datapath: Add support to delegate routing to other plugins, such as AWS-CNI #29111
Conversation
@aditighag would you be able to trigger the tests please?
Did you consider whether to just deploy Cilium with endpoint-routes mode disabled as an alternative to this approach? It seems like there's a discrepancy here where on one hand Cilium is deployed with endpoint-routes enabled, but on the other hand it should not be configured this way in order to properly configure connectivity between Pods on the nodes. Something else that's worth keeping in mind here is that depending on how traffic is routed towards Pods on the node, there's a risk that disabling endpoint-routes mode may cause endpoint ingress policy to break. Though that said, CI or the cilium-cli connectivity tests should be able to pick up such misconfigurations if that is an issue with this particular deployment configuration.
/ci-awscni
Hi @joestringer, thanks for taking a look. We did consider it, but because it appears to break L7 policy I wanted to implement a more specific resolution. In my view you shouldn't rely on a config option to fix something that only occasionally happens but can be fully reasoned out (this happens when the pod is on the same node on a VLAN, so we know the route it is trying to upsert). Having said that, I don't fully understand the implication of this on traffic policy, so I'm happy to gate this behind a feature flag, and would also like to see if it causes any issues in the tests. I also guess a test is needed to pick up this edge case; I would assume there is no current test in the CI that checks for pod-to-pod traffic on the same node with aws-cni chaining and one SG.
My first thought was: why not disable endpoint routes? (Joe already raised this question.)
Can you point to an existing issue if it exists, or create a new one with your findings?
Yes, the issue linked in the PR covers it: #27152
I'm a bit surprised, but the awscni tests pass with this patch. I am not sure if that's because the patch is ineffective or if that's because it's effective and everything works with this change. To confirm I would suggest doing an
That said, configuring Cilium with endpoint-routes mode disabled is functionally equivalent to this proposal as-is. I can see that this proposal only changes these settings in the case where aws-cni is in use, but if you just disable endpoint-routes mode in environments with aws-cni then Cilium will configure the datapath for the endpoints in the same way. Whatever bugs or incompatibilities may impact you with that configuration will also impact you with this patch.
The main issue I have with this patch is that it is attempting to make a special case to override the cilium-agent global configuration for this very specific case, but you can achieve the exact same thing with no code changes by just configuring the global flag.
This was my first thought as well. However, it's possible that there are some more ifdefs in the datapath that pertain to disabling the endpoint-routes config as opposed to what this PR proposes (skip installing per ep routes).
+1
I don't see any details around why the L7 policy datapath is broken. I only see this -
Yes, that's the exact behaviour we see.
I'm not necessarily sure this is true. As @aditighag says, surely pods on the same node aren't the only endpoints affected? And as for L7, the issue is correct: I can no longer see traffic on the Envoy sidecar for these pods for things like filtering on HTTP method. This is the reason why I applied this patch: it means that I lose this functionality for fewer pods. Having said that, if you don't think this is a sensible approach then I will close the PR. Unfortunately I don't understand the datapath well enough to fix the route issue here, but that is probably one for the AWS CNI team.
I took a closer look at the changes given the feedback from @aditighag and @Alex-Waring, and I realized that I was wrong in my previous assessment. I now understand better exactly how this applies and why the core change here addresses the reported issue. We can see in the config check around the code that changes here that there are a few options being enabled:
Broadly speaking this comes down to the
Evidently, aws-cni wants to configure the routing table. If an external agent configures the routing table, then Cilium doesn't need to configure routes for this endpoint (point 1). However, we do need to configure the BPF programs at receive (point 2). That's why the change makes a difference. Based on the above, I think it would be more generic if we exposed this as a flag and autodetected that aws-cni matches this case. Here's a patch (untested) that should achieve the same, but will also allow other plugins that are responsible for routing to be configured in this mode in future:
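(The patch itself isn't reproduced here. As a minimal sketch of the idea, with hypothetical type and option names rather than Cilium's actual ones: a single "routing is delegated to another plugin" option drives the two settings above, skipping the per-endpoint route while keeping the BPF programs.)

```go
package main

import "fmt"

// endpointDatapathConfig is a local stand-in for the endpoint datapath
// configuration fields discussed above; it is illustrative only, not
// Cilium's actual API struct.
type endpointDatapathConfig struct {
	InstallEndpointRoute bool // point 1: whether Cilium installs the per-endpoint route
	RequireEgressProg    bool // point 2: whether Cilium attaches its BPF programs
}

// newDatapathConfig gates route installation behind a "routing is delegated
// to another plugin" option, while always keeping the BPF programs so that
// network policy (including L7) continues to apply to these endpoints.
func newDatapathConfig(routingDelegated bool) endpointDatapathConfig {
	return endpointDatapathConfig{
		InstallEndpointRoute: !routingDelegated,
		RequireEgressProg:    true,
	}
}

func main() {
	fmt.Printf("aws-cni style: %+v\n", newDatapathConfig(true))
	fmt.Printf("default:       %+v\n", newDatapathConfig(false))
}
```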
I think that this (incremental) proposal above will make it a bit more obvious how the change works, as well as making it future-proof due to the new CLI argument. If we agree this is the path forward, you're welcome to add these changes on top of your patch and add these tags to the commit message to indicate the partial origin of the patch:
Force-pushed from 94826eb to c50f8d1.
Thank you @joestringer, I've applied the patch to my commit after confirming this resolves the issue locally. I still think the backport will need a manual change due to a difference in how the CNI config is retrieved, and I'm not sure how to go about that. Any tips greatly appreciated! Also, hubble-relay seems to be unhappy in the CI, but this change doesn't impact it, so I'm unsure what's going on there.
Force-pushed from f2dc873 to 020d187.
From the summary page of one of the CI failures (link), there's a sysdump. Downloading and opening it up, there is a logs-hubble-relay-*-prev.log which seems to be mostly healthy; it just shows that hubble-relay was requested to shut down:
The
Searching
Given that the current failures seem unrelated to the PR, I'll trigger the full testsuite for further feedback. I would expect that only the
Thanks 🍒
Thanks for fixing #27152, will test the fix once released. It may also be worth updating the documentation describing the Cilium + SGFP setup where the flag
Got it, thanks! I missed the point that the newly introduced flag is activated automatically when in chaining mode, meaning there is no need to explicitly configure it and disable the previous flag - very user-friendly implementation.
AWS uses VLAN interfaces for SG routing, and intentionally avoids upserting a route so that traffic flows through the VPC and SG rules can be evaluated. Cilium will upsert the route when an endpoint is created, and this causes traffic to be dropped due to asymmetric routing.
This exposes a wider issue: when Cilium is not in charge of routing traffic, there is no ability to avoid creating the route (InstallEndpointRoute) while still configuring the BPF programs (RequireEgressProg). This PR implements a config option to do just that, meaning we allow the host CNI to configure routing but still enable network policy for those endpoints (Pods).
This flag is automatically set to True when running with aws-cni, as this is required
due to the issue mentioned above.
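As a rough sketch of that auto-detection (the option plumbing and the way the chaining mode is read are assumptions here, not the exact implementation): an explicit operator setting wins, otherwise the flag defaults to on when chaining with aws-cni.

```go
package main

import "fmt"

// delegateRoutingToPlugin illustrates the default-on behaviour when chaining
// with aws-cni; the function and parameter names are hypothetical.
func delegateRoutingToPlugin(chainingMode string, explicitlySet, explicitValue bool) bool {
	if explicitlySet {
		// An operator-provided value always wins over the auto-detection.
		return explicitValue
	}
	// aws-cni owns the routing table (VLAN interfaces for security groups),
	// so routing is delegated automatically in that chaining mode.
	return chainingMode == "aws-cni"
}

func main() {
	fmt.Println(delegateRoutingToPlugin("aws-cni", false, false)) // true
	fmt.Println(delegateRoutingToPlugin("", false, false))        // false
}
```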
I would like this backported to 1.13; however, the way to access the CNI chaining mode seems to have changed, meaning the backport may need to be manual.
Fixes: #27152