Fix clustermesh policy with endpoint-routes mode #12694
Conversation
Coverage decreased (-0.05%) to 37.161% when pulling 1dcdd6c5da8965e24c5f302fd77a080cf4448898 on joestringer:submit/identity-clustermesh-fix into 56a9c1f on cilium:master.
I dropped the older backport labels as this is unlikely to affect existing users due to the unusual combination of configurations.
retest-4.9
retest-4.19
retest-netnext
Kernel-4.9 passed: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.9/53/ I'll rekick the entire CI since I forgot before and the trigger attempts from Nate above don't seem to be working.
test-me-please
VM provisioning failed on net-next, seems like it timed out for some weird reason: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.12-net-next/66/flowGraphTable/
retest-net-next
retest-gke
Looks like this PR needs a rebase to get commit 4ea0ea4 which will fix the Go-related checks / lint action. |
In endpoint-routes mode, we encode the source identity in the ctx->mark when locally routing the packet to the destination device for ingress policy assessment. Previously we only encoded the local cluster identity in the mark, thereby omitting the original cluster portion of the identity. Found by code inspection.
Fixes: 654303a ("bpf: Skip ingress policy at egress of source if egress prog is in use")
Signed-off-by: Joe Stringer <joe@cilium.io>
1dcdd6c to e394e8f
test-me-please
When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building.
Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes")
Fixes: cilium#12694
Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building.
Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes")
Fixes: cilium#12694
Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Aditi Ghag <aditi@cilium.io>
[ upstream commit e784604 ] When this flag was set to false (not the default), it failed to compile due to the typo. Fix it. The bpf build_all target also did not pick up on this, add these options to the permutations for building.
Fixes: d7433cf ("bpf: Fix clustermesh policy with endpoint-routes")
Fixes: #12694
Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
In endpoint-routes mode, we encode the source identity in the `ctx->mark` when locally routing the packet to the destination device for ingress policy assessment. Previously we only encoded the local cluster identity in the mark, thereby omitting the original cluster portion of the identity.
Found by code inspection.
Fixes: 654303a ("bpf: Skip ingress policy at egress of source if egress prog is in use")
This is unlikely to affect many users, as by default users do not typically configure clustermesh + endpoint-routes (or ENI) mode at the same time.
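As an added illustration (not code from this PR or from the Cilium tree) of why the dropped cluster portion matters: with the identity and mark layout assumed below, a remote-cluster source identity decodes at the destination's ingress hook as an identity belonging to the local cluster, so ingress policy is evaluated against the wrong source. The mask values, magic constant, helper names and the buggy encoder are constructed for this example and are modelled on, not copied from, the actual code.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the clustermesh + endpoint-routes mark bug.
 * Assumed layout (modelled on Cilium's, not copied from the actual diff):
 *   identity (24 bits): bits 23..16 = cluster id, bits 15..0 = local id
 *   mark     (32 bits): bits 31..16 = low 16 bits of the identity,
 *                       bits 15..8  = magic (which code path set it),
 *                       bits  7..0  = cluster byte of the identity
 */
#define IDENTITY_CLUSTER_MASK 0x00FF0000u
#define IDENTITY_LOCAL_MASK   0x0000FFFFu
#define MARK_MAGIC_IDENTITY   0x00000F00u  /* constructed magic value */
struct ctx { uint32_t mark; };

/* Buggy encoder: only the local 16 bits survive; the cluster byte is dropped. */
static void set_mark_buggy(struct ctx *ctx, uint32_t identity)
{
    ctx->mark = MARK_MAGIC_IDENTITY | ((identity & IDENTITY_LOCAL_MASK) << 16);
}

/* Fixed encoder: the cluster byte is carried in the low byte of the mark. */
static void set_mark_fixed(struct ctx *ctx, uint32_t identity)
{
    ctx->mark = MARK_MAGIC_IDENTITY |
                ((identity & IDENTITY_LOCAL_MASK) << 16) |
                ((identity & IDENTITY_CLUSTER_MASK) >> 16);
}

/* Decoder at the destination device's ingress hook: rebuilds the 24-bit identity. */
static uint32_t get_identity(const struct ctx *ctx)
{
    return ((ctx->mark & 0xFFu) << 16) | (ctx->mark >> 16);
}

/* Returns the identity the ingress policy check would see after a round trip. */
static uint32_t roundtrip(void (*enc)(struct ctx *, uint32_t), uint32_t identity)
{
    struct ctx ctx = { 0 };
    enc(&ctx, identity);
    return get_identity(&ctx);
}

int main(void)
{
    uint32_t remote = (2u << 16) | 0x1234u; /* constructed: cluster 2, local id 0x1234 */
    printf("buggy: 0x%06x -> 0x%06x\n", remote, roundtrip(set_mark_buggy, remote));
    printf("fixed: 0x%06x -> 0x%06x\n", remote, roundtrip(set_mark_fixed, remote));
    return 0;
}
```

With the buggy encoder the remote identity 0x021234 comes back as 0x001234, which is a different, local-cluster identity; identities from the local cluster (cluster byte 0) round-trip identically through both encoders, which is why the bug only shows up when clustermesh and endpoint-routes are combined.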