envoy: Drop privileges

Use cilium-envoy image that drops privileges from the Envoy process
before it starts.

Envoy now needs to be started as `cilium-envoy-starter`, which drops all
privileges before executing `cilium-envoy`.

If `cilium-envoy` is executed directly with any privileges, it will
terminate with the following error message when any Cilium filters are
first configured:

  "[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 &&
   get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy
   running with privileges, exiting"

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

images/cilium/Dockerfile

@@ -6,7 +6,7 @@ ARG CILIUM_RUNTIME_IMAGE=quay.io/cilium/cilium-runtime:89492ceb5f0ce72b07f5dcd70
 
 # cilium-envoy from github.com/cilium/proxy
 #
-FROM quay.io/cilium/cilium-envoy:v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7@sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210 as cilium-envoy
+FROM quay.io/cilium/cilium-envoy:v1.27.0-49b6a7c9c075b587f26255e73eda3fa08506b3e4@sha256:37168e791fd1bcb456988554e17dea85a200287a30011b6601791b25a354a7d7 as cilium-envoy
 
 #
 # Hubble CLI

install/kubernetes/Makefile.values

@@ -43,8 +43,8 @@ export CILIUM_NODEINIT_REPO:=quay.io/cilium/startup-script
 export CILIUM_NODEINIT_VERSION:=62093c5c233ea914bfa26a10ba41f8780d9b737f
 
 export CILIUM_ENVOY_REPO:=quay.io/cilium/cilium-envoy
-export CILIUM_ENVOY_VERSION:=v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7
-export CILIUM_ENVOY_DIGEST:=sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210
+export CILIUM_ENVOY_VERSION:=v1.27.0-49b6a7c9c075b587f26255e73eda3fa08506b3e4
+export CILIUM_ENVOY_DIGEST:=sha256:37168e791fd1bcb456988554e17dea85a200287a30011b6601791b25a354a7d7
 
 export ETCD_REPO:=quay.io/coreos/etcd
 export ETCD_VERSION:=v3.5.4

install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml

@@ -61,7 +61,7 @@ spec:
         image: {{ include "cilium.image" .Values.envoy.image | quote }}
         imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
         command:
-        - /usr/bin/cilium-envoy
+        - /usr/bin/cilium-envoy-starter
         args:
         - '-c /var/run/cilium/envoy/bootstrap-config.json'
         - '--base-id 0'

pkg/envoy/ciliumenvoyconfig.go

@@ -17,7 +17,6 @@ import (
 	envoy_config_http "github.com/cilium/proxy/go/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_config_tcp "github.com/cilium/proxy/go/envoy/extensions/filters/network/tcp_proxy/v3"
 	envoy_config_tls "github.com/cilium/proxy/go/envoy/extensions/transport_sockets/tls/v3"
-	"golang.org/x/sys/unix"
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
@@ -156,21 +155,6 @@ func ParseResources(cecNamespace string, cecName string, anySlice []cilium_v2.XD
 				}
 			}
 
-			// Inject listener socket option for Cilium datapath, if not already present.
-			{
-				found := false
-				for _, so := range listener.SocketOptions {
-					if so.Level == unix.SOL_SOCKET && so.Name == unix.SO_MARK {
-						found = true
-						break
-					}
-				}
-
-				if !found {
-					listener.SocketOptions = append(listener.SocketOptions, getListenerSocketMarkOption(false /* egress */))
-				}
-			}
-
 			// Fill in SDS & RDS config source if unset
 			for _, fc := range listener.FilterChains {
 				fillInTransportSocketXDS(cecNamespace, cecName, fc.TransportSocket)
@@ -419,9 +403,6 @@ func ParseResources(cecNamespace string, cecName string, anySlice []cilium_v2.XD
 				resources.portAllocations = make(map[string]uint16)
 			}
 			resources.portAllocations[listener.Name] = port
-
-			// Inject Transparent to work with TPROXY
-			listener.Transparent = &wrapperspb.BoolValue{Value: true}
 		}
 		if validate {
 			if err := listener.Validate(); err != nil {

pkg/envoy/embedded_envoy.go

@@ -54,7 +54,7 @@ var (
 )
 
 const (
-	ciliumEnvoy = "cilium-envoy"
+	ciliumEnvoy = "cilium-envoy-starter"
 )
 
 // EnableTracing changes Envoy log level to "trace", producing the most logs.

pkg/envoy/xds_server.go

@@ -28,7 +28,6 @@ import (
 	envoy_type_matcher "github.com/cilium/proxy/go/envoy/type/matcher/v3"
 	"github.com/cilium/proxy/pkg/policy/api/kafka"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -846,20 +845,6 @@ func getListenerFilter(isIngress bool, useOriginalSourceAddr bool, l7lb bool) *e
 	}
 }
 
-func getListenerSocketMarkOption(isIngress bool) *envoy_config_core.SocketOption {
-	socketMark := int64(0xB00)
-	if isIngress {
-		socketMark = 0xA00
-	}
-	return &envoy_config_core.SocketOption{
-		Description: "Listener socket mark",
-		Level:       unix.SOL_SOCKET,
-		Name:        unix.SO_MARK,
-		Value:       &envoy_config_core.SocketOption_IntValue{IntValue: socketMark},
-		State:       envoy_config_core.SocketOption_STATE_PREBIND,
-	}
-}
-
 func (s *xdsServer) getListenerConf(name string, kind policy.L7ParserType, port uint16, isIngress bool, mayUseOriginalSourceAddr bool) *envoy_config_listener.Listener {
 	clusterName := egressClusterName
 	tlsClusterName := egressTLSClusterName
@@ -874,10 +859,6 @@ func (s *xdsServer) getListenerConf(name string, kind policy.L7ParserType, port
 		Name:                name,
 		Address:             addr,
 		AdditionalAddresses: additionalAddr,
-		Transparent:         &wrapperspb.BoolValue{Value: true},
-		SocketOptions: []*envoy_config_core.SocketOption{
-			getListenerSocketMarkOption(isIngress),
-		},
 		// FilterChains: []*envoy_config_listener.FilterChain
 		ListenerFilters: []*envoy_config_listener.ListenerFilter{
 			// Always insert tls_inspector as the first filter