Skip to content

Commit

Permalink
labelsfilter: add 'reserved:.*' to default label list
Browse files Browse the repository at this point in the history 
[ upstream commit 16e8f2f ]

Fix #14100

Identity relevant labels is a label prefix list combined of two parts:

1. base part:
  1.1. Read from a user specified (--label-prefix-file) json file if this
      file is provided. Default: `--label-prefix-file=""`.
  1.2 If `--label-prefix-file=""`, read from a default hardcoded list
      (`func defaultLabelPrefixCfg()`).
2. additional part: read from user inputs (--labels), default `--labels=""`

When `--label-prefix-file=""` (default) but `--labels=<custom-list>` provided,
if `reserved:host` (or `reserved:.*`) is not included in the above
`<custom-list>`, the `cilium_host` endpoint will lose its `reserved:host`
label.

When rolling back to the default configuration, that is, setting `--labels=""`
and restarting the agent, cilium agent will raise errors like following:

```
level=warning msg="Regeneration of endpoint failed" .. error="Exposing new BPF failed: invalid LXC MAC: invalid MAC address "
level=error msg="endpoint regeneration failed" ..  error="Exposing new BPF failed: invalid LXC MAC: invalid MAC address "
```

And subsequently, all pods' traffic on this node will be interrupted.

This is because the agent relies on this label to distinguish `cilium_host`
endpoint from normal endpoints, and the former has no `lxcMAC`.
We should never exclude reserved labels from default label list.
Add reserved labels to the default label list could solve the problem.

Appendix:

Sample custom label file (--label-prefix-file) to overwrite the default base
label list:

```
{
    "version": 1,
    "valid-prefixes": [
    {
            "source": "k8s",
            "prefix": "io.kubernetes.pod.namespace"
    }, {
            "source": "k8s",
          "prefix": ":io.cilium.k8s.namespace.labels"
    }, {
            "source": "k8s",
            "prefix": "app.kubernetes.io"
    },{
            "source": "k8s",
            "prefix": "k8s!:io.kubernetes"
    },{
            "source": "k8s",
            "prefix": "!kubernetes.io"
    },{
            "source": "k8s",
            "prefix": "!.*beta.kubernetes.io"
    },{
            "source": "k8s",
            "prefix": "!k8s.io"
    },{
            "source": "k8s",
            "prefix": "!pod-template-generation"
    },{
            "source": "k8s",
            "prefix": "!pod-template-hash"
    },{
            "source": "k8s",
            "prefix": "!controller-revision-hash"
    },{
            "source": "k8s",
            "prefix": "!annotation.*"
    },{
            "source": "k8s",
            "prefix": "!etcd_node"
    ]
}
```

Signed-off-by: ArthurChiao <arthurchiao@hotmail.com>
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
  • Loading branch information
@ArthurChiao @michi-covalent
ArthurChiao authored and michi-covalent committed Feb 11, 2021
1 parent dc4e93a commit 6d84d94
Show file tree
Hide file tree
Showing 3 changed files with 42 additions and 9 deletions.
1 change: 1 addition & 0 deletions Documentation/operations/scalability/identity-relevant-labels.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ By default, Cilium evaluates the following labels:
=================================== ==================================================
Label Description
----------------------------------- --------------------------------------------------
``reserved:.*`` Include all ``reserved`` labels
``k8s:io.kubernetes.pod.namespace`` Include all ``io.kubernetes.pod.namespace`` labels
``k8s:app.kubernetes.io`` Include all ``app.kubernetes.io`` labels
``k8s:!io.kubernetes`` Ignore all ``io.kubernetes`` labels
Expand Down
2 changes: 1 addition & 1 deletion pkg/endpointmanager/manager.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -514,7 +514,7 @@ func (mgr *EndpointManager) AddHostEndpoint(ctx context.Context, owner regenerat
// Give the endpoint a security identity
newCtx, cancel := context.WithTimeout(ctx, launchTime)
defer cancel()
ep.UpdateLabels(newCtx, epLabels, nil, true)
ep.UpdateLabels(newCtx, epLabels, epLabels, true)
if errors.Is(newCtx.Err(), context.DeadlineExceeded) {
log.WithError(newCtx.Err()).Warning("Timed out while updating security identify for host endpoint")
}
Expand Down
48 changes: 40 additions & 8 deletions pkg/labelsfilter/filter.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,9 @@ var (
const (
// LPCfgFileVersion represents the version of a Label Prefix Configuration File
LPCfgFileVersion = 1

