[v1.14] Backports 2023-11-28-2 #29447
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
backport/1.14
sayboras
force-pushed
the
tam/backport-28126
branch
from
24a167f
to
7da6164
Compare
sayboras
force-pushed
the
tam/backport-28126
branch
from
7da6164
to
b3575fc
Compare
|
/test-backport-1.14 |
sayboras
force-pushed
the
tam/backport-28126
branch
from
b3575fc
to
6ca9ece
Compare
|
Commit 6ca9ece does not match "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
maintainer-s-little-helper
bot
added
the
dont-merge/needs-sign-off
sayboras
force-pushed
the
tam/backport-28126
branch
from
6ca9ece
to
d53f842
Compare
|
Commit 6ca9ece does not match "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
sayboras
removed
the
dont-merge/needs-sign-off
|
/test-backport-1.14 |
[ upstream commit 9959153 ] Generate the ingress/egress network policy also when l4 filter is nil. This enables creating allow-all rules when policy is not enforced. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
sayboras
force-pushed
the
tam/backport-28126
branch
from
d53f842
to
6f27987
Compare
[ upstream commit 34415bd ] This commit is to perform the below: - Update envoy image to latest build from v1.26 branch - Include new resources into pkg/envoy/resource for serialization - grpc related resources are for upcoming support with GRPCRoute - Change policy id to uint32, related to cilium/proxy@f37daf7 Related build: https://github.com/cilium/proxy/actions/runs/7070197416/job/19246669763 Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit de085db ] Fix comments that still had references to the now-deprecated uint64 policy IDs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 04f19e9 ] Add Cilium Endpoint representing Ingress. It is defined without a veth interface and no bpf programs or maps are created for it. Ingress endpoint is needed so that the network policy is computed and configured to Envoy, so that ingress/egress network policy defined for Ingress can be enforced. Cilium Ingress is implemented as L7 LB, which is an Envoy redirect on the egress packet path. Egress CNP policies are already enforced when defined. Prior to this commit CNPs defined for reserved:ingress identity were not computed, however, and all traffic was passed through by Cilium Ingress was allowed to egress towards the backends. When the backends receive such packets, they are identified as coming from Cilium Ingress, so any ingress policies at the backends can not discern the original source of the traffic. This commit adds a Cilium endpoint for the reserved:ingress identity, which makes the Cilium node compute and pass policies whose endpoint selector selects this identity (e.g., by selecting all entities) to Envoy, so that they can be enforced. Envoy listener will then enforce not just the egress policy but also the ingress policy for the original incoming source security identity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit b035460 ] Tell envoy package to use the IPs allocated for reserved:ingress identity also when a CEC/CCEC is owned by Gateway API in addition to Cilium Ingress. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 7646b69 ] Turn on ingress policy enforcement on L7 LB. With this cilium-envoy starts dropping Ingress traffic unless Cilium Agent configures it with a passing policy via the Ingress endpoint (with the reserved:ingress identity). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
sayboras
force-pushed
the
tam/backport-28126
branch
from
6f27987
to
040d384
Compare
|
/test-backport-1.14 |
youngnick
approved these changes
Dec 4, 2023
borkmann
approved these changes
Dec 4, 2023
jrajahalme
approved these changes
Dec 6, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, a GitHub action will update the labels of these PRs: