Revision Author Date Message Commit Date
e3fe4bc conformance-ipsec-e2e: add leaked unencrypted packets check Extend the conformance-ipsec-e2e GHA workflow to additionally check that we don't leak any unencrypted packets during the connectivity test. This aims to complement the validation already performed as part of the connectivity tests by the Cilium CLI. Specifically, we leverage bpftrace to analyze the packets forwarded by the bridge device (used by kind), and report those that are not encrypted. We flag packets with both the source and the destination belonging to the IPv4/6 PodCIDR, and we consider the inner headers if packets are encapsulated. In this case, we additionally skip packets originating or targeting CiliumInternalIP addresses (as these are used for node-to-pod traffic when running in tunnel mode, which is not encrypted by design). Extra checks are finally added to always include packets originating from the L7 and DNS proxies, as their source IP is not that of a pod. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 June 2024, 12:43:03 UTC
ec1b796 ci: Delete deprecated conn-disrupt-test action Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
364ff9e ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
c430572 ci: Decouple ipsec-key-rotate action from conn-disrupt-test action So in future we can add encryption leak detection right after key rotation to avoid certain issues. ci-ipsec-e2e and ci-eks have also been adjusted to use conn-disrupt-test-* actions before and after the ipsec-key-rotate action. Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
0f957a7 ci: Add conn-disrupt-test-{setup,check} actions They are to replace conn-disrupt-test action for better flexibility. Please note the new conn-disrupt-test-check doesn't run full tests by default. Signed-off-by: gray <gray.liang@isovalent.com> 10 June 2024, 12:43:03 UTC
6a0d178 ci: fix cluster name in CI tests In these workflows we used a specific cluster name for kops. Cilium-cli fetched the cluster name from the context, resulting in a validation error. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 10 June 2024, 12:40:28 UTC
1cfc5a9 chore(deps): update docker/build-push-action action to v5.4.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 12:35:17 UTC
597e2b3 cilium, netkit: Add CI e2e coverage Add various netkit and netkit-l2 test coverage to CI: - netkit/netkit-l2 with recommended performance profile (https://docs.cilium.io/en/latest/operations/performance/tuning/) - netkit/netkit-l2 with vxlan/geneve under BPF host routing and legacy routing with ingress Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 June 2024, 12:38:50 UTC
8b1f64a Bandwidth map: fix missing table in reconciler config The table wasn't assigned to the reconciler config for the bandwidth map; this causes an error on startup when the bandwidth manager is enabled. This commit should resolve the issue. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 June 2024, 12:09:49 UTC
f3e65e3 chore(deps): update dependency cilium/cilium-cli to v0.16.10 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 10:28:03 UTC
6a203d4 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 10:26:01 UTC
03afbcc Add active connection tracking to eBPF Add new map - LB_ACT_MAP - behind ENABLE_ACTIVE_CONNECTION_TRACKING flag with counters of opened and closed connections. Behavior of eBPF remains completely unchanged when ENABLE_ACTIVE_CONNECTION_TRACKING flag is not set. When an entry in the conntrack table is created, the entry in LB_ACT_MAP.opened is incremented by one. When a connection is closed, the related LB_ACT_MAP.closed is incremented by one. This works only for traffic originating from the local pods. LB_ACT_MAP is keyed by svc_id (also known as rev_nat_index) and zone, which is obtained from the backend entry. The zone field in the backend is populated only when the EndpointSlice contains a reference to a zone in FixedZoneMapping (so it is possible to convert between uint8 ID and string). Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 10 June 2024, 10:14:28 UTC
95886de GwAPI: externalTrafficPolicy support for GwAPI Added externalTrafficPolicy (eTP) support for Cilium GatewayAPI. eTP is globally configurable via `gatewayAPI.externalTrafficPolicy` Helm flag. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
5af8e22 ingress, docs: eTP support for dedicated ingress Added externalTrafficPolicy support for dedicated Cilium Ingress instances. Configurable via new `ingress.cilium.io/service-external-traffic-policy` Ingress annotation. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
1a1a048 helm: externalTrafficPolicy for shared ingress Added configuration option to explicitly configure the externalTrafficPolicy for the Cilium Ingress Kubernetes Service. Signed-off-by: Philip Schmid <phisch@cisco.com> 10 June 2024, 09:42:24 UTC
bfa6e5c fix(deps): update aws-sdk-go-v2 monorepo Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 09:03:56 UTC
2bf8ae7 envoy/xds: Await until endpoint restoration is done Wait until endpoint restoration is done before serving any xDS resources to Envoy, when agent is restoring and envoy daemonset is used. This reduces Envoy resource churn during agent restart. Endpoint restoration does not wait for Envoy ACKs during restart. This is needed to break dependency cycle as resources are not sent to Envoy during restoration, so they will not be ACKed. With this we only get one no-op policy update in Envoy: [cilium/network_policy.cc:1175] NetworkPolicyMap::onConfigUpdate(cilium.policymap.10.244.1.193.1.), 3 resources, version: 17 xternal/envoy/source/common/init/watcher_impl.cc:31] init manager NetworkPolicyMap manager for version 16 destroyed [cilium/network_policy.cc:1200] Received Network Policy for endpoint 1830 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [cilium/network_policy.cc:1200] Received Network Policy for endpoint 3283 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [cilium/network_policy.cc:1200] Received Network Policy for endpoint 3268 in onConfigUpdate() version 17 [cilium/network_policy.cc:1214] New policy is equal to old one, not updating. [external/envoy/source/common/init/target_impl.cc:34] target NetworkPolicyMap manager for version 16 destroyed [cilium/network_policy.cc:1266] Reopening ipcache on new stream [cilium/ipcache.cc:81] cilium.ipcache: Opened ipcache. [cilium/network_policy.cc:1273] Skipping empty or duplicate policy update. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
3660e4d envoy/xds: Call the callback even if wg == nil Call the callback if given even if wg == nil. Define 'wait := wg != nil' to make code more readable. Move UseCurrent to ack_test.go and remove from the interface, as it is only used for testing. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
4a00efb daemon: Remove endpointstate promise dependency on daemon Remove endpointstate resolver's dependency on the daemon, so that it can be used in daemon's dependencies. Suggested-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
02304ca daemon: Do not create l7 policies for health endpoint The special health endpoint should not be subject to L7 policies, so we can disable l7 proxy for it altogether. This helps reduce churn on Envoy policy updates. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 June 2024, 06:30:44 UTC
f1b5334 Adding support for TrafficDistribution This commit adds support for Service Traffic Distribution, a Kubernetes feature that is on track to go beta/available-by-default in v1.31. TrafficDistribution represents the latest and hopefully final iteration in Kubernetes topology aware routing. The default logic is quite simple - route traffic within the same zone if there are any healthy endpoints in that zone. The kube-proxy implementation of that is still based on the EndpointSlice hints field, but does not strictly need to be. This KEP also comes with a more fundamental change to the implementation logic. As part of a broader goal of separating concerns, we've removed the check from Kube-Proxy that verified that a topology annotation was set before honoring hints on EndpointSlices. Now we simply check that all endpoints for an EndpointSlice have hints, and honor them if so. In this commit I've left some logic to determine if a Service is likely to have hints set, but that is now only used to determine if a Service should be reconciled again if the local node labels change. Signed-off-by: Rob Scott <robertjscott@google.com> 10 June 2024, 06:10:46 UTC
3bdfd9d dnsproxy: Pick up cilium/dns with ID retry logic Update to cilium/dns with request ID retry logic to reduce the likelihood of failures like this: level=error msg="Cannot forward proxied DNS lookup" error="duplicate request id 31372" subsys=fqdn/dnsproxy Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 09 June 2024, 15:50:29 UTC
e364fec envoy: Call given callback also when reusing a listener Call the given callback function of addListener(), if any, in all return cases, or by passing it to the completion. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 09 June 2024, 12:18:35 UTC
025fc0f docs: document the cluster name format Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32e7736 gha: configure extreme cluster names in conformance clustermesh To detect and prevent possible regressions causing valid names to not be correctly supported. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32416d2 helm: formalize and validate cluster name format Describe the cluster name specifications, and mimic the same checks performed by the Cilium components, to provide early feedback in case the cluster name is invalid. To enable users to perform a smooth transition, helm validation can be skipped by setting upgradeCompatibility to 1.15 or earlier. In that case, Cilium components will still emit error logs to warn users in case the cluster name is invalid. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
e15911e clustermesh: validate remote cluster name Following the formalization of the cluster name format, let's additionally emit an error log when trying to connect to a cluster associated with an invalid name. Starting from v1.17, Cilium will reject connecting to a cluster with an invalid name. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
b1f10bc options: formalize and validate cluster name format Formally define and validate that a cluster name must respect the following constraints: * It must contain at most 32 characters; * It must begin and end with a lower case alphanumeric character; * It may contain lower case alphanumerics and dashes between; * The "default" name is reserved, and forbidden with ClusterID != 0. The specification almost matches the cluster name definition from the Kubernetes multi-cluster services API [1] (except for the shorter maximum length), and derives from the already implicit requirements due to the usage of the cluster name as: * a k8s label value [2] (for CiliumIdentities), * a hostname [3] when configuring the host aliases during clustermesh interconnection; * part of TLS certificates common name [4]. The goal of the explicit validation is to ensure that Cilium components fail to start with a clear error if the cluster name is invalid, rather than failing silently at a later stage. Given the above constraints, the vast majority of existing deployments are not expected to be affected by this change. Still, to enable users to perform a smooth transition, we currently only emit an error log in case of invalid cluster names. The cluster name format will start being strictly enforced starting from the Cilium version. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#proposal [2]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set [3]: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names [4]: https://stackoverflow.com/a/5142550 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
c94af82 clustermesh, operator: slightly rework invoke function registration Directly register the target function, rather than creating a wrapper, both for simplicity, and to make a subsequent introduction of a new parameter in ClusterInfo.Validate transparent from this point of view. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
13d257f cilium, docs: Add performance profile recommendation Add a small summary to help guide users. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
4fda7ad cilium, docs: Add netkit section to performance doc Add a section on netkit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
073a772 cilium, netkit: Add Helm support Add bpf.datapathMode to Helm, so that netkit can be selected as alternative to veth. Example via Cilium CLI: ./cilium-cli install --wait --chart-directory=install/kubernetes/cilium --helm-set=hubble.eventBufferCapacity=65535 --helm-set=bpf.monitorAggregation=none --helm-set=cluster.name=default --nodes-without-cilium --helm-set-string=kubeProxyReplacement=true --set='' --helm-set=image.repository=localhost:5000/cilium/cilium-dev --helm-set=image.useDigest=false --helm-set=image.tag=local --helm-set=image.pullPolicy=IfNotPresent --helm-set=operator.image.repository=localhost:5000/cilium/operator --helm-set=operator.image.suffix="" --helm-set=operator.image.tag=local --helm-set=operator.image.pullPolicy=IfNotPresent --helm-set=operator.image.useDigest=false --helm-set-string=bpf.datapathMode=netkit --helm-set=ipv6.enabled=true --helm-set=tunnelProtocol=geneve Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
895e7f9 cilium, loader: Unify tcx and netkit detach methods Both just remove the link file, therefore create a common helper. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
fbddb07 cilium, status: Add datapath mode to status Dump the status for the used device mode into cilium status, so that this is picked up by the sysdump. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
bd6ca1f cilium, bpf: Handle local Pod redirect for netkit under host routing The programs we attach via tcx on the physical devices are using bpf_redirect_peer() for inbound traffic into netkit device. Similarly, we use bpf_redirect_neigh() for the way out, pushing from netkit peer to phys device directly. For local Pod-Pod on the same node, it is slightly different in that as opposed to veth devices we do not use bpf_redirect_peer() to go from ingress->ingress since we're on egress for the case of netkit. Thus egress->egress needs to use the regular bpf_redirect(). From a performance PoV there is no difference since both cases need to go via per-CPU backlog once. The detection whether we are on ingress or egress side is based on the ingress_ifindex. In case of netkit, it is set to 0 shortly before via skb scrubbing. In case of tcx at the ingress side it's set to the host facing veth (> 0). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
51da8e2 cilium, loader: Wire-up netkit support Add a similar loading mechanism as we recently got with tcx, but for netkit attachments. Given both utilize bpf_mprog underneath the API looks very similar. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
6895341 cilium, connector: Add netkit connector Add netkit support to Cilium. netkit is a new, minimal BPF-programmable device we presented at LSF/MM/BPF, LPC and KubeCons some time ago. The core idea is that BPF programs are executed within the driver's xmit routine and therefore, e.g. in case of containers/Pods, BPF processing moves closer to the source. One of the goals was that in case of Pod egress traffic, this allows moving BPF programs from hostns tcx ingress into the device itself, providing earlier drop or forward mechanisms; for example, if the BPF program determines that the skb must be sent out of the node, then a redirect to the physical device can take place directly without going through the per-CPU backlog queue. This helps to shift processing for such traffic from softirq to process context, leading to better scheduling decisions/performance (see measurements in the slides). Going forward, we plan to use netkit devices in Cilium as the main device type for connecting Pods. They will be operated in L3 mode in order to simplify a Pod's neighbor management, and the peer will operate in default drop mode, so that no traffic is leaving between the time when a Pod is brought up by the CNI plugin and programs are attached by the agent. This PR supports both netkit operation modes, with the L3 mode being the main/recommended one. Note: netkit in L3 mode has an all-zero mac, so the eth header has dst == src == zero mac, hence the tests for mac len in the template code as the node mac is not needed/used. Also in L3 mode any ARP responder is compiled out as the Pod with netkit does not attempt to resolve mac addresses (it's a NOARP device). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20231024214904.29825-1-daniel@iogearbox.net Link: https://sched.co/1R2s5 07 June 2024, 22:00:37 UTC
5d7d6fd cilium, api: Extend daemon api for netkit mode Add netkit as well as netkit-l2 mode as another option next to veth. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
ce48c39 precheck: Avoid using unbounded io.ReadAll func Fixes: 48a9976a09015a0e411997780c8b260d59593071 Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 18:12:51 UTC
48a9976 bugtool: Add post-processing masking function for Envoy This commit is to explicitly mask the below fields from Envoy config dump: - api_key (used in kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning on existing Cilium protobuf was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
568dbc5 bugtool: Add json masking function This commit is to add a generic json field masking based on the field name. Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
4dc5898 k8s: cegp: Use ipv4 as validation format for EgressIP Instead of relying on a regex based kubebuilder validation pattern, use the ipv4 format to validate EgressIP field in CEGP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
037623d egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP EgressIP field of CiliumEgressGatewayPolicy spec is optional, but if specified, it is used to SNAT egress traffic. Being an optional parameter, no error is logged in case the conversion to netip.Addr fails, and the field is silently ignored. To inform the user of the failure in setting the requested egress IP, fail the CEGP parsing in case of an invalid non-empty egress IP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
ec8e73a build(deps): bump tornado from 6.3.3 to 6.4.1 in /Documentation Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.3.3 to 6.4.1. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](https://github.com/tornadoweb/tornado/compare/v6.3.3...v6.4.1) --- updated-dependencies: - dependency-name: tornado dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 07 June 2024, 13:01:19 UTC
f056579 loader: remove datapathSHA256 datapathSHA256 was added in commit a530ac0b70 ("loader: Hash datapath objects and store results"). It is fed into the endpoint / template hash to ensure that templates are recompiled when bundled source code changes. Since at least 48591d8f42 ("loader: simplify template cache invalidation") the endpoint program cache doesn't reuse results from an older / different cilium process. This means that we're always using the correct source code by construction. Remove datapathSHA256 and related machinery. In the process of refactoring it turns out that we swallow errors from WriteNodeConfig in hashDatapath, which has so far obscured failing tests. The comment that writing to an in-memory hash is correct, but misleading. WriteNodeConfig also returns errors when certain devices are missing. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 07 June 2024, 11:06:27 UTC
c52bee9 clustermesh: periodically enforce cluster config presence Currently, we only write the cluster configuration once, when the clustermesh-apiserver starts and when kvstoremesh connects to a remote cluster. However, the cluster configuration presence is critical, as otherwise remote clusters cannot connect to the given cluster. Hence, let's introduce a periodic enforcement mechanism (every 5 minutes), to ensure that it gets eventually restored in case of external modifications or deletions (e.g., if the associated lease unexpectedly expires). No changes are performed in the cilium operator, as the configuration is already periodically enforced there. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
70b592f clustermesh: add {Get,Set}ClusterConfig unit tests Add basic unit tests to ensure the correct functioning of the GetClusterConfig and SetClusterConfig functions. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
9c5ad72 clustermesh: define reduced clusterConfigBackend interface Instead of using the generic kvstore.Backend interface, make explicit the two methods which are actually used, and simplify mocking them out for testing purposes. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
6079830 chore: replace straight quotes with backticks for commands and functions Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> 07 June 2024, 10:43:18 UTC
99f8871 helm: Decouple sysctlfix from cgroup.autoMount Currently, the sysctlfix is only enabled when cgroup.autoMount is enabled, which is not a directly-related feature. This dependency is introduced because the host procfs mount is only enabled when cgroup.autoMount is enabled. Due to this limitation, we recently observed the issue that disabling cgroup.autoMount in an environment that runs systemd 245+ causes a connectivity loss between nodes in tunnel mode due to the rp_filter. To fix the above issue, introduce a new configuration knob to enable/disable sysctlfix individually. It is enabled by default. Fixes: #20643 Co-authored-by: Nick Young <inocuo@gmail.com> Signed-off-by: Yutaro Hayakawa <yhayakawa3720@gmail.com> 07 June 2024, 09:13:53 UTC
8401331 ci: l4lb: Don't hang on gathering logs forever It doesn't make sense to pass `--follow` when the container is still running, this will hang forever and fail to complete the remaining steps in the workflow. Remove the follow flag. Fixes: 93927457779d ("ci: l4lb: gather more infos about docker-in-docker issues") Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 08:41:17 UTC
3c3e769 bpf: use tail calls to run host firewall in cil_to_host To tackle the complexity issue introduced by the previous commit in cil_to_host in the bpf_host program, use the already existing CILIUM_CALL_IPV{4,6}_TO_HOST_POLICY_ONLY tail calls to handle the enforcement of the ingress host firewall policies. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
ee10671 bpf: allow policy verdict notifications in bpf_host 300236c ("Add the datapath filtering for policy verdict logs.") introduced a mechanism to generate policy verdict logs only if an endpoint has a network policy enforced on the direction of the traffic, to reduce the number of allow events that otherwise would have been notified in case of default allow policies. Unfortunately this logic doesn't take into account the case where send_policy_verdict_notify is called from the bpf_host program (e.g. Host Firewall policies), as POLICY_VERDICT_LOG_FILTER is always set to 0 for that program, resulting in no policy verdicts being notified. This change tries to address this by ignoring the filter if send_policy_verdict_notify is evaluated in the context of bpf_host. Moreover, to prevent a flood of notifications, the ones for default allow policies are ignored. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
4853fb1 bpf: Use __align_stack_8 on IPv6 structs LLVM 18 doesn't align these structs to 8 by default, and our memcpy implementation fails to pass the verifier when applied to these structs, because the verifier requires stack access to be aligned. Align all affected structs. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
4420034 Remove the unused LPM_LOOKUP_FN macro Since commit 7628b19e7313 ("bpf, ipcache: unconditionally assume support for LPM trie maps"), LPM_LOOKUP_FN is only used in its own test. Remove the macro and the test, as it's not used in any actual code, and it causes verifier errors when upgrading to LLVM 18: the verifier can't track a pointer spilled to a map (a global variable). Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
26e15dc docs: Document stable release timing We've recently been trending towards a process that looks something like this, with, for instance, a target date of the 15th and a stable branch cutoff date a week prior, such as the 8th (or an earlier weekday if it falls on a weekend). Document this in general terms without making hard commitments to ship or not ship any specific change, subject to the discretion of the release team. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
acdd363 docs: Document feature release process Document the process that the Cilium release team typically follows around publishing prereleases and release candidates, and outline the expectations around feature freeze / thaw. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
9c36c72 docs: Remove unrelated paragraph for releases This paragraph doesn't make sense in context of releases, as release management is a task for maintainers / committers of the project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
fbb1e8a docs: Fix organization docs flow This page referred to GitHub projects being used for tracking upcoming work, but in general we don't have mechanisms in the project to reliably track work in this manner. The projects tooling we were using is also being deprecated in favor of a newer tool in GitHub, so the links etc. will stop working soon. We can always re-introduce that wording if we find a good way to maintain and manage such projects. Additionally, there are some minor wording improvements we can make to the release cadence to clarify the statements according to the way we manage releases as a project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
df03e88 remove release scripts These scripts will only be available under github.com/cilium/release to avoid any confusion when performing releases. Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
129a200 remove unused files Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
55bf8fa Cleanup leftovers from node statuses in CNP/CCNP Fixes: #29590 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 06 June 2024, 19:25:24 UTC
4ee8ae5 bgp/configmap: remove unnecessary else statement Making BGP config-map settings similar to how rest of the feature flags are deduced. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 06 June 2024, 19:24:40 UTC
c269031 iptables: Remove unneeded cell.Health param The cell.Health reporter is not needed anymore, since it is already provided to the job registered in the manager by the JobGroup. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 06 June 2024, 19:24:26 UTC
e1eb623 clustermesh: drop clustermesh/remoteCluster circular reference Currently, the remoteCluster struct holds a reference to the clustermesh object, leading to a sort of circular dependency. Let's simplify this by explicitly propagating only the necessary parameters, for improved separation and clarity. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 06 June 2024, 19:24:08 UTC
b43dd5f daemon: cleanup daemon fields This commit cleans up the fields from the daemon and daemonParams struct: - EgressGatewayManager (unused - removed from daemon and daemonParams) - HealthProvider (unused - removed from daemon and daemonParams) - DeviceManager (keep in daemonParams) - EndpointManager (set when initializing daemon struct) Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 06 June 2024, 19:23:50 UTC
6ece4c9 bpf: tests: add test for encrypted overlay Exercise the whole codepath in to-netdev that's needed for encrypted overlay. This allows us to validate the whole machinery of packet rewrites and IPsec-related context in the skb mark/cb. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
c55d352 bpf: tests: add helper to insert NODE_MAP entry This will be used in a subsequent patch. Also clean up the existing usage. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
b38d139 bpf: tests: add endpoint parameter for security identity Enable a subsequent patch to specify the security identity of an inserted endpoint. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
fec6a95 documentation: fix AKS note positioning Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
378e881 documentation: embed eCHO episodes in Cilium docs Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
38e1001 envoy: Bump envoy version to v1.29.5 This commit is to bump envoy version to v1.29.5 for below CVEs: - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv) - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4) - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26) - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299) - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc) - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m) - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c) Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.29.5 Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 June 2024, 12:24:52 UTC
a3dafbd .github: fix renovate GitHub workflow config The renovate config had some errors, as pointed out by GitHub, this commit fixes the errors. Fixes: 38e90f3f15f0 ("Renovate SPIRE images in makefile values") Signed-off-by: André Martins <andre@cilium.io> 06 June 2024, 09:45:25 UTC
38e90f3 Renovate SPIRE images in makefile values This points the Renovate SPIRE update to the Makefile.values file. After the version update Renovate will run the Makefile to update the Helm charts. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
f1d7e56 Add Renovate GHA file This adds a file that is similar to the one in the cilium/tetragon repo to run a self hosted Renovate bot inside GitHub Actions Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
65bdb0c Add validation on change of Renovate config This change adds a GHA to validate the Renovate configuration when it is changed inside a PR. This is analogous to the one in the Tetragon repository Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
5ee8be7 datapath: Deprecate trace reason REOPENED Datapath no longer returns a trace reason for REOPENED. Keep the Go symbol for compatibility with older datapaths, but rename it to mark it as deprecated. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 June 2024, 07:36:10 UTC
dcc3dcf bpf: Remove CT_REOPENED, return CT_NEW instead CT_REOPENED was originally added in https://github.com/cilium/cilium/pull/13340 to emit policy verdicts for apparently re-opened TCP connections, which are in fact more likely to be newly opened TCP connections rather than re-opened ones, as the CT entries may live minutes after the TCP state from the endpoints has already timed out. This added complexity to call sites, forcing differentiation between CT_NEW and CT_REOPENED. In all cases some CT entry field values were left stale, e.g., 'proxy_redirect' after a policy change. Instead of adjusting each call site to behave properly for CT_REOPENED, return CT_NEW instead, and make the observable CT lookup behavior the same as for CT_NEW in that case, most notably by not updating the passed in `*ct_state'. This change fixes a proxy redirection bug where return packets are not redirected to an L7 proxy when (a stale) CT entry is missing the 'proxy_redirect' flag. Fixes: #27762 Fixes: #13340 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 June 2024, 07:36:10 UTC
e43e299 ci: remove container scanning workflow The results of this workflow are not being actively reviewed, remove it for now. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 05 June 2024, 20:34:43 UTC
ce59386 Introduce --force-device-detection option This commit introduces the --force-device-detection option, which can be used together with --devices to enrich user specified devices with automatically detected devices. When this option is enabled, the system not only uses the devices explicitly specified by the user but also includes devices that are automatically detected. This ensures comprehensive network device management, particularly useful in dynamic environments where network interfaces may change or new interfaces may be added post-initial configuration. Fixes: #32721 Signed-off-by: Andrei Kvapil <kvapss@gmail.com> 05 June 2024, 19:01:13 UTC
c77d1a3 ipcache: skip prefix update when metadata unchanged If a particular upsert operation is a no-op, then there's no point in enqueuing a prefix update for it. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
c95ee60 ipcache: split queued updates into chunks If a large number of prefixes are queued for update, then we should not update all at the same time. This is because outgoing identities are only released at the end of doInjectLabels(), which means we could double the set of in-use identities while application is happening. The only exception is for the first run, in which case there is no point in dividing, as no identities will be released. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
3ac9cbc mechanical: ipc.InjectLabels() -> ipc.doInjectLabels() This is a private function that should never be called directly. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
86b0d55 ipcache: correctly handle failed allocation It turns out that label injection panics if identity allocation fails. This code-path is not practically reachable, as we would need to run out of local identities. Still good to clean up, though. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
118a64b images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 05 June 2024, 16:56:38 UTC
0de75f4 chore(deps): update go to v1.22.4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 June 2024, 16:56:38 UTC
7dbd76c bpf: s/NODE_MAC/THIS_INTERFACE_MAC This value is *not* some generic, node-wide MAC address. Rather it is the MAC address of the specific interface that the BPF program is attached to. Align the naming with the THIS_MTU macro. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 05 June 2024, 15:21:16 UTC
42c04e9 policy: rename test helper function .Add to .mustAdd, strictly validate This is a convenience test function, there's no need for it to be exported. The one external use is easily removed. Also, add a panic() to ensure tests do not accidentally rely on invalid data, which has happened in the past. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
6ebddc9 policy: require valid policies for tests We were accidentally adding policies that did not pass validation. Rename the test-only function AddList to MustAddList, reject invalid policies. Add the additional helper addInvalidRules() which accepts invalid policies. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
dd088df test: fix invalid network policies There were some tests that supplied invalid network policies. Fix them. Unfortunately, there is one disallowed case we would still like to test, so add an option to override that particular validation check in test mode. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
5f18d88 docs: ipsec: remove limitation for native-routing with L7 egress policy This was addressed by https://github.com/cilium/cilium/pull/32683. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 05 June 2024, 13:55:23 UTC
0cbd730 ingress: Add CNP example for default deny Relates: #28254 Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 12:12:56 UTC
8848188 docs: Lift and shift CNP page for Ingress This moves the external lockdown policy section to its own page, so that we can have more room for other CNP examples. Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 12:12:56 UTC
f9ee4bc clustermesh: fix a few misc issues in the new mcs api controller This commit does 3 small fixes: - Use the correct upstream MCS-API controller. The controller used is now the one that syncs the service IP to the ServiceImport resources. The rest of the controllers are Cilium specific and will be (or already are) implemented soon. - Also add a shortcut on creation to save a delete/recreate of the derived service if there is no ServiceImport and the local one is headless. - Fix the watch on Services to also issue a reconcile if the locally exported Service has changed Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 05 June 2024, 08:33:17 UTC
1ce4c7f proxy/routes: Also route egress proxy's return traffic to 2005 This commit installs the "0xb00/0xf00 lookup 2005" routing rule when IPsec is enabled with native routing and envoy. This is a necessary step towards fixing encryption leaks, otherwise the egress proxy's return traffic gets no chance to have the IPsec mark set. The new routing rule ensures these packets are routed to cilium_host, where we have bpf_host to handle the encryption datapath. This patch uses a different condition from requireFromProxyRoutes() to determine whether to install the new routing rule, otherwise we will see breakage on IPsec=off + envoy=on. Specifically, the new routing rule is isolated to IPsec only. Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
3384d73 iptables: Ensure iptables masquerading works for proxy traffic After https://github.com/cilium/proxy/pull/742, proxy traffic keeps the original pod IP as source IP for to-world packets, which must be masqueraded to the eth0 IP. There is no issue for now, but the new routing rule (0xb00 lookup 2005) to be added for https://github.com/cilium/cilium/issues/31984 will cause a side effect breaking masquerading. This patch fixes that side effect as a precaution, otherwise git-bisect breaks. The new routing rule (0xb00 lookup 2005) will cause proxy packets to go through POSTROUTING twice: the first time happens when the proxy sends packets which are routed to cilium_host, these hit OUTPUT + **POSTROUTING**; the second time takes place after packets ingress from cilium_net, these skbs traverse PREROUTING + FORWARD + **POSTROUTING**. However, due to the kernel's implementation details, an skb won't be processed by nat POSTROUTING twice: after the first POSTROUTING check, the skb's ct `(struct nf_conn*)(skb->_nfct & ~7)` has the status IPS_SRC_NAT_DONE to skip further traversal at all. [1] To avoid having the IPS_SRC_NAT_DONE flag set, this patch adds an iptables rule `--mark 0xb00 -j CT --notrack` at OUTPUT to skip the first round of iptables ct, just for proxy traffic, which is characterized by the 0xb00 mark. [1] https://elixir.bootlin.com/linux/v6.6.2/source/net/netfilter/nf_nat_core.c#L825 [1] https://elixir.bootlin.com/linux/v6.6.2/source/include/net/netfilter/nf_nat.h#L111 Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
f93a40c Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING We have an iptables rule to set the 0x200 mark for transparent sockets:
```
*mangle
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A CILIUM_PRE_mangle -m socket --transparent -m mark ! --mark 0xe00/0xf00 -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff
```
This rule is in the mangle PREROUTING chain, which checks packets ingressed from a netdev. Let's then focus on the pod to world traffic when IPsec=on + proxy=on + tunnel=off. Currently, a pod-to-world packet will go through the path:
1. from_lxc@lxc: skb->mark is set to 0x200 and returned to stack
2. iptables: skb is hijacked by tproxy (due to 0x200), to be accepted by proxy
3. proxy process: the old skb is consumed by proxy, a new skb is sent to upstream (world)
4. stack routing: the new skb is routed to eth0
5. stack iptables: the new skb traverses the OUTPUT chain and POSTROUTING chain
6. to_netdev@eth0: the new skb is going to world
Please note the new skb won't hit the PREROUTING chain, where there is a rule setting skb->mark=0x200. To fix https://github.com/cilium/cilium/issues/31984, we are going to change the routing for packets from the egress proxy; consequently, at step 4 above, the new skb will be routed to cilium_host instead:
4. stack routing: the new skb is routed to cilium_host
5. from_host@cilium_host: the new skb is returned to stack
6. to_host@cilium_net: the new skb is returned to stack
7. stack: PREROUTING, routing, FORWARD, POSTROUTING
Look at step 7, we are hitting PREROUTING! Because of https://github.com/cilium/proxy/pull/742, this to-world skb is also linked to a transparent socket, matching the "-m socket --transparent" condition, so the packet will fortunately have the 0x200 mark. If we do nothing, this to-world skb marked with 0x200 will then hit the routing rule "from all fwmark 0x200/0xf00 lookup 2004" and be routed to local. It should have gone to the world. This patch fixes this future issue as a precaution (otherwise we'll break git-bisect). This patch provides a straightforward solution: at step 5 from_host@cilium_host, we set a special mark 0x800 (MARK_MAGIC_PROXY_TO_WORLD), then iptables can exclude this mark using "-m mark ! --mark 0x800/0xf00". Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
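The mark and policy-routing interplay described in the three commits above (the "0xb00/0xf00 lookup 2005" rule, the existing "0x200/0xf00 lookup 2004" rule, and the 0x800 MARK_MAGIC_PROXY_TO_WORLD exclusion in CILIUM_PRE_mangle) is modelled below as an added Python example; it is not Cilium's code and does not touch the kernel. The rule priorities, the main table id 254, and the assumption that the unpatched from_host path leaves the skb mark at 0 before PREROUTING are simplifications made here, not facts from the commits.

```python
"""Simulate fwmark-based ip rules and the CILIUM_PRE_mangle rule.

Constructed example: the mark values and the /0xf00 mask are those quoted
in the commit messages; everything else is a modelling assumption.
"""
from dataclasses import dataclass

MARK_MAGIC_TO_PROXY = 0x200         # set by from_lxc / PREROUTING (from the commits)
MARK_MAGIC_PROXY_EGRESS = 0xB00     # "0xb00/0xf00 lookup 2005" (from the commits)
MARK_MAGIC_PROXY_TO_WORLD = 0x800   # new mark set in from_host@cilium_host (from the commits)
MARK_MAGIC_ENCRYPT = 0xE00          # excluded by "! --mark 0xe00/0xf00" (from the commits)
MARK_MAGIC_HOST_MASK = 0xF00        # the /0xf00 mask used by every quoted rule
MAIN_TABLE = 254                    # assumption: default "main" table, the fall-through


@dataclass(frozen=True)
class Rule:
    """One `ip rule` entry: `from all fwmark <mark>/<mask> lookup <table>`."""
    priority: int
    mark: int
    mask: int
    table: int


# Priorities are assumed; only relative order matters for the lookup.
IP_RULES = [
    Rule(priority=9, mark=MARK_MAGIC_TO_PROXY, mask=MARK_MAGIC_HOST_MASK, table=2004),
    Rule(priority=10, mark=MARK_MAGIC_PROXY_EGRESS, mask=MARK_MAGIC_HOST_MASK, table=2005),
]


def lookup_table(skb_mark: int, rules=IP_RULES) -> int:
    """Return the routing table an skb with this mark is sent to.

    Mirrors the kernel's fwmark match: (mark & mask) == rule.mark, lowest
    priority first, falling through to the main table.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if skb_mark & rule.mask == rule.mark:
            return rule.table
    return MAIN_TABLE


def mangle_prerouting(skb_mark: int, transparent_socket: bool, patched: bool) -> int:
    """Model the CILIUM_PRE_mangle rule quoted in the commit message.

    Unpatched:  -m socket --transparent -m mark ! --mark 0xe00/0xf00
                -j MARK --set-xmark 0x200/0xffffffff
    Patched:    the same, plus -m mark ! --mark 0x800/0xf00
    """
    if not transparent_socket:
        return skb_mark
    if skb_mark & MARK_MAGIC_HOST_MASK == MARK_MAGIC_ENCRYPT:
        return skb_mark
    if patched and skb_mark & MARK_MAGIC_HOST_MASK == MARK_MAGIC_PROXY_TO_WORLD:
        return skb_mark
    # --set-xmark 0x200/0xffffffff replaces the whole mark, not just the nibble.
    return MARK_MAGIC_TO_PROXY


def route_proxy_to_world(patched: bool) -> int:
    """Walk step 5 (from_host@cilium_host) and step 7 (PREROUTING + rule lookup)
    of the to-world path for a packet emitted by the egress proxy.

    The proxy's upstream socket is transparent (cilium/proxy#742), so the
    PREROUTING rule matches. Assumption: without the patch, from_host leaves
    the mark at 0.
    """
    mark = MARK_MAGIC_PROXY_TO_WORLD if patched else 0
    mark = mangle_prerouting(mark, transparent_socket=True, patched=patched)
    return lookup_table(mark)


if __name__ == "__main__":
    print("unpatched to-world packet ->", route_proxy_to_world(patched=False))  # 2004 (local)
    print("patched   to-world packet ->", route_proxy_to_world(patched=True))   # 254 (main)
    print("egress proxy return traffic ->", lookup_table(MARK_MAGIC_PROXY_EGRESS))  # 2005
```

The unpatched walk lands the to-world packet in table 2004 (the "routed to local" failure the commit describes); with the 0x800 mark and its exclusion in place the packet falls through to the main table, while packets carrying 0xb00 still reach table 2005 and hence cilium_host.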
729fee6 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 June 2024, 07:33:34 UTC
bcbc4c4 cleanup: remove commented-out test function I commented it out but forgot to remove it in a prior PR. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC
75345de cleanup: disentangle policy trifecta The dependencies aren't actually as complicated as the code makes them out to be. We can construct them iteratively without mutation, now that we no longer need the cache to list reserved identities. This is a no-op change. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC