cec: support for explicit control of Cilium Policy enforcement Envoy filter injection #37868


@mhofstetter mhofstetter commented Feb 26, 2025

Currently, the Cilium Envoy network- and L7 policy enforcement filters are always automatically
injected when the `CiliumEnvoyConfig` is used for L7LB (parameter `isL7LB` - that
is set to true when `Spec.Services` are defined on the CEC).

This commit adds the possibility for a more explicit configuration of this
behaviour by adding the annotation `cec.cilium.io/inject-cilium-filters`.

If the annotation is present on the `CiliumEnvoyConfig` it is used to decide
whether Cilium Envoy filters should be automatically injected or not.

@mhofstetter mhofstetter added the kind/enhancement, area/proxy, release-note/misc and area/cec labels Feb 26, 2025
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/cec-explicit-injectciliumfilters branch from ffcce63 to d1fa8dc Compare February 26, 2025 11:20
This commit places the decision whether upstream Cilium Envoy filters
should be injected closer to the place where the downstream Cilium Envoy
filter decision is made.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/cec-explicit-injectciliumfilters branch from d1fa8dc to d18897c Compare February 27, 2025 09:52
@mhofstetter mhofstetter changed the title from "cec: support for explicit control of Cilium Envoy filter injection" to "cec: support for explicit control of Cilium Policy enforcement Envoy filter injection" Feb 27, 2025
@mhofstetter mhofstetter marked this pull request as ready for review February 27, 2025 13:38
@mhofstetter mhofstetter requested review from a team as code owners February 27, 2025 13:38
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/cec-explicit-injectciliumfilters branch from d18897c to 78b90b8 Compare February 27, 2025 14:11
@mhofstetter mhofstetter reopened this Feb 27, 2025
@jrajahalme jrajahalme left a comment

Looks right :-)

Currently, the Cilium Envoy network- and L7 filters are always automatically
injected when the CiliumEnvoyConfig is used for L7LB (parameter `isL7LB` - that
is set to true when `Spec.Services` are defined on the CEC).

This commit adds the possibility for a more explicit configuration of this
behaviour by adding the annotation `cec.cilium.io/inject-cilium-filters`.

If the annotation is present on the `CiliumEnvoyConfig` it is used to decide
whether Cilium Envoy filters should be automatically injected or not.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@mhofstetter mhofstetter force-pushed the pr/mhofstetter/cec-explicit-injectciliumfilters branch from 78b90b8 to ba7d4e3 Compare February 27, 2025 15:05
@mhofstetter

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge label Mar 4, 2025
@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 4, 2025
Merged via the queue into cilium:main with commit 97eba0e Mar 4, 2025
63 checks passed
@mhofstetter mhofstetter deleted the pr/mhofstetter/cec-explicit-injectciliumfilters branch March 4, 2025 07:16
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Apr 24, 2025
PR cilium#37868 introduced the possibility to control Cilium Envoy filter
injection via annotation.

But the PR missed one occurrence that is still only checking for
`len(spec.Services) > 0` instead of calling `injectCiliumEnvoyFilters`.

This commit fixes this.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
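
The annotation-aware decision from the PR description, set against the `len(spec.Services) > 0` check that the follow-up commit replaces, as an added Go example that is not Cilium's own code. The `cec` type, the function names and the sample objects are hypothetical, and parsing the annotation value as a boolean (with any other value ignored) is an assumption the page does not state.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation name as given in the PR description.
const injectAnnotation = "cec.cilium.io/inject-cilium-filters"

// cec is a hypothetical, reduced stand-in for a CiliumEnvoyConfig.
type cec struct {
	Name        string
	Annotations map[string]string
	Services    []string // stands in for Spec.Services
}

// legacyDecision is the Services-only rule (isL7LB).
func legacyDecision(c cec) bool { return len(c.Services) > 0 }

// annotatedDecision lets the annotation, when present, decide instead.
// Assumption: the value is a boolean string; anything else is ignored.
func annotatedDecision(c cec) bool {
	if v, ok := c.Annotations[injectAnnotation]; ok {
		if b, err := strconv.ParseBool(v); err == nil {
			return b
		}
	}
	return legacyDecision(c)
}

// divergent lists the CECs on which the two rules disagree.
func divergent(cecs []cec) []string {
	var out []string
	for _, c := range cecs {
		if l, a := legacyDecision(c), annotatedDecision(c); l != a {
			out = append(out, fmt.Sprintf("%s: services-only=%t annotation-aware=%t", c.Name, l, a))
		}
	}
	return out
}

// sampleCECs are constructed objects, not taken from the PR.
var sampleCECs = []cec{
	{Name: "lb-default", Services: []string{"svc-a"}},
	{Name: "lb-no-policy", Services: []string{"svc-b"}, Annotations: map[string]string{injectAnnotation: "false"}},
	{Name: "plain-with-policy", Annotations: map[string]string{injectAnnotation: "true"}},
}

func main() { fmt.Println(divergent(sampleCECs)) }
```

Objects reported with `annotation-aware=false` are L7LB configurations running without the policy enforcement filters, which makes them the ones to review when auditing a cluster.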
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Apr 30, 2025
github-merge-queue bot pushed a commit that referenced this pull request May 5, 2025
hsalluri259 pushed a commit to hsalluri259/cilium that referenced this pull request May 14, 2025