endpoint: fix policy map sync warning due to policymap authtype diffs #26218

Merged

mhofstetter

PolicyMap sync warns about diffs in mapstate entries where authentication is enabled - even though the policy map is in sync.

```
level=debug msg="map[dumpedPolicyMap:map[Identity=0,DestPort=0,Nexthdr=0,TrafficDirection=1:ProxyPort=0 Identity=1,DestPort=0,Nexthdr=0,TrafficDirection=0:ProxyPort=0 Identity=8689,DestPort=80,Nexthdr=6,TrafficDirection=0:ProxyPort=14197]]syncPolicyMapWithDump" containerID=662cba3891 datapathPolicyRevision=4 desiredPolicyRevision=4 endpointID=98 identity=52226 ipv4=10.244.2.131 ipv6="fd00:10:244:2::b2ee" k8sPodName=mtls-test/test2-fff868488-xrb47 subsys=endpoint
level=debug msg="map[dumpedDiffs:[{true Identity=8689,DestPort=80,Nexthdr=6,TrafficDirection=0 ProxyPort=14197}]]syncPolicyMapWithDump" containerID=662cba3891 datapathPolicyRevision=4 desiredPolicyRevision=4 endpointID=98 identity=52226 ipv4=10.244.2.131 ipv6="fd00:10:244:2::b2ee" k8sPodName=mtls-test/test2-fff868488-xrb47 subsys=endpoint
```

with

```
Identity=8689,DestPort=80,Nexthdr=6,TrafficDirection=0 => ProxyPort=12894,IsDeny=false,AuthType=disabled
!=
Identity=8689,DestPort=80,Nexthdr=6,TrafficDirection=0 => ProxyPort=12894,IsDeny=false,AuthType=spire
```

The problem is that dumping the map state doesn't map the property auth type, which results in an unwanted diff.

This PR adds the auth type property to the mapping.

In addition, the fields IsDeny & AuthType have been added to MapStateEntry.String

@meyskens: thanks for reporting the issue!

Currently, only the field `ProxyPort` is part of the String method of
`MapStateEntry`. This doesn't give enough insights - e.g. when
logging a MapState diff.

This commit adds the missing fields `IsDeny` & `AuthType` to the
`String` method.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

PolicyMap sync warns about diffs in mapstate entries where
authentication is enabled - even though the policy map is in sync.

The problem is that dumping the map state doesn't map the property auth
type, which results in an unwanted diff.

This commit adds the auth type property to the mapping.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
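
The spurious diff described in the PR and its two commit messages, reproduced as an added Go example (not code from the PR or from Cilium). `Key`, `Entry`, `FromDump` and `Diffs` are hypothetical simplified stand-ins, and the sample entry is constructed from the values in the log excerpt above.

```go
package main

import "fmt"

// Key and Entry are simplified stand-ins, not Cilium's real types.
type Key struct {
	Identity                  uint32
	DestPort                  uint16
	Nexthdr, TrafficDirection uint8
}

type Entry struct {
	ProxyPort uint16
	IsDeny    bool
	AuthType  string // "disabled" or "spire", as in the log excerpt above
}

// String prints every compared field so a logged diff shows which one differs.
func (e Entry) String() string {
	return fmt.Sprintf("ProxyPort=%d,IsDeny=%t,AuthType=%s", e.ProxyPort, e.IsDeny, e.AuthType)
}

// FromDump converts a value read back from the datapath map. With mapAuth
// false it leaves AuthType at its default, reproducing the missing mapping.
func FromDump(raw Entry, mapAuth bool) Entry {
	e := Entry{ProxyPort: raw.ProxyPort, IsDeny: raw.IsDeny, AuthType: "disabled"}
	if mapAuth {
		e.AuthType = raw.AuthType
	}
	return e
}

// Diffs lists the keys whose dumped entry differs from the desired entry.
func Diffs(desired, dumped map[Key]Entry, mapAuth bool) []string {
	var out []string
	for k, want := range desired {
		raw, ok := dumped[k]
		if got := FromDump(raw, mapAuth); !ok || got != want {
			out = append(out, fmt.Sprintf("%+v => %s != %s", k, got, want))
		}
	}
	return out
}

func main() {
	k := Key{Identity: 8689, DestPort: 80, Nexthdr: 6}
	state := map[Key]Entry{k: {ProxyPort: 12894, AuthType: "spire"}} // constructed
	fmt.Println("without mapping:", Diffs(state, state, false))
	fmt.Println("with mapping:   ", Diffs(state, state, true))
}
```

The desired and dumped maps are identical here, so any diff reported comes from the conversion alone; an entry whose `AuthType` is `disabled` never triggers it, which matches the report that only entries with authentication enabled were affected.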
@mhofstetter mhofstetter added kind/bug This is a bug in the Cilium logic. release-note/major This PR introduces major new functionality to Cilium. area/servicemesh GH issues or PRs regarding servicemesh feature/authentication labels Jun 14, 2023
@mhofstetter mhofstetter requested review from a team as code owners June 14, 2023 09:57
@mhofstetter mhofstetter added release-note/misc This PR makes changes that have no direct user impact. and removed release-note/major This PR introduces major new functionality to Cilium. labels Jun 14, 2023

@meyskens meyskens left a comment

Changes LGTM

Deploying this in my home cluster where I found the error and running it for a while (as of 3 minutes running it seems to work)

@jrajahalme jrajahalme left a comment

Thanks for the fix!

@mhofstetter

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 14, 2023
@tklauser tklauser merged commit 5750e50 into cilium:main Jun 14, 2023
66 checks passed
@mhofstetter mhofstetter deleted the pr/mhofstetter/policy-fix-mapstate-props branch June 14, 2023 13:56