Kubernetes is a container orchestration platform and it has emerged as the de-facto tool for managing a large number of containers. In Kubernetes, networking functions, such as managing communication between applications and network policies, are delegated to CNI plugins.
Cilium is a CNI plugin for Kubernetes which provides secure network connectivity and load-balancing between applications using eBPF.
Cilium can manage network access by using network policy functions, called “CiliumNetworkPolicy” (CNP).
Users can allow or deny specific traffic by applying a CNP.
However, currently, any traffic except for TCP/UDP (including ICMP) is denied if an L4 CNP is present, and there is no way for users to explicitly allow ICMP traffic.
Therefore, my project aims to implement a CNP for explicitly allowing ICMP traffic.
My project page is here.
The main goal of my project is supporting ICMP rules for CNP (This project also includes supporting ICMPv6).
The following are the steps to achieve this goal.
- Add an ICMP field to the CNP.
  - This step also includes implementing validation and unit tests for the new field.
- Update the Cilium CLI commands that are related to network policy to support ICMP.
- Update the eBPF code to check packet header information against the applied ICMP rules.
- Add e2e test cases.
- Update the documentation.
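The rule model of step 1 and the per-packet check of step 3, as an added Go sketch that is not Cilium's own code: the `ICMPField`/`Packet` types, their field names and the match logic are assumptions for illustration (Cilium's real check runs in eBPF, and its CRD schema is not reproduced here).

```go
package main

import "fmt"

// Family selects which ICMP variant a rule entry applies to.
type Family string

const (
	IPv4 Family = "IPv4" // ICMP
	IPv6 Family = "IPv6" // ICMPv6
)

// ICMPField is one entry of an assumed ICMP allow rule (shape assumed here).
type ICMPField struct {
	Family Family
	Type   int
}

// Validate is the kind of check step 1 needs: a known family and a type
// that fits the 8-bit ICMP type header field.
func (f ICMPField) Validate() error {
	if f.Family != IPv4 && f.Family != IPv6 {
		return fmt.Errorf("icmp field: unknown family %q", f.Family)
	}
	if f.Type < 0 || f.Type > 255 {
		return fmt.Errorf("icmp field: type %d out of range 0-255", f.Type)
	}
	return nil
}

// Packet carries only the header bits the policy decision needs.
type Packet struct {
	Family Family
	Type   int
}

// Allowed reports whether the packet matches any rule entry. With no ICMP
// rule at all every ICMP packet is denied, which is the report's starting
// point: an L4 CNP with no way to allow ICMP.
func Allowed(rules []ICMPField, p Packet) bool {
	for _, r := range rules {
		if r.Family == p.Family && r.Type == p.Type {
			return true
		}
	}
	return false
}

func main() {
	rules := []ICMPField{{IPv4, 8}, {IPv6, 128}} // EchoRequest for v4 and v6
	fmt.Println(Allowed(rules, Packet{IPv4, 8})) // true
	fmt.Println(Allowed(rules, Packet{IPv4, 0})) // false: EchoReply not allowed
	fmt.Println(Allowed(nil, Packet{IPv4, 8}))   // false: no ICMP rule present
}
```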
However, the number of instructions in each eBPF program has a limit, and I found that some eBPF programs exceeded this limit when I added the code for ICMP rules (the kernel complexity issue).
To resolve this issue, I have to reduce the code size, but this work changes existing code blocks that are unrelated to ICMP policy, and it is outside the scope of this project.
Therefore, for now, I added a feature flag for conditional compilation to avoid this issue temporarily.
In addition, I discussed this with my mentors, and we decided to announce this feature, update the documentation and add e2e tests after resolving the kernel complexity issue and implementing the ICMP policy without the flag.
The following Pull Requests are the ones I opened in the GSoC coding period.
- #16516 policy: Add ICMP and ICMPv6 support for CNP and CCNP with a feature flag
  - This PR includes the tasks in steps 1 to 3 described in the previous section.
- #16991 policy: Fix `cilium policy trace` output when only deny rules are applied
  - This PR fixed a trivial bug that I found while working on the project.
- #17135 policy: Add e2e test for ICMP CNP
  - This PR is currently a draft.
  - This PR will be merged after the ICMP policy is implemented without the feature flag.
- #17136 docs: update documents for ICMP CNP
  - This PR is currently a draft.
  - This PR will be merged after the ICMP policy is implemented without the feature flag.
Reducing the eBPF code size is mainly discussed here. After the kernel complexity issue is resolved, the feature flag for the ICMP policy will be removed and the e2e test and documentation PRs will be merged.
The ultimate goal of my project is to add the ICMP policy completely and mark this feature request as resolved. Unfortunately, I was not able to achieve this goal in this GSoC coding period; however, I plan to keep working on this project.