
daemon: Reject BPF Host Routing without KPR=strict #25803

Merged


pchaigno (Member) commented:

It's currently possible to enable BPF Host Routing with KPR=partial if masquerading is disabled. If masquerading is enabled, then we will require it to be BPF masquerading, which itself requires KPR. But if masquerading is disabled, then we currently don't have a check that prevents KPR=partial from being enabled at the same time as BPF Host Routing.

Reject incorrect configuration enable-host-legacy-routing=false kube-proxy-replacement=partial.

It's currently possible to enable BPF Host Routing with KPR=partial if
masquerading is disabled. If masquerading is enabled, then we will
require it to be BPF masquerading, which itself requires KPR. But if
masquerading is disabled, then we currently don't have a check that
prevents KPR=partial from being enabled at the same time as BPF Host
Routing.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
@pchaigno pchaigno added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/daemon Impacts operation of the Cilium daemon. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels May 31, 2023
@pchaigno pchaigno requested a review from a team as a code owner May 31, 2023 18:41
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.4 May 31, 2023
@pchaigno (Member, Author) commented:

/test

@julianwiedmann (Member) left a comment:


Thanks!

The patch description didn't parse well for me. So for posterity:

If kube-proxy is needed for any kind of service handling (KPR != strict), we can't bypass netfilter. Thus we mustn't use BPF Host Routing in such a config. The existing config validations already cover some scenarios where KPR != strict, but it's not complete. So add an explicit validation.
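To make the validation gap described in the PR description and in the review comment above concrete, here is an added example (not Cilium's own code): a small model of the relevant daemon options with the check as it behaved before the fix beside the explicit check the PR introduces. The struct fields, the string constants and the error messages are assumptions for this illustration; only the option names `enable-host-legacy-routing` and `kube-proxy-replacement` and the values `strict`/`partial` come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the daemon options this PR touches. The field names
// and the string constants are assumptions for this example; they are not
// Cilium's own option struct.
type datapathConfig struct {
	EnableHostLegacyRouting bool   // enable-host-legacy-routing; false = BPF Host Routing
	KubeProxyReplacement    string // kube-proxy-replacement: strict, partial or disabled
	EnableMasquerade        bool   // masquerading on or off
	EnableBPFMasquerade     bool   // masquerading implemented in BPF rather than iptables
}

const (
	kprStrict   = "strict"
	kprPartial  = "partial"
	kprDisabled = "disabled"
)

var errHostRoutingNeedsKPR = errors.New(
	"BPF Host Routing (enable-host-legacy-routing=false) requires kube-proxy-replacement=strict")

// validateBeforeFix mirrors the gap the PR describes: BPF Host Routing is only
// constrained through the masquerading checks, so with masquerading disabled
// nothing ties it to KPR=strict.
func validateBeforeFix(c datapathConfig) error {
	if c.EnableHostLegacyRouting {
		return nil // legacy host routing: nothing to validate here
	}
	if c.EnableMasquerade {
		if !c.EnableBPFMasquerade {
			return errors.New("BPF Host Routing requires BPF masquerading when masquerading is enabled")
		}
		if c.KubeProxyReplacement == kprDisabled {
			return errors.New("BPF masquerading requires kube-proxy replacement")
		}
	}
	return nil
}

// validateAfterFix adds the explicit check from the PR: if kube-proxy is still
// needed for any service handling (KPR != strict), netfilter cannot be
// bypassed, so BPF Host Routing is refused whatever the masquerading settings.
func validateAfterFix(c datapathConfig) error {
	if c.EnableHostLegacyRouting {
		return nil
	}
	if c.KubeProxyReplacement != kprStrict {
		return fmt.Errorf("%w (got kube-proxy-replacement=%s)", errHostRoutingNeedsKPR, c.KubeProxyReplacement)
	}
	// The pre-existing masquerading constraint is kept: the KPR part of it is
	// now redundant, but it still enforces BPF masquerading.
	if c.EnableMasquerade && !c.EnableBPFMasquerade {
		return errors.New("BPF Host Routing requires BPF masquerading when masquerading is enabled")
	}
	return nil
}

func main() {
	cases := []struct {
		name string
		cfg  datapathConfig
	}{
		{"legacy routing, KPR=partial", datapathConfig{EnableHostLegacyRouting: true, KubeProxyReplacement: kprPartial}},
		{"BPF host routing, KPR=strict", datapathConfig{KubeProxyReplacement: kprStrict}},
		{"BPF host routing, KPR=partial, no masquerading (the gap)", datapathConfig{KubeProxyReplacement: kprPartial}},
		{"BPF host routing, KPR=partial, iptables masquerading", datapathConfig{KubeProxyReplacement: kprPartial, EnableMasquerade: true}},
	}
	for _, tc := range cases {
		fmt.Printf("%-58s before: %v\n%-58s after:  %v\n", tc.name, validateBeforeFix(tc.cfg), "", validateAfterFix(tc.cfg))
	}
}
```

The third case is the configuration the PR rejects: the old path returns no error because nothing in the masquerading branch runs, while the new check refuses it on the KPR value alone. Placing the KPR test first, before any masquerading logic, is what makes the validation independent of which other features happen to be enabled.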

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 1, 2023
@julianwiedmann julianwiedmann merged commit 6c81859 into cilium:main Jun 1, 2023
62 checks passed
@pchaigno pchaigno deleted the fatal-bpf-host-routing-without-kpr branch June 1, 2023 11:13
@sayboras sayboras mentioned this pull request Jun 2, 2023
8 tasks
@sayboras sayboras added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Jun 2, 2023
@YutaroHayakawa YutaroHayakawa added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jun 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport done to v1.13 in 1.13.4 Jun 7, 2023