
nodediscovery: Fix local host identity propagation #17836

Merged
aanm merged 1 commit into cilium:master from joestringer:submit/node-discovery-identity-mismatch on Nov 11, 2021


joestringer commented Nov 9, 2021

The local NodeDiscovery implementation was previously informing the rest
of the Cilium agent that the local node's identity is "Remote Node"
because of the statically initialized "identity.GetLocalNodeID" value.
However, that value should only ever be used for external workloads
cases in order to prepare the source identity used for transmitting
traffic to other Cilium nodes. It should not be used for locally
determining the identity of traffic coming from the host itself.

Fix this by hardcoding the identity to "Host" identity.

Fixes: c864fd3 ("daemon: Split IPAM bootstrap, join cluster in between")

Fix issue where local host IPs may be briefly associated with the remote-node identity, causing policy drops when policy should allow traffic from the host.
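
The mismatch described in the PR description above, modelled as an added sketch (not Cilium's code and not part of this PR): local IPs published with a statically initialized remote-node identity fail a policy that allows the host, and a consistency check flags them. All names (`Identity`, `localNodeID`, `announceLocalNode`, `allowed`, `mislabeledLocalIPs`), the numeric values and the addresses are assumptions made for illustration.

```go
package main

import "fmt"

// Identity is a simplified stand-in for a numeric security identity.
type Identity int

const Host, RemoteNode Identity = 1, 6 // illustrative values for this sketch

// localNodeID models a statically initialized value meant for stamping traffic
// sent to other nodes, not for classifying traffic from the local host.
var localNodeID = RemoteNode

// announceLocalNode models node discovery publishing the local node's IPs
// into the IP-to-identity map that policy enforcement consults.
func announceLocalNode(ipcache map[string]Identity, localIPs []string, fixed bool) {
	id := localNodeID // behaviour before the fix
	if fixed {
		id = Host // behaviour after the fix: hardcoded Host identity
	}
	for _, ip := range localIPs {
		ipcache[ip] = id
	}
}

// allowed applies an ingress policy that admits only the listed identities.
func allowed(ipcache map[string]Identity, allow map[Identity]bool, srcIP string) bool {
	return allow[ipcache[srcIP]]
}

// mislabeledLocalIPs is a consistency check: every local IP must map to Host.
func mislabeledLocalIPs(ipcache map[string]Identity, localIPs []string) []string {
	var bad []string
	for _, ip := range localIPs {
		if ipcache[ip] != Host {
			bad = append(bad, ip)
		}
	}
	return bad
}

func main() {
	localIPs := []string{"192.0.2.10", "10.0.0.1"} // constructed sample addresses
	allowHost := map[Identity]bool{Host: true}     // policy: allow traffic from the host
	for _, fixed := range []bool{false, true} {
		ipcache := map[string]Identity{}
		announceLocalNode(ipcache, localIPs, fixed)
		fmt.Println(fixed, allowed(ipcache, allowHost, localIPs[0]), mislabeledLocalIPs(ipcache, localIPs))
	}
}
```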

joestringer requested a review from a team as a code owner November 9, 2021 21:34
joestringer added the release-note/bug (This PR fixes an issue in a previous release of Cilium.) label Nov 9, 2021
maintainer-s-little-helper (Bot) added the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label and removed the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label Nov 9, 2021
Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer force-pushed the submit/node-discovery-identity-mismatch branch from 537f450 to 073c301 November 9, 2021 21:38

joestringer commented Nov 9, 2021

/test

EDIT: ci-gke failed

@joestringer

/ci-gke
