cilium: Add option for lb src ranges to act as deny cidr list #36120

Merged
merged 3 commits into from
Nov 26, 2024

borkmann
Member

(see commit desc)

@borkmann borkmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Nov 22, 2024
@borkmann borkmann changed the title cilium: Add option for lb src ranges to act as deny list cilium: Add option for lb src ranges to act as deny cidr list Nov 22, 2024
@borkmann borkmann force-pushed the pr/lbsrcranges branch 2 times, most recently from b0a195d to e8cf5a1 Compare November 25, 2024 15:45
Extend BPF side to add a service flag for turning the
loadBalancerSourceRanges into a deny CIDR list. The flag
used is always on the master entry; actual non-master entries
use the flag to indicate that a service backend is quarantined.
Both usages are guaranteed not to overlap.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann force-pushed the pr/lbsrcranges branch 2 times, most recently from 39e3eac to c4735f1 Compare November 26, 2024 10:14
@borkmann borkmann marked this pull request as ready for review November 26, 2024 10:27
@borkmann borkmann requested review from a team as code owners November 26, 2024 10:27
@borkmann borkmann requested review from youngnick and a user November 26, 2024 10:27
Add agent-side handling of the source ranges policy annotation in order
to plumb the flag through into the BPF service map.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Extend the KPR guide to document the loadBalancerSourceRanges extension
along with usage examples.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
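
The flag semantics described in the first commit message, as an added example (not code from this PR or from Cilium): a simplified user-space C model in which one flag bit means "source ranges are a deny list" on the master entry and "quarantined" on a backend entry. All struct, function and flag names, the use of slot 0 to mark the master entry, and the sample CIDR are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag bit; not Cilium's actual name or value. */
#define SVC_FLAG_DUAL 0x1

/* Simplified service map entry (assumption): slot 0 is the master entry. */
struct svc_entry { uint16_t backend_slot; uint8_t flags; };
struct cidr { uint32_t addr; uint8_t len; }; /* host byte order, len 0..32 */

static bool cidr_match(const struct cidr *c, uint32_t ip)
{
    uint32_t mask = c->len ? ~(uint32_t)0 << (32 - c->len) : 0;
    return (ip & mask) == (c->addr & mask);
}

/* On the master entry the bit turns the source ranges into a deny list. */
static bool src_ranges_deny(const struct svc_entry *e)
{
    return e->backend_slot == 0 && (e->flags & SVC_FLAG_DUAL);
}

/* On a backend entry the same bit marks the backend as quarantined. */
static bool backend_quarantined(const struct svc_entry *e)
{
    return e->backend_slot != 0 && (e->flags & SVC_FLAG_DUAL);
}

/* True if traffic from ip may reach the service behind this master entry. */
static bool src_range_ok(const struct svc_entry *master,
                         const struct cidr *ranges, size_t n, uint32_t ip)
{
    bool hit = false;

    if (n == 0)
        return true; /* no ranges configured: no source restriction */
    for (size_t i = 0; i < n && !hit; i++)
        hit = cidr_match(&ranges[i], ip);
    /* Allow list: a match passes. Deny list: a match is dropped. */
    return src_ranges_deny(master) ? !hit : hit;
}

/* Constructed sample data: one range, 192.0.2.0/24. */
static const struct cidr sample_ranges[] = { { 0xC0000200u, 24 } };
static const struct svc_entry allow_master = { 0, 0 };
static const struct svc_entry deny_master = { 0, SVC_FLAG_DUAL };
static const struct svc_entry quarantined_backend = { 1, SVC_FLAG_DUAL };
```

Because the meaning of the bit depends on which kind of entry carries it, a check that reads the flag without first distinguishing master from backend entries would confuse a quarantined backend with a deny-list service.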
@borkmann
Member Author

/test

@ghost ghost left a comment

docs good

@borkmann borkmann merged commit 0127b24 into main Nov 26, 2024
282 of 283 checks passed
@borkmann borkmann deleted the pr/lbsrcranges branch November 26, 2024 13:01
@julianwiedmann julianwiedmann added the area/loadbalancing Impacts load-balancing and Kubernetes service implementations label Nov 26, 2024
joamaki added a commit to joamaki/cilium that referenced this pull request May 14, 2025
This ports cilium#36120 to the new control-plane.

Signed-off-by: Jussi Maki <jussi@isovalent.com>
joamaki added a commit to joamaki/cilium that referenced this pull request May 19, 2025
This ports cilium#36120 to the new control-plane.

Signed-off-by: Jussi Maki <jussi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request May 19, 2025
This ports #36120 to the new control-plane.

Signed-off-by: Jussi Maki <jussi@isovalent.com>