
[1.13] ci: Add IPsec leak detection for ci-ipsec-e2e #33080

Draft
wants to merge 7 commits into base: v1.13

Conversation

jschwinger233
Member

jschwinger233 and others added 6 commits June 12, 2024 13:30
[ upstream commit: 0f957a7 ]

They are to replace conn-disrupt-test action for better flexibility.

Please note the new conn-disrupt-test-check doesn't run full tests by
default.

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: c430572 ]

[ backporter's note: 1.13 doesn't have ipsec-key-rotate action, we just
get rid of conn-disrupt-test from ci-ipsec-e2e. ]

So in future we can add encryption leak detection right after key
rotation to avoid certain issues.

ci-ipsec-e2e and ci-eks have also been adjusted to use
conn-disrupt-test-* actions before and after ipsec-key-rotate action.

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: 364ff9e ]

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: ec1b796 ]

Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: e3fe4bc ]

Extend the conformance-ipsec-e2e GHA workflow to additionally check that
we don't leak any unencrypted packets during the connectivity test.
This aims to complement the validation already performed as part of
the connectivity tests by the Cilium CLI.

Specifically, we leverage bpftrace to analyze the packets forwarded by
the bridge device (used by kind), and report those that are not encrypted.
We flag packets with both the source and the destination belonging to
the IPv4/6 PodCIDR, and we consider the inner headers if packets are
encapsulated. In this case, we additionally skip packets originating
or targeting CiliumInternalIP addresses (as these are used for node-to-pod
traffic when running in tunnel mode, which is not encrypted by design).

Extra checks are finally added to always include packets originating
from the L7 and DNS proxies, as their source IP is not that of a pod.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: gray <gray.liang@isovalent.com>
[ upstream commit: 230c200 ]

Add an argument to tell check-ipsec-leaks.bt whether to report errors
if proxy traffic is not found.

Signed-off-by: gray <gray.liang@isovalent.com>
maintainer-s-little-helper bot added labels backport/1.13 (This PR represents a backport for Cilium 1.13.x of a PR that was merged to main.) and kind/backports (This PR provides functionality previously merged into master.) on Jun 12, 2024
@jschwinger233
Member Author

/ci-ipsec-e2e

@jschwinger233
Member Author

/ci-ipsec-upgrade

[ upstream commit: 4e2a66d ]

[ backporter's note: In 1.13 ci-ipsec-e2e disables IPv6, we need to
suppress "no IPv6 connections" errors in check-ipsec-leaks.bt ]

This is because we saw a racing issue if leak detection covers the whole
rotation + conn-disrupt-check: cilium connectivity will remove
conn-disrupt pods at the end of connectivity test, leaving some lingering
packets recognized as leaked traffic.

This commit avoids the issue by running leak checks separately for key
rotation and after-rotation test.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: gray <gray.liang@isovalent.com>
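The leak-detection rules described in the commit messages above (unencrypted pod-to-pod packets on the kind bridge, inner headers for encapsulated traffic, the CiliumInternalIP skip, proxy-originated traffic, and the "no IPv6 connections" sanity error the backporter's note suppresses), as an added Python model over constructed packet records. This is not the PR's check-ipsec-leaks.bt (a bpftrace script); the PodCIDRs, CiliumInternalIPs, proxy source ports and the packet-dict layout are assumptions made here.

```python
import ipaddress

# Constructed configuration for the example (not real cluster values).
POD_CIDRS = [ipaddress.ip_network(c) for c in ("10.244.0.0/16", "fd00:10:244::/48")]
CILIUM_INTERNAL_IPS = {"10.244.0.1", "10.244.1.1"}
PROXY_PORTS = {10000, 10001, 53}  # assumption: source ports the L7/DNS proxies use

def in_pod_cidr(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in cidr for cidr in POD_CIDRS)

def is_leak(pkt):
    """True if this bridge-forwarded packet is plaintext traffic that should
    have been encrypted. pkt is a dict: src, dst, optional sport, optional
    esp flag, optional inner=(src, dst, sport) for encapsulated packets."""
    if pkt.get("esp"):
        return False                          # ESP payload: encrypted, fine
    src, dst, sport = pkt["src"], pkt["dst"], pkt.get("sport")
    if "inner" in pkt:                        # encapsulated: judge the inner headers
        src, dst, sport = pkt["inner"]
        if src in CILIUM_INTERNAL_IPS or dst in CILIUM_INTERNAL_IPS:
            # node-to-pod traffic in tunnel mode is unencrypted by design,
            # but packets sent by the proxies are still checked
            return sport in PROXY_PORTS and in_pod_cidr(dst)
    # proxies send from a node address, so their source is accepted as if it
    # were a pod; everything else must be pod-to-pod to count as a leak
    from_proxy = sport in PROXY_PORTS
    return (from_proxy or in_pod_cidr(src)) and in_pod_cidr(dst)

def check(packets, ipv6_expected=True):
    """Return error strings for a capture; an empty list means no leaks.
    ipv6_expected=False suppresses the sanity error for IPv4-only CI runs."""
    errors = [f"leaked plaintext packet: {p}" for p in packets if is_leak(p)]
    saw_v6 = any(ipaddress.ip_address(p["src"]).version == 6 for p in packets)
    if ipv6_expected and not saw_v6:
        errors.append("no IPv6 connections observed")
    return errors
```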
jschwinger233 force-pushed the pr/gray/1.13/ipsec-leak-detection branch from 5fe94e3 to 1d8e7de on June 12, 2024 06:51
@jschwinger233
Member Author

/test-backport-1.13

@jschwinger233
Member Author

/test-1.17-4.19

@jschwinger233
Member Author

/test-1.17-4.19
