cilium-dbg: New encrypt flush --stale flag
#31159
Merged
pchaigno added the release-note/minor, area/cli, area/encryption and feature/ipsec labels on Mar 5, 2024.
pchaigno force-pushed the ipsec-cli-clean-stale-xfrm branch from e4efdb5 to a21a490 on March 5, 2024 at 11:14.
This commit slightly changes the behavior of the "encrypt flush" command in case of errors when trying to delete XFRM rules. The tool currently lists rules, filters them based on user-given arguments, and then deletes them. If an XFRM rule is deleted by the agent or the user while we're filtering, the deletion will fail. The current behavior in that case is to fatal. On busy clusters, that might mean that we always fatal because XFRM states and policies are constantly added and removed. This commit changes the behavior to proceed with subsequent deletions in case one fails.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

This commit refactors the code a bit to simplify a later commit. No functional changes. This may be a bit excessive in commit splitting, but at least I can claim my last commit is free of any refactoring 😅
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>

This new flag will allow users to clean stale XFRM states and policies based on the node ID map contents. If XFRM states or policies are found with a node ID that is not in the BPF map, then we probably have a leak somewhere. Such leaks can lead in extreme cases to performance degradation when the number of XFRM states and policies grows large (and if using ENI or Azure IPAM). Having a tool to clean up these XFRM states and policies until the leak is fixed can therefore be critical. The new flag is incompatible with the --spi and --node-id filter flags. We first dump the XFRM rules and then dump the map content. In that way, if a new node ID is allocated while we're running the tool, we will simply ignore the corresponding XFRM rules. If a node ID is removed while running the tool, we will fail to remove the corresponding XFRM rules and continue with the others. Tested on a GKE cluster by adding fake XFRM states and policies that the tool was able to remove.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
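The two behaviors the commits describe, "node ID absent from the map means stale" and "a failed delete is reported but does not abort the run", as an added Go example that is not Cilium's code: the netlink calls are replaced by an injected delete function and the rule and map data are constructed inline, so it runs offline.

```go
// Added example, not Cilium's own code: stale XFRM cleanup as described in the
// PR, with kernel access replaced by an injected delete function.
package main

import (
	"errors"
	"fmt"
)

// xfrmRule is a minimal stand-in for an XFRM state or policy; only the node ID
// matters for the --stale filter. Hypothetical type, not Cilium's.
type xfrmRule struct {
	Kind   string // "state" or "policy"
	NodeID uint16
}

// flushStale deletes every rule whose node ID is absent from the node ID map
// snapshot. Rules are expected to be dumped before the map, as the PR does, so a
// node ID allocated mid-run is present in the snapshot and its rules are kept.
// A failed deletion (e.g. the agent already removed the rule) is recorded and
// the loop continues instead of aborting the whole run.
func flushStale(rules []xfrmRule, nodeIDs map[uint16]struct{}, del func(xfrmRule) error) (deleted int, errs []error) {
	for _, r := range rules {
		if _, known := nodeIDs[r.NodeID]; known {
			continue // node still exists in the map: not stale
		}
		if err := del(r); err != nil {
			errs = append(errs, fmt.Errorf("delete %s for node ID %d: %w", r.Kind, r.NodeID, err))
			continue
		}
		deleted++
	}
	return deleted, errs
}

func main() {
	// Constructed sample data: node IDs 1 and 2 are live, 7 and 9 have leaked rules.
	rules := []xfrmRule{{"state", 1}, {"policy", 7}, {"state", 9}, {"policy", 2}, {"state", 7}}
	live := map[uint16]struct{}{1: {}, 2: {}}
	// Fake deleter: pretend node 9's rule vanished before we got to it.
	del := func(r xfrmRule) error {
		if r.NodeID == 9 {
			return errors.New("no such rule")
		}
		return nil
	}
	n, errs := flushStale(rules, live, del)
	fmt.Printf("deleted %d stale rules, %d errors\n", n, len(errs))
	for _, e := range errs {
		fmt.Println("warning:", e)
	}
}
```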
pchaigno force-pushed the ipsec-cli-clean-stale-xfrm branch from a21a490 to 1c58224 on March 5, 2024 at 11:30.
/test
jschwinger233 approved these changes on Mar 6, 2024.
pchaigno added the needs-backport/1.13, needs-backport/1.14 and needs-backport/1.15 labels (this PR / issue needs backporting to the v1.13, v1.14 and v1.15 branches) on Mar 6, 2024.
jibi added the backport-pending/1.13 label (the backport for Cilium 1.13.x for this PR is in progress) and removed needs-backport/1.13 on Mar 11, 2024.
jibi added needs-backport/1.13 and removed backport-pending/1.13 on Mar 13, 2024.
maintainer-s-little-helper (bot) moved this from Backport pending to v1.13 to Needs backport from main in 1.13.13 on Mar 13, 2024.
jibi added backport-pending/1.13 and backport-pending/1.14 and removed needs-backport/1.13 and needs-backport/1.14 on Mar 13, 2024.
maintainer-s-little-helper (bot) moved this from Needs backport from main to Backport pending to v1.14 in 1.14.8 on Mar 13, 2024.
jibi added backport-pending/1.15 and removed needs-backport/1.15 on Mar 13, 2024.
github-actions (bot) added backport-done/1.13, backport-done/1.14 and backport-done/1.15 and removed backport-pending/1.13, backport-pending/1.14 and backport-pending/1.15 on Mar 16, 2024.
jrajahalme moved this from Needs backport from main to Backport done to v1.15 in 1.15.3 on Mar 26, 2024.
jrajahalme moved this from Backport pending to v1.14 to Backport done to v1.14 in 1.14.9 on Mar 26, 2024.
Labels
area/cli: Impacts the command line interface of any command in the repository.
area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.
backport-done/1.13: The backport for Cilium 1.13.x for this PR is done.
backport-done/1.14: The backport for Cilium 1.14.x for this PR is done.
backport-done/1.15: The backport for Cilium 1.15.x for this PR is done.
feature/ipsec: Relates to Cilium's IPsec feature.
release-note/minor: This PR changes functionality that users may find relevant to operating Cilium.
First commit changes how we handle errors. Second commit refactors the confirmation logic. Last commit introduces the new flag.