Commit
k8s/utils: filter out cilium-owned labels on pod update
Currently `io.cilium.k8s.*` pod labels are only filtered out on pod
creation. On pod update, they are currently not filtered, which leads to
a situation where no pod label update is reflected in the endpoint
anymore in case of an `io.cilium.k8s.*` label set on the pod:

$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: default
  labels:
    app: foobar
    io.cilium.k8s.something: bazbar
spec:
  containers:
  - name: nginx
    image: nginx:1.25.4
    ports:
    - containerPort: 80
EOF
$ kubectl -n kube-system exec -it cilium-nnnn -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                              IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
252        Disabled           Disabled          50316      k8s:app=foobar                                                           fd00:10:244:1::8b69   10.244.1.78    ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
$ kubectl label pods foo app=nothing --overwrite
$ kubectl describe pod foo
[...]
Labels:           app=nothing
                  io.cilium.k8s.something=bazbar
[...]
$ kubectl describe cep foo
[...]
Labels:       app=foobar
              io.cilium.k8s.something=bazbar
[...]
$ kubectl -n kube-system exec -it cilium-nnnn -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                              IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
252        Disabled           Disabled          50316      k8s:app=foobar                                                           fd00:10:244:1::8b69   10.244.1.78    ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
1285       Disabled           Disabled          1          reserved:host                                                                                                 ready
1297       Disabled           Disabled          4          reserved:health                                                          fd00:10:244:1::ebfb   10.244.1.222   ready

Note that the `app` label didn't change from `foobar` to `nothing` in
the endpoint and the CiliumEndpoint CRD.

This is because the filtered labels are wrongly passed
to `(*Endpoint).ModifyIdentityLabels`, which in turn calls
`e.OpLabels.ModifyIdentityLabels`, which checks whether all of the
deleted labels (which contain the filtered label on pod update
for the example above) were present before, i.e. on pod creation. This
check fails, however, because the labels were filtered out on pod
creation.

Fix this issue by also filtering out the labels on pod update and thus
allowing the label update to successfully complete in the presence of
filtered labels.

After this change, the labels are correctly updated on the endpoint and
the CiliumEndpoint CRD:

$ kubectl label pods foo app=nothing --overwrite
$ kubectl describe pod foo
[...]
Labels:           app=nothing
                  io.cilium.k8s.something=bazbar
[...]
$ kubectl describe cep foo
[...]
Labels:       app=nothing
              io.cilium.k8s.something=bazbar
[...]
$ kubectl -n kube-system exec -it cilium-x2x5r -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                              IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
57         Disabled           Disabled          56486      k8s:app=nothing                                                          fd00:10:244:1::71b7   10.244.1.187   ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
201        Disabled           Disabled          4          reserved:health                                                          fd00:10:244:1::c8de   10.244.1.221   ready
956        Disabled           Disabled          1          reserved:host                                                                                                 ready

Fixes: 599dde3 ("k8s: Filter out cilium owned from pod labels")

Signed-off-by: Tobias Klauser <tobias@cilium.io>
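The failure mechanism the commit message describes, reduced to a runnable model. This is an added illustration, not Cilium's code: `endpoint`, `filterPodLabels`, `modifyIdentityLabels` and `updateFromPod` are hypothetical names, and only the one check the message attributes to `OpLabels.ModifyIdentityLabels` (every label to delete must already be present) is modelled. The label values are constructed to match the reproducer above; the `io.cilium.k8s.` prefix is the one the commit filters.

```go
package main

import (
	"fmt"
	"strings"
)

// ciliumOwnedPrefix: pod labels with this prefix are owned by the agent and must
// not become endpoint identity labels (prefix taken from the commit message).
const ciliumOwnedPrefix = "io.cilium.k8s."

// filterPodLabels returns a fresh map holding only the non-cilium-owned labels.
func filterPodLabels(podLabels map[string]string) map[string]string {
	out := make(map[string]string, len(podLabels))
	for k, v := range podLabels {
		if strings.HasPrefix(k, ciliumOwnedPrefix) {
			continue
		}
		out[k] = v
	}
	return out
}

// endpoint is a hypothetical stand-in for the agent's endpoint state; only the
// identity labels derived from the pod are modelled.
type endpoint struct {
	identityLabels map[string]string
}

// newEndpoint models pod creation, where the labels are always filtered.
func newEndpoint(podLabels map[string]string) *endpoint {
	return &endpoint{identityLabels: filterPodLabels(podLabels)}
}

// modifyIdentityLabels models the check the commit message attributes to
// OpLabels.ModifyIdentityLabels: every label to delete must currently be
// present, otherwise the whole update is rejected and nothing changes.
func (e *endpoint) modifyIdentityLabels(add, del map[string]string) error {
	for k := range del {
		if _, ok := e.identityLabels[k]; !ok {
			return fmt.Errorf("cannot delete label %q: never set on the endpoint", k)
		}
	}
	for k := range del {
		delete(e.identityLabels, k)
	}
	for k, v := range add {
		e.identityLabels[k] = v
	}
	return nil
}

// updateFromPod models the pod-update path. With filterOnUpdate=false the old
// and new pod labels are passed through unfiltered (pre-fix behaviour); with
// true they are filtered first, as the fix does.
func (e *endpoint) updateFromPod(oldPodLabels, newPodLabels map[string]string, filterOnUpdate bool) error {
	oldLbls, newLbls := oldPodLabels, newPodLabels
	if filterOnUpdate {
		oldLbls, newLbls = filterPodLabels(oldPodLabels), filterPodLabels(newPodLabels)
	}
	// all previously derived labels are deleted and the new set is added
	return e.modifyIdentityLabels(newLbls, oldLbls)
}

func main() {
	// constructed labels matching the reproducer in the commit message
	oldPod := map[string]string{"app": "foobar", "io.cilium.k8s.something": "bazbar"}
	newPod := map[string]string{"app": "nothing", "io.cilium.k8s.something": "bazbar"}

	ep := newEndpoint(oldPod)
	fmt.Println("after create:", ep.identityLabels)

	// pre-fix: the unfiltered old labels include the cilium-owned key, which was
	// never set on the endpoint, so the update is rejected and app stays "foobar"
	if err := ep.updateFromPod(oldPod, newPod, false); err != nil {
		fmt.Println("unfiltered update rejected:", err)
	}
	fmt.Println("after unfiltered update:", ep.identityLabels)

	// post-fix: both label sets are filtered, the delete set matches what was
	// set on creation, and app becomes "nothing"
	if err := ep.updateFromPod(oldPod, newPod, true); err != nil {
		fmt.Println("unexpected:", err)
	}
	fmt.Println("after filtered update:", ep.identityLabels)
}
```

The point of the model is that filtering has to be applied symmetrically: whatever was dropped when the endpoint was created must also be dropped from the "old" set on update, or the delete-set consistency check will reject every subsequent label change for that pod.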
tklauser committed Mar 15, 2024
1 parent 5508746 commit ed4e650
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions pkg/k8s/utils/utils.go
Expand Up @@ -246,9 +246,9 @@ func SanitizePodLabels(podLabels map[string]string, namespace nameLabelsGetter,
return sanitizedLabels
}

// StripPodSpecialLabels strips labels that are not supposed to be coming from a k8s pod object
// StripPodSpecialLabels strips labels that are not supposed to be coming from a k8s pod object update.
func StripPodSpecialLabels(labels map[string]string) map[string]string {
sanitizedLabels := make(map[string]string)
sanitizedLabels := filterPodLabels(labels)
forbiddenKeys := map[string]struct{}{
k8sconst.PodNamespaceMetaLabels: {},
k8sconst.PolicyLabelServiceAccount: {},
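Review bot: no test covers the update path this fixes; the change touches only pkg/k8s/utils/utils.go, although the commit message gives a concrete reproducer (a pod carrying `app` plus an `io.cilium.k8s.something` label, then `app` relabelled). A unit test for `StripPodSpecialLabels` asserting that an `io.cilium.k8s.*` key is dropped from the returned map would pin the behaviour against a regression. Also worth confirming that `filterPodLabels` returns a fresh map rather than the caller's `labels`: the old code started from `sanitizedLabels := make(map[string]string)`, so any deletions driven by the `forbiddenKeys` set below could not touch the pod object's own label map, and the new line should preserve that guarantee.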
