ipsec: fixes for key rotation #27319
Conversation
I briefly looked over the changes and nothing alarming stood out. I'd prefer someone with more familiarity with this part of the codebase to take a closer look.
Thanks!
Marking as backport/author to avoid this getting in the backporter bucket, as it's expected to have conflicts. @jschwinger233 will take care of the backports.
I've added a release note.
Fixups to ensure keys are correctly in place before deleting the old key.
Instantiate all xfrm rules when the new key shows up instead of waiting for nodeUpdate events through the validator to happen. It's not always the case on larger clusters that the nodeUpdate logic will trigger before the key retention logic triggers to delete old keys. In this case we may be missing xfrm rules for new keys for some nodes.
Ensure rules are in place before the key is updated. Current logic updates the datapath key before updating the BPF maps, creating a smallish window where pkts can be marked for the new key but the BPF maps and datapath won't have the mapping to do this yet, resulting in dropped pkts.
Both of these are intended to address an increased policy block counter in recent versions.
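The two orderings contrasted in the PR description, as an added toy model that is not Cilium's code: a per-node set of installed key IDs stands in for the xfrm rules and BPF map entries, and a packet is dropped when it is marked with a key ID that the destination node has no rule for. `rotateLazy` follows the pre-fix flow (flip the datapath key first, install rules only for nodes whose nodeUpdate was processed, retire the old key on its timer); `rotateEager` installs rules everywhere before flipping and only then retires the old key. The type and function names, and the three-node cluster, are assumptions constructed for the example.

```go
package main

import "fmt"

// Added example, not Cilium's code: a toy model of the two key-rotation
// orderings contrasted in the PR description. Type and function names
// (node, keyState, rotateLazy, rotateEager) are assumptions for illustration.

type node string

// keyState stands in for the per-node encryption state: for each remote node,
// the set of key IDs for which an xfrm rule / BPF map entry exists, plus the
// key ID the datapath currently marks outgoing packets with.
type keyState struct {
	activeKey uint8
	rules     map[node]map[uint8]bool
}

func newKeyState(nodes []node, key uint8) *keyState {
	s := &keyState{activeKey: key, rules: make(map[node]map[uint8]bool)}
	for _, n := range nodes {
		s.rules[n] = map[uint8]bool{key: true}
	}
	return s
}

func (s *keyState) install(n node, key uint8) { s.rules[n][key] = true }

// retire removes every rule for key, as the key-retention logic does for the old key.
func (s *keyState) retire(key uint8) {
	for _, r := range s.rules {
		delete(r, key)
	}
}

// deliverable reports whether a packet to n, marked with the active key,
// has a matching rule; otherwise it is dropped.
func (s *keyState) deliverable(n node) bool { return s.rules[n][s.activeKey] }

// drops counts the nodes that would currently drop such a packet.
func (s *keyState) drops() int {
	d := 0
	for n := range s.rules {
		if !s.deliverable(n) {
			d++
		}
	}
	return d
}

// rotateLazy models the pre-fix flow: the datapath key flips as soon as the
// new key appears, rules for the new key are only added for nodes whose
// nodeUpdate event has been processed (updated), and the old key is retired
// when its retention timer fires regardless of which nodes are ready.
func rotateLazy(s *keyState, newKey uint8, updated []node) (dropsAtSwitch, dropsAfterRetire int) {
	oldKey := s.activeKey
	s.activeKey = newKey      // key updated before any mapping exists
	dropsAtSwitch = s.drops() // window: every node lacks a rule for newKey
	for _, n := range updated {
		s.install(n, newKey)
	}
	s.retire(oldKey)
	dropsAfterRetire = s.drops() // nodes never updated now have no usable key
	return dropsAtSwitch, dropsAfterRetire
}

// rotateEager models the fixed flow: rules for the new key are installed on
// every node first, then the datapath key flips, then the old key is retired.
func rotateEager(s *keyState, newKey uint8) (dropsAtSwitch, dropsAfterRetire int) {
	oldKey := s.activeKey
	for n := range s.rules {
		s.install(n, newKey)
	}
	s.activeKey = newKey
	dropsAtSwitch = s.drops()
	s.retire(oldKey)
	dropsAfterRetire = s.drops()
	return dropsAtSwitch, dropsAfterRetire
}

func main() {
	nodes := []node{"node-a", "node-b", "node-c"} // constructed cluster
	a, b := rotateLazy(newKeyState(nodes, 1), 2, []node{"node-a"})
	fmt.Printf("lazy:  drops at switch=%d after retire=%d\n", a, b)
	a, b = rotateEager(newKeyState(nodes, 1), 2)
	fmt.Printf("eager: drops at switch=%d after retire=%d\n", a, b)
}
```

The model is deterministic, so the "smallish window" shows up as a drop count at the instant the key flips rather than as a timing-dependent loss; the second count shows why retiring the old key only after rules exist on every node matters independently of that window.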