Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy fix revert by only recording an "old" value if it existed before the changes #29162

Merged
merged 3 commits into from
Nov 22, 2023
Merged

Policy fix revert by only recording an "old" value if it existed before the changes #29162

merged 3 commits into from
Nov 22, 2023

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Nov 14, 2023
edited
Loading

Only record an old entry in ChangeState if it existed before this round of changes. We do this by testing if the entry is already in Adds. If not, then we record the old entry key and value. If the Adds entry exists, however, this entry may have only been added on this round of changes and we do not record the old value. This is safe due to the fact that when the Adds entry is created, the Old value is stored before adding the Adds entry, so for the first Adds entry the Old value does not yet exist and will be added.

This removes extraneous Old entries that did not actually originally exist. Before this change ChangeState.Revert could have restored entries the should not exists, based on these extraneous Old entries.

Note that the change in TestMapState_AccumulateMapChangesOnVisibilityKeys on the 3rd commit shows the effect of this change. Previously the test resulted in an entry in ChangeState.Old that did not exist before the changes started, but was recoded due to an entry being first added and then modified within the same set of changes.

Note for backporting: Releases prior to 1.14 should only backport the last commit, as the changes addressed in first two are only in the main branch and are included to make the backports of the last commit easier.

Policy revert used in rare error cases has been corrected.

@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Nov 14, 2023
@jrajahalme jrajahalme requested review from a team as code owners November 14, 2023 09:23
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.4 Nov 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.9 Nov 14, 2023
@jrajahalme
policy: Simplify ChangeState
3b74e18 
Simplify ChangeState by changing 'Old' back to a
'map[Key]MapStateEntry'. This is used only for reverting and in that case
there is no need to optimize scanning deny entries.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
Copy link
Member Author

/test

bimmlerd
bimmlerd reviewed Nov 14, 2023
View reviewed changes
Copy link
Member

@bimmlerd bimmlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

drive-by comment - lgtm otherwise

pkg/policy/mapstate.go Outdated Show resolved Hide resolved
@jrajahalme jrajahalme mentioned this pull request Nov 14, 2023
Merged
@jrajahalme
policy: Add MapState.Diff() for debugging tests
0958be7 
Add a Diff member function so that test failures can report the
difference between the obtained and expected MapState. Takes in an unused
'*testing.T' to make sure this is only used in testing.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Only record an old entry if needed
1ef653e 
Only record an old entry in ChangeState if it existed before this round
of changes. We do this by testing if the entry is already in Adds. If
not, then we record the old entry key and value. If the Adds entry
exists, however, this entry may have only been added on this round of
changes and we do not record the old value. This is safe due to the fact
that when the Adds entry is created, the Old value is stored before
adding the Adds entry, so for the first Adds entry the Old value does not
yet exist and will be added.

This removes extraneous Old entries that did not actually originally
exist. Before this ChangeState.Revert did restore an entry the should not
exists based on these extraneous Old entries.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
Copy link
Member Author

/test

aditighag
aditighag approved these changes Nov 21, 2023
View reviewed changes
Copy link
Member

@aditighag aditighag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving pkg/endpoint/bpf.go changes for my codeowners.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 21, 2023
@jrajahalme jrajahalme merged commit 9916824 into cilium:main Nov 22, 2023
61 checks passed
This was referenced Nov 29, 2023
Merged
Merged
@joamaki joamaki added the backport/author The backport will be carried out by the author of the PR. label Nov 29, 2023
@joamaki
Copy link
Contributor

joamaki commented Nov 29, 2023

Marking with backport/author as the backports to v1.12, v1.13 and v1.14 are non-trivial and likely require #28352 to be backported first.

@joamaki joamaki mentioned this pull request Nov 29, 2023
Merged
14 tasks
@jrajahalme jrajahalme added needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch release-blocker/1.15 This issue will prevent the release of the next version of Cilium. labels Jan 24, 2024
@aanm aanm removed the needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch label Jan 31, 2024
@aanm
Copy link
Member

aanm commented Jan 31, 2024

This PR is already part of 1.15

@jrajahalme jrajahalme mentioned this pull request Feb 21, 2024
Merged
1 task
@jrajahalme jrajahalme added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch release-blocker/1.15 This issue will prevent the release of the next version of Cilium. labels Feb 21, 2024
@jrajahalme
Copy link
Member Author

Looked into backporting this to 1.13 and 1.12, and there are a lot of non-backported dependencies that make the backport somewhat risky. Since we don't know of any reports of actual problems cause by the issue fixed here, I'll drop the 1.13 and 1.12 backports for now.

@jrajahalme jrajahalme removed needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Feb 21, 2024
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Feb 21, 2024
@julianwiedmann julianwiedmann added affects/v1.12 This issue affects v1.12 branch affects/v1.13 This issue affects v1.13 branch labels Feb 21, 2024
@thorn3r thorn3r mentioned this pull request Mar 13, 2024
Merged
@jrajahalme jrajahalme mentioned this pull request Jun 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebril nebril nebril approved these changes

@bimmlerd bimmlerd bimmlerd approved these changes

@aditighag aditighag aditighag approved these changes

Assignees
No one assigned
Labels
affects/v1.12 This issue affects v1.12 branch affects/v1.13 This issue affects v1.13 branch backport/author The backport will be carried out by the author of the PR. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
No open projects
1.13.9
Needs backport from main
1.14.4
Needs backport from main
cilium v1.14.8
Status: Released
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@jrajahalme @joamaki @aanm @nebril @bimmlerd @aditighag @julianwiedmann