v1.9 backports 2021-04-07 #15601

Merged: 8 commits into cilium:v1.9 on Apr 8, 2021

Conversation

@jrfastab (Contributor) commented Apr 8, 2021

Once this PR is merged, you can update the PR labels via:

$ for pr in 15357; do contrib/backporting/set-labels.py $pr done 1.9; done

[ upstream commit 8b434b4 ]

When a node is using multiple nodes and traffic is being source routed,
or routed some other way, across multiple netdevs we need to ensure
our bpf_network programs are attached to all interfaces that can receive
pod traffic.

This patch adds support for users to specify multiple interfaces. In
order to do this, lift the bpf_network (encryption program) compile and load
out of init.sh and do it from the Go side.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit a42d442 ]

When encryption is enabled with an IPAM using a single IP pool for the
entire cluster instead of per node, we need to know those CIDRs. This is
required so we can place decrypt/encrypt rules that cover the subnet.

In this patch, look up the CIDRs from the routeInfo and use those. Otherwise
users would need to manually modify helm charts, yamls, etc.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit 2c878a5 ]

We need to auto-detect network interfaces in the EKS environment that by
default uses three interfaces eth0, eth1, and eth2. This patch will walk
the list of all devices in the system and attach to any device that is
not a veth or lo device.

This patch resolves the EKS case and leaves other cases for future work.
We could use similar logic with a bit more exclusion logic to handle the
general routing cases as well.

In the process we pull the IPAMENI IPSec configuration into the Reinitialize()
path so that if net devices are added/removed we will pick those up at
reinit time. Later work can bring the remaining parts, but that required
more refactoring than I wanted for a bugfix.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit bb086ec ]

This reverts commit 4ea12ee.

Revert ESN support; the initial implementation is incomplete because it
also needs to sync sequence numbers across restarts and node joins. For
now, solve this problem by making key rotation painless and simple
through the cilium CLI.

We can add ESN back once sequence number sync operation is in place.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit 07c857a ]

Rules need to be correctly deleted; otherwise it's possible that if in
the future the cilium agent picks up a new IP address and then
re-enables encryption, we may have some conflicting entries in
the route table.

Also, it's just cleaner to have only correct entries in the table;
attempting to debug a system with multiple invalid routes is
more difficult than it needs to be.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit 11a6d4d ]

The mask values used to match stale entries in the XFRM state and policy
no longer matched the values we use. The result is that stale entries get
left in the node tables. If the cilium agent subsequently picks a new IP
address, this can result in conflicts in the xfrm {state|policy} lookup.

Fix to use correct mask field.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit 0b52fd7 ]

In some configurations of tunnel mode, endpoint routes, etc., an encrypted
packet will be sent through the stack. If the encrypted packet does not
match a fwd policy rule AND it has previously been encrypted without passing
through a kernel boundary that clears the cb[] (on older kernels) or skb
extension (on newer kernels) fields, the xfrm policy lookup will miss and the
packet will be dropped.

This worked in the past because we mainly had older kernels where the xfrm
stack used cb[] for metadata and we cleared the cb[] fields from the BPF
stack. However, we do not clear skb extensions via BPF, nor do we have
a BPF helper to do this yet. So in order to deal with this case we
add fwd xfrm policy rules so that when the routing stack detects the
skb extensions for xfrm and attempts to do a policy lookup, a policy
is found and the packet is not dropped.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
[ upstream commit 99070f6 ]

bpf_network is pulling in unneeded headers resulting in compile errors
on older kernels. Use the linux/*.h headers for the handful of types
that the program actually uses.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
@jrfastab requested a review from a team as a code owner April 8, 2021 05:09
@maintainer-s-little-helper (bot) added the backport/1.9 and kind/backports (This PR provides functionality previously merged into master.) labels Apr 8, 2021
@pchaigno (Member) commented Apr 8, 2021

test-backport-1.9

@aanm merged commit 83d5a78 into cilium:v1.9 Apr 8, 2021
@maintainer-s-little-helper (bot) added the ready-to-merge (This PR has passed all tests and received consensus from code owners to merge.) label Apr 8, 2021