identity: Fix user-space security identity lookup in cluster mesh #13205
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gandro
added
release-note/bug
gandro
commented
Sep 17, 2020
| @@ -201,7 +201,8 @@ func (w *identityWatcher) stop() { | |||
|
|
|||
| // LookupIdentity looks up the identity by its labels but does not create it. | |||
| // This function will first search through the local cache and fall back to | |||
| // querying the kvstore. | |||
| // querying all connected kvstores (first the main kvstore, followed by any | |||
| // watched remote kvstores in clustermesh) | |||
| func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity { | |||
There was a problem hiding this comment.
Note to reviewers: While we surely want to fix the lookup in this function for the API to work correctly (any identity returned by /v1/identities should also be fetchable via labels), the only non-API call site (outside of unit tests) of this function is in the IPCache:
Line 118 in 3a49c6c
IPCache is performing a lookup on CIDR labels. I don't think we want to send that lookup to remote kvstores (since CIDR identies are always local), so maybe we have to introduce an additional lookup function for the IPCache usecase? Unfortunatley I'm not too familiar with local identity management, so feedback welcome.
There was a problem hiding this comment.
Yeah, CIDR identities are purely local to the agent (not even shared across the cluster), so we should follow up to change the lookup function to reflect this usage.
|
test-me-please |
tgraf
approved these changes
Sep 17, 2020
When looking up a security identity (either by its numeric id or by
labels) in user-space (e.g. in Hubble or the API), we want to ensure to
also include identities owned by remote clusters in cluster mesh too.
Before this commit, `GetIdentities` function of the identity allocator
(e.g. used for `cilium identity list`) would return all global
identities (i.e. including the ones from remote clusters as well), while
`LookupIdentity{,ByID}` would only return identities found the main
kvstore, ignoring any indentities cached from remote kvstores.
This fixes multiple missed annotations which can occur in cluster-mesh
setups:
- Hubble failed to annotate identities from remote clusters (#13076).
- While the API would list remote identities in `/v1/identities`,
performing a lookup on identities from remote clusters via API would
fail with a "not found error". This 404 could be observed in
`cilium identity get <remote-id>` or in `cilium bpf policy get`.
- DNS proxy logrecords would not have the destination endpoint labels
populated.
- The `CiliumEndpoint.Status.Policy` CRD field would not contain
labels for identities for remote clusters (if CEP status updates
were enabled).
Fixes: #13076
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
force-pushed
the
pr/gandro/hubble-fix-identity-lookup-in-cluster-mesh
branch
from
4d2ed3b
to
b2ea910
Compare
|
Pushed the discussed change to not query remote backends in order avoid accidental DDoS. We now only check the remote caches. Diff of change since approval |
|
test-me-please |
joestringer
approved these changes
Sep 17, 2020
| @@ -201,7 +201,8 @@ func (w *identityWatcher) stop() { | |||
|
|
|||
| // LookupIdentity looks up the identity by its labels but does not create it. | |||
| // This function will first search through the local cache and fall back to | |||
| // querying the kvstore. | |||
| // querying all connected kvstores (first the main kvstore, followed by any | |||
| // watched remote kvstores in clustermesh) | |||
| func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity { | |||
There was a problem hiding this comment.
Yeah, CIDR identities are purely local to the agent (not even shared across the cluster), so we should follow up to change the lookup function to reflect this usage.
maintainer-s-little-helper
bot
added
the
ready-to-merge
joestringer
deleted the
pr/gandro/hubble-fix-identity-lookup-in-cluster-mesh
branch
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.7
in 1.7.10
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.7
in 1.7.10
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.8
in 1.8.4
maintainer-s-little-helper
bot
moved this from Backport pending to v1.7
to Backport done to v1.7
in 1.7.10
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.4
maintainer-s-little-helper
bot
moved this from Backport pending to v1.8
to Backport done to v1.8
in 1.8.4
gandro
added a commit
that referenced
this pull request
Sep 22, 2020
Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
qmonnet
pushed a commit
that referenced
this pull request
Sep 22, 2020
Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
vadorovsky
pushed a commit
that referenced
this pull request
Sep 25, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
vadorovsky
pushed a commit
that referenced
this pull request
Sep 25, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
gandro
added a commit
that referenced
this pull request
Sep 29, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added a commit
that referenced
this pull request
Sep 29, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added a commit
that referenced
this pull request
Sep 29, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
aanm
pushed a commit
that referenced
this pull request
Sep 29, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
christarazi
pushed a commit
that referenced
this pull request
Sep 29, 2020
[ upstream commit f3424a3 ] Reserved and CIDR identities are local to the agent and not stored in the kvstore. This commit changes the identity cache to avoid performing a kvstore lookup for CIDR entries (which is currently done when a CIDR identity is released). This is a follow-up to #13205 (comment) Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This was referenced Sep 30, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When looking up a security identity (either by its numeric id or by
labels) in user-space (e.g. in Hubble or the API), we want to ensure to
also include identities owned by remote clusters in cluster mesh too.
Before this commit,
GetIdentitiesfunction of the identity allocator(e.g. used for
cilium identity list) would return all globalidentities (i.e. including the ones from remote clusters as well), while
LookupIdentity{,ByID}would only return identitiies found the mainkvstore, ignoring any attached remote kvstores. This commit
This fixes multiple missed annotations which can occur in cluster-mesh
setups:
Hubble failed to annotate identities from remote clusters (Hubble fails to resolve identities across a cluster mesh. #13076).
While the API would list remote identities in
/v1/identities,performing a lookup on identities from remote clusters via API would
fail with a "not found error". This 404 could be observed in
cilium identity get <remote-id>or incilium bpf policy get.DNS proxy logrecords would not have the destination endpoint labels
populated.
The
CiliumEndpoint.Status.PolicyCRD field would not containlabels for identities for remote clusters (if CEP status updates
were enabled).
Fixes: #13076