daemon: Add option conntrackGCMaxInterval #27870
Conversation
Thanks!
/test
Small grammar nit, but otherwise LGTM.
One suggestion I do have, which isn't necessary but would be nice, is somehow changing the value for the conntrackGCMaxInterval to the actual default that Cilium will use if it isn't set. Having a default value for 0s is a bit confusing.
/test
When ToFQDN policies are in use, (CIDR) identities are created for each IP in a DNS response that matches a ToFQDN policy. These identities are garbage collected when:

1) all endpoints with ToFQDN policies are removed,
2) the maximum number of IPs per host is reached (tofqdn-max-ips-per-host), or
3) the identity has been unused and not refreshed by conntrack map GC.

Problems arise when the conntrack GC interval becomes very long. If it's backed by a LRU BPF map, the maximum is set to 12 hours (defaults.ConntrackGCMaxLRUInterval), meaning it will take 12 hours before unused identities are marked dead and collected (unless the tofqdn-max-ips-per-host limit is reached for the FQDN entry).

To allow users to have more control over this, add the conntrackGCMaxInterval option that will allow limiting the maximum interval to something less than the 12 hours.

Signed-off-by: Jussi Maki <jussi@isovalent.com>
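As an added illustration of the cap this option introduces (example code written for this page, not Cilium's implementation): the 12h LRU maximum and the name defaults.ConntrackGCMaxLRUInterval come from the commit message above, while the 10s floor, the doubling/halving schedule and the 25%/75% thresholds are assumptions chosen to make the behaviour visible. It shows why a zero value means "no user limit" (the default falls through to 12h), that a configured value can only lower the cap, and how many quiet GC runs it takes before an unused identity sits in the worst-case window.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed constants for this example. The 12h LRU maximum is the value
// the commit message cites; the 10s floor is an assumption.
const (
	ConntrackGCMaxLRUInterval = 12 * time.Hour
	minGCInterval             = 10 * time.Second
)

// EffectiveMaxInterval returns the cap applied to the adaptive conntrack GC
// interval. A zero/unset conntrackGCMaxInterval (the "0s" default the
// reviewer found confusing) means "no user limit", so the LRU default
// applies; a configured value can only lower the cap, never raise it past 12h.
func EffectiveMaxInterval(conntrackGCMaxInterval time.Duration) time.Duration {
	if conntrackGCMaxInterval > 0 && conntrackGCMaxInterval < ConntrackGCMaxLRUInterval {
		return conntrackGCMaxInterval
	}
	return ConntrackGCMaxLRUInterval
}

// NextInterval models an adaptive schedule (assumed, not Cilium's exact
// algorithm): a quiet map (few entries deleted last run) doubles the interval,
// a busy one halves it. The result is clamped to
// [minGCInterval, EffectiveMaxInterval(configured)].
func NextInterval(prev time.Duration, deletedRatio float64, configured time.Duration) time.Duration {
	next := prev
	switch {
	case deletedRatio < 0.25:
		next = prev * 2
	case deletedRatio > 0.75:
		next = prev / 2
	}
	limit := EffectiveMaxInterval(configured)
	if next > limit {
		next = limit
	}
	if next < minGCInterval {
		next = minGCInterval
	}
	return next
}

// RunsUntilCap counts how many consecutive quiet GC runs it takes, starting
// from minGCInterval, before the schedule hits its cap. Once at the cap, an
// unused ToFQDN identity can linger for a full cap interval before being
// marked dead, which is the window the commit message describes.
func RunsUntilCap(configured time.Duration) int {
	limit := EffectiveMaxInterval(configured)
	interval := minGCInterval
	runs := 0
	for interval < limit {
		interval = NextInterval(interval, 0, configured)
		runs++
	}
	return runs
}

func main() {
	for _, cfg := range []time.Duration{0, time.Hour, 24 * time.Hour} {
		fmt.Printf("conntrackGCMaxInterval=%v -> cap %v, reached after %d quiet runs\n",
			cfg, EffectiveMaxInterval(cfg), RunsUntilCap(cfg))
	}
}
```

With the unset default the schedule climbs to the 12h cap after 13 quiet runs; with conntrackGCMaxInterval=1h it stops at 1h after 9, and a value above 12h is ignored in favour of the LRU maximum.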
/test
The FQDN proxy will GC IP addresses that are both:

- past their DNS TTLs, and
- no longer in use by active connections.

However, many applications do not immediately re-resolve names between connections, even if the TTL has expired. This can cause traffic to be dropped unexpectedly. Previously, this was not an issue, as FQDN GC happened very rarely. This has been improved, however, by cilium#27572 and cilium#27870. Now, end-users are occasionally surprised by this.

This sets the default grace period to 60 seconds, in an attempt to find a good balance between application needs and security.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>