Fix L7 ingress proxy in endpoint routes mode #8930
Conversation
This currently causes some havoc with |
Force-pushed from 1ef149b to 0460d73
test-me-please EDIT: I think we're finally making progress. Now it's only connectivity to the remote node's |
Force-pushed from 0460d73 to 4fc3f39
test-me-please
Force-pushed from 4fc3f39 to 136bc2a
test-me-please
test-me-please
Force-pushed from 136bc2a to 1e3f42c
test-me-please
Force-pushed from 6f05efd to 883685b
test-me-please EDIT: Successful k8s-1.10 run: Other runs failed due to CI infrastructure issues.
test-me-please EDIT: Green CI run.
@joestringer needs a rebase to deal with |
The endpoint routes mode has only ever been validated in direct routing mode, but the test was merged without specifying this, which meant that it relied upon tunneling (and avoiding endpoint routes) for forwarding. Fix it.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Joe Stringer <joe@cilium.io>
Reorder the initialization of 'healthIP' to prefer IPv4 over IPv6 when both are enabled. This makes the health endpoint less likely to fail out in some of the newly introduced datapath configuration modes.

Signed-off-by: Joe Stringer <joe@cilium.io>
Previously, even when the daemon is configured with --enable-endpoint-routes, the cilium-health endpoint was not configured with per-endpoint routes, which meant that the routing for that endpoint is different from other endpoints. Fix it by applying the appropriate endpoint datapath configuration.

Signed-off-by: Joe Stringer <joe@cilium.io>
When endpoint routes are enabled, we don't need to install the ip rules or routes to ensure that the traffic from the ingress proxy goes into cilium_host; instead, we configure BPF programs attached to the TC egress filter of the endpoint device to ensure that it implements the policy logic. Treat this case as datapath mode "routed", where we will now skip those rules. All other datapath configuration should be equivalent to direct mode.

If we don't do this, then when applying L7 ingress policy, the traffic from the ingress proxy towards the pod is first directed towards the cilium_host device, then subsequently passed to the stack and re-routed towards the endpoint device, which causes the BPF to lose the context that this traffic comes from the proxy, and hence the BPF program treats it as newly inbound traffic from the world. As a result, inbound HTTP requests see a message like:

    upstream connect error or disconnect/reset before headers

Signed-off-by: Joe Stringer <joe@cilium.io>
Force-pushed from 883685b to 9dc92b5
test-me-please
Fix per-endpoint route mode with the cilium-health endpoint, and configure it such that the daemon prefers to connect over IPv4 rather than IPv6 when both protocols are enabled in the daemon. Otherwise we hit CI issues in the endpoint routes mode datapath configuration test (see #8956).

Fix up the per-endpoint route mode tests so they actually test per-endpoint routes in the supported direct routing mode rather than in tunnel mode.

Fix routing from a host proxy towards local pods in endpoint routes mode:
This fixes the following policy cases:
This change is