identity: Fix user-space security identity lookup in cluster mesh #13205
Conversation
@@ -201,7 +201,8 @@ func (w *identityWatcher) stop() { | |||
|
|||
// LookupIdentity looks up the identity by its labels but does not create it. | |||
// This function will first search through the local cache and fall back to | |||
// querying the kvstore. | |||
// querying all connected kvstores (first the main kvstore, followed by any | |||
// watched remote kvstores in clustermesh) | |||
func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity { |
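Review bot: the reworded doc comment on the two `+` lines ("querying all connected kvstores (first the main kvstore, followed by any watched remote kvstores in clustermesh)") promises a query against remote kvstores, but the follow-up push in this thread deliberately stops querying remote backends and only consults the remote caches, so the comment is already out of date with the behaviour it documents. Suggest wording it as something like `// querying the main kvstore; in clustermesh, the locally cached identities of any watched remote kvstores are searched as well, but the remote backends are never queried`. It would also help to state here that reserved and CIDR label sets are agent-local and never reach the kvstore, since the IPCache call site discussed below looks up CIDR labels through this function.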
Note to reviewers: While we surely want to fix the lookup in this function for the API to work correctly (any identity returned by /v1/identities
should also be fetchable via labels), the only non-API call site (outside of unit tests) of this function is in the IPCache:
Line 118 in 3a49c6c
if id := IdentityAllocator.LookupIdentity(context.TODO(), cidr.GetCIDRLabels(prefix)); id != nil {
IPCache is performing a lookup on CIDR labels. I don't think we want to send that lookup to remote kvstores (since CIDR identities are always local), so maybe we have to introduce an additional lookup function for the IPCache use case? Unfortunately I'm not too familiar with local identity management, so feedback welcome.
Yeah, CIDR identities are purely local to the agent (not even shared across the cluster), so we should follow up to change the lookup function to reflect this usage.
test-me-please
LGTM except for what we discussed on Zoom
When looking up a security identity (either by its numeric id or by labels) in user-space (e.g. in Hubble or the API), we want to ensure to also include identities owned by remote clusters in cluster mesh too.

Before this commit, `GetIdentities` function of the identity allocator (e.g. used for `cilium identity list`) would return all global identities (i.e. including the ones from remote clusters as well), while `LookupIdentity{,ByID}` would only return identities found in the main kvstore, ignoring any identities cached from remote kvstores.

This fixes multiple missed annotations which can occur in cluster-mesh setups:

- Hubble failed to annotate identities from remote clusters (#13076).
- While the API would list remote identities in `/v1/identities`, performing a lookup on identities from remote clusters via API would fail with a "not found error". This 404 could be observed in `cilium identity get <remote-id>` or in `cilium bpf policy get`.
- DNS proxy logrecords would not have the destination endpoint labels populated.
- The `CiliumEndpoint.Status.Policy` CRD field would not contain labels for identities for remote clusters (if CEP status updates were enabled).

Fixes: #13076

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
4d2ed3b to b2ea910
Pushed the discussed change to not query remote backends in order to avoid accidental DDoS. We now only check the remote caches. Diff of change since approval
test-me-please
Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
When looking up a security identity (either by its numeric id or by labels) in user-space (e.g. in Hubble or the API), we want to ensure to also include identities owned by remote clusters in cluster mesh too.

Before this commit, `GetIdentities` function of the identity allocator (e.g. used for `cilium identity list`) would return all global identities (i.e. including the ones from remote clusters as well), while `LookupIdentity{,ByID}` would only return identities found in the main kvstore, ignoring any attached remote kvstores. This commit

This fixes multiple missed annotations which can occur in cluster-mesh setups:

- Hubble failed to annotate identities from remote clusters (Hubble fails to resolve identities across a cluster mesh. #13076).
- While the API would list remote identities in `/v1/identities`, performing a lookup on identities from remote clusters via API would fail with a "not found error". This 404 could be observed in `cilium identity get <remote-id>` or in `cilium bpf policy get`.
- DNS proxy logrecords would not have the destination endpoint labels populated.
- The `CiliumEndpoint.Status.Policy` CRD field would not contain labels for identities for remote clusters (if CEP status updates were enabled).

Fixes: #13076
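To make the lookup order concrete, the following is an added Go example written for this page; it is not Cilium's code and does not use its packages. It models what the description above and the follow-up commit about reserved and CIDR identities describe: the pre-fix lookup consults only the agent-local cache and the main kvstore, the post-fix lookup additionally searches the locally mirrored caches of remote clusters but never queries a remote backend (the accidental-DDoS concern), and label sets from the `reserved:` and `cidr:` sources are answered from the agent-local cache without ever touching a kvstore. The type names (`Allocator`, `kvstore`, `LookupIdentityOld`, `newDemoAllocator`), the sample identity numbers and the label strings are all assumptions constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Identity is a security identity: a numeric ID plus the label set it was
// allocated for. Illustrative type, not Cilium's identity.Identity.
type Identity struct {
	ID     uint32
	Labels []string
}

// labelKey gives a canonical key for a label set, independent of label order.
func labelKey(lbls []string) string {
	s := append([]string(nil), lbls...)
	sort.Strings(s)
	return strings.Join(s, ";")
}

// isLocalOnly reports whether a label set can only describe an agent-local
// identity. Assumption for this example: labels with the "reserved:" or
// "cidr:" source are never stored in any kvstore.
func isLocalOnly(lbls []string) bool {
	for _, l := range lbls {
		if strings.HasPrefix(l, "reserved:") || strings.HasPrefix(l, "cidr:") {
			return true
		}
	}
	return false
}

// kvstore models one cluster's identity store: "backend" is what the store
// itself holds, "cache" is the local mirror kept in sync by a watcher.
type kvstore struct {
	name           string
	backend        map[string]*Identity // label key -> identity
	cache          map[string]*Identity // label key -> identity (mirrored)
	cacheByID      map[uint32]*Identity
	backendQueries int // how often a lookup fell through to the network
}

func newKVStore(name string) *kvstore {
	return &kvstore{name: name, backend: map[string]*Identity{},
		cache: map[string]*Identity{}, cacheByID: map[uint32]*Identity{}}
}

// store writes an identity to the backend and, if the store is watched,
// mirrors it into the local cache.
func (s *kvstore) store(id *Identity, watched bool) {
	k := labelKey(id.Labels)
	s.backend[k] = id
	if watched {
		s.cache[k] = id
		s.cacheByID[id.ID] = id
	}
}

// queryBackend is the only path that talks to the store over the network.
func (s *kvstore) queryBackend(k string) *Identity {
	s.backendQueries++
	return s.backend[k]
}

// Allocator holds the agent-local identities, the main kvstore and the
// watched clustermesh remotes.
type Allocator struct {
	local     map[string]*Identity
	localByID map[uint32]*Identity
	main      *kvstore
	remotes   []*kvstore
}

// LookupIdentityOld is the pre-fix behaviour: local cache, then the main
// kvstore (cache, then backend). Remote clusters are never consulted.
func (a *Allocator) LookupIdentityOld(lbls []string) *Identity {
	k := labelKey(lbls)
	if id, ok := a.local[k]; ok {
		return id
	}
	if id, ok := a.main.cache[k]; ok {
		return id
	}
	return a.main.queryBackend(k)
}

// LookupIdentity is the post-fix behaviour: local cache, main kvstore (cache,
// then backend), then each remote's mirrored cache. Remote backends are never
// queried, and agent-local label sets never reach any kvstore.
func (a *Allocator) LookupIdentity(lbls []string) *Identity {
	k := labelKey(lbls)
	if id, ok := a.local[k]; ok {
		return id
	}
	if isLocalOnly(lbls) {
		return nil
	}
	if id, ok := a.main.cache[k]; ok {
		return id
	}
	if id := a.main.queryBackend(k); id != nil {
		return id
	}
	for _, r := range a.remotes {
		if id, ok := r.cache[k]; ok {
			return id
		}
	}
	return nil
}

// LookupIdentityByID resolves a numeric ID through the same caches, in the
// same order; no backend is ever queried by ID here.
func (a *Allocator) LookupIdentityByID(id uint32) *Identity {
	if i, ok := a.localByID[id]; ok {
		return i
	}
	if i, ok := a.main.cacheByID[id]; ok {
		return i
	}
	for _, r := range a.remotes {
		if i, ok := r.cacheByID[id]; ok {
			return i
		}
	}
	return nil
}

// GetIdentities lists every global identity known to the agent: the main
// cache plus all remote caches, sorted by ID. Local identities are excluded.
func (a *Allocator) GetIdentities() []*Identity {
	var out []*Identity
	for _, id := range a.main.cacheByID {
		out = append(out, id)
	}
	for _, r := range a.remotes {
		for _, id := range r.cacheByID {
			out = append(out, id)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// newDemoAllocator builds an allocator with constructed sample data: one main
// cluster, one watched clustermesh remote, a reserved and a CIDR identity.
// The IDs and labels are assumptions made for this demo.
func newDemoAllocator() *Allocator {
	primary := newKVStore("cluster1")
	primary.store(&Identity{ID: 16777, Labels: []string{"k8s:app=web", "k8s:io.cilium.k8s.policy.cluster=cluster1"}}, true)
	remote := newKVStore("cluster2")
	remote.store(&Identity{ID: 30123, Labels: []string{"k8s:app=db", "k8s:io.cilium.k8s.policy.cluster=cluster2"}}, true)
	a := &Allocator{local: map[string]*Identity{}, localByID: map[uint32]*Identity{}, main: primary, remotes: []*kvstore{remote}}
	for _, id := range []*Identity{
		{ID: 1, Labels: []string{"reserved:host"}},
		{ID: 16777217, Labels: []string{"cidr:10.0.0.0/8"}},
	} {
		a.local[labelKey(id.Labels)] = id
		a.localByID[id.ID] = id
	}
	return a
}

func main() {
	a := newDemoAllocator()
	remoteLbls := []string{"k8s:app=db", "k8s:io.cilium.k8s.policy.cluster=cluster2"}
	fmt.Println("old lookup finds remote identity:", a.LookupIdentityOld(remoteLbls) != nil)
	fmt.Println("new lookup finds remote identity:", a.LookupIdentity(remoteLbls) != nil)
	fmt.Println("global identities listed:", len(a.GetIdentities()))
	fmt.Println("remote backend queries:", a.remotes[0].backendQueries)
}
```

The `backendQueries` counter on each store is what distinguishes "search the remote cache" from "query the remote backend": running the demo shows the main store being queried once per lookup that misses its cache, while the remote store's counter stays at zero, and the CIDR and reserved label sets resolve (or miss) without incrementing either counter.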