Do not handle mutual auth for reserved ids #29400

Merged
merged 1 commit into from Jan 9, 2024

meyskens
Member

This change adds a check in the auth manager not to do authentication for either of the IDs if they are reserved.
This could have caused failed handshakes to happen should any of these entities be allowed by policy but with mutual auth enabled. These IDs are not able to ever complete a handshake as they are not generated by design.

Do not attempt an mTLS handshake between reserved identities in Mutual Auth, as they would always fail
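
The failure mode described above, as an added example (not code from the Cilium repository): a toy auth manager is run with and without the reserved-identity guard. `Manager`, `Authenticate`, the certificate map and the ID cutoff of 256 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is a numeric security identity. The cutoff below is an assumption
// made for this example, not a value taken from the PR.
type Identity uint32

const firstWorkloadID Identity = 256 // assumed: lower IDs are reserved

func isReserved(id Identity) bool { return id < firstWorkloadID }

var errNoCert = errors.New("no certificate issued for identity")

// Manager is a hypothetical stand-in for an auth manager.
type Manager struct {
	certs        map[Identity]bool // identities that were issued a certificate
	skipReserved bool              // true models the behaviour after the fix
	attempts     int               // handshakes actually started
}

// handshake models mutual TLS: both peers must present a certificate.
func (m *Manager) handshake(src, dst Identity) error {
	m.attempts++
	for _, id := range []Identity{src, dst} {
		if !m.certs[id] {
			return fmt.Errorf("identity %d: %w", id, errNoCert)
		}
	}
	return nil
}

// Authenticate is called for a flow that policy allows with mutual auth on.
func (m *Manager) Authenticate(src, dst Identity) error {
	if m.skipReserved && (isReserved(src) || isReserved(dst)) {
		return nil // no handshake is attempted for reserved identities
	}
	return m.handshake(src, dst)
}

func main() {
	certs := map[Identity]bool{1000: true, 2000: true} // constructed sample
	for _, fixed := range []bool{false, true} {
		m := &Manager{certs: certs, skipReserved: fixed}
		fmt.Println(fixed, m.Authenticate(1, 1000), m.Authenticate(1000, 2000), m.attempts)
	}
}
```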

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 27, 2023
@meyskens meyskens added release-note/bug This PR fixes an issue in a previous release of Cilium. area/servicemesh GH issues or PRs regarding servicemesh feature/authentication needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Nov 28, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Nov 28, 2023
@meyskens meyskens marked this pull request as ready for review November 28, 2023 13:47
@meyskens meyskens requested a review from a team as a code owner November 28, 2023 13:47
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.5 Nov 28, 2023
@meyskens
Member Author

/test

Contributor

@youngnick youngnick left a comment

LGTM, nice work @meyskens.

pkg/auth/manager_test.go (outdated, resolved)
pkg/auth/manager.go (resolved)
@nebril nebril added this to Needs backport from main in 1.14.6 Dec 11, 2023
@nebril nebril removed this from Needs backport from main in 1.14.5 Dec 11, 2023
@joestringer joestringer added the needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch label Dec 14, 2023
pkg/auth/manager.go (resolved)
@meyskens
Member Author

meyskens commented Jan 4, 2024

/test

@meyskens
Member Author

meyskens commented Jan 4, 2024

/test

This change adds a check in the auth manager not to do authentication
for either IDs if they are reserved.
This could have caused failed handshakes to happen should any of these
entities be allowed by policy but with mutual auth enabled.
These IDs are not able to ever complete a handshake as they are not
generated by design.

This commit also replaces all IDs used in tests to be high enough
that they do not conflict with reserved IDs.

Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
@meyskens
Member Author

meyskens commented Jan 5, 2024

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 8, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in v1.15.0-rc.1 Jan 8, 2024
@dylandreimerink dylandreimerink added this pull request to the merge queue Jan 9, 2024
Merged via the queue into cilium:main with commit e71407b Jan 9, 2024
62 checks passed
@jibi jibi added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Jan 12, 2024
@gandro gandro mentioned this pull request Jan 16, 2024
5 tasks
@gandro gandro added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Jan 16, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.15 in v1.15.0-rc.1 Jan 16, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.6 Jan 16, 2024
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Jan 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.14 in 1.14.6 Jan 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Backport done to v1.14 in 1.14.6 Jan 17, 2024
@giorio94 giorio94 added backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels Jan 29, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.15 to Backport done to v1.15 in v1.15.0-rc.1 Jan 29, 2024
Labels
area/servicemesh GH issues or PRs regarding servicemesh backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. feature/authentication ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.14.6
Backport done to v1.14
v1.15.0-rc.1
Backport done to v1.15

8 participants