antrea: Antrea wildcard fqdn netpolicy not working
Describe the bug
According to the netpol documentation, one could use an example like the following to match an FQDN:

```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-fqdn
spec:
  priority: 1
  appliedTo:
    - podSelector: {}
  egress:
    - action: Allow
      to:
        - fqdn: "*.google.com"
```
I also have a cluster netpol default-deny with priority 999 in the Baseline tier. So by default all traffic should be denied except traffic to google. The problem is that if I try to curl www.google.com from the container, it is still being denied by the default-deny baseline rule. If I change the fqdn policy to allow "www.google.com" instead of "*.google.com" it does work, so for some reason the wildcard fqdn is not working.
To Reproduce
- Create an FQDN wildcard policy that matches all pods and has a higher priority
- Create a default-deny policy with the lowest priority that also matches all pods
- Try to access some URL covered by the FQDN

Expected
It should work.

Actual behavior
The wildcard FQDN is not matching; only an explicit FQDN works.
Versions:
- Antrea version: 1.6.0
- Kubernetes version (use kubectl version): 1.22.8
- Container runtime: cri-o
Additional info: There are some other rules that allow the pods to resolve DNS, for example, but I removed those from the context because they are not related to the problem.
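The reproduction steps above, written out as a complete set of manifests. This is an added example, not the reporter's own manifests (only the FQDN rule quoted above comes from the report): the Baseline-tier default-deny policy and the DNS-allow policy the reporter mentions but omitted are reconstructed here as assumptions, using the policy names acnp-default-deny and acnp-allow-dns. The DNS rule allows UDP and TCP 53 to any destination rather than to a kube-dns pod selector, because with nodelocaldns the queries go to a node-local address and a pod selector would not match them.

```yaml
# Added example: the three ClusterNetworkPolicies needed to reproduce the report.
# Policy 1: the wildcard FQDN allow rule from the report, default tier, priority 1.
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-fqdn
spec:
  priority: 1
  appliedTo:
    - podSelector: {}
  egress:
    - action: Allow
      to:
        - fqdn: "*.google.com"
---
# Policy 2 (assumed): allow DNS so the pods can resolve names at all.
# Without this, the FQDN rule can never be evaluated because the
# query itself is dropped by the baseline default deny below.
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-allow-dns
spec:
  priority: 2
  appliedTo:
    - podSelector: {}
  egress:
    - action: Allow
      # "to" omitted: any destination, restricted by port only
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Policy 3 (assumed): baseline-tier default deny at the lowest priority.
# Baseline rules are evaluated after all other tiers, so the allow rules
# above take precedence when they match; everything else is dropped.
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-default-deny
spec:
  tier: baseline
  priority: 999
  appliedTo:
    - podSelector: {}
  egress:
    - action: Drop
      # "to" omitted: matches all destinations
```

Apply all three with kubectl apply -f, then run curl -sS https://www.google.com from a pod. On Antrea 1.6.0 with nodelocaldns the request is dropped by acnp-default-deny; changing the fqdn peer to "www.google.com" makes it succeed, which is the symptom reported above.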
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 30 (19 by maintainers)
Working perfectly.
@jsalatiel fix will be included in 1.6.1. Release will be late this week or next.
I was able to reproduce this issue with a kubespray cluster with nodelocaldns enabled, with Antrea v1.6 build. TL;DR - this issue can be solved with https://github.com/antrea-io/antrea/pull/3510, which was intended to fix another issue and is already merged in main branch (after the 1.6 release cutoff).
Wildcard FQDN rule matching is made possible by Antrea installing a DNS reply packet interception rule at the highest priority in the AntreaIngressRuleTable. Before PR https://github.com/antrea-io/antrea/pull/3510 is merged, however, there is a flow which bypasses packets for ingress rule evaluation as long as the packet's pkt_mark=0x80000000/0x80000000 is set (which means the packet comes from the localhost). This flow exists in IngressSecurityClassifierTable to make sure that liveness probes etc. are not dropped by netpol rules. Unfortunately, with nodelocaldns the DNS query response packet matches this bypass flow and thus skips the DNS intercept flow. With PR https://github.com/antrea-io/antrea/pull/3510, the above-mentioned flow is changed to match only non-reply packets, and thus will not bypass the DNS reply packet for the ingress tables.
@hongliangl Since we have this bug that can be resolved with #3510, maybe we could backport it to v1.6?
(special thanks to @antoninbas for help in debugging this issue)