cilium: fixes transparent encryption #11974
Encryption fixes. When setting the encrypt ctx->mark field we need to skip resetting it with the source identity. It's not needed in the encryption case anyway because we already checked the endpoint is remote before encoding the encryption signal.

Next, if fib lookup is not available we will discover the route at init time and encode it in the ENCRYPT_IFACE define. If this field is non-zero we should use it. Otherwise, in some configurations where there is not a route to egress in the main routing table, the packet will be dropped.

Fixes: 86db0fd ("cilium: encryption, use fib_lookup to rewrite dmac/smac")
Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Please set the appropriate release note label.
test-focus K8sDatapathConfig.*Check connectivity with transparent encryption"
pkg/k8s/factory_functions.go
@@ -684,7 +686,7 @@ func ConvertToCiliumEndpoint(obj interface{}) interface{} { | |||
Labels: nil, | |||
Annotations: nil, | |||
}, | |||
Encryption: &concreteObj.Status.Encryption, | |||
Encryption: &encryptVal, |
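Review bot: the declaration of `encryptVal` sits above this hunk's context and the thread below says the reason for the copy is not understood, so a short comment at this assignment explaining why the value is copied out of `concreteObj.Status.Encryption` before its address is taken would document it. The visible effect of the change is that `Encryption` no longer points into `concreteObj`, so whatever later happens to that object (reuse, reset, or the DeepCopy-free conversion introduced in 720c0b0) no longer shows through the converted endpoint; if that is the working hypothesis, state it in the comment so a future reader does not revert this as a redundant copy.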
Is this change really needed?
I don't understand it at the moment, but it's causing the encryption key to be zero without it on my GKE cluster.
We observed in the K8sWatcher for "ciliumendpoints" that the call ConvertToCiliumEndpointAddFunc was taking an endpoint event with a valid Encryption field and converting it to '0'. To fix this we can make the translation more explicit.

Fixes: 720c0b0 ("pkg/k8s: do not DeepCopy when converting to CiliumEndpoint")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: André Martins <andre@cilium.io>
test-me-please
Issue filed for K8s-1.11-Kernel-netnext; that appears to be unrelated, as those tests are running without encryption.
retest-net-next
LGTM thanks
LGTM thanks!
Fix a couple of issues with transparent encryption. First, ensure the encryption mark field is not replaced with the source identity. If a packet is being encrypted it is a remote packet, and the source identity in the mark field is not needed. Next, on kernels without FIB support we may still have an encryption interface. By using the interface with redirect, encryption will continue to work even when an explicit route has not been configured. With the above two fixes, GKE using the standard configuration from the guides will work correctly.

Finally, on GKE systems and a local cluster the endpoint k8s watcher was reporting a zero key. By doing an explicit assignment this is resolved. I'm not entirely clear what is happening here, but it's clear the event has a correct encryption key identifier and the post-translated event drops the encryption key id. By doing the assignment directly the key is now correct. TBD understand golang parts here.
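One mechanism consistent with the zero-key behaviour described in the commit message and PR description above, shown as an added Go example that is not cilium's own code: with the pre-fix shape the converted endpoint holds a pointer into the source object's Status, so any later reset of that object is visible through it, whereas the fixed shape takes the address of a local copy. The slimmed-down type names, the convert-then-reset scenario and the key value are constructed assumptions; the PR does not confirm that this is the actual cause.

```go
package main

import "fmt"

// Constructed stand-ins for the CiliumEndpoint types; the real cilium
// pkg/k8s types have more fields and are not used here.
type EncryptionSpec struct{ Key int }

type EndpointStatus struct{ Encryption EncryptionSpec }

type CiliumEndpoint struct {
	Name   string
	Status EndpointStatus
}

// Converted form used by the watcher in this example: holds a pointer.
type SlimEndpoint struct {
	Name       string
	Encryption *EncryptionSpec
}

// convertAliased mirrors the pre-fix shape: the pointer points into the
// source object's Status, so it tracks whatever later happens to it.
func convertAliased(obj *CiliumEndpoint) *SlimEndpoint {
	return &SlimEndpoint{Name: obj.Name, Encryption: &obj.Status.Encryption}
}

// convertCopied mirrors the fixed shape: copy into a local first and take
// the address of the copy, which has storage independent of obj.
func convertCopied(obj *CiliumEndpoint) *SlimEndpoint {
	encryptVal := obj.Status.Encryption
	return &SlimEndpoint{Name: obj.Name, Encryption: &encryptVal}
}

// KeyAfterReset converts one event both ways, then resets the source object
// (an assumed reuse scenario, not confirmed by the PR) and returns the key
// each converted endpoint reports afterwards.
func KeyAfterReset(key int) (aliasedKey, copiedKey int) {
	src := &CiliumEndpoint{Name: "ep", Status: EndpointStatus{Encryption: EncryptionSpec{Key: key}}}
	a := convertAliased(src)
	c := convertCopied(src)
	src.Status = EndpointStatus{} // source reset after conversion
	return a.Encryption.Key, c.Encryption.Key
}

func main() {
	a, c := KeyAfterReset(3)
	fmt.Printf("aliased key=%d copied key=%d\n", a, c) // aliased key=0 copied key=3
}
```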