
Ingress policy enforcement v1.25 #402

Closed
wants to merge 3 commits into from

Commits on Oct 13, 2023

  1. fix: Flush on proxylib close

    [ upstream commit f7871bb ]
    
    Flush on proxylib close so that any remaining data is not cut off.
    
    Signed-off-by: Jarno Rajahalme <[email protected]>
    jrajahalme committed Oct 13, 2023
    Commit 0867273
  2. policy: Enforce ingress policy for Ingress

    [ upstream commit 553af5a ]
    
    Add enforce_policy_on_l7_lb to bpf_metadata config to maintain backwards
    compatibility by explicitly turning on policy enforcement on Ingress to
    support older Cilium releases on the same Envoy build.
    
    Store the original source identity for enforcing ingress policy for
    Ingress, that otherwise only enforces the egress policy, as it operates
    on the egress path. Now both ingress and egress policies for the ingress
    identity are enforced when enforce_policy_on_l7_lb is configured as
    'true'.
    
    Ingress arrives at Cilium nodes on node ports, which are meaningless for
    Cilium Network Policies. To remedy this, the destination port of the
    selected backend is also used in ingress path policy enforcement. Note
    that this destination port may be different from the one at which the
    traffic was first received at the external load balancer.
    
    Signed-off-by: Jarno Rajahalme <[email protected]>
    jrajahalme committed Oct 13, 2023
    Commit 476cd7f
  3. bpf_metadata: refactor Config::getMetadata(), error out on invalid input

    [ upstream commit ee919e1 ]
    
    Refactor Config::getMetadata() processing of L7 LB config to be more
    explicit and to error out on invalid config so that invalid traffic does
    not accidentally slip through.
    
    Adjust tests accordingly and add new tests to cover the new
    'enforce_policy_on_l7lb' option.
    
    Signed-off-by: Jarno Rajahalme <[email protected]>
    jrajahalme committed Oct 13, 2023
    Commit 3639622
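To make the semantics described in commits 2 and 3 concrete, the following is an added Python model of the ingress-path policy decision. It is not code from cilium/proxy (which implements this in C++ inside Envoy's bpf_metadata listener filter); the `Rule` shape, the `ingress_path_allowed` function, the `InvalidL7LbConfig` error and the identity numbers are assumptions made here for illustration. What it shows: with `enforce_policy_on_l7_lb` off only the Ingress identity's egress policy towards the selected backend is checked; with it on, the Ingress identity's ingress policy from the stored original source identity is checked as well; the node port the traffic arrived on is never used as the policy port, the selected backend's destination port is; and an inconsistent configuration (enforcement requested without an original source identity) fails closed instead of letting traffic through.

```python
"""Hypothetical model of ingress-path policy enforcement for Ingress traffic.

Added example, not cilium/proxy code. Identity numbers and rule layout are
assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed identity numbers for the example.
WORLD = 2          # traffic entering the cluster from outside
INGRESS_ID = 8     # identity under which the Ingress proxy's policy is evaluated
BACKEND_ID = 1000  # identity of the selected backend pod


@dataclass(frozen=True)
class Rule:
    """One L3/L4 allow rule in the policy of `subject`."""
    subject: int    # identity whose policy this rule belongs to
    ingress: bool   # True: ingress rule (peer is the source); False: egress rule
    peer: int       # remote identity the rule allows
    port: int       # destination port the rule allows


class InvalidL7LbConfig(ValueError):
    """Raised on an inconsistent L7 LB config so traffic does not slip through."""


def _allowed(rules: Iterable[Rule], subject: int, ingress: bool, peer: int, port: int) -> bool:
    """Exact-match lookup; a real implementation would use a policy map."""
    return any(r == Rule(subject, ingress, peer, port) for r in rules)


def ingress_path_allowed(
    rules: Iterable[Rule],
    *,
    original_source_identity: Optional[int],
    backend_identity: int,
    node_port: int,
    backend_port: int,
    enforce_policy_on_l7_lb: bool,
    ingress_identity: int = INGRESS_ID,
) -> bool:
    """Decide whether an Ingress-forwarded connection may reach its backend.

    `node_port` is accepted to make the point explicit: it is the port the
    traffic arrived on and is meaningless to the policy, so it is ignored.
    """
    rules = list(rules)
    # Fail closed: enforcing ingress policy needs the stored original source
    # identity; without it the config is invalid rather than permissive.
    if enforce_policy_on_l7_lb and original_source_identity is None:
        raise InvalidL7LbConfig(
            "enforce_policy_on_l7_lb requires the original source identity"
        )

    # Policy is evaluated on the selected backend's destination port, which
    # may differ from the port the external load balancer received on.
    policy_port = backend_port

    # The Ingress proxy sits on the egress path, so its egress policy towards
    # the backend is always enforced.
    egress_ok = _allowed(rules, ingress_identity, False, backend_identity, policy_port)
    if not enforce_policy_on_l7_lb:
        return egress_ok

    # With enforcement on, the Ingress identity's ingress policy from the
    # original source is enforced as well, on the same backend port.
    ingress_ok = _allowed(rules, ingress_identity, True, original_source_identity, policy_port)
    return egress_ok and ingress_ok


# Constructed sample policy: the Ingress may talk to the backend on 8080 and
# may accept traffic from the world on 8080. Nothing mentions the node port.
SAMPLE_RULES = (
    Rule(INGRESS_ID, False, BACKEND_ID, 8080),
    Rule(INGRESS_ID, True, WORLD, 8080),
)


if __name__ == "__main__":
    print(ingress_path_allowed(SAMPLE_RULES, original_source_identity=WORLD,
                               backend_identity=BACKEND_ID, node_port=31234,
                               backend_port=8080, enforce_policy_on_l7_lb=True))
```

The node port 31234 in the sample never appears in a rule, yet the request is allowed because the lookup is keyed on the backend port 8080; flip `enforce_policy_on_l7_lb` off and the same request passes on the egress rule alone, even from a source identity the ingress rule does not allow.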