Unable to view or save L7 CiliumNetworkPolicies
Summary
Users are unable to edit or save custom policies written in yaml mode in the Threat Management policy editor.
Steps to reproduce
Relevant Policy yaml

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: limit-inbound-ip
spec:
  endpointSelector: {}
  ingress:
    - toPorts:
        - ports:
            - port: '80'
              protocol: TCP
            - port: '443'
              protocol: TCP
          rules:
            http:
              - headers:
                  - 'X-Forwarded-For: 192.168.1.1'
      fromEntities:
        - cluster
```
- Navigate to Security & Compliance -> Threat Monitoring -> Policies
- Create a new policy. Toggle over to yaml mode
- Paste the policy above in the textarea and save the policies
- Observe that the policy that was saved is displayed without the spec.ingress.toPorts.rules object in the UI
Example Project
https://gitlab.com/defenddemo/simple-web-app/-/threat_monitoring
What is the current bug behavior?
The UI displays a stripped-down version of the policy, with the layer 7 content (`spec.ingress.toPorts.rules`) removed from the yaml.
What is the expected correct behavior?
The full policy should be displayed. Rule mode should be unavailable as rule mode does not support layer 7 policies.
Relevant logs and/or screenshots
```
swhite@cloudshell:~$ kubectl exec -it -n gitlab-managed-apps -c cilium-agent cilium-cjx6v -- /bin/bash
root@gke-protect-demo-default-pool-6e467161-9rv1:/home/cilium# cilium policy get
[
  {
    "endpointSelector": {
      "matchLabels": {
        "k8s:io.kubernetes.pod.namespace": "simple-web-app-20452785-production",
        "k8s:network-policy.gitlab.com/disabled_by": "gitlab"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {}
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s.policy.derived-from",
        "value": "NetworkPolicy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.name",
        "value": "production-auto-deploy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.namespace",
        "value": "simple-web-app-20452785-production",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.uid",
        "value": "401d51bf-a4cc-4257-8fe3-2d45424d30dc",
        "source": "k8s"
      }
    ]
  },
  {
    "endpointSelector": {
      "matchLabels": {
        "k8s:io.kubernetes.pod.namespace": "simple-web-app-20452785-production"
      }
    },
    "ingress": [
      {
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              },
              {
                "port": "443",
                "protocol": "TCP"
              }
            ],
            "rules": {
              "http": [
                {
                  "headers": [
                    "X-Forwarded-For: 192.168.1.1"
                  ]
                }
              ]
            }
          }
        ],
        "fromEntities": [
          "cluster"
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s.policy.derived-from",
        "value": "CiliumNetworkPolicy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.name",
        "value": "limit-inbound-ip",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.namespace",
        "value": "simple-web-app-20452785-production",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.uid",
        "value": "068496be-b67a-4ffa-a8bb-a403fdce51e7",
        "source": "k8s"
      }
    ]
  },
  {
    "endpointSelector": {
      "matchLabels": {
        "any:network-policy.gitlab.com/disabled_by": "gitlab",
        "k8s:io.kubernetes.pod.namespace": "simple-web-app-20452785-production"
      }
    },
    "ingress": [
      {
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              },
              {
                "port": "443",
                "protocol": "TCP"
              }
            ]
          }
        ],
        "fromEntities": [
          "cluster"
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s.policy.derived-from",
        "value": "CiliumNetworkPolicy",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.name",
        "value": "limit-inbound-ips",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.namespace",
        "value": "simple-web-app-20452785-production",
        "source": "k8s"
      },
      {
        "key": "io.cilium.k8s.policy.uid",
        "value": "528b0e4f-e917-42ba-bdda-bdafdf92c4e7",
        "source": "k8s"
      }
    ]
  }
]
Revision: 88
```
Possible fixes
- frontend: update the `savePolicy` method to use the yaml configuration when in yaml mode
- frontend: update the rules mode conversion to show an error for L7 policies (per #271169 (comment 508032460))
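One way the second fix could be guarded, as an added example that is not GitLab's or Cilium's code: walk the parsed policy for `toPorts[].rules` entries (where Cilium keeps its L7 content) and refuse a rule-mode conversion that would drop them, while yaml mode saves the document untouched. The function names `findL7RulePaths` and `savePolicy` (the latter only borrowed from the fix note above) and the sample object are assumptions; the sample mirrors the `limit-inbound-ip` policy from this issue.

```javascript
// Added example (not GitLab's or Cilium's code). Operates on the policy
// after YAML parsing, so no YAML library is needed here.

// Constructed sample: the limit-inbound-ip policy from this issue as a JS object.
const limitInboundIp = {
  apiVersion: 'cilium.io/v2',
  kind: 'CiliumNetworkPolicy',
  metadata: { name: 'limit-inbound-ip' },
  spec: {
    endpointSelector: {},
    ingress: [{
      toPorts: [{
        ports: [{ port: '80', protocol: 'TCP' }, { port: '443', protocol: 'TCP' }],
        rules: { http: [{ headers: ['X-Forwarded-For: 192.168.1.1'] }] },
      }],
      fromEntities: ['cluster'],
    }],
  },
};

// Return a dotted path for every toPorts entry that carries L7 rules
// (non-empty `rules` object) in either the ingress or egress sections.
function findL7RulePaths(policy) {
  const paths = [];
  for (const direction of ['ingress', 'egress']) {
    const sections = (policy.spec && policy.spec[direction]) || [];
    sections.forEach((section, i) => {
      (section.toPorts || []).forEach((tp, j) => {
        if (tp.rules && Object.keys(tp.rules).length > 0) {
          paths.push(`spec.${direction}[${i}].toPorts[${j}].rules`);
        }
      });
    });
  }
  return paths;
}

// Save guard (hypothetical): yaml mode keeps the policy as written; rule mode
// is refused when the conversion would silently discard L7 content.
function savePolicy(policy, mode) {
  const l7 = findL7RulePaths(policy);
  if (mode === 'rule' && l7.length > 0) {
    return { ok: false, error: `Rule mode cannot represent L7 rules at: ${l7.join(', ')}` };
  }
  return { ok: true, policy };
}
```

Running the sample through `savePolicy(limitInboundIp, 'rule')` yields an error naming `spec.ingress[0].toPorts[0].rules`, whereas `'yaml'` mode returns the policy intact.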
Edited by Alexander Turinske