Add option to disable ExternalIP mitigation (CVE-2020-8554). #31513
dad3ddf to 586279a
Helm/Agent looks good to me!
lgtm
@kvaster LGTM - Thank you for this update!
Thank you for the fix! Just two smaller aspects worth addressing.
586279a to 0f2ca7a
lgtm so far, ty! One suggestion below to get the BPF stylechecker ✔️ .
Left one nit comment for docs, but looks good otherwise.
69236fa to ac198aa
ac198aa to 8be5d81
/test
Telling the truth, I don't know why helm charts test is failing... I've rechecked it twice...
https://github.com/cilium/cilium/actions/runs/8611642349/job/23599228700?pr=31513#step:3:111 is what's needed:
(it updates
8be5d81 to afe1d20
It looks strange for me, 'cause I've done this several times before...
This mitigation has its own drawbacks for some setups. It prevents pods communication in same cluster via ExternalIP when DSR is enabled.

Fixes cilium#28187

Signed-off-by: Viktor Kuzmin <kvaster@gmail.com>
afe1d20 to d238758
/test
lgtm, thank you!
This mitigation has its own drawbacks for some setups. It prevents pods communication in same cluster via ExternalIP when DSR is enabled.
Fixes #28187