fritzlab-public/flock
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a17d33e182cc809a1731ab91c170559e060cb8d3
flock/pkg/agent/netpol
T
History
Donavan Fritz e9d3eef2cc
Build flock Image / build (push) Has been cancelled
Details
netpol: accept established+related at top of every pod chain 
K8s NetworkPolicy applies to the start of new connections; reply
packets for established flows (and ICMP related) must not be matched
against the explicit allow set. The pod ingress chain previously had
only explicit dport allows + a final drop, so any reply to a
pod-initiated outbound where the reply's dport (the ephemeral source
port) wasn't in the allow set got dropped.

Hit in production 2026-04-26: garage's `garage-admin-restrict` NP
allowed dports 3900/80/3901/3903 only. Garage uses kubernetes_discovery
to find peers — outbound to kube-apiserver succeeded, replies returned
to ephemeral source ports, dropped → "Layout not ready" cluster-wide.

Fix: emit `ct state established,related accept` as the first rule in
every pod_<hash>_(ingress|egress) chain. Regression test added.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-04-25 22:22:39 -05:00
..
apply_linux.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
apply_stub.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
cluster_fixtures_test.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
doc.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
informers.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
reconciler_test.go
netpol: anchor base-chain jump on veth only, not pod IP
2026-04-25 09:32:08 -05:00
reconciler.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
render_test.go
netpol: accept established+related at top of every pod chain
2026-04-25 22:22:39 -05:00
render.go
netpol: accept established+related at top of every pod chain
2026-04-25 22:22:39 -05:00
translator_fuzz_test.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
translator_test.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
translator.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00
types.go
netpol: NetworkPolicy v1 enforcement via nftables
2026-04-25 09:25:58 -05:00