-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Test IPsec + KPR #31760
Test IPsec + KPR #31760
Conversation
f7cf28a
to
5069a4a
Compare
This comment was marked as resolved.
This comment was marked as resolved.
14b88c4
to
5069a4a
Compare
5069a4a
to
7800822
Compare
7800822
to
0c7b583
Compare
With previous fixes, we can now have IPsec enabled together with KPR. IPsec will encrypt traffic between pods as usual. Note that requests to a NodePort that are being forwarded from the receiving node to a node with a backend won't be encrypted. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
We can reuse the two configs that had --devices set because KPR will cause devices to be autodetected anyway. We then need to add one other config to cover VXLAN. Upgrade tests are not extended to cover KPR because it isn't supported in the previous stable. We will need to wait for the next minor release to be able to extend those tests. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
To be able to cover this configuration without removing coverage for others, we need to add one more test case. Fortunately, it will run in parallel to other test case. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
0c7b583
to
2ad6401
Compare
if option.Config.EnableIPSec { | ||
return fmt.Errorf("IPSec cannot be used with BPF NodePort") | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From a look at what additional feature combinations this allows (with features that depend on EnableNodePort
, and thus were previously incompatible), the two that stand out are:
- XDP NodePort acceleration
- BPF Masquerade (and all of its dependencies, like Egress Gateway)
Should we explicitly reject these two, until we have fully understood the implications and added sufficient test coverage?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it's probably best. Should I already disable for WireGuard or do we have coverage in that case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm note quite parsing
Should I already disable for WireGuard or do we have coverage in that case?
You mean whether WireGuard should also conflict against XDP and/or BPF Masquerade? I think that ship has sailed already, breaking potentially existing configs is a much tougher decision. Coverage-wise, I see that we have WireGuard + EGW in the e2e test.
I would also expect that those features have much more user exposure to WireGuard already (because IPsec was not an option until now).
This pull request adds end-to-end CI coverage for IPsec + KPR, including coverage of key rotations and up/downgrades.