daemon: Add --disable-sip-verification flag

Add flag to disable sip veification. This will allow to configure the datapath so it dose'nt drop packets due to invalid source ip in the datapath. This is helpful when routing IP payload from external ip networks through kubernets via ip tunnels. See cilium#16134 for more infomations. Signed-off-by: Michael Raskansky <michaelraskansky@gmail.com>
michaelraskansky · Jan 22, 2022 · ec4f6f0 · ec4f6f0
1 parent 527c2fe
commit ec4f6f0
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -1049,6 +1049,9 @@ func initializeFlags() {
 	flags.Bool(option.EnableK8sTerminatingEndpoint, true, "Enable auto-detect of terminating endpoint condition")
 	option.BindEnv(option.EnableK8sTerminatingEndpoint)
 
+	flags.Bool(option.DisableSipVerification, defaults.DisableSipVerification, "Disable source ip verification")
+	option.BindEnv(option.DisableSipVerification)
+
 	viper.BindPFlags(flags)
 }
 

diff --git a/daemon/cmd/endpoint.go b/daemon/cmd/endpoint.go
@@ -295,11 +295,10 @@ func (m *endpointCreationManager) DebugStatus() (output string) {
 // createEndpoint attempts to create the endpoint corresponding to the change
 // request that was specified.
 func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, epTemplate *models.EndpointChangeRequest) (*endpoint.Endpoint, int, error) {
+	if epTemplate.DatapathConfiguration == nil {
+		epTemplate.DatapathConfiguration = &models.EndpointDatapathConfiguration{}
+	}
 	if option.Config.EnableEndpointRoutes {
-		if epTemplate.DatapathConfiguration == nil {
-			epTemplate.DatapathConfiguration = &models.EndpointDatapathConfiguration{}
-		}
-
 		// Indicate to insert a per endpoint route instead of routing
 		// via cilium_host interface
 		epTemplate.DatapathConfiguration.InstallEndpointRoute = true
@@ -315,6 +314,10 @@ func (d *Daemon) createEndpoint(ctx context.Context, owner regeneration.Owner, e
 		epTemplate.DatapathConfiguration.RequireRouting = &disabled
 	}
 
+	if option.Config.DisableSipVerification {
+		epTemplate.DatapathConfiguration.DisableSipVerification = true
+	}
+
 	log.WithFields(logrus.Fields{
 		"addressing":            epTemplate.Addressing,
 		logfields.ContainerID:   epTemplate.ContainerID,
@@ -1045,7 +1048,6 @@ func (h *putEndpointIDLabels) Handle(params PatchEndpointIDLabelsParams) middlew
 func (d *Daemon) QueueEndpointBuild(ctx context.Context, epID uint64) (func(), error) {
 	// Acquire build permit. This may block.
 	err := d.buildEndpointSem.Acquire(ctx, 1)
-
 	if err != nil {
 		return nil, err // Acquire failed
 	}

diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
@@ -437,4 +437,7 @@ const (
 
 	// ARPBaseReachableTime resembles the kernel's NEIGH_VAR_BASE_REACHABLE_TIME which defaults to 30 seconds.
 	ARPBaseReachableTime = 30 * time.Second
+
+	// DisableSipVerification disables source ip verification
+	DisableSipVerification = false
 )
diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -994,6 +994,9 @@ const (
 	// regardless of whether it's available in the pool.
 	BypassIPAvailabilityUponRestore = "bypass-ip-availability-upon-restore"
 
+	// DisableSipVerification disable sip verification
+	DisableSipVerification = "disable-sip-verification"
+
 	// EnableK8sTerminatingEndpoint enables the option to auto detect terminating
 	// state for endpoints in order to support graceful termination.
 	EnableK8sTerminatingEndpoint = "enable-k8s-terminating-endpoint"
@@ -2043,6 +2046,9 @@ type DaemonConfig struct {
 	// regardless of whether it's available in the pool.
 	BypassIPAvailabilityUponRestore bool
 
+	// DisableSipVerification bypasses sip verification
+	DisableSipVerification bool
+
 	// EnableK8sTerminatingEndpoint enables auto-detect of terminating state for
 	// Kubernetes service endpoints.
 	EnableK8sTerminatingEndpoint bool
@@ -2088,6 +2094,7 @@ var (
 		K8sEnableAPIDiscovery:        defaults.K8sEnableAPIDiscovery,
 		AllocatorListTimeout:         defaults.AllocatorListTimeout,
 		EnableICMPRules:              defaults.EnableICMPRules,
+		DisableSipVerification:       defaults.DisableSipVerification,
 
 		K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery,
 		APIRateLimit:                     make(map[string]string),
@@ -2912,6 +2919,7 @@ func (c *DaemonConfig) Populate() {
 	c.DisableCNPStatusUpdates = viper.GetBool(DisableCNPStatusUpdates)
 	c.EnableICMPRules = viper.GetBool(EnableICMPRules)
 	c.BypassIPAvailabilityUponRestore = viper.GetBool(BypassIPAvailabilityUponRestore)
+	c.DisableSipVerification = viper.GetBool(DisableSipVerification)
 	c.EnableK8sTerminatingEndpoint = viper.GetBool(EnableK8sTerminatingEndpoint)
 }