Make private Envoy sockets localhost only #24011
Conversation
Nice, some early comments below.
/test
Small nits only. Use of local only ports on DNS proxy may warrant further discussion, though.
@@ -361,7 +361,7 @@ func ParseResources(cecNamespace string, cecName string, anySlice []cilium_v2.XD | |||
// Do this only after all other possible error cases. | |||
for _, listener := range resources.Listeners { | |||
if listener.GetAddress() == nil { | |||
port, err := portAllocator.AllocateProxyPort(listener.Name, false) | |||
port, err := portAllocator.AllocateProxyPort(listener.Name, false, true) |
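Review bot: the new third argument to AllocateProxyPort is passed as a bare `true`, so at this call site nothing says that it means "bind the agent-allocated port on localhost only"; consider a named constant or an inline `/* localOnly */ true`, and document the parameter in AllocateProxyPort's doc comment, since this is the branch taken whenever `listener.GetAddress() == nil` and it silently changes which interfaces the port is reachable on.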
Was this meant to ever be configurable?
It kind of is already, you can specify an address and port in the Listener spec. This path is only executed when there is no address in the Listener spec, meaning "let each Cilium Agent pick a local port". With this change that now includes the fact that the locally allocated port is listened on only on localhost interfaces. The locally allocated port is essentially random, so it is different on each node and is not exposed in any user facing API. Given this it would be hard to send traffic to that port from outside of the node anyway, so listening on localhost only does not change much. Other than having one less open port on external interfaces potentially vulnerable to port scanning.
This change makes parts of Envoy that do not need public access bind to localhost only. This was previously not possible as it could not bind on both ipv4 and v6. In Envoy 1.24 multi listeners were added making this improvement possible.
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>

This change adds the ability to make proxy rules run over the local interface. To do this it adds the underlying IP to the iptable ruleset for --on-ip instead of it defaulting to any ip.
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>

This change adds a lookup to the localhost IP in the tproxy code. It will first look for a localhost socket, failing that it will fall back to the previous behaviour of 0.0.0.0/::
Co-authored-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
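The point of this PR, as the author's reply and the tproxy commit message put it, is that an agent-allocated proxy port should end up bound to 127.0.0.1/::1 rather than 0.0.0.0/::. The check below is an added example, not code from Cilium or Envoy: it parses text in the /proc/net/tcp and /proc/net/tcp6 layout and lists the LISTEN sockets that are not on loopback, which is how an operator can verify on a node that no private Envoy port is still reachable from outside. The sample table is constructed and the helper names are my own.

```go
package main

import (
	"encoding/hex"
	"net"
	"strconv"
	"strings"
)

// Constructed /proc/net/tcp sample, not from a real node (trailing columns dropped).
const sampleTCP = `  sl  local_address rem_address   st
   0: 0100007F:2710 00000000:0000 0A
   1: 00000000:26AD 00000000:0000 0A
   2: 0100007F:2710 0100007F:C350 01`

// parseProcAddr decodes the kernel's hex "ADDR:PORT": each 32-bit word of the
// address (one for IPv4, four for IPv6) is stored little-endian.
func parseProcAddr(s string) (net.IP, uint16, error) {
	addr, portHex, ok := strings.Cut(s, ":")
	raw, err := hex.DecodeString(addr)
	port, perr := strconv.ParseUint(portHex, 16, 16)
	if !ok || err != nil || perr != nil || (len(raw) != 4 && len(raw) != 16) {
		return nil, 0, net.InvalidAddrError(s)
	}
	ip := make(net.IP, len(raw))
	for w := 0; w < len(raw); w += 4 { // byte-swap each 32-bit word
		for i := 0; i < 4; i++ {
			ip[w+i] = raw[w+3-i]
		}
	}
	return ip, uint16(port), nil
}

// ExposedListeners returns the LISTEN sockets (st == 0A) in /proc/net/tcp or
// tcp6 text that are not bound to loopback, i.e. reachable from off the node.
func ExposedListeners(table string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[3] != "0A" {
			continue // header row, blank line or socket not in LISTEN state
		}
		if ip, port, err := parseProcAddr(f[1]); err != nil {
			return nil, err
		} else if !ip.IsLoopback() {
			out = append(out, net.JoinHostPort(ip.String(), strconv.Itoa(int(port))))
		}
	}
	return out, nil
}
```

On a live node feed it the contents of both /proc/net/tcp and /proc/net/tcp6, since an IPv6 wildcard (::) listener only shows up in the latter.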
The loader area change is a trivial interface function prototype change, no point asking a review from the loader area, so marking this as ready-to-merge.
/test
Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed.
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed.
Noticed ginkgo tests had not run after recent force pushes, running the tests now.
The two test fails are for unrelated image pulling errors. Images exist but Cilium pods are in image-pull-backoff.
Depends on #23940 (merged)
Fixes a part of #23353 (there are more cilium agent ports which are not managed by envoy)