Correct policy for OpenStack sec group with no remote_ip_prefix #8026

Merged
merged 1 commit into from
Sep 19, 2023


nelljerram
Member

Fixes #7968

When an OpenStack security group does not specify a remote_ip_prefix - in other words, it applies to traffic from all possible sources - but it does specify ports - in other words, it only applies to those ports, the resulting Calico policy is missing the restriction to the intended ports, and so is accidentally an allow policy for all ports.

Release Note

Correct policy for OpenStack sec group with no remote_ip_prefix

@nelljerram nelljerram requested a review from a team as a code owner September 18, 2023 15:12
@marvin-tigera marvin-tigera added this to the Calico v3.27.0 milestone Sep 18, 2023
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Sep 18, 2023
@nelljerram nelljerram added docs-not-required Docs not required for this change and removed docs-pr-required Change is not yet documented labels Sep 18, 2023
Fixes projectcalico#7968

When an OpenStack security group does not specify a remote_ip_prefix - in other words, it applies to
traffic from all possible sources - but it does specify ports - in other words, it only applies to
those ports, the resulting Calico policy is _missing_ the restriction to the intended ports, and so
is accidentally an allow policy for _all_ ports.
@nelljerram
Member Author

The remaining CI issue is tracked at https://tigera.atlassian.net/browse/CORE-9844

@nelljerram nelljerram merged commit d821261 into projectcalico:master Sep 19, 2023
1 of 2 checks passed
@nelljerram nelljerram deleted the port-spec-issue branch September 19, 2023 13:41
nelljerram added a commit to nelljerram/calico that referenced this pull request Sep 19, 2023
Correct policy for OpenStack sec group with no remote_ip_prefix
Labels
docs-not-required Docs not required for this change release-note-required Change has user-facing impact (no matter how small)
Development

Successfully merging this pull request may close these issues.

Not specifying remote_ip_prefix creates a policy that unexpectedly opens all ports
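
A check for the condition this pull request describes, as an added example that is not code from the pull request or from Calico: it compares an ingress OpenStack security group rule with the Calico rule generated for it and reports a port range that did not carry over. The port translation is a simplified model, and the sample rules are constructed for illustration.

```python
# Added example. Field names follow the Neutron security group rule API
# (remote_ip_prefix, port_range_min/max) and Calico v3 rule JSON
# (source.nets, destination.ports). Ingress rules only (assumption).


def expected_ports(sg_rule):
    """Return the Calico port list a Neutron rule implies, or None for all ports."""
    lo, hi = sg_rule.get("port_range_min"), sg_rule.get("port_range_max")
    if sg_rule.get("protocol") not in ("tcp", "udp") or lo is None:
        return None
    hi = lo if hi is None else hi
    return [lo] if lo == hi else [f"{lo}:{hi}"]


def audit(sg_rule, calico_rule):
    """Return findings where the Calico rule does not match the security group rule."""
    findings = []
    want = expected_ports(sg_rule)
    got = calico_rule.get("destination", {}).get("ports")
    if want is not None and got != want:
        findings.append(
            f"ports: security group allows {want}, policy allows {got or 'all ports'}"
        )
    prefix = sg_rule.get("remote_ip_prefix")
    nets = calico_rule.get("source", {}).get("nets")
    if prefix is not None and nets != [prefix]:
        findings.append(
            f"source: security group allows {prefix}, policy allows {nets or 'any source'}"
        )
    return findings


# Constructed sample: ports set, remote_ip_prefix unset (the case in this PR).
SG_RULE = {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
           "port_range_min": 8080, "port_range_max": 8090,
           "remote_ip_prefix": None}
# Constructed policy rules: one missing the port restriction, one carrying it.
MISSING_PORTS = {"action": "Allow", "ipVersion": 4, "protocol": "TCP"}
WITH_PORTS = {"action": "Allow", "ipVersion": 4, "protocol": "TCP",
              "destination": {"ports": ["8080:8090"]}}

if __name__ == "__main__":
    for name, rule in (("missing ports", MISSING_PORTS), ("with ports", WITH_PORTS)):
        print(name, "->", audit(SG_RULE, rule) or "ok")
```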