-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assume Ingress identity also for cluster internal traffic via Ingress #24826
Conversation
/test |
306966f
to
9b60458
Compare
/test |
84392c8
to
a4082f3
Compare
/test |
a4082f3
to
5d725b1
Compare
Updated to new |
IntegrationTest failed to start due to:
restarted. |
/test |
5d725b1
to
92b00f0
Compare
Updated to pick ownerReference change in CEC for shared Ingress. |
FYI. CI is failing on a test added yesterday #24835, so this branch might need to be rebased to get it to go away. (hitting the same on one of my PRs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good for @cilium/vendor changes.
Thanks a lot, I was wondering why egress tests failed suddenly 🎖️ |
This commit is to improve the Ingress coverage with below cases: - no policy, requests should pass. - default denied for all endpoints, request should fail. - default denied for all endpoints, but allow Ingress identity, requests should pass. Relates: cilium/cilium#24826 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Some Envoy API fields were renamed for clarity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add 'useOriginalSourceAddr' parameter to ParseResources() to inform if the listener should use original source address or not. Pass this as 'true' from C/CEC watchers if OwnerReferences does not contain Kind=Ingress. That is, do not use original source addressing for Ingress listeners. This makes upstream connections from Ingress listeners to use node's allocated Ingress addresses in all cases, so that the source if Ingress traffic within the cluster is seen as 'ReservedIdentityIngress' (8). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
10fd4da
to
189c142
Compare
Rebased to pick up an egress gw fix, this should be good to review/merge given that @sayboras added an integration test for this in cilium/cilium-cli#1533. |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, one small comment as per below.
if owner.Kind == "Ingress" { | ||
return true | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the same might need to be done for GatewayAPI resources (e.g. Gateway)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's do that on a separate PR as that would not need to be backported to 1.13, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jrajahalme pinging you directly for exposure in #28254. it seems this hasn't been backported for gateway api?
why doesn't this pull request have |
Fixed that, sorry. This was an author-backport and so far for me that has been a manual process. Forgot to flip the label, that's all. |
This commit is to improve the Ingress coverage with below cases: - no policy, requests should pass. - default denied for all endpoints, request should fail. - default denied for all endpoints, but allow Ingress identity, requests should pass. Relates: cilium/cilium#24826 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to improve the Ingress coverage with below cases: - no policy, requests should pass. - default denied for all endpoints, request should fail. - default denied for all endpoints, but allow Ingress identity, requests should pass. Relates: cilium#24826 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add 'useOriginalSourceAddr' parameter to ParseResources() to inform if
the listener should use original source address or not. Pass this as
'true' from C/CEC watchers if OwnerReferences does not contain
Kind=Ingress. That is, do not use original source addressing for Ingress
listeners. This makes upstream connections from Ingress listeners to use
node's allocated Ingress addresses in all cases, so that the source if
Ingress traffic within the cluster is seen as 'ReservedIdentityIngress'
(8).
Fixes: #24536