
pkg/identity: Watch and update labels for the host#11543

Merged
aanm merged 1 commit into master from pr/pchaigno/node-labels on May 19, 2020

Conversation

@pchaigno (Member)

This commit adds a k8s watcher for label updates on the host. It allows node network policies to select the nodes based on labels. For now, the same label filters are used for the nodes as for the labels.

Whatever the labels it receives, because we know there can be only one host endpoint per node, the host endpoint will always retain its security ID of 1. We therefore don't need to reload the host endpoint's datapaths on label updates.

@pchaigno pchaigno added labels May 15, 2020: area/k8s (Impacts the kubernetes API, or kubernetes -> cilium internals translation layers), release-note/minor (This PR changes functionality that users may find relevant to operating Cilium), sig/policy (Impacts whether traffic is allowed or denied based on user-defined policies).
coveralls commented May 15, 2020

Coverage decreased (-0.02%) to 36.991% when pulling 85f90ff on pr/pchaigno/node-labels into 7e328b1 on master.

@pchaigno pchaigno marked this pull request as ready for review May 15, 2020 10:45
@pchaigno pchaigno requested a review from a team as a code owner May 15, 2020 10:45
@pchaigno pchaigno requested review from a team May 15, 2020 10:45
@pchaigno pchaigno force-pushed the pr/pchaigno/node-labels branch from 6387ff2 to 45c7275 Compare May 15, 2020 14:14
@tgraf tgraf (Contributor) left a comment

I'm not sure I fully understand yet what this will enable. This will create an identity ID 1 with labels which will always remain in the scope of the node, as it is reserved. It will thus enable referring to the local node by its own labels.

I assume this intends to enable referring to other nodes by node labels at some point. That will require using a non-reserved identity and allocating an identity instead based on the node labels found on the node.

It will also require:

  • Representing the node IPs as CiliumEndpoint and inserting them into the kvstore ipcache
  • Individual nodes will no longer have to maintain the ipcache based on CiliumNode or Node events but can instead get their ipcache filled via the CiliumEndpoint or kvstore updates.

tgraf commented May 18, 2020

I assume this intends to enable referring to other nodes by node labels at some point. That will require using a non-reserved identity and allocating an identity instead based on the node labels found on the node.

Discussed with Paul offline. This PR is specifically limited in scope to enable selecting which node a policy applies to.

This commit adds a k8s watcher for label updates on the host. It allows
node network policies to select the nodes based on labels. For now, the
same label filters are used for the nodes as for the labels.

Whatever the labels it receives, because we know there can be only one
host endpoint per node, the host endpoint will always retain its
security ID of 1. We therefore don't need to reload the host endpoint's
datapaths on label updates.

Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno pchaigno force-pushed the pr/pchaigno/node-labels branch from 45c7275 to 85f90ff Compare May 18, 2020 17:08
@pchaigno pchaigno requested a review from aanm May 18, 2020 17:09
@pchaigno pchaigno (Member, Author) commented:

retest-runtime

@aanm aanm merged commit 8d0211c into master May 19, 2020
@aanm aanm deleted the pr/pchaigno/node-labels branch May 19, 2020 09:59
@pchaigno pchaigno added the area/host-firewall Impacts the host firewall or the host endpoint. label Jul 20, 2020