Skip to content

CFP: Operator Manages Cilium Identities #27752

New issue
New issue
Open
Enhancement
1 of 2 issues completed
Open
CFP: Operator Manages Cilium Identities#27752
Enhancement
1 of 2 issues completed
Assignees
ovidiutirladlapcevic
Labels
area/agentCilium agent related.kind/featureThis introduces new functionality.
@dlapcevic

Description

@dlapcevic
dlapcevic
opened on Aug 28, 2023

Cilium Feature Proposal

Thanks for taking time to make a feature proposal for Cilium! If you have usage questions, please try the slack channel and see the FAQ first.

Is your proposed feature related to a problem?

CID - Cilium Identity

CIDs are presenting issues with reliability and scalability, and are causing network policies to be in a broken state. Most notable cases:

  • Reaching maximum number (65k) of CIDs in the cluster.
  • eBPF policy maps overflowing with over 16k entries.
  • CID garbage collection malfunction.
  • Network policy incorrectly dropping connections on KCP upgrade, when cilium-agent restarts. Related to CID duplication
  • Unhealthy cluster state that is difficult (or impossible) to recover from - related to numbers of IDs (and other Cilium custom resources) and CID duplication.

Describe the feature you'd like

Centralize CID management to a single pod (Operator), instead of distributed management, done by all Agents. The goal is to improve security, reliability, performance and scalability of CID, and enable more advanced optimizations.

(Optional) Describe your proposed solution

CFP document

Phase 1: Operator manages Cilium Identities.
Move CID creation from cilium-agent to cilium-operator.

Phase 2: CID lazy creation
Create IDs only for labels used in network policies to greatly reduce the number of CIDs. Only pod labels used in the peer pod label selector of network policies will be relevant for ID creation.

A separate CFP is required for the Phase 2.

Please complete this section if you have ideas / suggestions on how to implement the feature. We strongly recommend discussing your approach with Cilium committers before spending lots of time implementing a change.

For longer proposals, you are welcome to link to an external doc (e.g. a Google doc). We have a Cilium Feature Proposal template to help you structure your proposal - if you would like to use it, please make a copy and ensure it's publicly visible, and then add the link here.

Once the CFP is close to being finalized, please add it as a PR to the design-cfps repo for final approval.

Sub-issues

Metadata

Metadata

Assignees

Labels

area/agentCilium agent related.kind/featureThis introduces new functionality.

Type

Enhancement

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions