
bpf & envoy: Add support for authentication on ingress policies #23839

Merged
merged 4 commits into cilium:master from pr/mhofstetter/ingress-auth-bpf on Feb 21, 2023

Conversation

mhofstetter
Member

Pass authentication type in case of ingress LXC traffic to support authentication on ingress policies.

Without this change, the auth type which gets passed to the monitor is always none which results in blocked ingress traffic.

In addition, the connect-timeout of the Envoy Proxy needs to be increased from 1s to 2s. This ensures that there's enough time for a re-delivery of a dropped packet due to authentication on the same connection.

Without this change, authentication on ingress network policies might not work in certain scenarios, because the connection times out before the packet gets re-delivered. (L7 policies applied (proxy is used), auth enabled, Pods on same node in a kind cluster)

@mhofstetter mhofstetter added the release-note/misc label (This PR makes changes that have no direct user impact.) Feb 17, 2023
@mhofstetter
Member Author

/test

Review comment on bpf/bpf_lxc.c (outdated, resolved)
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/ingress-auth-bpf branch 2 times, most recently from 6e79764 to 149123d February 17, 2023 10:31
Member

@jrajahalme jrajahalme left a comment


Looking good, thanks!

@jrajahalme
Member

jrajahalme commented Feb 17, 2023

/test

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Test Name: K8sDatapathVerifier Runs the kernel verifier against Cilium's BPF datapath

Failure Output: FAIL: terminating containers are not deleted after timeout

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.25-kernel-4.19 so I can create one.

@mhofstetter mhofstetter marked this pull request as ready for review February 17, 2023 10:51
@mhofstetter mhofstetter requested review from a team as code owners February 17, 2023 10:51
@mhofstetter
Member Author

/test-1.24-5.4

@mhofstetter
Member Author

/test-1.25-4.19

@pchaigno pchaigno removed the request for review from a team February 18, 2023 10:55
Member

@dylandreimerink dylandreimerink left a comment


Looking good to me. Will not block on the little nit

Review comment on bpf/lib/policy.h (resolved)
@mhofstetter mhofstetter requested a review from a team as a code owner February 20, 2023 12:15
@mhofstetter mhofstetter requested review from youngnick and removed request for thorn3r February 20, 2023 12:15
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/ingress-auth-bpf branch 2 times, most recently from 701ec44 to d0b3ccb February 20, 2023 18:14
@mhofstetter
Member Author

mhofstetter commented Feb 20, 2023

sorry, had to rebase to master (ingress conformance sanity test flaked (LB IP was always empty)). seems to be ok now.

-> due to functionality which has been added in the meantime and was part of the conformance tests -> #23719

@mhofstetter
Member Author

/test

Contributor

@thorn3r thorn3r left a comment


LGTM 👍

@mhofstetter
Member Author

mhofstetter commented Feb 21, 2023

[2023-02-20T19:17:31.550Z] VBoxManage: error: Medium '....vmdk' is locked for reading by another task

/test-1.25-4.19

@mhofstetter
Member Author

/test-1.26-net-next

@mhofstetter
Member Author

/test-1.26-net-next

Pass authentication type in case of ingress LXC traffic to support
authentication on ingress policies.

Without this change, the auth type which gets passed to the monitor
is always none which results in blocked ingress traffic.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

The connect-timeout of the Envoy Proxy needs to be increased from 1s to
2s. This ensures that there's enough time for a re-delivery of a dropped
packet due to authentication on the same connection.

Without this change, authentication on ingress network policies might
not work in certain scenarios, because the connection times out before
the packet gets re-delivered. (L7 policies applied (proxy is used),
auth enabled, Pods on same node in a kind cluster)

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/ingress-auth-bpf branch from d0b3ccb to d65f18d February 21, 2023 13:27
@mhofstetter
Member Author

K8sDatapathEgressGatewayTest is failing due to changes on master

CiliumEgressGatewayPolicy in version "v2" cannot be handled as a CiliumEgressGatewayPolicy: strict decoding error: unknown field "spec.excludedCIDRs"

-> #23448
-> rebase 🙈

@mhofstetter
Member Author

/test

@mhofstetter
Member Author

mhofstetter commented Feb 21, 2023

test-runtime failed with flaky test #23272

-> https://jenkins.cilium.io/job/Cilium-PR-Runtime-net-next/5134/testReport/junit/(root)/Suite-runtime/RuntimeDatapathPrivilegedUnitTests_Run_Tests/

/test-runtime

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) Feb 21, 2023
@pchaigno pchaigno added the sig/datapath label (Impacts bpf/ or low-level forwarding details, including map management and monitor messages.) Feb 21, 2023
@pchaigno pchaigno merged commit 88c0394 into cilium:master Feb 21, 2023
@mhofstetter mhofstetter deleted the pr/mhofstetter/ingress-auth-bpf branch February 22, 2023 07:48
@mhofstetter mhofstetter added the area/servicemesh label (GH issues or PRs regarding servicemesh) Mar 13, 2023