CFP: Operator Manages Cilium Identities #27752
Labels
kind/feature
This introduces new functionality.
sig/agent
Cilium agent related.
stale
The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Comments
|
This issue has been automatically marked as stale because it has not |
github-actions
bot
added
the
stale
2 tasks
|
The implementation is in progress. |
github-actions
bot
removed
the
stale
|
Hi there! I wanted to mention Rob proposed xDS adapter for Cilium which may be relevant here, PTAL: https://docs.google.com/document/d/1U4pO_dTaHERKOtrneNA8njW19HSVbq3sBM3x8an4878/edit#heading=h.y3v1ksm0ev6r |
|
This issue has been automatically marked as stale because it has not |
github-actions
bot
added
the
stale
dlapcevic
pushed a commit
to dlapcevic/cilium
that referenced
this issue
Mar 22, 2024
**Feature: Operator Manages Cilium Identities** CFP: cilium#27752 **Description** A new feature hidden behind a flag. Disabled by default. Besides the new flag that enables the feature, there are no other user visible changes. cilium-operator is going to manage (create and delete) Cilium Identity API objects instead of cilium-agent. cilium-operator calculates the desired state for Cilium Identities based on watched events for Cilium Identities, Pods, Namespaces and Cilium Endpoint Slices (if enabled). cilium-operator creates Cilium Identities on pod updates for a unique label set based on pod and namespace labels. cilium-operator deletes Cilium Identities when their labels are not used by any pods. cilium-agent no longer writes to Cilium Identities. cilium-agent only watches Cilium Identities. In case when there is no Cilium Identity in the watcher store for a newly created or updated pod, a temporary security identity (temp id) will be created and used locally by the agent, until it's replaced by a global identity (Cilium Identity). ```release-note Feature: Operator Manages Cilium Identities A new feature hidden behind a flag. Disabled by default. cilium-operator is going to manage (create and delete) Cilium Identity API objects instead of cilium-agent. ``` kind/feature Signed-off-by: Dorde Lapcevic <dordel@google.com>
|
This issue has not seen any activity since it was marked stale. |
dlapcevic
pushed a commit
to dlapcevic/cilium
that referenced
this issue
Apr 11, 2024
**Feature: Operator Manages Cilium Identities** CFP: cilium#27752 **Description** A new feature hidden behind a flag. Disabled by default. Besides the new flag that enables the feature, there are no other user visible changes. cilium-operator is going to manage (create and delete) Cilium Identity API objects instead of cilium-agent. cilium-operator calculates the desired state for Cilium Identities based on watched events for Cilium Identities, Pods, Namespaces and Cilium Endpoint Slices (if enabled). cilium-operator creates Cilium Identities on pod updates for a unique label set based on pod and namespace labels. cilium-operator deletes Cilium Identities when their labels are not used by any pods. cilium-agent no longer writes to Cilium Identities. cilium-agent only watches Cilium Identities. In case when there is no Cilium Identity in the watcher store for a newly created or updated pod, a temporary security identity (temp id) will be created and used locally by the agent, until it's replaced by a global identity (Cilium Identity). ```release-note Feature: Operator Manages Cilium Identities A new feature hidden behind a flag. Disabled by default. cilium-operator is going to manage (create and delete) Cilium Identity API objects instead of cilium-agent. ``` kind/feature Signed-off-by: Dorde Lapcevic <dordel@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cilium Feature Proposal
Thanks for taking time to make a feature proposal for Cilium! If you have usage questions, please try the slack channel and see the FAQ first.
Is your proposed feature related to a problem?
CID - Cilium Identity
CIDs are presenting issues with reliability and scalability, and are causing network policies to be in a broken state. Most notable cases:
Describe the feature you'd like
Centralize CID management to a single pod (Operator), instead of distributed management, done by all Agents. The goal is to improve security, reliability, performance and scalability of CID, and enable more advanced optimizations.
(Optional) Describe your proposed solution
CFP document
Phase 1: Operator manages Cilium Identities.
Move CID creation from cilium-agent to cilium-operator.
Phase 2: CID lazy creation
Create IDs only for labels used in network policies to greatly reduce the number of CIDs. Only pod labels used in the peer pod label selector of network policies will be relevant for ID creation.
A separate CFP is required for the Phase 2.
Please complete this section if you have ideas / suggestions on how to implement the feature. We strongly recommend discussing your approach with Cilium committers before spending lots of time implementing a change.
For longer proposals, you are welcome to link to an external doc (e.g. a Google doc). We have a Cilium Feature Proposal template to help you structure your proposal - if you would like to use it, please make a copy and ensure it's publicly visible, and then add the link here.
Once the CFP is close to being finalized, please add it as a PR to the design-cfps repo for final approval.
The text was updated successfully, but these errors were encountered: