bpf & envoy: Add support for authentication on ingress policies #23839
/test
6e79764
to
149123d
Compare
Looking good, thanks!
/test Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed: Click to show.Test Name
Failure Output
If it is a flake and a GitHub issue doesn't already exist to track it, comment
/test-1.24-5.4
/test-1.25-4.19
Looking good to me. Will not block on the little nit
701ec44
to
d0b3ccb
Compare
Sorry, had to rebase to master (ingress conformance sanity test flaked (LB IP was always empty)). Seems to be ok now. -> due to functionality which has been added in the meantime and was part of the conformance tests -> #23719
/test
LGTM 👍
/test-1.25-4.19
/test-1.26-net-next
/test-1.26-net-next
Pass authentication type in case of ingress LXC traffic to support authentication on ingress policies. Without this change, the auth type which gets passed to the monitor is always none which results in blocked ingress traffic.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
The connect-timeout of the Envoy Proxy needs to be increased from 1s to 2s. This ensures that there's enough time for a re-delivery of a dropped packet due to authentication on the same connection. Without this change, authentication on ingress network policies might not work in certain scenarios, because the connection times out before the packet gets re-delivered. (L7 policies applied (proxy is used), auth enabled, Pods on same node in a kind cluster)
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
d0b3ccb
to
d65f18d
Compare
-> #23448
/test
/test-runtime
Pass authentication type in case of ingress LXC traffic to support authentication on ingress policies.
Without this change, the auth type which gets passed to the monitor is always none which results in blocked ingress traffic.
In addition, the connect-timeout of the Envoy Proxy needs to be increased from 1s to 2s. This ensures that there's enough time for a re-delivery of a dropped packet due to authentication on the same connection.
Without this change, authentication on ingress network policies might not work in certain scenarios, because the connection times out before the packet gets re-delivered. (L7 policies applied (proxy is used), auth enabled, Pods on same node in a kind cluster)