Revision 313d4716d19140ce3613feb9149850ab032b4dd4 authored by Joe Stringer on 29 July 2022, 20:35:55 UTC, committed by Chris Tarazi on 03 October 2022, 19:33:03 UTC
[ upstream commit e6ad7438357da93e5c5dbf823e71ae349adde61d ]
[ Backporter's notes: Conflicts were mostly to convert the methods on
(ipc *IPIdentityCache) to the global IPIdentityCache. ]
Previously, the logic would only upsert identities into the IPCache if
the identity was newly allocated. Logically this makes sense, as the
relationship between a CIDR identity and the ipcache should be tightly
coupled. However, we have observed in some user environments that
ipcache entries may end up being removed from the datapath and the
corresponding identity would remain allocated in userspace. As a result,
the next time a DNS request arrives which intends to make use of that
identity for subsequent connection attempts, it would not populate the
ipcache with the identity, leading to packet loss on the connection
allowed by ToFQDNs policy.
In order to mitigate this issue, ensure that all identities used in DNS
responses are populated into the datapath, and track a metric for any
cases where this occurs for identities that we expect to already be
present in the IPCache. This way, active issues should be mitigated,
but we also still have a way to detect whether this mitigation is
necessary and whether we need to further investigate the root cause of
this issue.
Signed-off-by: Joe Stringer <joe@cilium.io>
1 parent 8230e7b
| File | Mode | Size |
|---|---|---|
| .github | ||
| .travis | ||
| Documentation | ||
| api | ||
| bpf | ||
| bugtool | ||
| cilium | ||
| cilium-health | ||
| clustermesh-apiserver | ||
| contrib | ||
| daemon | ||
| envoy | ||
| examples | ||
| hack | ||
| hubble-relay | ||
| images | ||
| install | ||
| jenkinsfiles | ||
| operator | ||
| pkg | ||
| plugins | ||
| proxylib | ||
| test | ||
| tools | ||
| vendor | ||
| .authors.aux | -rw-r--r-- | 416 bytes |
| .gitattributes | -rw-r--r-- | 301 bytes |
| .gitignore | -rw-r--r-- | 1.5 KB |
| .gitmodules | -rw-r--r-- | 0 bytes |
| .golangci.yaml | -rw-r--r-- | 3.3 KB |
| .mailmap | -rw-r--r-- | 5.0 KB |
| .travis.yml | -rw-r--r-- | 1.1 KB |
| AUTHORS | -rw-r--r-- | 24.7 KB |
| CHANGELOG.md | -rw-r--r-- | 123.7 KB |
| CODEOWNERS | -rw-r--r-- | 1.1 KB |
| CODE_OF_CONDUCT.md | -rw-r--r-- | 2.2 KB |
| CONTRIBUTING.md | -rw-r--r-- | 227 bytes |
| FURTHER_READINGS.rst | -rw-r--r-- | 4.9 KB |
| GO_VERSION | -rw-r--r-- | 8 bytes |
| LICENSE | -rw-r--r-- | 11.1 KB |
| MAINTAINERS.md | -rw-r--r-- | 3.8 KB |
| Makefile | -rw-r--r-- | 28.7 KB |
| Makefile.defs | -rw-r--r-- | 5.9 KB |
| Makefile.docker | -rw-r--r-- | 6.2 KB |
| Makefile.quiet | -rw-r--r-- | 718 bytes |
| README.rst | -rw-r--r-- | 14.9 KB |
| SECURITY.md | -rw-r--r-- | 615 bytes |
| USERS.md | -rw-r--r-- | 8.1 KB |
| VERSION | -rw-r--r-- | 7 bytes |
| Vagrantfile | -rw-r--r-- | 12.9 KB |
| go.mod | -rw-r--r-- | 10.8 KB |
| go.sum | -rw-r--r-- | 204.8 KB |
| netlify.toml | -rw-r--r-- | 92 bytes |
| stable.txt | -rw-r--r-- | 8 bytes |
| vagrant_box_defaults.rb | -rw-r--r-- | 394 bytes |
Computing file changes ...
