Make private Envoy sockets localhost only #24011
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
meyskens
force-pushed
the
meyskens/envoy-listen-local
branch
from
7d26d66
to
2913bb1
Compare
meyskens
added
kind/cleanup
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
meyskens
force-pushed
the
meyskens/envoy-listen-local
branch
4 times, most recently
from
0ebe11b
to
5f5852e
Compare
|
/test |
| @@ -361,7 +361,7 @@ func ParseResources(cecNamespace string, cecName string, anySlice []cilium_v2.XD | |||
| // Do this only after all other possible error cases. | |||
| for _, listener := range resources.Listeners { | |||
| if listener.GetAddress() == nil { | |||
| port, err := portAllocator.AllocateProxyPort(listener.Name, false) | |||
| port, err := portAllocator.AllocateProxyPort(listener.Name, false, true) | |||
There was a problem hiding this comment.
Was this meant to ever be configurable?
There was a problem hiding this comment.
It kind of is already, you can specify an address and port in the Listener spec. This path is only executed when there is no address in the Listener spec, meaning that "let each Cilium Agent pick a local port". With this change that now includes the fact the locally allocated port is listened only on localhost interfaces. The locally allocated port is essentially random, so it is different on each node and is not exposed in any user facing API. Given this it would be hard to send traffic to that port from the outside of the node anyway, so listening on localhost only does not change much. Other than have one less open port on external interfaces potentially vulnerable for port scanning.
meyskens
force-pushed
the
meyskens/envoy-listen-local
branch
from
5f5852e
to
879026c
Compare
meyskens
force-pushed
the
meyskens/envoy-listen-local
branch
from
879026c
to
6bf753b
Compare
This change makes parts of Envoy that do not need public access bind to localhost only. This was previously not possible as it could not bind on both ipv4 and v6. In Envoy 1.24 multi listeners were added making this improvement possible. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
This change adds the ability to make proxy rules run over the local interface. To do this it adds the underlying IP to the iptable ruleset for --on-ip instead ot it defaulting to any ip. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
This change adds a lookup to the localhost IP in the tproxy code. It will first look for a localhost socket, failing that it will fall back to the previous behaviour of 0.0.0.0/:: Co-authored-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
meyskens
force-pushed
the
meyskens/envoy-listen-local
branch
from
6bf753b
to
e180093
Compare
jrajahalme
added
the
ready-to-merge
|
The loader area change is a trivial interface function prototype change, no point asking a review from the loader area, so marking this as ready-to-merge. |
jrajahalme
removed
the
ready-to-merge
|
/test Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
|
Noticed ginkgo tests had not run after recent force pushes, running the tests now. |
meyskens
added
the
ready-to-merge
|
The two test fails are for unrelated image pulling errors. Images exist but Cilium pods as in image-pull-backoff. |
This change makes parts of Envoy that do not need public access bind to
localhost only. This was previously not possible as it could not bind
on both ipv4 and v6. In Envoy 1.24 multi listeners were added making
this improvement possible.
Depends on #23940(merged)Fixes a part of #23353 (there are more cilium agent ports which are not managed by envoy)