Skip to content

node: Skip ipcache for remote node IPs if IPsec is enabled #17511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 14, 2021
Merged

node: Skip ipcache for remote node IPs if IPsec is enabled #17511

merged 2 commits into from
Oct 14, 2021

Conversation

pchaigno
Copy link
Member

@pchaigno pchaigno commented Oct 1, 2021
edited
Loading

Before this pull request, if IPsec is enabled, we add all remote node IP addresses to the ipcache of all nodes, regardless of whether enable-remote-node-identity is true or false.

This pull request reverts that behavior to only add those IP addresses if remote-node identities, node encryption, or encryption+tunneling are enabled. If encryption+native routing is enabled, we don't need to expose the remote node IP addresses via the ipcache.

@pchaigno pchaigno added release-note/bug This PR fixes an issue in a previous release of Cilium. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. labels Oct 1, 2021
@pchaigno pchaigno force-pushed the test-ipsec-no-remote-node-ipcache branch 2 times, most recently from 2b2db7f to f7ba86a Compare October 4, 2021 22:21
@pchaigno pchaigno added the kind/bug This is a bug in the Cilium logic. label Oct 4, 2021
@pchaigno pchaigno marked this pull request as ready for review October 4, 2021 22:32
@pchaigno pchaigno requested a review from a team October 4, 2021 22:32
@pchaigno pchaigno requested a review from a team as a code owner October 4, 2021 22:32
@pchaigno pchaigno requested a review from jrfastab October 4, 2021 22:32
@christarazi christarazi self-requested a review October 4, 2021 22:35
christarazi
christarazi approved these changes Oct 5, 2021
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, change makes sense.

One minor code style nit: now that we've defined (*DaemonConfig).TunnelingEnabled(), maybe we could replace all instances of

grep -F ' != option.TunnelDisabled' daemon/

with the newly introduced helper, for consistency's sake.

@pchaigno
option: Introduce TunnelingEnabled helper
8c4a206 
This new method will be used in the following commit to check if
tunneling is enabled from the node package.

Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno
node: Skip ipcache for remote node IPs if IPsec is enabled
842637a 
Before this commit, if IPsec is enabled, we add all remote node IP
addresses to the ipcache of all nodes, regardless of whether
enable-remote-node-identity is true or false.

This commit reverts that behavior to only add those IP addresses if
remote-node identities, node encryption, or encryption+tunneling are
enabled. If encryption+native routing is enabled, we don't need to
expose the remote node IP addresses via the ipcache.

Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno force-pushed the test-ipsec-no-remote-node-ipcache branch from f7ba86a to 842637a Compare October 12, 2021 20:38
@pchaigno pchaigno requested a review from christarazi October 12, 2021 20:39
@pchaigno
Copy link
Member Author

/test

@pchaigno
Copy link
Member Author

pchaigno commented Oct 13, 2021
edited
Loading

The GKE node was running an outdated Go version. This has been fixed this morning.
test-gke

@jrfastab
Copy link
Contributor

This will additionally mean pod->node is not encrypted for routing use cases. I think this is OK.

@pchaigno
Copy link
Member Author

This will additionally mean pod->node is not encrypted for routing use cases. I think this is OK.

@jrfastab That's already the case, no?

@jrfastab
Copy link
Contributor

jrfastab commented Oct 13, 2021
edited
Loading

If there is a keyID in the ipcache entry we would use it. But, I just checked and we don't include keys in nodeIP entries so you are correct as far as I can see.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 13, 2021
@joestringer joestringer merged commit 7d58110 into cilium:master Oct 14, 2021
@pchaigno pchaigno deleted the test-ipsec-no-remote-node-ipcache branch October 14, 2021 08:07
@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 19, 2021
@joamaki joamaki mentioned this pull request Oct 20, 2021
Merged
@kkourt kkourt mentioned this pull request Oct 21, 2021
Closed
@nebril nebril mentioned this pull request Oct 28, 2021
Merged
@joestringer joestringer mentioned this pull request Nov 5, 2021
Merged
@joestringer joestringer mentioned this pull request Dec 10, 2021
Merged
@pchaigno pchaigno mentioned this pull request Sep 5, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrfastab jrfastab jrfastab approved these changes

@christarazi christarazi christarazi approved these changes

@michi-covalent michi-covalent michi-covalent approved these changes

@borkmann borkmann Awaiting requested review from borkmann

Assignees

@borkmann borkmann

Labels
area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@pchaigno @jrfastab @christarazi @michi-covalent @kkourt @borkmann @joamaki @joestringer @nebril @aanm