Disable and deprecate force-local-policy-eval-at-source
#22190
Conversation
The force-local-policy-eval-at-source flag was introduced in commit c525c75 ("bpf: Continue to enforce policy at source endpoint unless disabled"). It is enabled by default and causes Cilium to always enforce policies at the source when the destination is a local pod. Unfortunately, this flag is also causing issues when both endpoint routes and tunneling are enabled [1] (a configuration that was not possible at the time the flag was introduced). We have enough test coverage (L7 on multiple cloud providers) now to be able to safely disable this flag by default. We can remove it after a couple releases. 1 - cilium#14657 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added
the
release-note/minor
|
/test |
I'll triage the tests once the second review is in. From a quick look, they all appear to be known flakes. |
|
This took too long to review and the Jenkins results were recycled: |
|
/test-runtime |
|
If I understand commit c525c75 correctly, one concern back then was the reconfig scenario where per-EP-routes gets switched on. And the source program (eg. That feels like a legit concern - but maybe it's no longer valid in today's code base? |
We've discussed this and concluded that switching the endpoint routes setting isn't supported today without downtime. We would need additional logic to support it. |
maintainer-s-little-helper
bot
added
the
ready-to-merge
Makes sense 👍. Would be nice to have this conclusion in the docs somewhere. |
pchaigno
removed
the
ready-to-merge
This should never have been exposed to users in the first place. It also causes issues when set to true, as explained in the previous commit. There are other ways to control if policy enforcement happens at the source or not (enable-endpoint-routes). Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
disable-forcelocalpolicyevalatsource
branch
from
5a7a34b
to
a59c368
Compare
|
I've pushed a small change to address @AwesomePatrol's review and didn't rebase. As illustrated by MLH's label, all tests were passing before this change. Given the change is trivial and everything still compiles, I think it's fine to merge without rerunning the full CI. |
pchaigno
added
the
ready-to-merge
There isn't much more than what the title says here, but do check the commit descriptions of course.
Tested manually on GKE and AKS (given those workflows are disabled) with a 3-nodes cluster where I ran the connectivity tests 5 times (different pods each time).
Fixes: #15452.