node: Don't encrypt traffic to CiliumInternalIP
For similar reasons as in the previous commit, we don't want to
encrypt traffic going from a pod to the CiliumInternalIP. This is
currently the only node IP address type that is associated with an
encryption key.

Since we don't encrypt traffic from the hostns to remote pods anymore
(see previous commit), encrypting traffic going to a CiliumInternalIP
(remote node) would result in a path asymmetry: traffic going to the
CiliumInternalIP would be encrypted, whereas reply traffic coming from
the CiliumInternalIP wouldn't.

This commit removes that case and therefore ensures we never encrypt
traffic going to a node IP address.

Reported-by: Gray Lian <gray.liang@isovalent.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
pchaigno committed May 22, 2023
1 parent 5fe2b2d commit 3b3e8d0
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions pkg/node/manager/manager.go
Expand Up @@ -343,13 +343,12 @@ func (m *manager) nodeAddressHasTunnelIP(address nodeTypes.Address) bool {
}

func (m *manager) nodeAddressHasEncryptKey(address nodeTypes.Address) bool {
return (m.conf.NodeEncryptionEnabled() ||
// If we are doing encryption, but not node based encryption, then do not
// add a key to the nodeIPs so that we avoid a trip through stack and attempting
// to encrypt something we know does not have an encryption policy installed
// in the datapath. By setting key=0 and tunnelIP this will result in traffic
// being sent unencrypted over overlay device.
(address.Type != addressing.NodeExternalIP && address.Type != addressing.NodeInternalIP)) &&
// If we are doing encryption, but not node based encryption, then do not
// add a key to the nodeIPs so that we avoid a trip through stack and attempting
// to encrypt something we know does not have an encryption policy installed
// in the datapath. By setting key=0 and tunnelIP this will result in traffic
// being sent unencrypted over overlay device.
return m.conf.NodeEncryptionEnabled() &&
// Also ignore any remote node's key if the local node opted to not perform
// node-to-node encryption
!node.GetOptOutNodeEncryption()
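Review bot: after this hunk the `address` parameter of `nodeAddressHasEncryptKey` is no longer read anywhere in the body, since the return is now just `m.conf.NodeEncryptionEnabled() && !node.GetOptOutNodeEncryption()`; Go will compile this silently, so either drop the parameter (and adjust callers) or add a short comment explaining why the per-address signature is kept. The retained comment block ("If we are doing encryption, but not node based encryption, then do not add a key to the nodeIPs ...") also predates this change and does not mention the behaviour the commit message describes, namely that CiliumInternalIP now gets no key either so that pod-to-CiliumInternalIP traffic stays symmetric with the unencrypted reply path; a one-line addition there would keep the rationale next to the code that enforces it.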