Prepare datapath for policy changes for kube-apiserver #17668

Closed
joestringer wants to merge 3 commits into cilium:master from joestringer:submit/apiserver-datapath
@joestringer
Member

  • bpf: Refactor node identity checking
  • bpf: Add kube-apiserver identity
  • DONOTMERGE: Datapath-related things to check for apiserver identity

Read commit-by-commit.

WIP, to be folded into ongoing work with @christarazi.

@maintainer-s-little-helper

Commit 0ab49daa7c206fdbb1f926d9b54bbbee14f60b73 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper Bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 22, 2021
@joestringer
Member Author

test-only --focus="K8sVerifier" --kernel_version="net-next"

Comment thread pkg/identity/numericidentity.go Outdated
Member Author

Actually, I'm not sure if we really want or need to do this; this can end up in packets, which means it could introduce upgrade concerns. Also, this code seems to be more related to external workloads, which likely means that we would never associate the kube-apiserver identity with this node.

Member Author

On the other hand, if this could be a breaking change for that scenario and we ever wanted to assign that identity to that external workload node, then maybe we should teach this code about kube-apiserver identity now....?

Create dedicated functions for checking whether an identity represents
any node in the cluster or a remote node in the cluster. This will be
useful for an upcoming commit where a remote node may have the
REMOTE_NODE_ID identity or alternatively another hardcoded identity.

Signed-off-by: Joe Stringer <joe@cilium.io>

This identity will be used to identify remote nodes which also have the
kube-apiserver colocated, and allows policy at the higher layer to
differentiate nodes with this identity vs. other nodes in the cluster.

Signed-off-by: Joe Stringer <joe@cilium.io>
@joestringer joestringer force-pushed the submit/apiserver-datapath branch from 0ab49da to 494e013 Compare October 22, 2021 00:38
@maintainer-s-little-helper

Commit 494e013 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@joestringer
Member Author

joestringer commented Oct 22, 2021

test-only --focus="K8sVerifier" --kernel_version="419"

EDIT: Results: https://jenkins.cilium.io/job/Cilium-PR-Tests-Kernel-Focus/325/testReport/

@joestringer
Member Author

joestringer commented Oct 22, 2021

test-only --focus="K8sVerifier" --kernel_version="54"

EDIT: Results: https://jenkins.cilium.io/job/Cilium-PR-Tests-Kernel-Focus/326/

@joestringer
Member Author

joestringer commented Oct 22, 2021

test-only --focus="K8sVerifier" --kernel_version="49"

EDIT: Results: https://jenkins.cilium.io/job/Cilium-PR-Tests-Kernel-Focus/327/

@joestringer
Member Author

test-only --focus="K8sVerifier" --kernel_version="netnext"

@joestringer
Member Author

/ci-gke

@joestringer
Member Author

Superseded by #17823.

@joestringer joestringer closed this Nov 9, 2021
@joestringer joestringer deleted the submit/apiserver-datapath branch November 9, 2021 01:46