching the cwnp spec

mwennrich opened this issue · 5 comments

mwennrich commented

CRD describes spec.egress.port as numerical or named port ( https://github.com/metal-stack/firewall-controller/blob/master/config/crd/bases/metal-stack.io_clusterwidenetworkpolicies.yaml#L65-L72 ) while in validator only int ports are supported (

firewall-controller/api/v1/clusterwidenetworkpolicy_types.go

Lines 128 to 133 in 714a5bf

func validatePorts(ports []networking.NetworkPolicyPort) *multierror.Error {
var errors *multierror.Error
for _, p := range ports {
if p.Port != nil && p.Port.Type != intstr.Int {
errors = multierror.Append(errors, fmt.Errorf("only int ports are supported, but %v given", p.Port))
}
)

GrigoriyMikhalkin commented

@mwennrich If i'm correct, egress and ingress fields specify IPs(or subnets) outside of cluster, from which traffic is allowed. Does it even makes sense to allow to specify named port? Probably a better solution would be to replace NetworkPolicyPort fields with custom port field that would be always int.

majst01 commented

egress is for communication with outside endpoints, ingress for communication with inside endpoints.

GrigoriyMikhalkin commented

@majst01 Yep, i got that) What i meant is that, both for egress and ingress rules we specify addresses outside of cluster, so named ports don't even make sense for that case. So, for cleanliness, it's probably better to introduce our custom structure for ports. That would be backwards compatible with NetworkPolicyPort(except that it would only allow int type for ports).

GrigoriyMikhalkin commented

Maybe i misunderstood this. Comment to ports field says:

List of ports which should be made accessible on the cluster for this rule

So, does it mean that ports field lists ports of services in cluster?

majst01 commented

So at least description must be adopted