Ciliumidentity: newly allocated ciliumidentity may become dirty data and the amount of ciliumidentity increase forever #35947

Merged
merged 1 commit into from
Nov 22, 2024

Conversation

@orange30 orange30 commented Nov 13, 2024

When a pod changes labels and is immediately deleted, the newly allocated identity may become dirty data in the Allocator's localKeys because of the race between "resolve-identity controller -> identityLabelsChanged" and "func (e *Endpoint) Stop()". But in func (a *Allocator) syncLocalKeys, which is called periodically every five minutes, for every entry in the Allocator's localKeys, especially for the dirty data, it will delete the ciliumidentity's annotation "io.cilium.heartbeat" which is attached by the cilium-operator ciliumidentity GC. Then the amount of ciliumidentity in apiserver and etcd will increase forever, which is a big threat to apiserver and etcd.

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Fixes: #35946

Fixes a bug where identities may be leaked if a pod changes labels and is immediately deleted.
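As an added illustration, not code from this PR or from Cilium, the following Go model shows why a stale localKeys entry keeps an identity alive forever: the operator GC is simplified to "stamp the heartbeat on an unused identity, delete it on a later pass if the stamp survived", and the agent's sync clears the stamp for everything still in localKeys. The names Cluster, OperatorGC, SyncLocalKeys and Simulate and the 15-minute interval are constructed for the example.

```go
package main

import "time"

// Cluster is a constructed, simplified model (not Cilium's code) of the parties involved.
type Cluster struct {
	Heartbeat map[int]time.Time // CiliumIdentity -> "io.cilium.heartbeat" stamp (zero = absent)
	InUse     map[int]bool      // identities referenced by a running endpoint
	LocalKeys map[int]bool      // entries in the agent Allocator's localKeys cache
}

// OperatorGC models the cilium-operator identity GC: an unused identity is stamped
// first and deleted on a later pass only if the stamp survived longer than timeout.
func (c *Cluster) OperatorGC(now time.Time, timeout time.Duration) {
	for id, hb := range c.Heartbeat {
		switch {
		case c.InUse[id]: // still referenced: leave it alone
		case hb.IsZero():
			c.Heartbeat[id] = now
		case now.Sub(hb) > timeout:
			delete(c.Heartbeat, id)
		}
	}
}

// SyncLocalKeys models the agent's periodic syncLocalKeys: every identity still in
// localKeys is treated as alive, so its heartbeat annotation is removed.
func (c *Cluster) SyncLocalKeys() {
	for id := range c.LocalKeys {
		if _, exists := c.Heartbeat[id]; exists {
			c.Heartbeat[id] = time.Time{}
		}
	}
}

// Simulate pushes one identity whose endpoint already stopped through `rounds`
// sync+GC rounds and returns how many identities survive; dirty=true leaves the
// stale key in localKeys, which is the state the race on the page produces.
func Simulate(dirty bool, rounds int) int {
	c := &Cluster{Heartbeat: map[int]time.Time{1: {}}, InUse: map[int]bool{}, LocalKeys: map[int]bool{}}
	if dirty {
		c.LocalKeys[1] = true
	}
	now := time.Unix(0, 0)
	for i := 0; i < rounds; i++ {
		c.SyncLocalKeys()
		c.OperatorGC(now, 15*time.Minute) // interval and timeout are constructed values
		now = now.Add(15 * time.Minute)
	}
	return len(c.Heartbeat)
}
```

With a clean localKeys the identity is gone after a few rounds; with the stale entry every sync wipes the heartbeat before the GC can act on it, so the count never drops, which is the unbounded growth the description warns about.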

@orange30 orange30 requested a review from a team as a code owner November 13, 2024 08:01
@orange30 orange30 requested a review from tklauser November 13, 2024 08:01
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 13, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Nov 13, 2024
@orange30 orange30 changed the title Ciliumidentity: newly allocated ciliumidentity may become dirty data Ciliumidentity: newly allocated ciliumidentity may become dirty data and the amount of ciliumidentity increase forever Nov 13, 2024
@aanm aanm requested review from squeed and marseel and removed request for tklauser November 18, 2024 08:49
@aanm aanm added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Nov 18, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 18, 2024
aanm commented Nov 18, 2024

/test

@squeed squeed left a comment

very good catch!

@squeed squeed added the dont-merge/bad-bot To prevent MLH from marking ready-to-merge. label Nov 19, 2024
squeed commented Nov 19, 2024

Marking as don't merge until a proper release note is added (and CI is green :-) )

@ovidiutirla
Contributor

Could we also have some tests added so we can prevent any regressions?

@orange30
Contributor Author

release note

The release note has been modified, please help to check it again, thanks!

@orange30 orange30 requested a review from squeed November 20, 2024 03:10
marseel commented Nov 20, 2024

/test

When a pod changes labels and is immediately deleted, the newly allocated identity may become dirty data in the Allocator's localKeys because of the race between "resolve-identity controller -> identityLabelsChanged" and "func (e *Endpoint) Stop()". But in func (a *Allocator) syncLocalKeys, which is called periodically every five minutes, for every entry in the Allocator's localKeys, especially for the dirty data, it will delete the ciliumidentity's annotation "io.cilium.heartbeat" which is attached by the cilium-operator ciliumidentity GC. Then the amount of ciliumidentity in apiserver and etcd will increase forever, which is a big threat to apiserver and etcd.

Fixes: cilium#35946

Signed-off-by: zhikuodu <duzhk@qq.com>
marseel commented Nov 20, 2024

/test

@squeed squeed added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. and removed dont-merge/bad-bot To prevent MLH from marking ready-to-merge. labels Nov 20, 2024
squeed commented Nov 20, 2024

@ovidiutirla this is a tricky case to try and unit-test; I'm not sure there's a reasonable way to do it :-(.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 21, 2024
@tklauser tklauser added this pull request to the merge queue Nov 22, 2024
Merged via the queue into cilium:main with commit 91c6a51 Nov 22, 2024
64 checks passed