Auth use signalmap #25284

Merged
merged 4 commits into from
May 23, 2023
2 changes: 1 addition & 1 deletion Documentation/cmdref/cilium-agent.md


2 changes: 1 addition & 1 deletion Documentation/cmdref/cilium-agent_hive.md


2 changes: 1 addition & 1 deletion Documentation/cmdref/cilium-agent_hive_dot-graph.md


9 changes: 7 additions & 2 deletions bpf/Makefile.bpf
Expand Up @@ -59,14 +59,19 @@ force:
@$(ECHO_CC)
$(QUIET) ${LLC} $(LLC_FLAGS) -filetype=asm -o $@ $(patsubst %.s,%.ll,$@)

#
# TODO: revert addition of ignore MACRO_ARG_REUSE below once cilium-checkpatch
# image is updated to ignore it.
#
CHECKPATCH_IMAGE := quay.io/cilium/cilium-checkpatch:a8f73eced11c29d8c5003ba75071fb9ff91251e4@sha256:9fba31c924b0e675ee45dada3788ded045cd63c979fae3cddcb08636ed2e00da
ifneq ($(CHECKPATCH_DEBUG),)
# Run script with "bash -x"
CHECKPATCH_IMAGE_AND_ENTRY := \
--entrypoint /bin/bash $(CHECKPATCH_IMAGE) -x /checkpatch/checkpatch.sh
--entrypoint /bin/bash $(CHECKPATCH_IMAGE) -x /checkpatch/checkpatch.sh -- --ignore MACRO_ARG_REUSE
else
# Use default entrypoint
CHECKPATCH_IMAGE_AND_ENTRY := $(CHECKPATCH_IMAGE)
CHECKPATCH_IMAGE_AND_ENTRY := \
--entrypoint /bin/bash $(CHECKPATCH_IMAGE) /checkpatch/checkpatch.sh -- --ignore MACRO_ARG_REUSE
endif
checkpatch:
@$(ECHO_CHECK) "(checkpatch)"
10 changes: 6 additions & 4 deletions bpf/bpf_lxc.c
Expand Up @@ -463,7 +463,7 @@ static __always_inline int handle_ipv6_from_lxc(struct __ctx_buff *ctx, __u32 *d
&policy_match_type, &audited, ext_err, &proxy_port);

if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(SECLABEL, *dst_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, SECLABEL, *dst_sec_identity, node_id, (__u8)*ext_err);

/* Emit verdict if drop or if allow for CT_NEW or CT_REOPENED. */
if (verdict != CTX_ACT_OK || ct_status != CT_ESTABLISHED) {
Expand Down Expand Up @@ -895,7 +895,7 @@ static __always_inline int handle_ipv4_from_lxc(struct __ctx_buff *ctx, __u32 *d
&policy_match_type, &audited, ext_err, &proxy_port);

if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(SECLABEL, *dst_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, SECLABEL, *dst_sec_identity, node_id, (__u8)*ext_err);

/* Emit verdict if drop or if allow for CT_NEW or CT_REOPENED. */
if (verdict != CTX_ACT_OK || ct_status != CT_ESTABLISHED) {
Expand Down Expand Up @@ -1487,7 +1487,8 @@ ipv6_policy(struct __ctx_buff *ctx, int ifindex, __u32 src_label,
struct remote_endpoint_info *sep = lookup_ip6_remote_endpoint(&orig_sip, 0);

if (sep)
verdict = auth_lookup(SECLABEL, src_label, sep->node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, SECLABEL, src_label, sep->node_id,
(__u8)*ext_err);
}

/* Emit verdict if drop or if allow for CT_NEW or CT_REOPENED. */
Expand Down Expand Up @@ -1810,7 +1811,8 @@ ipv4_policy(struct __ctx_buff *ctx, int ifindex, __u32 src_label, enum ct_status
struct remote_endpoint_info *sep = lookup_ip4_remote_endpoint(orig_sip, 0);

if (sep)
verdict = auth_lookup(SECLABEL, src_label, sep->node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, SECLABEL, src_label, sep->node_id,
(__u8)*ext_err);
}
/* Emit verdict if drop or if allow for CT_NEW or CT_REOPENED. */
if (verdict != CTX_ACT_OK || ret != CT_ESTABLISHED)
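Review bot: On the ingress paths (the ipv6_policy and ipv4_policy hunks) `auth_lookup` is only reached under `if (sep)`, so when `lookup_ip6_remote_endpoint`/`lookup_ip4_remote_endpoint` returns NULL the verdict stays DROP_POLICY_AUTH_REQUIRED but no SIGNAL_AUTH_REQUIRED is emitted and the agent is never prompted to establish auth for that peer. That is presumably deliberate — without an ipcache entry there is no node_id to authenticate against — but the only trace is then the drop notification, so a comment such as `/* No ipcache entry for the peer: drop without signalling, the node_id is unknown */` on the `if (sep)` line would stop readers from treating it as a missed signal. All four hunks cut into functions whose bodies start and end outside the hunk.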
5 changes: 4 additions & 1 deletion bpf/lib/auth.h
Expand Up @@ -7,9 +7,11 @@
#include "common.h"
#include "maps.h"
#include "utime.h"
#include "signal.h"

static __always_inline int
auth_lookup(__u32 local_id, __u32 remote_id, __u16 remote_node_id, __u8 auth_type)
auth_lookup(struct __ctx_buff *ctx, __u32 local_id, __u32 remote_id, __u16 remote_node_id,
__u8 auth_type)
{
struct auth_info *auth;
struct auth_key key = {
Expand All @@ -28,6 +30,7 @@ auth_lookup(__u32 local_id, __u32 remote_id, __u16 remote_node_id, __u8 auth_typ
return CTX_ACT_OK;
}

send_signal_auth_required(ctx, &key);
return DROP_POLICY_AUTH_REQUIRED;
}
#endif
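Review bot: `send_signal_auth_required(ctx, &key)` now fires on every packet that misses the auth map, with no datapath-side rate limit, so a stream of unauthenticated traffic (or one flow with many packets) becomes one perf event per packet into the signal ring and the agent, whereas the existing NAT/CT fill-up signals are comparatively rare. If the agent-side handler coalesces identical keys that is acceptable, but it should be stated here, e.g. `/* Per-packet signal: dedup/rate limiting is left to the agent; a dropped event is harmless since the next packet re-signals. */` above the call. A one-line header comment on auth_lookup would also help: it returns CTX_ACT_OK when the lookup succeeds (that condition is outside the hunk) and DROP_POLICY_AUTH_REQUIRED after signalling otherwise. The key initialisation and map lookup between the two hunks are not visible here.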
2 changes: 1 addition & 1 deletion bpf/lib/common.h
Expand Up @@ -363,7 +363,7 @@ struct policy_entry {
struct auth_key {
__u32 local_sec_label;
__u32 remote_sec_label;
__u16 remote_node_id;
__u16 remote_node_id; /* zero for local node */
__u8 auth_type;
__u8 pad;
};
8 changes: 4 additions & 4 deletions bpf/lib/host_firewall.h
Expand Up @@ -78,7 +78,7 @@ __ipv6_host_policy_egress(struct __ctx_buff *ctx, struct ipv6hdr *ip6,
verdict = policy_can_egress6(ctx, tuple, HOST_ID, dst_sec_identity,
&policy_match_type, &audited, ext_err, &proxy_port);
if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(HOST_ID, dst_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, HOST_ID, dst_sec_identity, node_id, (__u8)*ext_err);

/* Only create CT entry for accepted connections */
if (ret == CT_NEW && verdict == CTX_ACT_OK) {
Expand Down Expand Up @@ -192,7 +192,7 @@ __ipv6_host_policy_ingress(struct __ctx_buff *ctx, struct ipv6hdr *ip6,
tuple->nexthdr, false,
&policy_match_type, &audited, ext_err, &proxy_port);
if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(HOST_ID, *src_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, HOST_ID, *src_sec_identity, node_id, (__u8)*ext_err);

/* Only create CT entry for accepted connections */
if (ret == CT_NEW && verdict == CTX_ACT_OK) {
Expand Down Expand Up @@ -345,7 +345,7 @@ __ipv4_host_policy_egress(struct __ctx_buff *ctx, bool is_host_id __maybe_unused
verdict = policy_can_egress4(ctx, tuple, HOST_ID, dst_sec_identity,
&policy_match_type, &audited, ext_err, &proxy_port);
if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(HOST_ID, dst_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, HOST_ID, dst_sec_identity, node_id, (__u8)*ext_err);

/* Only create CT entry for accepted connections */
if (ret == CT_NEW && verdict == CTX_ACT_OK) {
Expand Down Expand Up @@ -463,7 +463,7 @@ __ipv4_host_policy_ingress(struct __ctx_buff *ctx, struct iphdr *ip4,
is_untracked_fragment,
&policy_match_type, &audited, ext_err, &proxy_port);
if (verdict == DROP_POLICY_AUTH_REQUIRED)
verdict = auth_lookup(HOST_ID, *src_sec_identity, node_id, (__u8)*ext_err);
verdict = auth_lookup(ctx, HOST_ID, *src_sec_identity, node_id, (__u8)*ext_err);

/* Only create CT entry for accepted connections */
if (ret == CT_NEW && verdict == CTX_ACT_OK) {
41 changes: 24 additions & 17 deletions bpf/lib/signal.h
Expand Up @@ -5,6 +5,7 @@
#define __LIB_SIGNAL_H_

#include <bpf/api.h>
#include <lib/common.h>

struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
Expand All @@ -17,6 +18,7 @@ struct {
enum {
SIGNAL_NAT_FILL_UP = 0,
SIGNAL_CT_FILL_UP,
SIGNAL_AUTH_REQUIRED,
};

enum {
Expand All @@ -30,36 +32,41 @@ struct signal_msg {
struct {
__u32 proto;
};
struct auth_key auth;
};
};

static __always_inline void send_signal(struct __ctx_buff *ctx,
struct signal_msg *msg)
{
ctx_event_output(ctx, &SIGNAL_MAP, BPF_F_CURRENT_CPU,
msg, sizeof(*msg));
}
/**
* SEND_SIGNAL sets a single union MEMBER to VALUE and only includes that
* member (and signal_nr) in message size. Used to avoid referencing
* uninitialized memory if trying to send the whole msg.
*/
#define SEND_SIGNAL(CTX, SIGNAL, MEMBER, VALUE) \
{ \
struct signal_msg msg = { \
.signal_nr = (SIGNAL), \
.MEMBER = (VALUE), \
}; \
ctx_event_output((CTX), &SIGNAL_MAP, BPF_F_CURRENT_CPU, &msg, \
sizeof(msg.signal_nr) + sizeof(msg.MEMBER)); \
}

static __always_inline void send_signal_nat_fill_up(struct __ctx_buff *ctx,
__u32 proto)
{
struct signal_msg msg = {
.signal_nr = SIGNAL_NAT_FILL_UP,
.proto = proto,
};

send_signal(ctx, &msg);
SEND_SIGNAL(ctx, SIGNAL_NAT_FILL_UP, proto, proto);
}

static __always_inline void send_signal_ct_fill_up(struct __ctx_buff *ctx,
__u32 proto)
{
struct signal_msg msg = {
.signal_nr = SIGNAL_CT_FILL_UP,
.proto = proto,
};
SEND_SIGNAL(ctx, SIGNAL_CT_FILL_UP, proto, proto);
}

send_signal(ctx, &msg);
static __always_inline void send_signal_auth_required(struct __ctx_buff *ctx,
const struct auth_key *auth)
{
SEND_SIGNAL(ctx, SIGNAL_AUTH_REQUIRED, auth, *auth);
}

#endif /* __LIB_SIGNAL_H_ */
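Review bot: The new SEND_SIGNAL macro expands to a bare `{ ... }` block, so `if (cond) SEND_SIGNAL(...); else ...` would not compile and the trailing `;` the three callers already write becomes an empty statement; wrapping the body in `do { ... } while (0)` is the usual fix. The length passed to ctx_event_output, `sizeof(msg.signal_nr) + sizeof(msg.MEMBER)`, also hard-codes the assumption that the anonymous union starts right after signal_nr; it holds today (both are 4-byte aligned) but `offsetof(struct signal_msg, MEMBER) + sizeof(msg.MEMBER)` says what is meant and survives a reordered or padded struct, provided offsetof is in scope in the bpf build. Note that NAT/CT signals previously went out as sizeof(struct signal_msg) bytes and now as 8, while the auth message is 4 + sizeof(struct auth_key); the userspace decoder must accept variable-length records, and that side is not in this diff, so confirm it.
```c
#define SEND_SIGNAL(CTX, SIGNAL, MEMBER, VALUE)				\
	do {								\
		struct signal_msg msg = {				\
			.signal_nr = (SIGNAL),				\
			.MEMBER = (VALUE),				\
		};							\
		ctx_event_output((CTX), &SIGNAL_MAP, BPF_F_CURRENT_CPU,	\
				 &msg,					\
				 offsetof(struct signal_msg, MEMBER) +	\
					 sizeof(msg.MEMBER));		\
	} while (0)
```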
4 changes: 4 additions & 0 deletions daemon/cmd/cells.go
Expand Up @@ -22,6 +22,7 @@ import (
nodeManager "github.com/cilium/cilium/pkg/node/manager"
"github.com/cilium/cilium/pkg/option"
"github.com/cilium/cilium/pkg/pprof"
"github.com/cilium/cilium/pkg/signal"
)

var (
Expand Down Expand Up @@ -97,6 +98,9 @@ var (
// The BGP Control Plane which enables various BGP related interop.
bgpv1.Cell,

// Brokers datapath signals from signalmap
signal.Cell,

// Auth is responsible for authenticating a request if required by a policy.
auth.Cell,

2 changes: 1 addition & 1 deletion daemon/cmd/daemon.go
Expand Up @@ -578,7 +578,7 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
ipcachemap.IPCacheMap().Close()
}

if err := d.initPolicy(params.AuthManager); err != nil {
if err := d.initPolicy(); err != nil {
return nil, nil, fmt.Errorf("error while initializing policy subsystem: %w", err)
}

2 changes: 0 additions & 2 deletions daemon/cmd/daemon_main.go
Expand Up @@ -29,7 +29,6 @@ import (
"github.com/cilium/cilium/api/v1/server/restapi"
"github.com/cilium/cilium/daemon/cmd/cni"
"github.com/cilium/cilium/pkg/api"
"github.com/cilium/cilium/pkg/auth"
"github.com/cilium/cilium/pkg/aws/eni"
bgpv1 "github.com/cilium/cilium/pkg/bgpv1/agent"
"github.com/cilium/cilium/pkg/bpf"
Expand Down Expand Up @@ -1610,7 +1609,6 @@ type daemonParams struct {
EndpointManager endpointmanager.EndpointManager
CertManager certificatemanager.CertificateManager
SecretManager certificatemanager.SecretManager
AuthManager auth.Manager
IdentityAllocator CachingIdentityAllocator
Policy *policy.Repository
PolicyUpdater *policy.Updater
3 changes: 3 additions & 0 deletions daemon/cmd/daemon_test.go
Expand Up @@ -33,6 +33,8 @@ import (
"github.com/cilium/cilium/pkg/maps/authmap"
fakeauthmap "github.com/cilium/cilium/pkg/maps/authmap/fake"
"github.com/cilium/cilium/pkg/maps/egressmap"
"github.com/cilium/cilium/pkg/maps/signalmap"
fakesignalmap "github.com/cilium/cilium/pkg/maps/signalmap/fake"
"github.com/cilium/cilium/pkg/metrics"
monitorAPI "github.com/cilium/cilium/pkg/monitor/api"
"github.com/cilium/cilium/pkg/option"
Expand Down Expand Up @@ -167,6 +169,7 @@ func (ds *DaemonSuite) SetUpTest(c *C) {
func() datapath.Datapath { return fakeDatapath.NewDatapath() },
func() *option.DaemonConfig { return option.Config },
func() cnicell.CNIConfigManager { return &fakecni.FakeCNIConfigManager{} },
func() signalmap.Map { return fakesignalmap.NewFakeSignalMap([][]byte{}, time.Second) },
func() authmap.Map { return fakeauthmap.NewFakeAuthMap() },
func() egressmap.PolicyMap { return nil },
),
5 changes: 0 additions & 5 deletions daemon/cmd/datapath.go
Expand Up @@ -40,7 +40,6 @@ import (
"github.com/cilium/cilium/pkg/maps/neighborsmap"
"github.com/cilium/cilium/pkg/maps/nodemap"
"github.com/cilium/cilium/pkg/maps/policymap"
"github.com/cilium/cilium/pkg/maps/signalmap"
"github.com/cilium/cilium/pkg/maps/srv6map"
"github.com/cilium/cilium/pkg/maps/tunnel"
"github.com/cilium/cilium/pkg/maps/vtep"
Expand Down Expand Up @@ -382,10 +381,6 @@ func (d *Daemon) initMaps() error {
return err
}

if err := signalmap.InitMap(possibleCPUs); err != nil {
return err
}

if err := policymap.InitCallMaps(option.Config.EnableEnvoyConfig); err != nil {
return err
}
6 changes: 1 addition & 5 deletions daemon/cmd/policy.go
Expand Up @@ -18,7 +18,6 @@ import (
"github.com/cilium/cilium/api/v1/models"
. "github.com/cilium/cilium/api/v1/server/restapi/policy"
"github.com/cilium/cilium/pkg/api"
"github.com/cilium/cilium/pkg/auth"
"github.com/cilium/cilium/pkg/crypto/certificatemanager"
datapath "github.com/cilium/cilium/pkg/datapath/types"
"github.com/cilium/cilium/pkg/endpoint"
Expand Down Expand Up @@ -46,9 +45,7 @@ import (
)

// initPolicy initializes the core policy components of the daemon.
func (d *Daemon) initPolicy(
authManager auth.Manager,
) error {
func (d *Daemon) initPolicy() error {
// Reuse policy.TriggerMetrics and PolicyTriggerInterval here since
// this is only triggered by agent configuration changes for now and
// should be counted in pol.TriggerMetrics.
Expand All @@ -63,7 +60,6 @@ func (d *Daemon) initPolicy(
}
d.datapathRegenTrigger = rt

d.monitorAgent.RegisterNewConsumer(authManager)
return nil
}

15 changes: 5 additions & 10 deletions daemon/cmd/status.go
Expand Up @@ -26,13 +26,11 @@ import (
"github.com/cilium/cilium/pkg/kvstore"
"github.com/cilium/cilium/pkg/lock"
"github.com/cilium/cilium/pkg/logging/logfields"
"github.com/cilium/cilium/pkg/maps/eventsmap"
ipcachemap "github.com/cilium/cilium/pkg/maps/ipcache"
ipmasqmap "github.com/cilium/cilium/pkg/maps/ipmasq"
"github.com/cilium/cilium/pkg/maps/lbmap"
"github.com/cilium/cilium/pkg/maps/lxcmap"
"github.com/cilium/cilium/pkg/maps/metricsmap"
"github.com/cilium/cilium/pkg/maps/signalmap"
tunnelmap "github.com/cilium/cilium/pkg/maps/tunnel"
"github.com/cilium/cilium/pkg/node"
nodeTypes "github.com/cilium/cilium/pkg/node/types"
Expand Down Expand Up @@ -330,10 +328,6 @@ func (d *Daemon) getBPFMapStatus() *models.BPFMapStatus {
Name: "Endpoint policy",
Size: int64(lxcmap.MaxEntries),
},
{
Name: "Events",
Size: int64(eventsmap.MaxEntries),
},
{
Name: "IP cache",
Size: int64(ipcachemap.MaxEntries),
Expand Down Expand Up @@ -390,10 +384,6 @@ func (d *Daemon) getBPFMapStatus() *models.BPFMapStatus {
Name: "Session affinity",
Size: int64(lbmap.AffinityMapMaxEntries),
},
{
Name: "Signal",
Size: int64(signalmap.MaxEntries),
},
{
Name: "Sock reverse NAT",
Size: int64(option.Config.SockRevNatEntries),
Expand Down Expand Up @@ -532,6 +522,11 @@ func (c *clusterNodesClient) AllocateNodeID(_ net.IP) uint16 {
return 0
}

func (c *clusterNodesClient) GetNodeIP(_ uint16) string {
// no-op
return ""
}

func (c *clusterNodesClient) DumpNodeIDs() []*models.NodeID {
// no-op
return nil
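Review bot: The new `GetNodeIP` on clusterNodesClient returns `""` as its no-op value, which is indistinguishable from a genuine lookup miss for any caller that feeds the result into a dial or handshake; since the neighbouring methods are no-ops too this client is evidently only for the status collector, and the comment should say so rather than just `// no-op`, e.g. `// no-op: the status client never resolves node IPs; callers must treat "" as unknown`. Separately, dropping the "Events" and "Signal" entries from getBPFMapStatus changes the BPF map table reported by `cilium status`; the Signal removal follows from the map moving into the signal cell, but the Events removal looks unrelated to this PR and deserves a word in the description. Both getBPFMapStatus and the clusterNodesClient type begin outside the hunks.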