Skip to content

identity: Ensure ingress label is reserved label to be node-local #40791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 30, 2025
Merged

identity: Ensure ingress label is reserved label to be node-local #40791

merged 1 commit into from
Jul 30, 2025

Conversation

christarazi
Copy link
Member

@christarazi christarazi commented Jul 29, 2025
edited
Loading

If this check is not present, then Cilium consider global identity to be
node-local if there is a label called "ingress" in the label set.

For example, a workload pod could have the label set:

k8s:foo=bar
k8s:ingress=allowed

and Cilium will incorrectly assign it a node-local identity because the
"ingress" label is present, without checking the source. Hence why we
need to add a check for the reserved source.

A unit test is added to validate this behavior.

Fixes: 226a978 ("identity: Allow local identity for ingress label")
Signed-off-by: Chris Tarazi chris@isovalent.com

Fix bug where the presence of a label called "ingress" causes incorrect assignment of identities to workloads, affecting policy enforcement.

@christarazi christarazi added kind/bug This is a bug in the Cilium logic. area/daemon Impacts operation of the Cilium daemon. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Jul 29, 2025
@christarazi christarazi marked this pull request as ready for review July 29, 2025 18:48
@christarazi christarazi requested a review from a team as a code owner July 29, 2025 18:48
@christarazi christarazi requested a review from fristonio July 29, 2025 18:48
@christarazi christarazi enabled auto-merge July 29, 2025 18:49
@christarazi
Copy link
Member Author

christarazi commented Jul 29, 2025
edited
Loading

/test

Edit:

@christarazi christarazi added affects/v1.17 This issue affects v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Jul 29, 2025
fristonio
fristonio approved these changes Jul 29, 2025
View reviewed changes
Copy link
Member

@fristonio fristonio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💚

@joestringer joestringer added needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch and removed affects/v1.17 This issue affects v1.17 branch labels Jul 29, 2025
@joestringer
Copy link
Member

joestringer commented Jul 29, 2025
edited
Loading

Increasing the scope of the backport due to the severity.

EDIT: Looks like actually it doesn't impact v1.17.

joestringer
joestringer approved these changes Jul 29, 2025
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix LGTM, thanks!

@joestringer joestringer removed the needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch label Jul 29, 2025
sayboras
sayboras approved these changes Jul 29, 2025
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot

@christarazi
Copy link
Member Author

Looks like CI is kinda blocked on #40801

@christarazi
identity: Ensure ingress label is reserved label to be node-local
9e3f981 
If this check is not present, then Cilium consider global identity to be
node-local if there is a label called "ingress" in the label set.

For example, a workload pod could have the label set:

```
k8s:foo=bar
k8s:ingress=allowed
```

and Cilium will incorrectly assign it a node-local identity because the
"ingress" label is present, without checking the source. Hence why we
need to add a check for the reserved source.

A unit test is added to validate this behavior.

Fixes: 226a978 ("identity: Allow local identity for ingress label")
Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/fix-ingress-id-handling branch from 82f8942 to 9e3f981 Compare July 30, 2025 16:00
@christarazi
Copy link
Member Author

christarazi commented Jul 30, 2025
edited
Loading

/test

Edit: #36428

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jul 30, 2025
@christarazi christarazi added this pull request to the merge queue Jul 30, 2025
Merged via the queue into cilium:main with commit a692a1b Jul 30, 2025
68 checks passed
@christarazi christarazi deleted the pr/christarazi/fix-ingress-id-handling branch July 30, 2025 19:25
@rastislavs rastislavs mentioned this pull request Jul 31, 2025
Merged
14 tasks
@rastislavs rastislavs added the backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. label Jul 31, 2025
@rastislavs rastislavs removed the needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch label Jul 31, 2025
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Aug 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer approved these changes

@sayboras sayboras sayboras approved these changes

@fristonio fristonio fristonio approved these changes

+1 more reviewer

@Nikhil77Sharma Nikhil77Sharma Nikhil77Sharma approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
area/daemon Impacts operation of the Cilium daemon. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@christarazi @joestringer @sayboras @fristonio @Nikhil77Sharma @rastislavs