
envoy: Update to Envoy 1.27.0, drop privileges #27498

Merged
merged 2 commits into from
Sep 13, 2023

Conversation

jrajahalme
Member

@jrajahalme jrajahalme commented Aug 14, 2023

Use the cilium-envoy-starter image, which runs the cilium-envoy process without any privileges. cilium-envoy-starter retains privileges so that it can integrate with the Cilium BPF datapath.

Review notes:

  • 1st commit is an update of generated Go API files with no functional changes in the features used by Cilium
Update to Envoy 1.27.0, run cilium-envoy process without any privileges.

@jrajahalme jrajahalme requested review from a team as code owners August 14, 2023 23:28
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 14, 2023
@jrajahalme jrajahalme marked this pull request as draft August 14, 2023 23:28
@jrajahalme jrajahalme force-pushed the envoy-drop-privileges branch 3 times, most recently from 863b13b to 3512a87 Compare August 17, 2023 15:48
@jrajahalme
Member Author

/test

@jrajahalme
Member Author

/test

@jrajahalme jrajahalme force-pushed the envoy-drop-privileges branch 2 times, most recently from f553ec5 to 654f7d6 Compare August 31, 2023 10:47
@jrajahalme jrajahalme added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Aug 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 31, 2023
@jrajahalme
Member Author

/test

@jrajahalme
Member Author

/test

@jrajahalme
Member Author

/test

@jrajahalme
Member Author

/test

@jrajahalme jrajahalme marked this pull request as ready for review September 11, 2023 18:38
@jrajahalme jrajahalme requested a review from a team as a code owner September 11, 2023 18:38
Member

@kaworu kaworu left a comment


Helm changes LGTM

@jrajahalme
Member Author

/test

@jrajahalme
Member Author

Unrelated flake in Travis CI, restarted

Member

@mhofstetter mhofstetter left a comment


LGTM 🚀

@jrajahalme jrajahalme merged commit 3166f95 into cilium:main Sep 13, 2023
58 of 60 checks passed
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Nov 30, 2023
With the introduction of the envoy starter (cilium#27498), the Envoy version
check of the embedded mode calls out to the starter binary instead
of the envoy binary directly.

Depending on the permissions the agent runs with, the capabilities
check within the starter might fail.

To prevent unexpected errors, this commit re-introduces performing the
Envoy version check on the Envoy binary directly.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
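The PR description states that cilium-envoy runs without any privileges while the starter keeps its capabilities, and the commit above notes that a capabilities check can fail depending on the permissions the agent runs with. As an added illustration (not code from Cilium, cilium/proxy or the starter), here is the check a reviewer or operator would run to confirm that a process really is unprivileged: it parses the `Uid` and `Cap*` lines that Linux exposes in `/proc/<pid>/status` and requires a non-root uid with empty effective, permitted and ambient capability sets. The two status texts are constructed samples, not captured from a Cilium pod.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find "<field>:" at the start of a line in the text of /proc/<pid>/status
 * and parse the first number after it in the given base (16 for the Cap*
 * bitmasks, 10 for Uid). Returns 0 on success, -1 if the field is absent. */
int status_field(const char *status_text, const char *field, int base,
                 unsigned long long *out)
{
    size_t flen = strlen(field);
    const char *p = status_text;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            *out = strtoull(p + flen + 1, NULL, base);
            return 0;
        }
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return -1;
}

/* A process counts as unprivileged here when it is not uid 0 and its
 * effective, permitted and ambient capability sets are all empty (an empty
 * permitted set means no capability can be re-acquired, an empty ambient set
 * means none is passed on to children).
 * Returns 1 (unprivileged), 0 (still privileged) or -1 (a field is missing). */
int is_unprivileged(const char *status_text)
{
    unsigned long long uid, eff, prm, amb;

    if (status_field(status_text, "Uid", 10, &uid) < 0 ||
        status_field(status_text, "CapEff", 16, &eff) < 0 ||
        status_field(status_text, "CapPrm", 16, &prm) < 0 ||
        status_field(status_text, "CapAmb", 16, &amb) < 0)
        return -1;

    return (uid != 0 && eff == 0 && prm == 0 && amb == 0) ? 1 : 0;
}

/* Constructed sample: a root process holding the full capability set. */
const char *STATUS_ROOT =
    "Name:\tcilium-envoy\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

/* Constructed sample: the same process after switching uid and dropping
 * every capability set. */
const char *STATUS_DROPPED =
    "Name:\tcilium-envoy\n"
    "Uid:\t1337\t1337\t1337\t1337\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
    "CapAmb:\t0000000000000000\n";

/* Constructed sample with the Cap* lines missing: the check must not guess. */
const char *STATUS_TRUNCATED =
    "Name:\tcilium-envoy\n"
    "Uid:\t1337\t1337\t1337\t1337\n";

/* Stand-alone use: inspect the calling process itself. */
int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;
    int r;

    if (f == NULL) {
        perror("fopen /proc/self/status");
        return 2;
    }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    r = is_unprivileged(buf);
    printf("this process is %s\n",
           r == 1 ? "unprivileged" : r == 0 ? "privileged" : "unknown (field missing)");
    return 0;
}
```

To apply it to a running proxy, read `/proc/<pid>/status` of the cilium-envoy child instead of `/proc/self/status`; the starter itself is expected to report non-empty sets, since the PR keeps its privileges for the BPF datapath integration.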
github-merge-queue bot pushed a commit that referenced this pull request Dec 4, 2023
pjablonski123 pushed a commit to pjablonski123/cilium that referenced this pull request Dec 15, 2023
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Jan 24, 2024
Currently, if BPF TPROXY is enabled (`bpf.tproxy=true`), the BPF
socket lookup for the proxy port fails because Envoy's proxy listener
socket is always configured with the socket option `SO_REUSEPORT`.

It ignores the fact that port reuse on the Listener socket is
explicitly disabled via Envoy Listener API (`enable_reuse_port=false`)
if BPF TPROXY is enabled (due to incompatibilities).

Therefore, this commit bumps the envoy image to the latest version
that doesn't set the socket option `SO_REUSEPORT` on the Listener
socket.

Relates: cilium/proxy#505
Fixes: cilium#27498

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
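The commit above turns on the fact that a listener bound with `SO_REUSEPORT` behaves differently from a plain listener. As an added illustration (not code from Cilium, Envoy or cilium/proxy), the C program below shows that difference on a loopback port and provides the `getsockopt` check an operator would use to confirm whether a given listening socket carries the option, for instance after bumping the proxy image as this commit does. The port is chosen by the kernel and nothing here touches BPF; the function names are the example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Report whether SO_REUSEPORT is set on a socket:
 * 1 = set, 0 = not set, -1 = getsockopt failed (e.g. fd is not a socket). */
int has_reuseport(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);

    if (getsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &val, &len) < 0)
        return -1;
    return val != 0;
}

/* Create a TCP listener on 127.0.0.1:port (port 0 lets the kernel choose),
 * optionally with SO_REUSEPORT set before bind(). On success returns the fd
 * and, if bound_port is non-NULL, the port actually bound; -1 on failure. */
int make_listener(uint16_t port, int reuse_port, uint16_t *bound_port)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    if (reuse_port &&
        setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &reuse_port, sizeof(reuse_port)) < 0)
        goto fail;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 8) < 0)
        goto fail;

    if (bound_port != NULL) {
        if (getsockname(fd, (struct sockaddr *)&addr, &alen) < 0)
            goto fail;
        *bound_port = ntohs(addr.sin_port);
    }
    return fd;

fail:
    close(fd);
    return -1;
}

/* How many listeners can be bound to one loopback port at the same time.
 * With SO_REUSEPORT on both sockets a second listener binds alongside the
 * first, so a port no longer identifies a single socket; without the option
 * the second bind() fails with EADDRINUSE. Returns 2 or 1, -1 on error. */
int listeners_sharing_one_port(int reuse_port)
{
    uint16_t port = 0;
    int first = make_listener(0, reuse_port, &port);
    int second, n;

    if (first < 0)
        return -1;
    second = make_listener(port, reuse_port, NULL);
    n = (second >= 0) ? 2 : 1;
    if (second >= 0)
        close(second);
    close(first);
    return n;
}

int main(void)
{
    printf("with SO_REUSEPORT:    %d listener(s) share one port\n",
           listeners_sharing_one_port(1));
    printf("without SO_REUSEPORT: %d listener(s) share one port\n",
           listeners_sharing_one_port(0));
    return 0;
}
```

`has_reuseport()` is the part worth keeping around: pointed at a proxy's listening socket (for example via a file descriptor obtained from `/proc/<pid>/fd`), it answers directly whether the deployed image still sets the option that the commit message identifies as incompatible with the BPF TPROXY lookup.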
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Jan 24, 2024
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Jan 24, 2024
github-merge-queue bot pushed a commit that referenced this pull request Jan 25, 2024
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Jan 26, 2024
joestringer pushed a commit that referenced this pull request Jan 26, 2024
@sayboras sayboras added backport/author The backport will be carried out by the author of the PR. needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Feb 27, 2024
@sayboras sayboras mentioned this pull request Feb 27, 2024
2 tasks
@sayboras sayboras added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Feb 27, 2024
@sayboras sayboras mentioned this pull request Mar 19, 2024
4 tasks
@github-actions github-actions bot added the backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. label Mar 27, 2024
@sayboras sayboras added the backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. label Apr 2, 2024
@julianwiedmann julianwiedmann removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Apr 3, 2024
sayboras pushed a commit that referenced this pull request Jun 10, 2024
Currently, if BPF TPROXY is enabled (`bpf.tproxy=true`), the BPF
socket lookup for the proxy port fails because Envoy's proxy listener
socket is always configured with the socket option `SO_REUSEPORT`.

It ignores the fact that port reuse on the Listener socket is
explicitly disabled via Envoy Listener API (`enable_reuse_port=false`)
if BPF TPROXY is enabled (due to incompatibilities).

Therefore, this commit bumps the envoy image to the latest version
that doesn't set the socket option `SO_REUSEPORT` on the Listener
socket.

Relates: cilium/proxy#505
Fixes: #27498

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
Labels
backport/author The backport will be carried out by the author of the PR. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
No open projects
Status: Released
Development


6 participants