Skip to content

Don't enable host firewall bypass unless host firewall is enabled #40942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 20, 2025
Merged

Don't enable host firewall bypass unless host firewall is enabled #40942

merged 1 commit into from
Aug 20, 2025

Conversation

atykhyy
Copy link
Contributor

@atykhyy atykhyy commented Aug 5, 2025

An analysis of e2e conformance test failures reported in #40682 and attributed to #40346 (k8s host firewall bypass) being enabled by default showed that these failures appear in test jobs where IPSec is enabled. However, IPSec cannot be used with the host firewall, whereas the whole host (node) FQDN-based egress rules feature, which creates the need for a bypass, only makes sense with the host firewall. This PR ensures that the bypass is not enabled unless the host firewall is enabled.

Fixes: #40682
Related: #40346

@atykhyy
Don't enable host firewall bypass unless host firewall is enabled
9ef97e8 
Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
@atykhyy atykhyy requested a review from a team as a code owner August 5, 2025 08:28
@atykhyy atykhyy requested a review from joamaki August 5, 2025 08:28
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 5, 2025
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Aug 5, 2025
@joestringer
Copy link
Member

/test

@joestringer joestringer added the release-note/misc This PR makes changes that have no direct user impact. label Aug 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 5, 2025
@atykhyy
Copy link
Contributor Author

atykhyy commented Aug 5, 2025

For what it's worth, the failure in ci-clustermesh test is the same as in a dozen other unrelated runs today. ci-gateway-api is less flaky but I found several runs with similar errors and one with the same error (albeit in a different job), so it does not look to be caused by changes in this PR either.

@joestringer
Copy link
Member

FWIW for future reference it's easier for committers to understand the status of the PR if CI results are reported with issue links (related: CI Failure Triage Docs).

Example:

Given these issues have been reported by others, I think it's fair to say this PR is not introducing these failures.

joestringer
joestringer reviewed Aug 20, 2025
View reviewed changes
@joestringer joestringer self-assigned this Aug 20, 2025
@joestringer
Copy link
Member

This seems ready to merge. Thanks for your patience.

@joestringer joestringer merged commit 316777c into cilium:main Aug 20, 2025
72 of 74 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer left review comments

@joamaki joamaki joamaki approved these changes

Assignees

@joestringer joestringer

Labels
kind/community-contribution This was a contribution made by a community member. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CI: check-log-errors/ - subsys=resolve-labels pod.core "[...]" not found when --enable-k8s-host-firewall-bypass=true
3 participants
@atykhyy @joestringer @joamaki