https://github.com/cilium/cilium
Revision dcf89059d00bcde91aacc0c4849b89bc1bcea966 authored by John Fastabend on 17 February 2021, 00:44:56 UTC, committed by John Fastabend on 21 February 2021, 06:54:30 UTC
In the default mode encryption picks the outer IP headers to use
based on the destination IP of the packet to be encrypted. This
works because we create an IPSec rule that matches the destination
IP of the packet using the node CIDR IP used to allocate IPs for
that node. This allows us to scale rules with number of nodes
instead of number of pods.

However, in modes where a global IP pool is used for any pods we
no longer have a subnet -> pod mapping that we use above. To
handle this case, instead of adding a rule per pod, we rewrite
the srcIP, dstIP after encryption using the ipcache. The ipcache
has the pod -> node mapping so we can use this reliably. Then we
do a fib lookup to rewrite the src/dst MAC and redirect out the
correct egress interface.

But we have a bug where nodeEncrypt routing rules are added
even if encryptNode is not enabled. Additionally, when encryptNode
is enabled we add wrong and possibly conflicting rules from the
normal path.

To fix, ensure we only add encryptNode routes correctly from the
subnetEncryption path when ipv4-pod-subnets is enabled.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
1 parent 42eb1ed
cilium: encryption fix, ipv4-pod-subnets without encryptnode fails