cilium: fixes transparent encryption #11974
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Encryption fixes, when setting the encrypt ctx->mark field we need to skip resetting it with the source identity. Its not needed in the encryption case anywasy because we already checked the endpoint is remote before encoding encryption signal. Next if fib lookup is not available we will discover the route at init time and encode it in the ENCRYPT_IFACE define. If this field is non-zero we should use it. Otherwise in some configurations where there is not a route to egress in the main routing table the packet will be dropped. Fixes: 86db0fd ("cilium: encryption, use fib_lookup to rewrite dmac/smac") Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack") Signed-off-by: John Fastabend <john.fastabend@gmail.com>
|
Please set the appropriate release note label. |
|
test-focus K8sDatapathConfig.*Check connectivity with transparent encryption" |
aanm
requested changes
Jun 9, 2020
pkg/k8s/factory_functions.go
Outdated
| @@ -684,7 +686,7 @@ func ConvertToCiliumEndpoint(obj interface{}) interface{} { | |||
| Labels: nil, | |||
| Annotations: nil, | |||
| }, | |||
| Encryption: &concreteObj.Status.Encryption, | |||
| Encryption: &encryptVal, | |||
There was a problem hiding this comment.
I don't understand it at the moment but its causing encryption key to be zero without it on my GKE cluster.
We observed in the K8sWatcher for "ciliumendpoints" the call ConvertToCiliumEndpointAddFunc was taking an endpoint event with a valid Encryption field and converting it to '0'. To fix we can make the translation more explicit. Fixes: 720c0b0 ("pkg/k8s: do not DeepCopy when converting to CiliumEndpoint") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: André Martins <andre@cilium.io>
|
test-me-please |
aanm
added
needs-backport/1.8
release-note/misc
aanm
approved these changes
Jun 9, 2020
borkmann
approved these changes
Jun 9, 2020
|
Issue filed for K8s-1.11-Kernel-netnext, that appears to be unrelated those tests are running without encryption. |
|
retest-net-next |
joestringer
approved these changes
Jun 9, 2020
aanm
approved these changes
Jun 9, 2020
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.7
in 1.7.5
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.0
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.0
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.0
maintainer-s-little-helper
bot
moved this from Backport pending to v1.7
to Backport done to v1.7
in 1.7.5
maintainer-s-little-helper
bot
moved this from Backport pending to v1.7
to Backport done to v1.7
in 1.7.5
aanm
added
release-note/bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix a couple issues with transparent encryption. First ensure encryption mark field is not replaced with source identity. If packet is being encrypted it is a remote packet and source identity in the mark field is not needed. Next on kernels without FIB support we may still have a encryption interface. By using the interface with redirect encryption will continue to work even when an explicit route has not been configured. With above two fixes GKE using standard configuration from guides will work correctly.
Finally, on GKE systems and a local cluster the endpoint k8s watcher was reporting a zero key. By doing an explicit assignment this is resolved. I'm not entirely clear what is happening here but its clear the event has a correct encryption key identifier and the post translated even drops the encryption key id. By doing the assignment directly the key is now correct. TBD understand golang parts here.