
Service Mesh mTLS: introduce auth map #24218

Merged
merged 2 commits into from Mar 14, 2023

Conversation

@mhofstetter (Member) commented Mar 7, 2023

Currently, authentication state (if required by a policy) is tracked as a property in the conntrack map, which requires authentication in userspace on a per-connection basis.

These changes introduce the bpf map auth which enables keeping track of authentication state between security identities in combination with the remote node id, auth type and an expiration.
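To make the design concrete, here is a small in-memory model of such an auth map, written as an added example rather than taken from the PR or from Cilium's code base. The type and field names (`AuthKey`, `AuthMap`, `AuthTypeMTLS`) are assumptions chosen to mirror the dimensions the description lists; the point it shows is that an expired entry is treated exactly like a missing one, so stale authentication state is never trusted.

```go
package main

import "time"

// AuthType is the authentication mechanism a policy demands (assumed enum).
type AuthType uint8

const AuthTypeMTLS AuthType = 1 // hypothetical value, not Cilium's

// AuthKey mirrors the dimensions named in the PR description: the two
// security identities, the remote node ID and the auth type.
type AuthKey struct {
	LocalIdentity  uint32
	RemoteIdentity uint32
	RemoteNodeID   uint16
	AuthType       AuthType
}

// AuthMap stands in for the bpf auth map; values are expiry instants.
type AuthMap struct {
	entries map[AuthKey]time.Time
}

func NewAuthMap() *AuthMap {
	return &AuthMap{entries: make(map[AuthKey]time.Time)}
}

// Update records a successful authentication valid for the given window.
func (m *AuthMap) Update(k AuthKey, now time.Time, validFor time.Duration) {
	m.entries[k] = now.Add(validFor)
}

// Authenticated reports whether a non-expired entry exists for k. An expired
// entry counts as missing, so the next connection must authenticate again.
func (m *AuthMap) Authenticated(k AuthKey, now time.Time) bool {
	exp, ok := m.entries[k]
	return ok && now.Before(exp)
}

// GC drops expired entries and returns how many were removed.
func (m *AuthMap) GC(now time.Time) int {
	dropped := 0
	for k, exp := range m.entries {
		if !now.Before(exp) {
			delete(m.entries, k)
			dropped++
		}
	}
	return dropped
}
```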

@mhofstetter added the labels release-note/misc (This PR makes changes that have no direct user impact) and area/servicemesh (GH issues or PRs regarding servicemesh) on Mar 7, 2023
@mhofstetter force-pushed the pr/mhofstetter/auth-map branch 2 times, most recently from e41e82b to 54a387c, March 7, 2023 15:33
@jrajahalme (Member) left a comment

Small nits only :-)

Review comments (resolved) on: bpf/lib/common.h, cilium/cmd/bpf_auth_list.go, pkg/maps/auth/auth_map.go (two comments)

@jrajahalme (Member)

New map types need to be added to the alignchecker like for example in commit 16e132e, both in bpf/bpf_alignchecker.c and pkg/datapath/alignchecker/alignchecker.go

@mhofstetter force-pushed the pr/mhofstetter/auth-map branch 4 times, most recently from 7216939 to d333ebe, March 7, 2023 16:18
@mhofstetter marked this pull request as ready for review March 7, 2023 16:50
@mhofstetter requested review from a team as code owners March 7, 2023 16:50
@dylandreimerink (Member) left a comment

LGTM!

@mhofstetter (Member, Author)

/test

@mhofstetter (Member, Author)

E2E Tests failed with

Found 2 k8s-app=cilium logs matching list of errors that must be investigated:
[2023-03-09T17:00:37.178Z]     2023-03-09T17:00:16.900966073Z level=warning msg="Skipping symbol substitution" subsys=elf symbol=cilium_auth_map
...

added cilium_auth_map to ignoredELFPrefixes

@mhofstetter (Member, Author)

/test

Review comments (resolved) on: Documentation/spelling_wordlist.txt, pkg/maps/auth/auth_map.go

@mhofstetter (Member, Author)

rebased to master and resolved conflicts in generated documentation files (without any other changes)

Prior to this commit, auth information was kept as an additional property
in the ct map, which required authentication on a per-connection basis.

This commit introduces the bpf map auth which keeps track of
authentication state between security identities in combination with the
remote node id, auth type and an expiration.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

Introduce cilium CLI command "cilium bpf auth list" to inspect the
entries of the bpf auth map.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@qmonnet (Member) left a comment

Looks good to me, thank you!

@mhofstetter (Member, Author)

/test

@meyskens (Member) left a comment

LGTM for me

@jrajahalme merged commit b8eb6bd into cilium:master Mar 14, 2023
@mhofstetter deleted the pr/mhofstetter/auth-map branch March 14, 2023 14:40
Labels
area/servicemesh GH issues or PRs regarding servicemesh release-note/misc This PR makes changes that have no direct user impact.