Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers
For Cilium users who:
Egress traffic from workloads covered by such network policies to LoadBalancers configured by Gateway
resources will incorrectly be allowed.
LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue.
This issue was fixed by https://github.com/cilium/proxy/pull/1172.
This issue affects:
This issue is fixed in:
A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below:
The Cilium community has worked together with members of the Isovalent team to prepare these mitigations. Special thanks to @jrajahalme for the fix.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.