chaining: source security ID in hairpin might lead to policy denies in >=v1.7.4 #12136
Comments
Is this a potential collision in the mark value?
It looks like some bits changed:
@aanm How did you get into this state?
In that case yes, but it is more common to be off by 1
This could be a
To close out discussion, this was caused by a conflicting mark value. So added a PR to opt-out of setting identity field in the mark. This will force the ingress path to do another lookup and obfuscate the trace logs some, but will allow policy to work correctly.
[Only thing left here is a doc follow-up to update the chaining guide.]
Bisecting blame 60b4210
The security ID in the endpoint is different from the one being generated by the datapath: