Fix clustermesh policy with endpoint-routes mode #12694
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joestringer
added
release-note/bug
joestringer
changed the title
|
Coverage decreased (-0.05%) to 37.161% when pulling 1dcdd6c5da8965e24c5f302fd77a080cf4448898 on joestringer:submit/identity-clustermesh-fix into 56a9c1f on cilium:master. |
|
I dropped the older backport labels as this is unlikely to affect existing users due to the unusual combination of configurations. |
|
retest-4.9 |
|
retest-4.19 |
|
retest-netnext |
|
Kernel-4.9 passed: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.9/53/ I'll rekick the entire CI since I forgot before and the trigger attempts from Nate above don't seem to be working. |
|
test-me-please |
|
VM provisioning failed on net-next, seems like it timed out for some weird reason: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.12-net-next/66/flowGraphTable/ |
|
retest-net-next |
|
retest-gke |
|
Looks like this PR needs a rebase to get commit 4ea0ea4 which will fix the Go-related checks / lint action. |
tklauser
added
the
dont-merge/needs-rebase
In endpoint-routes mode, we encode the source identity in the ctx->mark when locally routing the packet to the destination device for ingress policy assessment. Previously we only encoded the local cluster identity in the mark, thereby omitting the original cluster portion of the identity. Found by code inspection. Fixes: 654303a ("bpf: Skip ingress policy at egress of source if egress prog is in use") Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer
force-pushed
the
submit/identity-clustermesh-fix
branch
from
1dcdd6c
to
e394e8f
Compare
joestringer
removed
the
dont-merge/needs-rebase
|
test-me-please |
kkourt
reviewed
Sep 3, 2020
kkourt
approved these changes
Sep 4, 2020
joestringer
moved this from Needs backport from master
to Backport done to v1.8
in 1.8.4
joestringer
added a commit
to joestringer/cilium
that referenced
this pull request
Oct 26, 2020
When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: cilium#12694 Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer
added a commit
that referenced
this pull request
Oct 27, 2020
When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: #12694 Signed-off-by: Joe Stringer <joe@cilium.io>
aditighag
pushed a commit
to aditighag/cilium
that referenced
this pull request
Oct 29, 2020
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: cilium#12694 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io>
joestringer
added a commit
that referenced
this pull request
Nov 2, 2020
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: #12694 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io>
tklauser
pushed a commit
that referenced
this pull request
Nov 3, 2020
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: #12694 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
joestringer
added a commit
that referenced
this pull request
Nov 4, 2020
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building. Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes") Fixes: #12694 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In endpoint-routes mode, we encode the source identity in the
ctx->markwhen locally routing the packet to the destination device for ingress
policy assessment. Previously we only encoded the local cluster
identity in the mark, thereby omitting the original cluster portion of
the identity.
Found by code inspection.
Fixes: 654303a ("bpf: Skip ingress policy at egress of source if egress prog is in use")
This unlikely to affect many users as by default users do not typically configure clustermesh + endpoint-routes (or ENI) mode at the same time.