[v1.13] Remove remote-node labels from ipcache on node delete #28972
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e57c426 to
876abc4
Compare
[ upstream commit 6d1c07e ] [ backporter's note: several merge conflict in pkg/node/manager/manager.go: 1) Removed additional (*IPCache).RemoveMetadata in pkg/ipcache/metadata.go in favor of the existing implementation in pkg/ipcache/ipcache.go. 2) Changed RemoveMetadata in IPCache interface to RemoveLabels and adjusted parameters so pkg/ipcache.(*IPCache) satisfies the interface. 3) Adjusted m.deleteIPCache calls in (*Manager).NodeUpdated for health IPs by adding identity.IdentityUnknown and the resource ID to the existing calls. 4) Adjusted (*Manager).deleteIPCache and (*Manager).removeFromIDMD parameters to match what (*IPCache).RemoveLabels expects. 5) Use prefix in call to m.removeFromIDMD, per https://github.com/cilium/cilium/pull/27010/files#r1342807054 ] Previously the node manager code only ever performed upserts into the ipcache for remote-node labels on node creation/update events. However, it never cleaned up these labels upon delete. As a result, if a node was ever removed, then Cilium would continue to consider traffic towards that IP as traffic reaching towards a remote node. In extreme cases, this IP could be reallocated to another host in the network which could cause connectivity disruption to that peer, particularly if the new peer is subject to CIDR or Entities based policies. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io>
876abc4 to
6555df0
Compare
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1032/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/test-1.26-net-next Looks like #23309: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/1032/ |
|
/test-1.22-4.19 VM provisioning failed: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.22-kernel-4.19/285/ |
christarazi
approved these changes
Nov 7, 2023
squeed
reviewed
Nov 8, 2023
squeed
approved these changes
Nov 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Forward port #27406 to
v1.13with several edits (partially following #27010) without the revert of #26958, because that was never applied tov1.13. Supersedes #27010.Passes the first two test cases of the test script for v1.13 (slightly adjusted from the v1.12 test script used for #27406):
See commit message for detailed backporter notes.
Closes #27010