[v1.14] Backports 2023-11-28-2 #29447
Conversation
24a167f to 7da6164
7da6164 to b3575fc
/test-backport-1.14
b3575fc to 6ca9ece
Commit 6ca9ece does not match "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
6ca9ece to d53f842
Commit 6ca9ece does not match "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
/test-backport-1.14
[ upstream commit 9959153 ] Generate the ingress/egress network policy also when l4 filter is nil. This enables creating allow-all rules when policy is not enforced. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
d53f842 to 6f27987
[ upstream commit 34415bd ] This commit is to perform the below:
- Update envoy image to latest build from v1.26 branch
- Include new resources into pkg/envoy/resource for serialization
- grpc related resources are for upcoming support with GRPCRoute
- Change policy id to uint32, related to cilium/proxy@f37daf7
Related build: https://github.com/cilium/proxy/actions/runs/7070197416/job/19246669763
Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit de085db ] Fix comments that still had references to the now-deprecated uint64 policy IDs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 04f19e9 ] Add Cilium Endpoint representing Ingress. It is defined without a veth interface and no bpf programs or maps are created for it. The Ingress endpoint is needed so that the network policy is computed and configured to Envoy, so that ingress/egress network policy defined for Ingress can be enforced. Cilium Ingress is implemented as L7 LB, which is an Envoy redirect on the egress packet path. Egress CNP policies are already enforced when defined. Prior to this commit CNPs defined for the reserved:ingress identity were not computed, however, and all traffic passed through Cilium Ingress was allowed to egress towards the backends. When the backends receive such packets, they are identified as coming from Cilium Ingress, so any ingress policies at the backends cannot discern the original source of the traffic. This commit adds a Cilium endpoint for the reserved:ingress identity, which makes the Cilium node compute and pass policies whose endpoint selector selects this identity (e.g., by selecting all entities) to Envoy, so that they can be enforced. The Envoy listener will then enforce not just the egress policy but also the ingress policy for the original incoming source security identity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit b035460 ] Tell envoy package to use the IPs allocated for reserved:ingress identity also when a CEC/CCEC is owned by Gateway API in addition to Cilium Ingress. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 7646b69 ] Turn on ingress policy enforcement on L7 LB. With this cilium-envoy starts dropping Ingress traffic unless Cilium Agent configures it with a passing policy via the Ingress endpoint (with the reserved:ingress identity). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
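The kind of "passing policy" these commits make enforceable on the Ingress endpoint, as an added example that is not part of this PR and not taken from Cilium's own tests: a cluster-wide policy whose endpoint selector matches the reserved:ingress identity and admits only traffic from outside the cluster. The policy name, the description text and the use of a matchExpressions clause on the reserved:ingress label are assumptions made for illustration.

```yaml
# Added example (not from this PR). Selects the Ingress endpoint that carries
# the reserved:ingress identity (the endpoint added in upstream 04f19e9) and
# allows only external ("world") clients to reach Cilium Ingress.
# The name, description and selector form are assumptions.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: cilium-ingress-allow-world   # assumed name
spec:
  description: "Only clients from outside the cluster may reach Cilium Ingress"
  endpointSelector:
    matchExpressions:
      - key: reserved:ingress        # the identity the Ingress endpoint carries
        operator: Exists
  ingress:
    - fromEntities:
        - world                      # traffic entering from outside the cluster
```

Two consequences follow directly from the commit messages above. With ingress enforcement turned on for the L7 LB (upstream 7646b69), cilium-envoy drops Ingress traffic unless the agent pushes a policy like this one via the Ingress endpoint, so a cluster that defines no policy selecting reserved:ingress sees its Ingress traffic dropped rather than allowed. And because this policy only admits the world entity, in-cluster pods that address the Ingress service are denied by it; add the entities or endpoint selectors they need before applying it, and check the effect with `cilium policy get` or Hubble drop events on the node hosting the Ingress endpoint.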
6f27987 to 040d384
/test-backport-1.14
Once this PR is merged, a GitHub action will update the labels of these PRs: