-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clustermesh: Ignore symlink files on fsnotify events #14565
Conversation
Kubernetes secrets are mapped into the pod using symlinks. The initial scan was already correctly ignoring symlinks but the fsnotify events have not been. This has resulted in invalid cluster configurations being added: ``` ClusterMesh: 0/3 clusters ready, 0 global-services cluster2: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..2021_01_08_21_11_57.892158678: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ..data: not-ready, 0 nodes, 0 identities, 0 services, 0 failures (last: never) └ Waiting for initial connection to be established ``` Fixes: 076b018 ("Inter cluster connectivity (ClusterMesh)") Signed-off-by: Thomas Graf <thomas@cilium.io>
@kaworu can we reuse the same code done for hubble-relay certificates in here? It looks to me the code use in both places have the same functionalities |
test-me-please |
I agree that's a good refactoring but we should fix the existing code first so we back backport the minimal fix. |
retest-gke |
If I understand correctly, the use case is a little different between clustermesh and hubble mTLS. In the clustermesh case we don't know what paths are going to show up, whereas in the Hubble mTLS case we know all the paths we should watch at startup. Although this should not be blocking (if correct) the change is probably not trivial and separate warrant a refactor as @tgraf suggested. Question: here we are watching the symlinks under |
Yes, I agree with your statement: Because K8s uses indirect symlinks (see example below), the code here will observe cluster file being added and clusters being removed, but not cluster files being modified. Not sure how much of an issue that is, I lack a bit conext when it comes to clustermesh. As a reminder, the symlink structure of K8s is as follows:
Thus When K8s updates the secret mount (e.g. when a cluster file is modified), the new version of each file is copied into a new directory called
Now the The old and new code here will pick up the creation and deletion of the However: I believe the fact that cluster file modifications are not tracked is already present in the old version of the code (because the |
Yes, the lack of notification is potentially an issue although the primary use case is to detect new files and deletions as modifications will be extremely rare. The cluster name to IP mapping is not in the secret but in the |
GKE scaling failure https://jenkins.cilium.io/job/Cilium-PR-K8s-GKE/3892/ retest-gke |
Kubernetes secrets are mapped into the pod using symlinks. The initial
scan was already correctly ignoring symlinks but the fsnotify events
have not been. This has resulted in invalid cluster configurations being
added:
Fixes: 076b018 ("Inter cluster connectivity (ClusterMesh)")