From 3b3e8d0b1194ebc1d8c8f0f1525045b521e1c7f9 Mon Sep 17 00:00:00 2001
From: Paul Chaignon
Date: Tue, 16 May 2023 21:54:17 +0200
Subject: [PATCH] node: Don't encrypt traffic to CiliumInternalIP

For the similar reasons as in the previous commit, we don't want to encrypt traffic going from a pod to the CiliumInternalIP. This is currently the only node IP address type that is associated an encryption key. Since we don't encrypt traffic from the hostns to remote pods anymore (see previous commit), encrypting traffic going to a CiliumInternalIP (remote node) would result in a path asymmetry: traffic going to the CiliumInternalIP would be encrypted, whereas reply traffic coming from the CiliumInternalIP wouldn't. This commit removes that caseand therefore ensures we never encrypt traffic going to a node IP address.

Reported-by: Gray Lian
Signed-off-by: Paul Chaignon
---
 pkg/node/manager/manager.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/pkg/node/manager/manager.go b/pkg/node/manager/manager.go
index 8d64e40133e9..00a7ae8bf435 100644
--- a/pkg/node/manager/manager.go
+++ b/pkg/node/manager/manager.go
@@ -343,13 +343,12 @@ func (m *manager) nodeAddressHasTunnelIP(address nodeTypes.Address) bool {
 }
 
 func (m *manager) nodeAddressHasEncryptKey(address nodeTypes.Address) bool {
- return (m.conf.NodeEncryptionEnabled() ||
- // If we are doing encryption, but not node based encryption, then do not
- // add a key to the nodeIPs so that we avoid a trip through stack and attempting
- // to encrypt something we know does not have an encryption policy installed
- // in the datapath. By setting key=0 and tunnelIP this will result in traffic
- // being sent unencrypted over overlay device.
- (address.Type != addressing.NodeExternalIP && address.Type != addressing.NodeInternalIP)) &&
+ // If we are doing encryption, but not node based encryption, then do not
+ // add a key to the nodeIPs so that we avoid a trip through stack and attempting
+ // to encrypt something we know does not have an encryption policy installed
+ // in the datapath. By setting key=0 and tunnelIP this will result in traffic
+ // being sent unencrypted over overlay device.
+ return m.conf.NodeEncryptionEnabled() &&
 // Also ignore any remote node's key if the local node opted to not perform
 // node-to-node encryption
 !node.GetOptOutNodeEncryption()
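Review bot: The comment kept above the new `return` still frames the decision as an address-type distinction ("do not add a key to the nodeIPs … tunnelIP"), but the new expression no longer reads `address` at all, so the result is the same for every node address type including CiliumInternalIP. Replace the first comment block with the new invariant, e.g. `// Node addresses only carry an encryption key when node-to-node encryption is enabled and the local node has not opted out; with pod-to-pod-only encryption no node address (including CiliumInternalIP) gets a key, so traffic to node IPs is never encrypted and cannot become asymmetric with unencrypted replies.` Since `address` is now unused, either drop the parameter at the call sites or add a one-line comment stating it is intentionally ignored and kept for signature parity with nodeAddressHasTunnelIP. The closing brace of nodeAddressHasEncryptKey lies outside this hunk.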