auth: Use authmap for auth_required policies #24410
Conversation
Force-pushed from 90f8ada to 4f4800b.
Force-pushed from 4f4800b to a04f29f.
I only reviewed my files; looks fine.
LGTM for the Go bits.
/test
I did run this in an e2e test and I got a nil pointer that seems to be related to this.
Force-pushed from 030d83b to 65cf37e.
/test
bpf test failures are due to master breakage, not to this PR. There is a separate PR #24534 for the fix.
Force-pushed from 65cf37e to 2e58c9f.
Rebased to pick up master fixes.
/test
Force-pushed from c1ed947 to 6700218.
Force-pushed from 6700218 to 316c427.
/test
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:
Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1689/ If it is a flake and a GitHub issue doesn't already exist to track it, comment
Restarted ci-eks due to timeout waiting for pods to become ready on install.
ci-eks failed due to:
net-next failed on k8s auth error:
/test-1.26-net-next
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:
Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1695/ If it is a flake and a GitHub issue doesn't already exist to track it, comment
/ci-eks
configmap changes LGTM! Thanks for reworking :)
Rename pkg/maps/auth to pkg/maps/authmap to avoid requiring explicitly importing it as "authmap" when also importing pkg/auth. Most of the other maps packages have the "map" suffix, so this adds to consistency in package naming. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add a new config map for passing runtime configuration values that may change often enough to not warrant recompiling the affected bpf programs, and whose changes will not have an effect on the structure of the bpf programs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Define "utime" as positive Unix epoch time, in 512 nanosecond units. This unit is chosen as the largest exponentiation of base 2 that yields a whole integer multiplier to get from seconds to utime units without any loss of accuracy, and to gain more future time range. "utime" is an unsigned 64 bit integer, so the range is from the Unix epoch (1.1.1970) to September 3rd of year 301261. With this formulation, the result of ktime_get_ns() can be shifted right by 9 bits to gain the current monotonic clock in "utime" units. Finally, this commit adds an entry to the configmap, the offset to add to the shifted monotonic clock to get the current time in Unix epoch time. This offset is periodically updated by the Cilium agent to account for the boot time of the system, any NTP time jumps, and the difference between boottime and monotonic clocks (such as suspend time). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Use the new auth map for auth_required policy instead of the CT map. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
This reverts commit 1f7ed72. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
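Worked example of the "utime" arithmetic described in the third commit message above. This is illustration code added for this page, not code from the Cilium PR or the project: it assumes only what the commit states (1 utime unit = 512 ns, the datapath shifts ktime_get_ns() right by 9 bits and adds an agent-published offset, the agent refreshes that offset periodically). The function names are hypothetical, and the two clock readings are constructed inputs passed as parameters rather than live clock_gettime() calls, so the example runs offline and deterministically.

```go
package main

import (
	"fmt"
	"time"
)

// utimeShift is how far ktime_get_ns() is shifted right to get utime units:
// 1 utime unit == 2^9 ns == 512 ns. 2^9 is the largest power of two dividing
// 10^9 exactly, so one second is a whole number of utime units (1953125) and
// no accuracy is lost on second boundaries.
const utimeShift = 9

// UtimePerSec is the exact number of utime units in one second (10^9 / 512).
const UtimePerSec = uint64(1_000_000_000) >> utimeShift // 1953125

// NsToUtime converts a nanosecond count (e.g. a monotonic clock reading) to
// utime units. Only the sub-512 ns bits shifted out are lost.
func NsToUtime(ns uint64) uint64 { return ns >> utimeShift }

// SecondsToUtime converts whole seconds to utime units without loss.
func SecondsToUtime(sec uint64) uint64 { return sec * UtimePerSec }

// UtimeOffset is the value the agent side would publish into the config map:
// added to the datapath's shifted monotonic clock it yields Unix time in utime
// units. Recomputing it from a fresh pair of readings folds in boot time, NTP
// steps and suspend. (Hypothetical helper; readings are parameters here.)
func UtimeOffset(monotonicNs, realtimeNs uint64) uint64 {
	return NsToUtime(realtimeNs) - NsToUtime(monotonicNs)
}

// DatapathNow mirrors what a bpf program does with the config map entry:
// shift ktime_get_ns() right by utimeShift and add the published offset.
func DatapathNow(ktimeNs, offset uint64) uint64 {
	return NsToUtime(ktimeNs) + offset
}

// UtimeToTime converts a utime value back to a UTC time.Time, e.g. to compare
// a datapath timestamp against agent-side wall-clock time in logs.
func UtimeToTime(u uint64) time.Time {
	sec := u / UtimePerSec
	rem := u % UtimePerSec
	return time.Unix(int64(sec), int64(rem<<utimeShift)).UTC()
}

// MaxUtimeTime is the last instant representable by a uint64 utime value.
func MaxUtimeTime() time.Time { return UtimeToTime(^uint64(0)) }

func main() {
	// Constructed readings: node booted 2 h ago, wall clock 2023-03-27 12:00:00 UTC.
	mono := uint64(2 * time.Hour)
	wall := uint64(time.Date(2023, 3, 27, 12, 0, 0, 0, time.UTC).UnixNano())
	off := UtimeOffset(mono, wall)

	// 10 s of monotonic time later, the datapath computes "now" from the offset.
	now := DatapathNow(mono+uint64(10*time.Second), off)
	fmt.Println("datapath now:", UtimeToTime(now))

	// After an NTP step of +30 s the agent republishes a larger offset; the
	// datapath picks the jump up on its next read of the config map.
	off2 := UtimeOffset(mono+uint64(10*time.Second), wall+uint64(40*time.Second))
	fmt.Println("offset delta after NTP step (utime units):", off2-off)
	fmt.Println("uint64 utime range ends in year", MaxUtimeTime().Year())
}
```

The subtraction in UtimeOffset is done after shifting both readings, so the offset itself is an integer number of utime units and can be stored directly in the map; the at-most-one-unit (512 ns) rounding this introduces is below the resolution the datapath can observe anyway.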
Force-pushed from 316c427 to 8cd3c52.
Updated to not move the from_tunnel bit in conntrack flags around.
/test
Travis test had failed on
ci-eks is failing on almost every run (last successful run is from yesterday).
ci-eks is broken, so disregarding it and marking this as ready-to-merge.
@jrajahalme is there an issue filed for the ci-eks breakage? Is someone following up on that, do we need to mark the job as "not required"? We shouldn't be marking
The ci-eks breakage is being tracked in #24774. Let's continue the discussion about temporary fixes there. I believe it should not hold back this PR at this time.
Use the auth map (added in PR #24218) for auth_required policy instead of the CT map.