Resolve named ports for DNS policies #29023
/test
/test
8bb76fd to 0e1e44c
rebased for CI fixes
/test
0e1e44c to 6f603da
6f603da to 19c78bc
/test
I don't have much context. Perhaps it's best reviewed by someone from the policy team. /cc @cilium/sig-policy
Since DNS port is typically 53, it seems likely that named ports would not be used in DNS policies in practice.
I don't quite follow this. K8s mandates named ports when there is more than one port defined in a pod spec.
I was referring to use in CNPs, which for a long time did not support named ports at all, so all examples of DNS policies use the port number.
Just one tiny suggestion, I'm fine in either case.
LGTM, I agree with @aanm's suggestion which simplifies the code.
19c78bc to c9c6a16
Adding more tests fails due to missing selector cache notifier mock and leaking of endpoint identities in a global manager between tests. Address these and also remove unnecessary logging. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Implement l4Policy wrapper with resolved named port so that proxy package can get the actual resolved named port number when calling GetPort(). Previously, if policy used a named port, GetPort returned 0. GetPort() is only used for DNS proxy function UpdateAllowed(). This means that using a named port for a DNS policy destination port likely has not functioned as intended. Since DNS port is typically 53, it seems likely that named ports are not used in DNS policies. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
c9c6a16 to fdbca05
/test
Commit 10f04fd (endpoint: Resolve named ports for redirects) fixed redirect creation for L7 policies using a named port, but failed to use the resolved destination port also in proxy stats. This commit does that. Fixes: cilium#29023 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit a573bb4 ] Commit 10f04fd (endpoint: Resolve named ports for redirects) fixed redirect creation for L7 policies using a named port, but failed to use the resolved destination port also in proxy stats. This commit does that. Fixes: cilium#29023 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit a573bb4 ] Commit 10f04fd (endpoint: Resolve named ports for redirects) fixed redirect creation for L7 policies using a named port, but failed to use the resolved destination port also in proxy stats. This commit does that. Fixes: #29023 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit a573bb4 ] Commit 10f04fd (endpoint: Resolve named ports for redirects) fixed redirect creation for L7 policies using a named port, but failed to use the resolved destination port also in proxy stats. This commit does that. Fixes: #29023 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Implement `l4Policy` wrapper with resolved named port so that proxy package can get the actual resolved named port number when calling `GetPort`. Previously, if policy used a named port, `GetPort` returned `0`. `GetPort` is only used for DNS proxy function `UpdateAllowed`. This means that using a named port for a DNS policy destination port likely has not functioned as intended. Since DNS port is typically `53`, it seems likely that named ports would not be used in DNS policies in practice.

Fixes: #11092
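An added example (not code from this PR or from Cilium) of the failure mode the description names: if the DNS proxy files its allowed names under whatever `GetPort` returns, a named-port policy lands on port 0, and a wrapper carrying the resolved number fixes the lookup. Only the names `GetPort` and `UpdateAllowed` come from the description; `L4Filter`, `PortGetter`, `resolvedFilter`, `Resolve`, `DNSProxy`, `HasRules` and the per-port map are hypothetical stand-ins.

```go
package main

import "fmt"

// Hypothetical stand-ins, not Cilium's types. A filter's destination port is
// either numeric (Port != 0) or named (PortName set, Port left at 0).
type L4Filter struct {
	Port     uint16
	PortName string
}

// GetPort returns the port as written in the policy: 0 for a named port.
func (f *L4Filter) GetPort() uint16 { return f.Port }

// PortGetter is all the DNS proxy model below needs from a filter.
type PortGetter interface{ GetPort() uint16 }

// resolvedFilter wraps a filter together with its resolved port number.
type resolvedFilter struct {
	*L4Filter
	port uint16
}

// GetPort shadows the embedded method and returns the resolved number.
func (r resolvedFilter) GetPort() uint16 { return r.port }

// Resolve maps a named port through the endpoint's name-to-number table.
// An unknown name is an error here (a choice of this example), never port 0.
func Resolve(f *L4Filter, named map[string]uint16) (PortGetter, error) {
	if f.PortName == "" {
		return f, nil
	}
	p, ok := named[f.PortName]
	if !ok || p == 0 {
		return nil, fmt.Errorf("named port %q not resolved", f.PortName)
	}
	return resolvedFilter{L4Filter: f, port: p}, nil
}

// DNSProxy models allowed name patterns keyed by destination port (assumed).
type DNSProxy map[uint16][]string

// UpdateAllowed files the patterns under the port the filter reports.
func (d DNSProxy) UpdateAllowed(f PortGetter, names []string) { d[f.GetPort()] = names }

// HasRules reports whether any pattern is installed for dstPort.
func (d DNSProxy) HasRules(dstPort uint16) bool { return len(d[dstPort]) > 0 }

func main() {
	f, names := &L4Filter{PortName: "dns"}, []string{"*.example.com"} // constructed sample
	before, after := DNSProxy{}, DNSProxy{}
	before.UpdateAllowed(f, names) // unresolved filter: rules land on port 0
	r, _ := Resolve(f, map[string]uint16{"dns": 53})
	after.UpdateAllowed(r, names)
	fmt.Println(before.HasRules(53), after.HasRules(53))
}
```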