Fix incompatibility issue between Egress Gateway and L7 Policy #32828
Conversation
egress_gw_request_needs_redirect* functions already return the proper error code, so there is no need to return DROP_NO_EGRESS_GATEWAY from the caller side. Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
Currently packets from Pods selected by an egress gateway policy will not be forwarded to a gateway if there's an L7 policy applied to those packets. That's because we apply the egress gateway policy at bpf_lxc right after the L7 policy redirection. Therefore the Egress Gateway logic will be skipped if packets are redirected to the L7 proxy. This commit adds the egress gateway handling code at to-netdev@bpf_host so that packets from the L7 proxy can be properly redirected to an egress gw. We will keep the egress gw code in from-container@bpf_lxc around until v1.17 to avoid disruption of traffic to the egress gateway. It's possible that the datapath ends up in an incomplete state where bpf_lxc has been upgraded while bpf_host hasn't during the upgrade. If that situation were to occur, traffic destined for the egress gateway would be broken for that period of time. So we will keep the egress gateway code at both bpf_lxc and bpf_host to avoid this scenario. Fixes: cilium#19642 Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com>
/test
My understanding is, skbs are still redirected to the L7 proxy from lxc, then we handle the egress gw business at to_netdev@eth0 for proxy traffic. But this relies on the routing mode, doesn't it?
(I suppose egress gw is compatible with tunnel.) When tunnel is enabled with egw, the L7 proxy's packets are routed to cilium_host, where the skbs are bpf_redirected to cilium_vxlan for encap. In this case, the to_netdev bpf doesn't have a chance to process the egress gateway logic for the proxy traffic. Is this the correct assumption?
Actually, that's not quite right. Since traffic leaving the cluster is not redirected to cilium_vxlan there, it should be handled by the egress gateway logic at to-netdev. Regarding the EgressGW, we only care about traffic leaving the cluster.
looks great, thank you!
I polished the release note a tiny bit, and updated the release-note label. This feels more like an enhancement, and not a bugfix that we would attempt to backport.
This option was suggested to deal with an incompatibility between EGW and L7 policies. The incompatibility has been addressed by cilium#32828. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
@julianwiedmann Since you have removed the incompatibility notice in the EgressGateway documentation https://github.com/cilium/cilium/pull/32828/files/e169996613bc2cd9b6ce48df991e792401b4f3be#diff-254749e3152a2d97fdff438b3b2a1611eb7e575f1f0f665ebb534f977d5b661cL72 I guess that
Yep! Can you please open a PR?
Cleaning up a minor oversight in the documentation following this merge cilium#32828 Signed-off-by: cdtzabra <22188574+cdtzabra@users.noreply.github.com>
Here is the PR #33516
In v1.16 we added an EGW policy hook in to-netdev (as part of cilium#32828), and the hook in from-container only stayed around for seamless upgrade compatibility. With v1.17 it's now time to remove the hook in from-container, and all associated test infrastructure. Fixes: cilium#32994 Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
#32828 resolved the incompatibility in Cilium v1.16. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Currently packets from Pods selected by an egress gateway policy will not be forwarded to a gateway if there's an L7 policy applied to those packets. That's because we apply the egress gateway policy at bpf_lxc right after the L7 policy redirection. Therefore the Egress Gateway logic will be skipped if packets are redirected to the L7 proxy.
This PR adds the egress gateway handling code at to-netdev@bpf_host so that packets from the L7 proxy can be properly redirected to an egress gw.
Fixes: #19642
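A simplified model of the hook ordering the PR describes, added here as an illustration and not Cilium's datapath code (the hook functions, packet fields and policy tables are constructed for this example): the L7 redirect in from-container returns before the egress gateway lookup, so placing a second lookup in to-netdev covers proxy traffic, and keeping both hooks tolerates a node whose bpf_lxc and bpf_host are at different versions.

```python
"""Model of where the egress gateway (EGW) lookup runs relative to the L7
proxy redirect. Illustration only, not Cilium code; names are invented."""
from dataclasses import dataclass


@dataclass
class Packet:
    src_pod: str
    dst: str
    via_proxy: bool = False          # set when redirected to the L7 proxy
    snat_to_gateway: bool = False    # set when the EGW lookup selects it


# Constructed policy tables for the example.
L7_POLICY_PODS = {"app-1"}               # pods with an L7 policy
EGW_POLICY_PODS = {"app-1", "app-2"}     # pods selected by an EGW policy


def egress_gw_check(pkt: Packet) -> None:
    """Mark the packet for SNAT to the gateway if an EGW policy selects it."""
    if pkt.src_pod in EGW_POLICY_PODS:
        pkt.snat_to_gateway = True


def from_container(pkt: Packet, lxc_has_egw_hook: bool) -> Packet:
    """bpf_lxc: the L7 redirect returns early, skipping the EGW lookup."""
    if pkt.src_pod in L7_POLICY_PODS:
        pkt.via_proxy = True
        return pkt               # redirected to the proxy; nothing below runs
    if lxc_has_egw_hook:         # the hook kept in from-container until v1.17
        egress_gw_check(pkt)
    return pkt


def to_netdev(pkt: Packet, host_has_egw_hook: bool) -> Packet:
    """bpf_host: the PR adds the EGW lookup here, so proxy traffic is covered."""
    if host_has_egw_hook:
        egress_gw_check(pkt)
    return pkt


def send(pod: str, lxc_has_egw_hook: bool, host_has_egw_hook: bool) -> Packet:
    """Run one cluster-leaving packet through both hooks on a node."""
    pkt = from_container(Packet(pod, "203.0.113.10"), lxc_has_egw_hook)
    return to_netdev(pkt, host_has_egw_hook)


if __name__ == "__main__":
    print(send("app-1", True, False).snat_to_gateway)   # before the PR: False
    print(send("app-1", True, True).snat_to_gateway)    # with the PR: True
    print(send("app-2", False, False).snat_to_gateway)  # lxc hook dropped, old host: False
```

The last case is the partial-upgrade scenario the commit message describes: removing the from-container hook before bpf_host carries its own lookup would break gateway traffic for pods without an L7 policy.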