Skip to content

ClusterMesh: improve validation of remote endpoints and identities #32785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 4, 2024
Merged

ClusterMesh: improve validation of remote endpoints and identities #32785

merged 6 commits into from
Jun 4, 2024

Conversation

giorio94
Copy link
Member

Explicitly validate that the identities retrieved from a remote cluster match the expected range based on the corresponding clusterID, to ensure improved consistency and prevent the propagation of corrupted data. Additionally, ensure that said identities include the cluster label matching the expected cluster name for the given cluster. Similarly, ensure that the unmarshaled endpoint data matches the kvstore key it was retrieved from.

Please review commit by commit, and refer to the individual descriptions for additional details.
Related: #29602, #32749

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 30, 2024
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label May 30, 2024
@giorio94 giorio94 added area/clustermesh Relates to multi-cluster routing functionality in Cilium. release-note/misc This PR makes changes that have no direct user impact. and removed sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels May 30, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 30, 2024
@giorio94 giorio94 added area/agent Cilium agent related. area/kvstore Impacts the KVStore package interactions. labels May 30, 2024
@giorio94
Copy link
Member Author

/test

@giorio94 giorio94 marked this pull request as ready for review May 30, 2024 12:38
@giorio94 giorio94 requested review from a team as code owners May 30, 2024 12:38
@giorio94 giorio94 force-pushed the mio/clustermesh-ip-identities-validation branch from cc38a40 to 3542a55 Compare May 30, 2024 16:22
@giorio94
Copy link
Member Author

Rebased onto main to fix conflict.

@giorio94
Copy link
Member Author

/test

@giorio94
ipcache: validate unmarshaled IPIdentityPair information
a528ccb 
Ensure that the unmarshaled data matches the kvstore key it was
retrieved from, to ensure consistency and prevent the propagation
of corrupted data.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 force-pushed the mio/clustermesh-ip-identities-validation branch from 3542a55 to dbffa40 Compare May 31, 2024 09:11
@giorio94
Copy link
Member Author

Rebased onto main to fix conflict.

@giorio94
Copy link
Member Author

/test

asauber
asauber approved these changes May 31, 2024
View reviewed changes
pippolo84
pippolo84 approved these changes May 31, 2024
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! 🚀
Just a non-blocking suggestion left inline.

giorio94 added 5 commits June 3, 2024 08:56
@giorio94
identity: parametrize AllocationIdentity range functions
96913a4 
Take the clusterID as parameter, rather than retrieving it from the
global option. This allows to reuse the same methods also for clusterIDs
different from the one configured locally.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
identity/crd: fix incorrect comparison in UpdateFunc handler
1f27f32 
Fix the handling of CiliumIdentity events received from the k8s informer
to correctly compare the old and new object, rather than the new one
with itself, and propagate modification events as expected. Although
identities are never expected to be modified (only added and removed),
this ensures that the corresponding warnings are emitted as expected.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
identity/cache: merge OnAdd and OnModify into OnUpsert
ead63e5 
In preparation for the subsequent commits, and to simplify the overall
logic, let's remove the difference between Add and Modify events, in
favor of a single Upsert one. Identities are never expected to be
modified (only added and removed), hence this change is effectively a
no-op. However, differentiating add and modify events is typically
fragile and can lead to possible inconsistencies (e.g., if incomplete
or invalid Add events are filtered out, while subsequent updates are
propagated). Additionally, the downstream logic is already designed to
correctly handle (and ignore, when appropriate) updates.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
identity/cache: add support for validating identity events
b6c88d5 
In preparation for the subsequent commit, let's introduce the
possibility of configuring additional validators to filter out
invalid identity events received from CRD or kvstore. Upsert
events marked as invalid are directly skipped. Deletions, instead,
are propagated for previously known identities only, to avoid
leaving stale identities behind.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
clustermesh: additional validation of remote identities
0a40f14 
Explicitly validate that the identities retrieved from a remote cluster
match the expected range based on the corresponding clusterID, to ensure
improved consistency and prevent the propagation of corrupted data.
Additionally, ensure that said identities include the cluster label
matching the expected cluster name for the given cluster.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 force-pushed the mio/clustermesh-ip-identities-validation branch from dbffa40 to 0a40f14 Compare June 3, 2024 06:57
@giorio94
Copy link
Member Author

giorio94 commented Jun 3, 2024

/test

marseel
marseel approved these changes Jun 3, 2024
View reviewed changes
Copy link
Contributor

@marseel marseel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 💯

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 3, 2024
@julianwiedmann julianwiedmann added this pull request to the merge queue Jun 4, 2024
Merged via the queue into cilium:main with commit fa8d121 Jun 4, 2024
This was referenced Jun 10, 2024
Merged
Closed
@giorio94 giorio94 mentioned this pull request Jul 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebril nebril nebril approved these changes

@pippolo84 pippolo84 pippolo84 approved these changes

@marseel marseel marseel approved these changes

@asauber asauber asauber approved these changes

Assignees
No one assigned
Labels
area/agent Cilium agent related. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/kvstore Impacts the KVStore package interactions. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@giorio94 @nebril @pippolo84 @marseel @asauber @julianwiedmann