Ztunnel/populate service account #41276
Merged
+495
−207
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aanm
approved these changes
Aug 19, 2025
MikeZappa87
reviewed
Aug 19, 2025
pkg/k8s/apis/cilium.io/client/crds/v2alpha1/ciliumendpointslices.yaml
Outdated
Show resolved
Hide resolved
hemanthmalla
approved these changes
Aug 19, 2025
6769fe6 to
b7dd66a
Compare
|
/test |
giorio94
requested changes
Aug 20, 2025
f414c3e to
a4092fc
Compare
a4092fc to
adbff1b
Compare
adbff1b to
aa15582
Compare
In preparation for ztunnel integration, make a CEP's service account visible to the k8s CEP watcher. ZTunnel identifies workloads by their namespace/service account pair. It also requires the Cilium agent to forward CEP add/delete events to it, so it can keep its own proxy cache. Therefore, we need the service account of a CEP present to forward this information to ztunnel. While we can obtain the namespace from the object's meta, the service account is not available. Therefore, populate the service account information during endpoint manager synchornization. This pushes the CEP CRD up to the control plane with the service account field populated. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
To support ztunnel integration with Cilium in CiliumEndpointSlice mode we must populate the service account field in the CoreCiliumEndpoint structure. This allows agents to obtain the service account of a endpoint when the endpoint is encoded as a CoreCiliumEndpoint within a CiliumEndpointSlice. The agent will require this field when integrating ztunnel, since ztunnel considers this a key component of an Endpoint's identifier. Note: the 'omitempty` json tag on the Encryption field within this patchset was done to silence a linting error stating is was redundant for struct field members Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
In preparation for ztunnel integration when Cilium is in kvstore mode we populate the distributed identity structures with a servivce account. This allows an agent to understand the service account of a remote identity, which is a requirement for ztunnel. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
aa15582 to
5d60c7b
Compare
|
/test |
MrFreezeex
approved these changes
Aug 21, 2025
bimmlerd
requested changes
Aug 21, 2025
joestringer
reviewed
Aug 21, 2025
bimmlerd
approved these changes
Aug 22, 2025
|
I'd suggest adjusting the release note to just something like "Add Kubernetes ServiceAccount to CiliumEndpoint and CiliumEndpointSlice structures" since this is a generic change. |
|
@joestringer done! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a precursor for integrating with the ztunnel mTLS proxy.
Ztunnel's control plane expects a cluster-wide view of endpoints. It groups endpoints into trust anchors via their namespace and service account details.
Historically, the service account details for remote endpoints were not communicated via the agent.
In this PR we update the necessary identity structures to push the service account's visible into the agent.
In the ztunnel integration proper, the ztunnel control plane component will hook into the K8s watcher to inform ztunnel of created or deleted endpoints. Support for kvstore involves more work around the Identity watcher and will be deferred for the time being.