netpol: anchor base-chain jump on veth only, not pod IP
Build flock Image / build (push) Has been cancelled
Build flock Image / build (push) Has been cancelled
The previous base-chain jump matched iifname/oifname AND saddr/daddr == pod eth0 IP. Anycast traffic has the anycast IP as daddr, not the pod's eth0 unicast — so anycast packets skipped the policy chain entirely and fell through to the forward chain's policy=accept. The veth uniquely belongs to one pod. Anything traversing it is to or from that pod by definition (anycast, unicast, future overlay routes). Match on iifname/oifname alone; let the pod-side chain's accept lines + trailing drop be the policy. Validated end-to-end on host001: anycast nginx pod with default-deny ingress NetPol now correctly drops traffic from any peer; adding an allow-from-podSelector rule unblocks only the matched peer. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Donavan Fritz
@@ -126,7 +126,7 @@ func TestReconciler_PolicyIsolatesLocalPod(t *testing.T) {
|
||||
if !strings.Contains(got, "drop") {
|
||||
t.Fatalf("expected default-deny drop:\n%s", got)
|
||||
}
|
||||
if !strings.Contains(got, `oifname "flock00000001"`) {
|
||||
if !strings.Contains(got, `oifname "flock00000001" jump pod_`) {
|
||||
t.Fatalf("expected base-chain jump anchored on veth:\n%s", got)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user