egressgw: drop traffic if no gateway is found

[MrFreezeex]

Switch to dropping traffic when no gateway are found for an egressgw instead of the previous behavior consisting of allowing traffic without the snat.

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #issue-number

Drop traffic matching an egress gateway policy when no gateway are found

[MrFreezeex]

Hi @jibi 👋, it's me again for the second part of the work to actually drop traffic that doesn't match any gateway :D (for reference/other people tuning in you will be able to find more context here #24449 (comment)).

[pchaigno]

/test

Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed:

Click to show.

Test Name

K8sDatapathConfig MonitorAggregation Checks that monitor aggregation flags send notifications

Failure Output

FAIL: Timed out after 240.001s.

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/898/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.19 so I can create one.

[jibi]

Looks good! Just a couple of small comments

[jibi]

🤔

2023-04-18T11:55:51.342505519Z level=fatal msg="auto-direct-node-routes cannot be used with tunneling. Packets must be routed through the tunnel device." subsys=daemon

can you try rebasing on top of master please?

[rolinh]

Hubble API changes lgtm.

[jibi]

We should also update docs (both the egressgw one as well as the upgrade guide) to point out that from now on we'll start dropping packets in case no gateway is found, but this can be done in a follow up PR since CI is already green

[christarazi]

One second thought since I saw the upgrade-impact label, should we include some note in the upgrade guide about this?
cc @pchaigno @jibi

@christarazi we should add some notes in the upgrade guide as we are changing the behavior of the no gateway case, see my previous message #24835 (review).

But I don't think the upgrade-impact label is still accurate. When I added it I thought the feature that this PR (and the previous related one) are changing was already in v1.13, but that's not the case

Oops, you caught me not reading other reviews 😅.

I'll keep my review as "requesting changes" because otherwise the merge button is green. Thanks!

[jibi]

I'll keep my review as "requesting changes" because otherwise the merge button is green. Thanks!

fair enough 👍 @MrFreezeex could you please add a note about the new behaviour:

• in the 1.14 upgrade guide: https://github.com/cilium/cilium/blob/main/Documentation/operations/upgrade.rst#114-upgrade-notes
• as well as in the egressgw guide: https://github.com/cilium/cilium/blob/main/Documentation/network/egress-gateway.rst (perhaps in the section about the gateway node selection)

[christarazi]

Thanks!

[zacharysarah]

@MrFreezeex Thanks for the update. Minor edits, otherwise LGTM

[jibi]

/test

[MrFreezeex]

Conformance job failure (https://github.com/cilium/cilium/actions/runs/4740958766/jobs/8417418731?pr=24835) seems related to #24622

[jibi]

All good here with reviews and CI, merging this 🚢 thanks again for the great work!