-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
node: Skip ipcache for remote node IPs if IPsec is enabled #17511
node: Skip ipcache for remote node IPs if IPsec is enabled #17511
Conversation
2b2db7f
to
f7ba86a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, change makes sense.
One minor code style nit: now that we've defined (*DaemonConfig).TunnelingEnabled()
, maybe we could replace all instances of
grep -F ' != option.TunnelDisabled' daemon/
with the newly introduced helper, for consistency's sake.
This new method will be used in the following commit to check if tunneling is enabled from the node package. Signed-off-by: Paul Chaignon <paul@cilium.io>
Before this commit, if IPsec is enabled, we add all remote node IP addresses to the ipcache of all nodes, regardless of whether enable-remote-node-identity is true or false. This commit reverts that behavior to only add those IP addresses if remote-node identities, node encryption, or encryption+tunneling are enabled. If encryption+native routing is enabled, we don't need to expose the remote node IP addresses via the ipcache. Signed-off-by: Paul Chaignon <paul@cilium.io>
f7ba86a
to
842637a
Compare
/test |
The GKE node was running an outdated Go version. This has been fixed this morning. |
@jrfastab That's already the case, no? |
If there is a keyID in the ipcache entry we would use it. But, I just checked and we don't include keys in nodeIP entries so you are correct as far as I can see. |
Before this pull request, if IPsec is enabled, we add all remote node IP addresses to the ipcache of all nodes, regardless of whether
enable-remote-node-identity
is true or false.This pull request reverts that behavior to only add those IP addresses if remote-node identities, node encryption, or encryption+tunneling are enabled. If encryption+native routing is enabled, we don't need to expose the remote node IP addresses via the ipcache.