Fix encryption in IPAM ENI mode #14924
Signed-off-by: Aditi Ghag <aditi@cilium.io>
47ca44c to e759990
test-me-please
Nice! Core idea of the PR seems good to me. I have some questions on how we handle dependencies / importing packages.
Yeah, that makes sense. We'll need to iterate over the document once
b20da6d to 5aaaedd
test-me-please
test-me-please
GKE job hit known flake #14915, otherwise CI looks good.
LGTM, thanks! Mostly minor nits to follow up on; not urgent
routingInfo, err = linuxrouting.NewRoutingInfo(result.GatewayIP, result.CIDRs, | ||
result.PrimaryMAC, result.InterfaceNumber, option.Config.EnableIPv4Masquerade) | ||
if err != nil { | ||
err = fmt.Errorf("failed to create router info %w", err) |
"failed to create router info: %w"
(colon)
// SetupRules installs routing rules based on the passed attributes. It accounts | ||
// for option.Config.EgressMultiHomeIPRuleCompat while configuring the rules. |
Might make sense to clarify this to say routing rules for Azure / ENI modes
@@ -195,6 +196,44 @@ func Delete(ip net.IP, compat bool) error { | |||
return nil | |||
} | |||
|
|||
// SetupRules installs routing rules based on the passed attributes. It accounts | |||
// for option.Config.EgressMultiHomeIPRuleCompat while configuring the rules. | |||
func SetupRules(from, to *net.IPNet, mac string, ifaceNum int) error { |
Might also make sense to call this SetupEgressRules
return route.ReplaceRule(route.Rule{ | ||
Priority: prio, | ||
From: from, | ||
To: to, | ||
Table: tableId, | ||
}) | ||
} |
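Review bot: from and to are copied straight into route.Rule with no nil check; since an unset From or To selector in the underlying rule means "match any", a nil from here would install a rule that steers traffic from every source into tableId rather than just the endpoint's. Suggest failing early, e.g. `if from == nil { return fmt.Errorf("egress rule requires a from selector") }`, and documenting on SetupRules which selector (if any) is allowed to be nil.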
You could now use this function to replace where Configure() creates egress rules (just a few lines above)
tableId int | ||
) | ||
|
||
if option.Config.EgressMultiHomeIPRuleCompat { |
If we converge the egress rule creation with Configure(), then we can leverage the fact that Configure() already takes in a compat bool which represents this option, so we can get rid of this line and replace it with: if compat {
func retrieveIfaceIdxFromMAC(mac string) (int, error) { | ||
iface, err := retrieveIfaceFromMAC(mac) | ||
if err != nil { | ||
err = fmt.Errorf("failed to get iface index with MAC %w", err) |
"failed to get iface index with MAC %w" -> "failed to get iface index by MAC: %w"
info := node.GetRouterInfo() | ||
cidrs := info.GetIPv4CIDRs() | ||
routerIP := net.IPNet{ | ||
IP: nodeAddressing.IPv4().Router(), |
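Review bot: info returned by node.GetRouterInfo() is dereferenced on the very next line (info.GetIPv4CIDRs()) without a nil check; if the router info has not been populated yet when this runs, that is a nil-pointer panic that takes the agent down instead of a reportable error. Suggest guarding with `if info == nil { return fmt.Errorf("router info not available") }` (or whatever error path this function already uses).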
Were you able to call node.GetInternalIP() to get rid of the additional param to this function?
mac := info.GetMac() | ||
iface, err := linuxrouting.RetrieveIfaceNameFromMAC(mac.String()) | ||
if err != nil { | ||
log.WithError(err).WithField("mac", mac).Fatal("Failed to set encrypt interface in the ENI ipam mode") |
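Review bot: Fatal here terminates the whole agent when no interface matches the router MAC; if this path runs at startup before the ENI netdev is visible, that turns an ordering problem into a crash loop rather than a retryable error. Consider returning the error to the caller and letting the startup path decide whether to retry or abort.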
logfields.MAC
The PR consists of two main fixes to make encryption functional on EKS -
bpf_network
program to the correct interface for decryption to work.
Following is out of scope of the PR, and will be addressed in follow-up PRs to simplify backporting:
loader.Reinitialize(...)
RoutingInfo
IPV4_ENCRYPT_IFACE
and ENCRYPT_IFACE
Release note