noironetworks / aci-containers / build 11974
Coverage: 64% (master: 63%)

Build:
LAST BUILD BRANCH: conflicting-named-port-resolutions
DEFAULT BRANCH: master
Ran 22 May 2026 08:47AM UTC
Jobs: 1
Files: 48
Run time: 1min

22 May 2026 08:25AM UTC coverage: 63.735% (+0.6%) from 63.185%
11974

Pull #1707

travis-pro

jeffinkottaram
Fix over-permissive named port resolution in NetworkPolicy

Named ports in NetworkPolicies were resolved too broadly, creating a
security gap where traffic to unintended ports was allowed.

When a named port (e.g., "http") resolved to different container port
numbers on different pods (e.g., 9090 on pod A, 8080 on pod B), the
generated rules allowed traffic to ALL resolved port numbers on ALL
matching pods — even when only a specific pod defined the named port
at that number. This meant any pod defining the same port name at a
different number would widen the policy for every other pod.

The service augment path had a related issue where it did not verify
that the service owning a target port mapping was the one matched by
the policy, further contributing to over-matching.

Changes:
- Unified peer and port resolution into a single per-pod pass so each
  rule carries only the IPs of pods that resolve the named port to a
  specific number (per-destination-IP scoping)
- Added support for ingress named ports with empty PodSelectors, which
  were previously skipped with a warning
- Guarded service augment port matching against the service key that
  registered the port mapping
- Moved pod informer startup before endpointSlice informer in
  PrepareRun so that podIndexer is populated when epSlice List fires
  during controller startup, preventing named-port resolution misses
- Removed redundant HasSynced entries from the final WaitForCacheSync
  (namespace and pod informers already synced earlier in the sequence)

Test changes:
- Added waitForPodIndexed helper to enforce the real K8s invariant
  (pods exist before their EndpointSlices) in npfirst test loops
- Reordered npfirst loops to add pods before services (post-run),
  matching the production event sequence
- Kept podsfirst loops with original pre-run ordering (pods + services
  before cont.run) to test the initial-sync path
- Test coverage added for getServiceAugmentByPort (port-range iteration,
  name... (continued)
Pull Request #1707: Fix over-permissive named port resolution in NetworkPolicy
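The commit message above describes the over-broad resolution (every number a name resolves to, allowed on every matching pod) and the per-destination-IP scoping that replaces it. The following is an added illustration, not code from the aci-containers project: it uses a simplified, constructed Pod type (IP plus a name-to-number port map) and hypothetical function names to contrast the two behaviours on the commit message's own example of "http" resolving to 9090 on pod A and 8080 on pod B.

```go
package main

import (
	"fmt"
	"sort"
)

// Pod is a constructed stand-in for a Kubernetes pod: its IP and the
// named container ports it exposes (name -> number). Assumption for this
// illustration: one number per port name per pod.
type Pod struct {
	Name  string
	IP    string
	Ports map[string]int32
}

// Rule is one generated allow rule: a destination port number and the
// pod IPs it applies to.
type Rule struct {
	Port int32
	IPs  []string
}

// resolveBroad reproduces the over-permissive behaviour the commit message
// describes: every number the name resolves to is allowed on every
// matching pod, including pods that never defined the named port.
func resolveBroad(pods []Pod, portName string) []Rule {
	nums := map[int32]struct{}{}
	var ips []string
	for _, p := range pods {
		ips = append(ips, p.IP)
		if n, ok := p.Ports[portName]; ok {
			nums[n] = struct{}{}
		}
	}
	var rules []Rule
	for n := range nums {
		rules = append(rules, Rule{Port: n, IPs: append([]string(nil), ips...)})
	}
	sortRules(rules)
	return rules
}

// resolvePerPod is the per-destination-IP scoping: a pod IP appears only
// under the number that pod itself resolves the name to, and pods without
// the named port contribute no IP at all.
func resolvePerPod(pods []Pod, portName string) []Rule {
	byNum := map[int32][]string{}
	for _, p := range pods {
		if n, ok := p.Ports[portName]; ok {
			byNum[n] = append(byNum[n], p.IP)
		}
	}
	var rules []Rule
	for n, ips := range byNum {
		sort.Strings(ips)
		rules = append(rules, Rule{Port: n, IPs: ips})
	}
	sortRules(rules)
	return rules
}

func sortRules(r []Rule) {
	sort.Slice(r, func(i, j int) bool { return r[i].Port < r[j].Port })
}

// allowed reports whether traffic to ip:port is permitted by the rules.
func allowed(rules []Rule, ip string, port int32) bool {
	for _, r := range rules {
		if r.Port != port {
			continue
		}
		for _, x := range r.IPs {
			if x == ip {
				return true
			}
		}
	}
	return false
}

// samplePods is constructed input mirroring the commit message's example:
// pod A resolves "http" to 9090, pod B to 8080, and pod C has no "http".
func samplePods() []Pod {
	return []Pod{
		{Name: "a", IP: "10.0.0.1", Ports: map[string]int32{"http": 9090}},
		{Name: "b", IP: "10.0.0.2", Ports: map[string]int32{"http": 8080}},
		{Name: "c", IP: "10.0.0.3", Ports: map[string]int32{"metrics": 9100}},
	}
}

func main() {
	pods := samplePods()
	for _, r := range resolveBroad(pods, "http") {
		fmt.Printf("broad:   port %d -> %v\n", r.Port, r.IPs)
	}
	for _, r := range resolvePerPod(pods, "http") {
		fmt.Printf("per-pod: port %d -> %v\n", r.Port, r.IPs)
	}
	fmt.Println("broad allows 8080 on pod A:  ", allowed(resolveBroad(pods, "http"), "10.0.0.1", 8080))
	fmt.Println("per-pod allows 8080 on pod A:", allowed(resolvePerPod(pods, "http"), "10.0.0.1", 8080))
}
```

Run it with `go run` to see that the broad form lets pod A be reached on 8080 and pod C on both numbers, while the per-pod form yields exactly two rules, each carrying only the IP of the pod that defined that number. The check a reviewer would want on the real change is the same shape: for each generated rule, every IP it carries must belong to a pod whose container port of that name is that number.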

408 of 466 new or added lines in 4 files covered. (87.55%)

13 existing lines in 4 files now uncovered.

13550 of 21260 relevant lines covered (63.73%)

0.73 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
55     82.34     3.63%   pkg/controller/network_policy.go
2      59.39     0.94%   pkg/controller/services.go
1      61.84     0.0%    pkg/controller/pods.go

Coverage Regressions

Lines  Coverage  ∆        File
6      82.34      3.63%   pkg/controller/network_policy.go
3      63.51     -0.21%   pkg/apicapi/apicapi.go
2      59.39      0.94%   pkg/controller/services.go
2      71.25     -0.18%   pkg/hostagent/snats.go
Jobs

ID  Job ID   Ran                      Files  Coverage
1   11974.1  22 May 2026 08:47AM UTC  48     63.73
    (DEFAULT_BRANCH=master GOPROXY=https://proxy.golang.org|https://goproxy.io|direct)
  • Back to Repo
  • Travis Build #11974
  • Pull Request #1707
  • PR Base - master (#11939)
© 2026 Coveralls, Inc