envoy: Support internal listeners in CiliumEnvoyConfig CRDs #29026
Conversation
/test
LGTM. only a non-blocking nit for better readability
force-pushed from f0afacc to ff0ef24
rebased for CI fixes

/test
Envoy Internal listeners do not have a real listening socket, nor is the downstream connection backed by a socket, so socket options can not be applied on them. Allow use of Envoy internal listeners by refraining from injecting Cilium filters on internal listeners, so that socket options are not applied. This also means that Cilium policy enforcement is not performed on internal listeners, so they must be used with caution.

This should be addressed in a future commit to propagate Cilium metadata to the internal listener from the previous, real listener.

Note that as of now Envoy Internal listeners is not a stable feature, so Envoy emits the following warning during bootstrap:

[misc] [external/envoy/source/common/protobuf/message_validator_impl.cc:35] message 'envoy.extensions.bootstrap.internal_listener.v3.InternalListener' is contained in proto file 'envoy/extensions/bootstrap/internal_listener/v3/internal_listener.proto' marked as work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
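The commit message above states that Cilium filters are not injected on Envoy internal listeners, so Cilium policy enforcement does not apply to traffic passing through them. An operator who ships CiliumEnvoyConfig resources will want to see, from a dumped listener config, which listeners fall into that unenforced class. The following audit helper is an added example, not code from Cilium or Envoy; it assumes the listener resources are available as Python dicts in Envoy's JSON shape, that an internal listener is marked by an `internal_listener` field, and that the injected Cilium filters are named `cilium.bpf_metadata` (listener filter) and `cilium.network` (network filter). Those filter names and the sample listeners are assumptions constructed for the example.

```python
"""Audit Envoy listener resources for listeners that carry no Cilium filters.

Added example, not Cilium's or Envoy's own code. Assumptions: listeners are
dicts in Envoy's JSON form, an internal listener has an ``internal_listener``
field, and Cilium injects a ``cilium.bpf_metadata`` listener filter plus a
``cilium.network`` network filter on real listeners (names assumed).
"""

CILIUM_LISTENER_FILTER = "cilium.bpf_metadata"  # assumed filter name
CILIUM_NETWORK_FILTER = "cilium.network"        # assumed filter name


def is_internal(listener: dict) -> bool:
    """An Envoy internal listener is marked by an ``internal_listener`` block."""
    return "internal_listener" in listener


def has_cilium_filters(listener: dict) -> bool:
    """True only when both Cilium filters are present on the listener."""
    listener_filters = {f.get("name") for f in listener.get("listener_filters", [])}
    network_filters = {
        f.get("name")
        for chain in listener.get("filter_chains", [])
        for f in chain.get("filters", [])
    }
    return (CILIUM_LISTENER_FILTER in listener_filters
            and CILIUM_NETWORK_FILTER in network_filters)


def audit_listeners(listeners: list) -> list:
    """Return one finding per listener.

    ``policy_enforced`` follows the commit message: without the Cilium
    filters there is no Cilium policy enforcement. ``expected`` is True when
    the missing filters are explained by the listener being internal, and
    False when a real (socket-backed) listener lacks them, which is the case
    an operator should look at.
    """
    findings = []
    for listener in listeners:
        internal = is_internal(listener)
        filtered = has_cilium_filters(listener)
        findings.append({
            "name": listener.get("name"),
            "internal": internal,
            "policy_enforced": filtered,
            "expected": filtered or internal,
        })
    return findings


def unenforced_listener_names(listeners: list) -> list:
    """Names of listeners on which Cilium policy is not enforced."""
    return [f["name"] for f in audit_listeners(listeners) if not f["policy_enforced"]]


# Constructed sample: one real listener with Cilium filters injected, one
# internal listener (no socket, so no Cilium filters), and one real listener
# that is missing the filters and therefore deserves attention.
SAMPLE_LISTENERS = [
    {
        "name": "real-ingress",
        "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
        "listener_filters": [{"name": "cilium.bpf_metadata"}],
        "filter_chains": [{"filters": [
            {"name": "cilium.network"},
            {"name": "envoy.filters.network.http_connection_manager"},
        ]}],
    },
    {
        "name": "internal-hop",
        "address": {"envoy_internal_address": {"server_listener_name": "internal-hop"}},
        "internal_listener": {},
        "filter_chains": [{"filters": [
            {"name": "envoy.filters.network.tcp_proxy"},
        ]}],
    },
    {
        "name": "real-unfiltered",
        "address": {"socket_address": {"address": "0.0.0.0", "port_value": 9090}},
        "filter_chains": [{"filters": [
            {"name": "envoy.filters.network.tcp_proxy"},
        ]}],
    },
]


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print(finding)
```

Run against a real `config_dump` from the Envoy admin endpoint, the same functions apply to each entry's `active_state.listener`; the point of the `expected` flag is to separate internal listeners, where the absence of Cilium filters is by design per this change, from socket-backed listeners where it is not.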
force-pushed from ff0ef24 to bd8d274

/test
Changes look good, just some non blocking questions/suggestions.