WireGuard: Deprecate userspace fallback #31867
Merged
squeed
merged 1 commit into
cilium:main
from
gandro:pr/gandro/deprecate-wireguard-usermode-fallback
Apr 15, 2024
Conversation
gandro
added
release-note/minor
This PR changes functionality that users may find relevant to operating Cilium.
area/encryption
Impacts encryption support such as IPSec, WireGuard, or kTLS.
feature/wireguard
Relates to Cilium's Wireguard feature
labels
Apr 9, 2024
/test
qmonnet
approved these changes
Apr 10, 2024
brb
approved these changes
Apr 11, 2024
joamaki
approved these changes
Apr 12, 2024
gandro
added
the
dont-merge/needs-rebase
This PR needs to be rebased because it has merge conflicts.
label
Apr 15, 2024
Cilium's WireGuard transparent encryption has the ability to run the WireGuard encryption logic in userspace via the `enable-wireguard-userspace-fallback` flag. When enabled, and the Linux kernel does not support WireGuard, Cilium will run wireguard-go's userspace implementation of WireGuard inside the `cilium-agent` to provide encryption.

However, because encryption is done inside the `cilium-agent` process in that mode, any downtime of `cilium-agent` (e.g. during upgrades or pod restarts) means that all pod-to-pod traffic is disrupted during that downtime. This means that `enable-wireguard-userspace-fallback` is unsuitable for production use in its current form.

As many cloud providers now have WireGuard support in their kernel, there is less need to provide a userspace fallback. This change therefore deprecates the `enable-wireguard-userspace-fallback` flag, so it can be removed in a future Cilium release. This does not prevent any future re-implementation of the feature using an out-of-process implementation if the need arises.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
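The commit message describes two things an operator wants to verify before this flag disappears: whether a cluster still sets `enable-wireguard-userspace-fallback`, and whether the node kernel provides WireGuard so that the fallback is unnecessary. The POSIX sh preflight below is an added example, not Cilium's own tooling and not part of this PR. It assumes the ConfigMap key `enable-wireguard` is the companion key that turns the feature on (only `enable-wireguard-userspace-fallback` appears on this page), uses a constructed sample of a `cilium-config` ConfigMap, and takes optional root directories so the kernel check can be exercised against a constructed tree instead of the live host.

```shell
#!/bin/sh
# Preflight for Cilium WireGuard nodes (added example, not Cilium's own tooling):
# flags the deprecated enable-wireguard-userspace-fallback setting and checks
# whether the kernel itself provides WireGuard, which makes the fallback moot.

# Constructed sample of a cilium-config ConfigMap's data as key: value lines.
# "enable-wireguard" is assumed to be the companion key that enables the feature.
SAMPLE_CONFIG='enable-wireguard: "true"
enable-wireguard-userspace-fallback: "true"
enable-ipsec: "false"'

# config_value KEY CONFIG_TEXT: print KEY's value with surrounding quotes stripped
# (empty if the key is absent). Leading indentation is ignored, so the indented
# data: block of "kubectl get configmap cilium-config -o yaml" can be fed in as-is.
config_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': *' '{
        key = $1; sub(/^[[:space:]]+/, "", key)
        if (key == k) { v = $2; gsub(/"/, "", v); print v }
    }'
}

# kernel_has_wireguard [SYSFS_ROOT] [MODULES_DIR]: return 0 if WireGuard is
# loaded (a module/wireguard entry under sysfs), built in (listed in
# modules.builtin) or, on the live defaults only, loadable per a modprobe dry
# run; 1 otherwise. The optional roots allow pointing it at a constructed tree.
kernel_has_wireguard() {
    sysfs=${1:-/sys}
    moddir=${2:-/lib/modules/$(uname -r)}
    [ -d "$sysfs/module/wireguard" ] && return 0
    [ -r "$moddir/modules.builtin" ] && grep -q '/wireguard\.ko' "$moddir/modules.builtin" && return 0
    if [ $# -eq 0 ] && command -v modprobe >/dev/null 2>&1; then
        modprobe -n wireguard >/dev/null 2>&1 && return 0
    fi
    return 1
}

# assess CONFIG_TEXT KERNEL_WG(yes|no): print a verdict and return a code:
#   0 kernel WireGuard present, deprecated fallback not enabled
#   1 fallback enabled although the kernel has WireGuard: drop the flag before it is removed
#   2 fallback enabled with no kernel WireGuard: encryption runs inside cilium-agent,
#     so any agent restart interrupts pod-to-pod traffic
#   3 WireGuard requested, no kernel support, no fallback: WireGuard cannot run on this node
#   4 WireGuard not enabled at all: nothing to check
assess() {
    cfg=$1; kwg=$2
    wg=$(config_value enable-wireguard "$cfg")
    fb=$(config_value enable-wireguard-userspace-fallback "$cfg")
    if [ "$wg" != true ]; then
        echo "SKIP: enable-wireguard is not true; the fallback flag is irrelevant"; return 4
    fi
    if [ "$kwg" = yes ]; then
        if [ "$fb" = true ]; then
            echo "WARN: enable-wireguard-userspace-fallback is deprecated and unused on this kernel; remove it"; return 1
        fi
        echo "OK: kernel WireGuard in use, no deprecated fallback"; return 0
    fi
    if [ "$fb" = true ]; then
        echo "WARN: userspace fallback active; cilium-agent downtime will break pod-to-pod traffic"; return 2
    fi
    echo "FAIL: kernel lacks WireGuard and no fallback is enabled"; return 3
}

# Demo: assess the constructed sample against the live kernel of this host.
if kernel_has_wireguard; then live=yes; else live=no; fi
assess "$SAMPLE_CONFIG" "$live" || true
```

To run it against a real cluster, replace `SAMPLE_CONFIG` with the output of `kubectl -n kube-system get configmap cilium-config -o yaml` and run the script on each node (the kernel check is per node, not per cluster). Return code 2 is the situation the PR warns about; return code 1 is the cleanup to do before the flag is removed.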
gandro force-pushed the pr/gandro/deprecate-wireguard-usermode-fallback branch from 72cbee6 to 2628b8b on April 15, 2024 07:57
gandro
removed
the
dont-merge/needs-rebase
This PR needs to be rebased because it has merge conflicts.
label
Apr 15, 2024
/test
squeed
approved these changes
Apr 15, 2024
maintainer-s-little-helper
bot
added
the
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
label
Apr 15, 2024
joestringer
changed the title
wireguard: Deprecate userspace fallback
WireGuard: Deprecate userspace fallback
May 2, 2024
Given that PR titles end up in release notes, we may want to aim for using the canonical formatting of the name.