bpf: Skip policy enforcements for service loopback case #15321
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
91ba240 to
c759535
Compare
|
test-me-please |
3749b7f to
0bae7f5
Compare
pchaigno
requested changes
Mar 12, 2021
There was a problem hiding this comment.
Just posting to keep the context on changes, but I have a new version locally. I added the same for the IPv6 path and removed policy verdict notifications, but I'm still testing changes to address my second comment (ingress path). It's a bit more tortuous than I thought.
078659e to
58fb824
Compare
joestringer
reviewed
Mar 12, 2021
pchaigno
reviewed
Mar 12, 2021
pchaigno
approved these changes
Mar 12, 2021
joestringer
reviewed
Mar 12, 2021
|
The single failure is https://jenkins.cilium.io/job/Cilium-PR-K8s-1.20-kernel-4.9/953/testReport/junit/Suite-k8s-1/20/K8sDatapathConfig_AutoDirectNodeRoutes_Check_direct_connectivity_with_per_endpoint_routes/. |
|
We've hit a complexity issue on 4.9: |
|
I've removed the v1.9 backport label until we address the complexity issue. |
It's a very corner case for the policy enforcement. Shall we just say - this won't work on v1.9, so just use v1.10 instead if you want this? |
|
It already works in v1.8, we can't break it in v1.9. |
|
Then we can list it as undefined behavior on < v1.10. If users are hit by this, then they 1) can switch to the socket-LB or 2) modify a netpol to accept packets from the svc loopback IP addr. |
This was referenced Apr 28, 2021
aditighag
added a commit
to aditighag/cilium
that referenced
this pull request
Apr 29, 2021
Test for PR cilium#15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. Signed-off-by: Aditi Ghag <aditi@cilium.io>
aditighag
added a commit
that referenced
this pull request
Apr 29, 2021
[ upstream commit 799bc1 ] Test for PR #15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. Signed-off-by: Aditi Ghag <aditi@cilium.io>
rolinh
pushed a commit
that referenced
this pull request
Apr 30, 2021
Test for PR #15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. Signed-off-by: Aditi Ghag <aditi@cilium.io>
glibsm
pushed a commit
to glibsm/cilium
that referenced
this pull request
May 4, 2021
[ upstream commit 69f10ed ] Test for PR cilium#15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. backport-1.8: Resolved conflicts in test change and variable aligning Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com>
joestringer
pushed a commit
that referenced
this pull request
May 6, 2021
[ upstream commit 69f10ed ] Test for PR #15321 - tests the case where a pod connects to itself via service clusterIP when selected by a policy. backport-1.8: Resolved conflicts in test change and variable aligning Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com>
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
bpf: Skip policy enforcements for service loopback case
When an endpoint connects to itself via service clusterIP, we hairpin the
flow using a loopback IP address (configured using
--ipv4-service-loopback-address).The destination clusterIP (on egress) and loopback IP (on ingress) map to incorrect identities.
As a result, the subsequent egress and ingress policy enforcements lead to packet drops.
This is evident from the monitor output -
<- endpoint 1844 flow 0x96c8d52 identity 55108->unknown state new ifindex 0 orig-ip 0.0.0.0: 10.12.0.123:58242 -> 172.20.0.130:80 tcp SYN Policy verdict log: flow 0x96c8d52 local EP ID 1844, remote ID world, proto 6, egress, action deny, match none, 169.254.42.1:58242 -> 10.12.0.123:80 tcp SYNSkip policy enforcements (ingress and egress) in such cases since we
should allow a pod to connect to itself.
Release note
Signed-off-by: Aditi Ghag aditi@cilium.io
Co-authored-by: Paul Chaignon paul@cilium.io
Fixes: #11593