Google Summer of Code 2021 Final Report

GSoC 2021 Explicit Allow-Listing for ICMP @Cilium

Introduction

Kubernetes is a container orchestration platform and it has emerged as the de-facto tool for managing a large number of containers. In Kubernetes, networking functions, such as managing communication between applications and network policies, are delegated to CNI plugins.

Cilium is a CNI plugin for Kubernetes which provides secure network connectivity and load-balancing between applications using eBPF. Cilium can manage network access through its network policy resource, the “CiliumNetworkPolicy” (CNP). Users can allow or deny specific traffic by applying a CNP.
However, currently, any traffic other than TCP/UDP (including ICMP) is denied whenever an L4 CNP is present, and there is no way for users to explicitly allow ICMP traffic. Therefore, my project aims to implement a CNP rule for explicitly allowing ICMP traffic.

My project page is here.

Description of My Project

The main goal of my project is to support ICMP rules in the CNP (this project also includes support for ICMPv6).
The following are the steps to achieve this goal.

  1. Add ICMP field to the CNP.
    • This step also includes implementing validation and unit tests for the new field.
  2. Update the Cilium CLI commands related to network policy to support ICMP.
  3. Update the eBPF code to check packet header information against the applied ICMP rules.
  4. Add e2e test cases.
  5. Update the documentation.
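To make step 3 concrete, here is an added example (my own illustration, not Cilium's eBPF datapath code and not part of the original report) written in Python: it pulls the ICMP or ICMPv6 type out of a raw IP packet and evaluates it against an explicit allow-list with default-deny semantics, which is exactly the behaviour the ICMP rule is meant to give users once an L4 policy is present. The rule shape (a family plus an ICMP type), the names `IcmpRule`, `extract_icmp`, `is_allowed`, and the packet-builder helpers are all assumptions for this example; the sample packets are constructed inline and carry zero checksums.

```python
"""Model of explicit ICMP allow-listing (added example, not Cilium code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_ICMP = 1      # IPv4 protocol number for ICMP
IPPROTO_ICMPV6 = 58   # IPv6 next-header value for ICMPv6


@dataclass(frozen=True)
class IcmpRule:
    """One allow-list entry: assumed shape, a family and an ICMP type."""
    family: str   # "IPv4" or "IPv6"
    type: int     # ICMP/ICMPv6 message type that is allowed


@dataclass(frozen=True)
class IcmpHeader:
    family: str
    type: int
    code: int


def parse_icmp_header(family: str, payload: bytes) -> IcmpHeader:
    """Read type and code from the start of an ICMP/ICMPv6 message."""
    if family not in ("IPv4", "IPv6"):
        raise ValueError(f"unknown family {family!r}")
    if len(payload) < 4:
        # Never guess on a truncated header; a policy check must fail closed.
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = struct.unpack("!BB", payload[:2])
    return IcmpHeader(family, icmp_type, icmp_code)


def extract_icmp(packet: bytes) -> Optional[IcmpHeader]:
    """Return the ICMP header of a raw IP packet, or None if it is not ICMP."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        ihl = (packet[0] & 0x0F) * 4          # header length in bytes
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("bad IPv4 IHL")
        if packet[9] != IPPROTO_ICMP:         # protocol field
            return None
        return parse_icmp_header("IPv4", packet[ihl:])
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        if packet[6] != IPPROTO_ICMPV6:       # next-header field; extension headers not handled
            return None
        return parse_icmp_header("IPv6", packet[40:])
    raise ValueError(f"unsupported IP version {version}")


def is_allowed(header: IcmpHeader, rules: List[IcmpRule]) -> bool:
    """Default deny: the packet passes only if some rule matches family and type."""
    return any(r.family == header.family and r.type == header.type for r in rules)


# --- constructed sample packets for running the model offline ---

def build_ipv4_icmp(icmp_type: int, icmp_code: int = 0) -> bytes:
    """Minimal IPv4 + ICMP echo-style packet (constructed; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def build_ipv6_icmp(icmp_type: int, icmp_code: int = 0) -> bytes:
    """Minimal IPv6 + ICMPv6 echo-style packet (constructed; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64,
                     bytes(16), bytes(15) + b"\x01")
    return ip + icmp


# Assumed policy: allow only echo requests, v4 type 8 and v6 type 128.
EXAMPLE_RULES = [IcmpRule("IPv4", 8), IcmpRule("IPv6", 128)]


if __name__ == "__main__":
    for name, pkt in [("v4 echo request", build_ipv4_icmp(8)),
                      ("v4 echo reply", build_ipv4_icmp(0)),
                      ("v6 echo request", build_ipv6_icmp(128))]:
        hdr = extract_icmp(pkt)
        print(name, "->", "allow" if hdr and is_allowed(hdr, EXAMPLE_RULES) else "deny")
```

The important design choice is that `is_allowed` returns `False` unless a rule matches, and the parsers raise on truncated or malformed headers rather than returning a permissive answer; a datapath check that silently passes unparsable packets would undo the point of an explicit allow-list.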

However, each eBPF program has a limit on its number of instructions, and I found that some eBPF programs exceeded this limit when I added the code for ICMP rules (the kernel complexity issue). To resolve this, I would have to reduce the size of the eBPF code, but that work changes existing code blocks unrelated to ICMP policy and is outside the scope of this project.
Therefore, for now, I added a feature flag for conditional compilation to work around the issue temporarily. In addition, I discussed this with my mentors and we decided to announce this feature, update the documentation and add e2e tests after the kernel complexity issue is resolved and the ICMP policy can be built without the flag.

Codes

The following Pull Requests are the ones I opened during the GSoC coding period.

Future Work

Reducing the eBPF code size is mainly discussed here. After the kernel complexity issue is resolved, the feature flag for ICMP policy will be removed and the e2e tests and documentation PRs will be merged.

The ultimate goal of my project is to add ICMP policy completely and mark this feature request as resolved. Unfortunately, I was not able to achieve this goal within the GSoC coding period; however, I plan to keep working on this project.