// reservedLabelsPattern is the prefix pattern for all reserved labels
reservedLabelsPattern = labels.LabelSourceReserved + ":.*"
)

// LabelPrefix is the cilium's representation of a container label.
Expand Down Expand Up @@ -113,11 +116,25 @@ func parseLabelPrefix(label string) (*LabelPrefix, error) {
// of valid prefixes. Both are optional. If both are provided, both list are
// appended together.
func ParseLabelPrefixCfg(prefixes []string, file string) error {
cfg, err := readLabelPrefixCfgFrom(file)
if err != nil {
return fmt.Errorf("unable to read label prefix file: %s", err)
var cfg *labelPrefixCfg
var err error
var fromCustomFile bool

// Use default label prefix if configuration file not provided
if file == "" {
log.Info("Parsing base label prefixes from default label list")
cfg = defaultLabelPrefixCfg()
} else {
log.Infof("Parsing base label prefixes from file %s", file)
cfg, err = readLabelPrefixCfgFrom(file)
if err != nil {
return fmt.Errorf("unable to read label prefix file: %s", err)
}

fromCustomFile = true
}

log.Infof("Parsing additional label prefixes from user inputs: %v", prefixes)
for _, label := range prefixes {
p, err := parseLabelPrefix(label)
if err != nil {
Expand All @@ -131,9 +148,24 @@ func ParseLabelPrefixCfg(prefixes []string, file string) error {
cfg.LabelPrefixes = append(cfg.LabelPrefixes, p)
}

if fromCustomFile {
found := false
for _, label := range cfg.LabelPrefixes {
if label.Source+":"+label.Prefix == reservedLabelsPattern {
found = true
break
}
}

if !found {
log.Errorf("'%s' needs to be included in the final label list for "+
"Cilium to work properly.", reservedLabelsPattern)
}
}

validLabelPrefixes = cfg

log.Info("Valid label prefix configuration:")
log.Info("Final label prefixes to be used for identity evaluation:")
for _, l := range validLabelPrefixes.LabelPrefixes {
log.Infof(" - %s", l)
}
Expand Down Expand Up @@ -161,6 +193,7 @@ func defaultLabelPrefixCfg() *labelPrefixCfg {
}

expressions := []string{
reservedLabelsPattern, // include all reserved labels
k8sConst.PodNamespaceLabel, // include io.kubernetes.pod.namespace
k8sConst.PodNamespaceMetaLabels, // include all namespace labels
k8sConst.AppKubernetes, // include app.kubernetes.io
Expand All @@ -187,12 +220,11 @@ func defaultLabelPrefixCfg() *labelPrefixCfg {
return cfg
}

// readLabelPrefixCfgFrom reads a label prefix configuration file from fileName. If the
// version is not supported by us it returns an error.
// readLabelPrefixCfgFrom reads a label prefix configuration file from fileName.
// return an error if fileName is empty, or if version is not supported.
func readLabelPrefixCfgFrom(fileName string) (*labelPrefixCfg, error) {
// if not file is specified, the default is empty
if fileName == "" {
return defaultLabelPrefixCfg(), nil
return nil, fmt.Errorf("label prefix file not provided")
}

f, err := os.Open(fileName)
Expand Down

0 comments on commit 6d84d94

Please sign in to comment.