k8s / policy: allow all services for toServices when using highscale ipcache #26127
There are some lint errors regarding option.Config.HighScaleIPcacheEnabled()
e86b015 to 8983299
/test

Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed:

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/695/

If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.26-kernel-net-next' hit: #25958 (92.62% similarity)
Checkpatch is complaining with
Maybe format the commit msg to
?
https://github.com/cilium/cilium/actions/runs/5259867178 is failing all for the same test 🤔
Normally, toServices rules only allow Endpoints that are external to the cluster. This is to prevent conflict with entries already existing in the ipcache.

However, this is not relevant with highscale ipcache, where podips are normally excluded from the ipcache anyways. So, allow all services to be specified in toServices egress rules when highscale is enabled.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
8983299 to cbb0d5c
cloudflare blip :-/.
/test
All approvals are in, CI is fully green. Merging
Is there a test for this at all? Doesn't Cilium just ignore these rule sections if they're not translated?
Normally, toServices rules only allow Endpoints that are external to the cluster. This is to prevent conflict with entries already existing in the ipcache.
However, this is not relevant with highscale ipcache, where podips are normally excluded from the ipcache anyways. So, allow all services to be specified in toServices egress rules when highscale is enabled.