ipsec: Fatal on unsupported, <4.19 kernels in tunneling mode #14525
Looks good to me, thanks
Minor nits 👍
bda4591 to a729ef2
LGTM, minor nits for docs and optional code compaction suggestion
LGTM, @christarazi pointed out the other aspect of my prior feedback - now the daemon-side check can be simpler.
a729ef2 to 8ea9a8d
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This commit probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old.

The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal.

Signed-off-by: Paul Chaignon <paul@cilium.io>
8ea9a8d to 127c0ab
K8s-1.20-kernel-4.9 failed with known flake #13774. Other tests are passing.
When using IPSec with Cilium in tunneling mode, we need support for the xfrm state output mask in the kernel (cf. #14381). This pull request probes for such kernel support, introduced upstream in 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking"), on startup and fatals if the kernel is too old.

The lack of kernel support only breaks policy enforcement across nodes and we can probably make it work in the future, but in the meantime, it's best to cleanly fatal.