Service Mesh mTLS: introduce auth map #24218
e41e82b to 54a387c
Small nits only :-)
New map types need to be added to the alignchecker, as for example in commit 16e132e, both in
7216939 to d333ebe
LGTM!
/test
d333ebe to 60a7b87
E2E Tests failed with
added
/test
60a7b87 to 6915649
6915649 to 90339aa
rebased to master and resolved conflicts in generated documentation files (without any other changes)
Prior to this commit, auth information was kept as an additional property in the ct map, which required authentication on a per-connection basis. This commit introduces the bpf map auth, which keeps track of authentication state between security identities in combination with the remote node id, auth type and an expiration.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Introduce cilium CLI command "cilium bpf auth list" to inspect the entries of the bpf auth map.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
90339aa to d8b7420
Looks good to me, thank you!
/test
LGTM for me
Currently, authentication state (if required by a policy) is tracked as a property in the conntrack map, which requires authentication in userspace on a per-connection basis.
These changes introduce the bpf map auth, which enables keeping track of authentication state between security identities in combination with the remote node id, auth type and an expiration.
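The following is an added userspace model of the auth-map semantics described in the PR description and the first commit message; it is example code written for this page, not code from the PR or from Cilium. The key layout (local identity, remote identity, remote node id, auth type), the value (an expiration), the AuthType constants, and the Decide/Record/GC/List helper names are all assumptions chosen to illustrate why keying on the identity pair rather than on the connection lets one successful handshake cover every subsequent connection between the same peers until the entry expires. The List output format is constructed and only loosely resembles what "cilium bpf auth list" prints.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuthType identifies the authentication method a policy selected.
// Values are assumed for this example, not Cilium's real enum.
type AuthType uint8

const (
	AuthTypeNone AuthType = iota
	AuthTypeMutualTLS
)

// AuthKey is the assumed key layout: state is kept per
// (local identity, remote identity, remote node, auth type), not per connection.
type AuthKey struct {
	LocalIdentity  uint32
	RemoteIdentity uint32
	RemoteNodeID   uint16
	AuthType       AuthType
}

// AuthInfo is the assumed value: when the authenticated state expires.
type AuthInfo struct {
	Expiration time.Time
}

// AuthMap is a userspace stand-in for the BPF auth map.
type AuthMap struct {
	entries map[AuthKey]AuthInfo
	now     func() time.Time // injectable clock so expiry is testable
}

func NewAuthMap(now func() time.Time) *AuthMap {
	return &AuthMap{entries: map[AuthKey]AuthInfo{}, now: now}
}

// Record stores a successful handshake result with a time-to-live.
func (m *AuthMap) Record(k AuthKey, ttl time.Duration) {
	m.entries[k] = AuthInfo{Expiration: m.now().Add(ttl)}
}

// Authenticated reports whether an unexpired entry exists for k.
func (m *AuthMap) Authenticated(k AuthKey) bool {
	info, ok := m.entries[k]
	return ok && m.now().Before(info.Expiration)
}

// GC drops expired entries and returns how many were removed.
func (m *AuthMap) GC() int {
	removed := 0
	for k, info := range m.entries {
		if !m.now().Before(info.Expiration) {
			delete(m.entries, k)
			removed++
		}
	}
	return removed
}

// Verdict is the datapath decision for a flow whose policy demands auth.
type Verdict string

const (
	VerdictForward      Verdict = "forward"
	VerdictAuthRequired Verdict = "drop: authentication required"
)

// Decide mirrors the datapath check: forward if the identity pair is already
// authenticated, otherwise drop and leave the handshake to the agent.
func Decide(m *AuthMap, k AuthKey, policyRequiresAuth bool) Verdict {
	if !policyRequiresAuth || m.Authenticated(k) {
		return VerdictForward
	}
	return VerdictAuthRequired
}

// List renders entries as a sorted listing (constructed format, not the CLI's).
func (m *AuthMap) List() []string {
	lines := make([]string, 0, len(m.entries))
	for k, info := range m.entries {
		lines = append(lines, fmt.Sprintf("local=%d remote=%d node=%d type=%d expires=%s",
			k.LocalIdentity, k.RemoteIdentity, k.RemoteNodeID, k.AuthType,
			info.Expiration.UTC().Format(time.RFC3339)))
	}
	sort.Strings(lines)
	return lines
}

func main() {
	clock := time.Date(2023, 3, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	m := NewAuthMap(func() time.Time { return clock })
	k := AuthKey{LocalIdentity: 1001, RemoteIdentity: 2002, RemoteNodeID: 7, AuthType: AuthTypeMutualTLS}

	fmt.Println("first connection: ", Decide(m, k, true)) // no entry yet: drop
	m.Record(k, 10*time.Minute)                           // agent completed the handshake
	fmt.Println("second connection:", Decide(m, k, true)) // same identity pair: forward
	for _, l := range m.List() {
		fmt.Println(l)
	}
	clock = clock.Add(11 * time.Minute)
	fmt.Println("after expiry:     ", Decide(m, k, true)) // re-authentication needed
	fmt.Println("expired entries removed:", m.GC())
}
```

The second connection is forwarded without any new handshake because the lookup key is the identity pair plus remote node and auth type, whereas a conntrack-keyed design would have to authenticate that connection again. A peer on a different node gets its own entry, and once the expiration passes the datapath falls back to dropping until the agent refreshes the entry.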