wireguard: improve tracking of `allowedIPs`

[julianwiedmann]

Consider the cilium datapath config when deciding which IPs need to be tracked as allowedIPs:

• for overlay routing, we expect that all pod traffic is encapsulated in VXLAN / GENEVE. Hence we shouldn't need to track pod IPs.
• for native routing, we should be able to register PodCIDRs (instead of individual pod IPs).
• for native routing without per-node PodCIDRs, @marseel suggested looking into prefix delegation.

[smagnani96]

This is just to raise visibility on the activity: I'm experimenting a bit in https://github.com/smagnani96/cilium/tree/pr/allowed-ips.
Not ready for a PR yet though, need further consideration:

1. Testing
2. PrefixDelegation

[jschwinger233]

(you can always draft a pr and close it later.

[smagnani96]

benchmark.zip

I carried out a benchmark to understand and estimate the pros and cons of different implementations.
The main blocker here is only the ENIPrefixDelegation: the prefixes are visibile in the k8s object and accessed/retrieved by our IPAM, but we do not propagate this to the nodeConfig. Therefore, as for now --correct me if I'm wrong --, from the WireGuard agent there's no way to access this information (at least not yet). As a result, we continue to see all the /32 IPs upserted through IPCache and we have no way to check if those are within pod allocation CIDRs/Prefixes in ENIPrefixDelegationMode.

For this reason, before going straight to one path, I decided to carry out a benchmark to validate multiple solutions:

1. bitlpm.CIDRTrie
2. custom data structure with inner HashMap + Slice
3. custom data structure with inner HashMap + Trie

In the provided zip folder you can find all the setup with some results, as well as a README with explanations.
After this analysis, I believe that having a pure (1) bitlpm.CIDRTrie wouldn't significantly affect our performance that much even in the worst case of having all /32 (as for the prefix-delegation). For all the other cases, it works smoothly and provides a clean solution without having to support new and custom data structures + potential flaws (and if in the future we are able to retrieve those prefixes in ENI, we wouldn't need to track single all /32 anymore).

[gandro]

(and if in the future we are able to retrieve those prefixes in ENI, we wouldn't need to track single all /32 anymore).

Apologies for the drive-by comment. There will always be IPAM modes (legacy Azure, AlibabaCloud, "crd" mode, delegated IPAM) that have neither prefixes nor pod CIDRs, right?

Since I think we will have to support cidr-less IPAM anyways, any solution we come up with needs to keep working with individual IPs even once we fix the ENI PD case.

[smagnani96]

Thanks @gandro for the feedback!

Apologies for the drive-by comment. There will always be IPAM modes (legacy Azure, AlibabaCloud, "crd" mode, delegated IPAM) that have neither prefixes nor pod CIDRs, right?

I think I was not fully aware of this, but it is super useful for deciding the implementation.
Newbie question:

1. In case we DO have the pod CIDRs, how many of them do we expect to have (order of magnitude)?
2. Do we expect CIDRs to be ipcache-upserted (in the future)?

Since I think we will have to support cidr-less IPAM anyways, any solution we come up with needs to keep working with individual IPs even once we fix the ENI PD case.

That's a must, I'm accounting for this. All the proposed method should not cause disruption.

[gandro]

1. In case we DO have the pod CIDRs, how many of them do we expect to have (order of magnitude)?

• ipam: clusterpool and ipam: kubernetes: always exactly one (or exactly two, in case of dual stack) pod CIDR(s) per node
• ipam: multi-pool (beta), and ENI PD: highly depends on the user configuration and number of pods per node. I'd say on average 2-4 per node (4-8 in dual-stack), up to a couple dozen CIDRs (per node) realistically at most

2. Do we expect CIDRs to be ipcache-upserted (in the future)?

Maybe? I recall some discussions where we considered that to detect traffic to CiliumEndpoints that have not been discovered yet, which could be useful for defense-in-depth mechanisms in policy and encryption. But I don't think there are concrete plans for this at the moment

[jschwinger233]

I think ipam mode doesn't even matter if we enable tunnel routing. We can handle tunnel routing as the first step.

[gandro]

Turns out chaining mode complicates the picture, as a node might announce a pod CIDR (and use it to allocate the router IP) but the chained CNI plugin can still allocate IPs outside of that pod CIDR. Thus only adding the pod CIDR to the allowedIPs list for that peer would be wrong, as we would also have to add the individual pod IPs allocated by the chained CNI plugin as well to capture the traffic of those pods.

Given that, I believe these two assumptions still hold true:

• If a node has a pod CIDR in the nodeTypes.Node object, no other node will have that pod CIDR in it's nodeTypes.Node object
• If a node has a pod CIDR, there can still be pod IPs hosted on that node which are outside of that pod CIDR

Therefore, I believe that if we merge both pod CIDRs (from the node manager) and individual pod IPs (from IPCache), we should obtain a valid set of allowedIPs. We can reduce the size of that set by using a trie to coalesce pod IPs into pod CIDRs where possible.