WireGuard: Deprecate userspace fallback #31867
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gandro
added
release-note/minor
|
/test |
qmonnet
approved these changes
Apr 10, 2024
brb
approved these changes
Apr 11, 2024
joamaki
approved these changes
Apr 12, 2024
gandro
added
the
dont-merge/needs-rebase
Cilium's WireGuard transparent encryption has the ability to run the WireGuard encryption logic in userspace via the `enable-wireguard-userspace-fallback` flag. When enabled, and the Linux kernel does not support WireGuard, Cilium will run wireguard-go's userspace implementation of WireGuard inside the `cilium-agent` to provide encryption. However, because encryption is done inside the `cilium-agent` process in that mode, any downtime of `cilium-agent` (e.g. during upgrades or pod restarts) means that all pod-to-pod traffic is disrupted during that downtime. This means that `enable-wireguard-userspace-fallback` is unsuitable for production use in its current form. As many cloud providers now have WireGuard support in their kernel, there is less need to provide a userspace fallback. This change therefore deprecates the `enable-wireguard-userspace-fallback` flag, so it can be removed in a future Cilium release. This does not prevent any future re-implementation of the feature using an out-of-process implementation if the need arises. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
force-pushed
the
pr/gandro/deprecate-wireguard-usermode-fallback
branch
from
72cbee6
to
2628b8b
Compare
gandro
removed
the
dont-merge/needs-rebase
|
/test |
squeed
approved these changes
Apr 15, 2024
maintainer-s-little-helper
bot
added
the
ready-to-merge
joestringer
changed the title
|
Given that PR titles end up in release notes, we may want to aim for using the canonical formatting of the name |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cilium's WireGuard transparent encryption has the ability to run the WireGuard encryption logic in userspace via the
enable-wireguard-userspace-fallbackflag. When enabled, and the Linux kernel does not support WireGuard, Cilium will run wireguard-go's userspace implementation of WireGuard inside thecilium-agentto provide encryption.However, because encryption is done inside the
cilium-agentprocess in that mode, any downtime ofcilium-agent(e.g. during upgrades or pod restarts) means that all pod-to-pod traffic is disrupted during that downtime. This means thatenable-wireguard-userspace-fallbackis unsuitable for production use in its current form. As many cloud providers now have WireGuard support in their kernel, there is less need to provide a userspace fallback. This change therefore deprecates theenable-wireguard-userspace-fallbackflag, so it can be removed in a future Cilium release. This does not prevent any future re-implementation of the feature using an out-of-process implementation if the need arises.