Skip to content

iptables: periodically run rules reconciliation to fix possible drifts #34661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 4, 2024
Merged

iptables: periodically run rules reconciliation to fix possible drifts #34661

merged 2 commits into from
Sep 4, 2024

Conversation

giorio94
Copy link
Member

@giorio94 giorio94 commented Sep 3, 2024

07b336f ("iptables: Add rules runtime reconciliation") introduced a reconciler to manage the configuration of iptables rules and react to updates of external facing network devices and local node parameters.

As an additional measure to ensure eventual consistency of the iptables rules, let's also periodically rerun the full reconciliation process. This aims to fix possible inconsistencies caused by external modifications, such as due to startup race conditions between Cilium and kube-proxy. The reconciliation interval is currently configured to 30 minutes to limit the amount of additional churn, and the reconciliation gets automatically rescheduled if it had already been triggered in the same period.

@giorio94
iptables: use fake clock in reconciler tests
686e40c 
As a preparation for the subsequent change (and the associated test),
let's modify the iptables reconciler to take a clock instance as
parameter, and leverage the available fake implementation in the unit
test. This enables granular time control for improved testing, as
well as reduced test duration.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
iptables: trigger periodic reconciliation to fix possible drifts
dd69812 
07b336f ("iptables: Add rules runtime reconciliation") introduced a
reconciler to manage the configuration of iptables rules and react to
updates of external facing network devices and local node parameters.

As an additional measure to ensure eventual consistency of the iptables
rules, let's also periodically rerun the full reconciliation process. This
aims to fix possible inconsistencies caused by external modifications,
such as due to startup race conditions between Cilium and kube-proxy. The
reconciliation interval is currently configured to 30 minutes to limit
the amount of additional churn, and the reconciliation gets automatically
rescheduled if it had already been triggered in the same period.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/iptables Impacts how Cilium interacts with iptables. labels Sep 3, 2024
@giorio94 giorio94 requested a review from pippolo84 September 3, 2024 09:58
@giorio94
Copy link
Member Author

giorio94 commented Sep 3, 2024

/test

pippolo84
pippolo84 approved these changes Sep 3, 2024
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing, thanks! 💯

@giorio94 giorio94 marked this pull request as ready for review September 3, 2024 14:16
@giorio94 giorio94 requested a review from a team as a code owner September 3, 2024 14:16
@giorio94 giorio94 requested a review from ysksuzuki September 3, 2024 14:16
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 4, 2024
@tklauser tklauser added this pull request to the merge queue Sep 4, 2024
Merged via the queue into cilium:main with commit eceb098 Sep 4, 2024
76 checks passed
@giorio94 giorio94 deleted the mio/iptables-reconciler-periodic-reconciliation branch September 4, 2024 16:13
@borkmann borkmann mentioned this pull request Sep 5, 2024
Closed
3 tasks
HadrienPatte added a commit that referenced this pull request Aug 8, 2025
@HadrienPatte
datapath: Use go 1.23 timers
c9fba25 
This is a followup to #34661. Now that cilium uses go 1.24, it is safe
to remove the pre-go1.23 workaround for timer reset. See https://go.dev/wiki/Go123Timer

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@HadrienPatte HadrienPatte mentioned this pull request Aug 8, 2025
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pippolo84 pippolo84 pippolo84 approved these changes

@ysksuzuki ysksuzuki ysksuzuki approved these changes

Assignees
No one assigned
Labels
area/iptables Impacts how Cilium interacts with iptables. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@giorio94 @pippolo84 @ysksuzuki @tklauser