Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proxy: Ignore visibility annotation if proxy is disabled #27597

Merged
merged 2 commits into from Aug 23, 2023
Merged

proxy: Ignore visibility annotation if proxy is disabled #27597

merged 2 commits into from Aug 23, 2023

Conversation

sayboras
Copy link
Member

Description

This is to avoid the below error if proxy is disabled as part of
installation, but the visibility annotation is added to pods later.

2023-08-11T12:42:41.390575371Z goroutine 1522 [running]:
2023-08-11T12:42:41.390581994Z github.com/cilium/cilium/pkg/proxy.(*Proxy).CreateOrUpdateRedirect(0x0, {0x3ae74b8, 0xc000650280}, {0x3aeb440?, 0xc0016e4560?}, {0xc0010ba1b0, 0x12}, {0x3afd260, 0xc000982000}, 0xc001c9c980)
2023-08-11T12:42:41.390589198Z  github.com/cilium/cilium/pkg/proxy/proxy.go:459 +0xb7
2023-08-11T12:42:41.390596081Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addVisibilityRedirects(0xc000982000, 0x1, 0xc001874ba0?, 0xc001c9c980?)
2023-08-11T12:42:41.390602613Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:343 +0x443
2023-08-11T12:42:41.390614345Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addNewRedirects(0xc000982000, 0xc001874870?)
2023-08-11T12:42:41.390651325Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:424 +0x3c5
2023-08-11T12:42:41.390658068Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc000982000, 0xc000e31800, 0x0)
2023-08-11T12:42:41.390663999Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:802 +0x4fe
2023-08-11T12:42:41.390669690Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc000982000, 0xc000e31800)
2023-08-11T12:42:41.390675451Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:542 +0x1a5
2023-08-11T12:42:41.390681112Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc000982000, 0xc000e31800)
2023-08-11T12:42:41.390686893Z  github.com/cilium/cilium/pkg/endpoint/policy.go:467 +0x9c6
2023-08-11T12:42:41.390692564Z github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc000131b50, 0x0?)
2023-08-11T12:42:41.390698385Z  github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325
2023-08-11T12:42:41.390704045Z github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1()
2023-08-11T12:42:41.390709716Z  github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x142

Fixes: #27594

Testing

Testing was done locally with l7Proxy=false, and then annotate a pod with visibility annotation

$ k annotate pod client-77bf9989dc-984xp policy.cilium.io/proxy-visibility="<Egress/80/TCP/HTTP>" --overwrite
pod/client-77bf9989dc-984xp annotate
$ ksyslo ds/cilium --timestamps | zgrep "ignoring L7 proxy visibility policy as L7 proxy is disabled"
2023-08-20T13:02:08.241508927Z level=warning msg="ignoring L7 proxy visibility policy as L7 proxy is disabled" ciliumEndpointName=default/client-77bf9989dc-984xp containerID=1ea0a77f5d containerInterface=eth0 datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=759 identity=831 ipv4=10.244.0.19 ipv6= k8sPodName=default/client-77bf9989dc-984xp subsys=endpoint

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 20, 2023
@sayboras sayboras added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Aug 20, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Aug 20, 2023
@sayboras
Copy link
Member Author

/test

@sayboras
Copy link
Member Author

/test

@sayboras
Copy link
Member Author

/test

@sayboras sayboras marked this pull request as ready for review August 21, 2023 11:23
@sayboras sayboras requested review from a team as code owners August 21, 2023 11:23
zacharysarah
zacharysarah requested changes Aug 21, 2023
View reviewed changes
Copy link
Contributor

@zacharysarah zacharysarah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sayboras Small changes for clarity and consistency, otherwise LGTM for docs.

Documentation/observability/visibility.rst Outdated Show resolved Hide resolved
@sayboras
proxy: Ignore visibility annotation if proxy is disabled
437df5e 
This is to avoid the below error if proxy is disabled as part of
installation, but the visibility annotation is added to pods later.

```
2023-08-11T12:42:41.390575371Z goroutine 1522 [running]:
2023-08-11T12:42:41.390581994Z github.com/cilium/cilium/pkg/proxy.(*Proxy).CreateOrUpdateRedirect(0x0, {0x3ae74b8, 0xc000650280}, {0x3aeb440?, 0xc0016e4560?}, {0xc0010ba1b0, 0x12}, {0x3afd260, 0xc000982000}, 0xc001c9c980)
2023-08-11T12:42:41.390589198Z  github.com/cilium/cilium/pkg/proxy/proxy.go:459 +0xb7
2023-08-11T12:42:41.390596081Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addVisibilityRedirects(0xc000982000, 0x1, 0xc001874ba0?, 0xc001c9c980?)
2023-08-11T12:42:41.390602613Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:343 +0x443
2023-08-11T12:42:41.390614345Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addNewRedirects(0xc000982000, 0xc001874870?)
2023-08-11T12:42:41.390651325Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:424 +0x3c5
2023-08-11T12:42:41.390658068Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc000982000, 0xc000e31800, 0x0)
2023-08-11T12:42:41.390663999Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:802 +0x4fe
2023-08-11T12:42:41.390669690Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc000982000, 0xc000e31800)
2023-08-11T12:42:41.390675451Z  github.com/cilium/cilium/pkg/endpoint/bpf.go:542 +0x1a5
2023-08-11T12:42:41.390681112Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc000982000, 0xc000e31800)
2023-08-11T12:42:41.390686893Z  github.com/cilium/cilium/pkg/endpoint/policy.go:467 +0x9c6
2023-08-11T12:42:41.390692564Z github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc000131b50, 0x0?)
2023-08-11T12:42:41.390698385Z  github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325
2023-08-11T12:42:41.390704045Z github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1()
2023-08-11T12:42:41.390709716Z  github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x142
```

Fixes: cilium#27594

Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras
helm: Add validation rule for Envoy L7 Load Balancer
2b7caae 
This is to ensure that proxy must be enabled if Envoy L7 Load balancer
feature is enabled.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
@sayboras
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 23, 2023
@jrajahalme jrajahalme merged commit 3f23ba7 into cilium:main Aug 23, 2023
60 checks passed
@sayboras sayboras deleted the tam/visibility-proxy-false branch August 23, 2023 12:46
@tklauser tklauser mentioned this pull request Aug 23, 2023
Merged
7 tasks
@sayboras sayboras mentioned this pull request Aug 23, 2023
Closed
2 tasks
@tklauser tklauser mentioned this pull request Aug 24, 2023
Merged
9 tasks
@tklauser tklauser added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch backport-pending/1.12 labels Aug 24, 2023
@joestringer joestringer added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Aug 25, 2023
@pippolo84 pippolo84 mentioned this pull request Aug 28, 2023
Merged
3 tasks
@pippolo84 pippolo84 added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Aug 28, 2023
@michi-covalent michi-covalent mentioned this pull request Sep 9, 2023
Merged
@michi-covalent michi-covalent added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Sep 9, 2023
This was referenced Sep 9, 2023
Merged
Merged
@GoVulnBot GoVulnBot mentioned this pull request Sep 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@zacharysarah zacharysarah zacharysarah approved these changes

@jrajahalme jrajahalme jrajahalme approved these changes

@youngnick youngnick youngnick approved these changes

Assignees
No one assigned
Labels
backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

annotate pod policy.cilium.io/proxy-visibility causing cilium to panic with WireGuard
9 participants
@sayboras @kaworu @zacharysarah @jrajahalme @youngnick @tklauser @joestringer @pippolo84 @michi-covalent