Follow ups for host firewall support of endpoint routes #15942
Merged
Conversation
Force-pushed from 5a1a886 to 87f8c17.
The host firewall is now supported when running with endpoint routes enabled. We can remove the note from the getting started guide.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Detail why we won't loop when jumping from bpf_lxc to bpf_host and back for ingress to the pods with host firewall enabled.

Suggested-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Paul Chaignon <paul@cilium.io>
When endpoint routes are enabled, the host firewall requires the remote-node identity to be enabled as well to function properly. The host identity is used to detect traffic that should be sent through bpf_host on egress/ingress of bpf_lxc. If the remote-node identity is disabled, the host identity then also matches remote-node IPs.

Reported-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Paul Chaignon <paul@cilium.io>
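The requirement in the commit above (host firewall with endpoint routes needs remote-node identity) is easy to check against a cluster's `cilium-config` ConfigMap before rolling it out. The script below is an added example and is not part of this PR or of Cilium; it assumes the ConfigMap carries the agent options under their flag names (`enable-host-firewall`, `enable-endpoint-routes`, `enable-remote-node-identity`) as string values, and that remote-node identity defaults to enabled when the key is absent. The sample ConfigMap data is constructed.

```python
# Added example, not Cilium's own code. Checks cilium-config data for the
# combination the commit describes: host firewall + endpoint routes enabled
# while remote-node identity is disabled.

# Assumed ConfigMap key names (the cilium-agent flag names without "--").
HOST_FIREWALL = "enable-host-firewall"
ENDPOINT_ROUTES = "enable-endpoint-routes"
REMOTE_NODE_IDENTITY = "enable-remote-node-identity"

# Assumed defaults when a key is absent from the ConfigMap.
DEFAULTS = {
    HOST_FIREWALL: "false",
    ENDPOINT_ROUTES: "false",
    REMOTE_NODE_IDENTITY: "true",
}


def _enabled(data, key):
    """Interpret a ConfigMap string value as a boolean, falling back to the assumed default."""
    raw = data.get(key, DEFAULTS[key])
    return str(raw).strip().lower() in ("true", "1", "yes", "on")


def check_host_firewall_config(data):
    """Return a list of problems found in the ConfigMap data; empty means consistent."""
    problems = []
    if (_enabled(data, HOST_FIREWALL)
            and _enabled(data, ENDPOINT_ROUTES)
            and not _enabled(data, REMOTE_NODE_IDENTITY)):
        problems.append(
            f"{HOST_FIREWALL}=true together with {ENDPOINT_ROUTES}=true requires "
            f"{REMOTE_NODE_IDENTITY}=true: with remote-node identity disabled, the "
            "host identity also matches remote-node IPs, so bpf_lxc cannot tell "
            "which traffic must be redirected through bpf_host")
    return problems


def fix_host_firewall_config(data):
    """Return a copy of the data with remote-node identity enabled when the check fails."""
    fixed = dict(data)
    if check_host_firewall_config(fixed):
        fixed[REMOTE_NODE_IDENTITY] = "true"
    return fixed


# Constructed sample data, shaped like the .data section of the cilium-config ConfigMap.
WEAK_CONFIG = {
    "enable-host-firewall": "true",
    "enable-endpoint-routes": "true",
    "enable-remote-node-identity": "false",
}

FIXED_CONFIG = fix_host_firewall_config(WEAK_CONFIG)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        issues = check_host_firewall_config(cfg)
        print(f"{name}: {'OK' if not issues else issues[0]}")
```

Run it against the output of `kubectl -n kube-system get configmap cilium-config -o json` by loading the `.data` object into `check_host_firewall_config`; a non-empty result means the datapath would misclassify remote-node traffic as host traffic once the host firewall is enforced.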
HOST_EP_ID was defined as a static data variable in a695f53 ("Endpoint for host") because the ID of the host endpoint wasn't known at the time we generated the datapath header files. Commit 81f0626 ("datapath: Include the host endpoint ID in all endpoint headers") changed this by making the host endpoint ID available globally to the agent via the node package and by setting the ID sooner on startup. We can therefore define the HOST_EP_ID as a normal constant now, without needing static data. That in turn allows us to revert commit 04cbfa1 ("bpf: Lift constraint for inline asm of static tail calls").

We however still use a template-specific value in bpf_host for the BPF program injected in the policy map (see TEMPLATE_HOST_EP_ID). We could instead directly use HOST_EP_ID for the program's name, but we would then have to ignore that symbol when replacing symbols in the ELF [1]. To ignore that symbol we would also have to ignore similar symbols corresponding to pod endpoints (i.e., all "1/xxxx" symbols), opening the door to silent errors. It's probably not worth it since there's no benefit to using HOST_EP_ID for the program's name directly.

1 - https://github.com/cilium/cilium/blob/v1.10.0-rc0/pkg/datapath/loader/cache.go#L39

Suggested-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Paul Chaignon <paul@cilium.io>
Force-pushed from 87f8c17 to 35f215e.
test-me-please
qmonnet approved these changes on May 7, 2021.
jibi approved these changes on May 10, 2021.
Labels
area/host-firewall
Impacts the host firewall or the host endpoint.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/misc
This PR makes changes that have no direct user impact.
See commits for details.
Updates: #13121.