datapath/test: Do not SNAT for WORLD_ID and enable BPF masquerading by default in CI #11426
Conversation
Please set the appropriate release note label.
test-me-please
test-focus K8sDatapath*
test-me-please
I might need to fix #11464 before this PR can be merged (otherwise, I might introduce flakes)
Commit 961b375843569b39ae8123d32bced835420c8afe does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
test-me-please
test-me-please
test-me-please
retest-net-next
test-focus K8sKubeProxyFree*
test-me-please
Enable BPF masquerading for the {{4.19,net-next},no-kube-proxy} CI jobs. Signed-off-by: Martynas Pumputis <m@lambda.lt>
retest-net-next
test-focus K8sKubeProxy*
Disable the BPF masq in the vxlan tests until PublicInterfaceName is decluttered. The communication between pod and remote node has to be SNAT'd in the case of vxlan, which is currently not feasible, as bpf_netdev is loaded only on PublicInterfaceName. Signed-off-by: Martynas Pumputis <m@lambda.lt>
As we enabled the BPF masq by default, the correct devices (default and private) are already set by DeployCilium(). Signed-off-by: Martynas Pumputis <m@lambda.lt>
Cilium < v1.8 doesn't support multi-dev, so installing e.g. v1.7 with multiple devices (set by default in overwriteHelmOptions()) will crash cilium-agent. Therefore, in the upgrade test use a single device. Signed-off-by: Martynas Pumputis <m@lambda.lt>
As BPF masq is enabled by default, we don't need dedicated deployments (and test cases) to test the feature. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Unfortunately, we cannot SNAT a packet from a local endpoint only if dst sec id is WORLD_ID. The problem with this is that in the case of an FQDN policy, a world destination can get its own sec id, which makes a packet destined to such a target bypass the check, and bypass the SNAT. To fix this, we SNAT a packet from a local endpoint if dst is neither from native-routing-cidr nor REMOTE_HOST_ID. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Since we changed the SNAT logic in the previous commit, we need to set IPV4_SNAT_EXCLUSION_DST_CIDR (prev. IPV4_NATIVE_ROUTING_CIDR) in any case, otherwise traffic between pods on different nodes will be SNAT'd. Signed-off-by: Martynas Pumputis <m@lambda.lt>
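The SNAT decision described in the two commit messages above, as an added C example that is not Cilium's datapath code: the pre-fix check keyed on WORLD_ID beside the post-fix check keyed on the exclusion CIDR and REMOTE_HOST_ID, and why leaving IPV4_SNAT_EXCLUSION_DST_CIDR unset SNATs pod-to-pod traffic. The numeric identity values, the FQDN identity, and the CIDRs are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Identity names follow the commit messages; the numeric values and the
 * CIDRs below are constructed for this example, not taken from Cilium. */
#define WORLD_ID        2u
#define REMOTE_HOST_ID  6u
#define FQDN_WORLD_ID   0x1000001u /* constructed: identity an FQDN policy gave a world IP */

struct cidr { uint32_t net; uint32_t mask; };

/* constructed: native routing CIDR 10.0.0.0/16 (IPV4_SNAT_EXCLUSION_DST_CIDR) */
static const struct cidr EXCLUSION_CIDR = { 0x0A000000u, 0xFFFF0000u };
/* constructed: exclusion CIDR left unset, matches no real destination */
static const struct cidr NO_EXCLUSION = { 0xFFFFFFFFu, 0xFFFFFFFFu };

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static bool in_cidr(uint32_t ip, struct cidr c) { return (ip & c.mask) == (c.net & c.mask); }

/* Before the fix: SNAT only if the destination identity is WORLD_ID, so a
 * world IP that an FQDN policy assigned its own identity skips SNAT. */
bool old_snat_needed(uint32_t dst_sec_id)
{
    return dst_sec_id == WORLD_ID;
}

/* After the fix: SNAT unless the destination lies in the exclusion CIDR
 * or is a remote host; the identity of the world IP no longer matters. */
bool new_snat_needed(uint32_t dst_ip, uint32_t dst_sec_id, struct cidr excl)
{
    if (in_cidr(dst_ip, excl) || dst_sec_id == REMOTE_HOST_ID)
        return false;
    return true;
}

int main(void)
{
    uint32_t world = ip4(203, 0, 113, 10), pod = ip4(10, 0, 1, 5);
    printf("FQDN world dst: old=%d new=%d\n", old_snat_needed(FQDN_WORLD_ID),
           new_snat_needed(world, FQDN_WORLD_ID, EXCLUSION_CIDR));
    printf("remote pod: excl set=%d unset=%d\n",
           new_snat_needed(pod, 0x2ab3u, EXCLUSION_CIDR),
           new_snat_needed(pod, 0x2ab3u, NO_EXCLUSION));
    return 0;
}
```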
The name of a bpf_netdev object file which is attached to a native device has changed - from "bpf_netdev.o" to "bpf_netdev_${NATIVE_DEV_IFACE}.o". E.g.:
$ sudo tc filter show dev enp0s8 ingress
filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 bpf_netdev_enp0s8.o:[from-netdev] direct-action not_in_hw id 982 tag feca2ca7f6f80c7e jited
The change of the name broke the removal of bpf_netdev from previously used native devs. Fixes: a695f53 ("Endpoint for host") Signed-off-by: Martynas Pumputis <m@lambda.lt>
retest-net-next
retest-4.19
retest-4.9
retest-runtime
as per discussion offline
retest-runtime
CI runtime failed:
retest-runtime
See commit msgs.
Depends on #11572 (let's merge this PR, and then close #11572).
Partially_fix #11442