envoy: Support internal listeners in CiliumEnvoyConfig CRDs #29026
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrajahalme
added
area/proxy
|
/test |
nebril
approved these changes
Nov 7, 2023
mhofstetter
approved these changes
Nov 7, 2023
jrajahalme
force-pushed
the
envoy-initial-support-for-internal-listeners
branch
from
f0afacc
to
ff0ef24
Compare
|
rebased for CI fixes |
|
/test |
Envoy Internal listeners do not have a real listening socket, nor is the
downstream connection backed by a socket, so socket options can not be
applied on them. Allow use of Envoy internal listeners by refraining from
injecting Cilium filters on internal listeners, so that socket options
are not applied. This also means that Cilium policy enforcement is not
performed on internal listeners, so they must be used with caution.
This should be addressed in a future commit to propagate Cilium metadata
to the internal listener from the previous, real listener.
Note that as of now Envoy Internal listeners is not a stable feature, so
Envoy emits the following warning during bootstrap:
[misc] [external/envoy/source/common/protobuf/message_validator_impl.cc:35]
message 'envoy.extensions.bootstrap.internal_listener.v3.InternalListener'
is contained in proto file
'envoy/extensions/bootstrap/internal_listener/v3/internal_listener.proto'
marked as work-in-progress. API features marked as work-in-progress are not
considered stable, are not covered by the threat model, are not supported
by the security team, and are subject to breaking changes. Do not use this
feature without understanding each of the previous points.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
force-pushed
the
envoy-initial-support-for-internal-listeners
branch
from
ff0ef24
to
bd8d274
Compare
|
/test |
tommyp1ckles
approved these changes
Nov 10, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Envoy Internal listeners do not have a real listening socket, nor is the downstream connection backed by a socket, so socket options can not be applied on them. Allow use of Envoy internal listeners by refraining from injecting Cilium filters on internal listeners, so that socket options are not applied. This also means that Cilium policy enforcement is not performed on internal listeners, so they must be used with caution.
This should be addressed in a future commit to propagate Cilium metadata to the internal listener from the previous, real listener.
Note that as of now Envoy Internal listeners is not a stable feature, so Envoy emits the following warning during bootstrap: