Enable configuration of the source IP verification per endpoint #23985

Merged
merged 2 commits into from Feb 28, 2023

pchaigno
Member

This pull request exposes as a per-endpoint config the existing setting to disable the source IP verification on pods' egress. That setting was introduced in #16134. See commits for details.

@oblazek I'd love a review from you 🙂

Most of our feature macros follow the pattern ENABLE_XXX. Let's ensure
that one does as well. It simplifies a bit the following patch.

Fixes: 9c72798 ("datapath: optionaly disable SIP verification")
Signed-off-by: Paul Chaignon <paul@cilium.io>

Commit 9c72798 ("datapath: optionaly disable SIP verification")
introduced a new setting to allow disabling the SIP verification. That
setting was however not exposed through the usual API and could only be
changed if calling directly into the endpoint creation logic (initial
use case was for Cilium integration on OpenStack IIRC).

We now have another use case where users of Cilium's L4LB want to
terminate the tunnel between L4LB and backend into the backend pod
itself. As a result, when DSR is enabled, the replies leave the backend
pod with a VIP as the source. To enable that, we thus need to disable
the SIP verification for those backend pods.

This commit enables that by exposing the setting as a usual per-endpoint
setting (same as e.g. the policy verdict and audit settings).

Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Feb 23, 2023
@pchaigno pchaigno marked this pull request as ready for review February 23, 2023 23:47
@pchaigno pchaigno requested review from a team as code owners February 23, 2023 23:47
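
The egress check described in the commit message above, as a simplified model added here (not code from the PR or from Cilium's datapath); the struct, function and verdict names and the sample addresses are hypothetical. It shows why a DSR reply sourced from the VIP is dropped while verification is on, and what the backend pod may send once it is off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample addresses, not taken from the PR. */
#define POD_IP   IPV4(10, 0, 1, 23)     /* address assigned to the backend pod */
#define VIP      IPV4(192, 0, 2, 10)    /* L4LB service VIP */
#define OTHER_IP IPV4(198, 51, 100, 7)  /* any address the pod does not own */

/* Hypothetical verdict names for this model. */
enum verdict { PASS = 0, DROP_INVALID_SIP = 1 };

/* Hypothetical per-endpoint state: pod address plus the setting the PR exposes. */
struct endpoint {
    uint32_t ip;
    bool sip_verification;
};

/* Egress check: with verification on, only the pod's own address may be the source. */
enum verdict egress_check(const struct endpoint *ep, uint32_t saddr)
{
    if (ep->sip_verification && saddr != ep->ip)
        return DROP_INVALID_SIP;
    return PASS;
}

/* Count how many of the three sample sources the endpoint may send from. */
int accepted_sources(const struct endpoint *ep)
{
    const uint32_t sources[] = { POD_IP, VIP, OTHER_IP };
    int n = 0;
    for (unsigned i = 0; i < sizeof(sources) / sizeof(sources[0]); i++)
        n += egress_check(ep, sources[i]) == PASS;
    return n;
}

int main(void)
{
    struct endpoint regular = { POD_IP, true };   /* verification on */
    struct endpoint backend = { POD_IP, false };  /* DSR backend terminating the tunnel */

    printf("regular pod, reply from VIP: %s\n", egress_check(&regular, VIP) == PASS ? "pass" : "drop");
    printf("backend pod, reply from VIP: %s\n", egress_check(&backend, VIP) == PASS ? "pass" : "drop");
    printf("sources accepted: regular=%d backend=%d\n", accepted_sources(&regular), accepted_sources(&backend));
    return 0;
}
```

In this model the setting is all-or-nothing per endpoint: turning it off for the backend admits the VIP and every other source alike, which is why the exemption belongs only on the endpoints that need it.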
@oblazek
Contributor

oblazek commented Feb 27, 2023

this looks great, I don't see a problem with it as long as we can override this with endpointDatapathConfig 👍

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 27, 2023
@sayboras sayboras merged commit bc373d9 into cilium:master Feb 28, 2023
@pchaigno pchaigno deleted the expose-sip-verification-setting branch February 28, 2023 09:33