Conversation
Make it more clear that the Cilium agent never pulls in this code, but that this is really only used from unit tests. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Dmitriy says:
When --bpf-lb-algorithm-annotation feature is enabled, BPF code
in run-time may not select load balancer algorithm for service at
all for previously existing services. Thus, this behavior broke
all new network connections to the service if it had an unknown
algorithm value in service bpf map entry. This bug is stably
reproducible for NodePort, HostPort, LocalRedirect service types.
This commit solves the problem as follows: in the situation where
the BPF service map contains an unknown LB algorithm, it simply uses
the default LB algorithm from the --bpf-lb-algorithm option.
lb{4,6}_algorithm() should return a proper algorithm that is going to
be used in the datapath. Either a service had an annotation, or if not
then the user configured default should be picked.
One corner case is when we come from a future Cilium version where
users had an algorithm annotation on the service, which the current
Cilium version does not support. In that case we can only treat this
as a hint and need to fallback to the default.
Note that in the old code before the LB control plane rework, the
GetAnnotationServiceLoadBalancingAlgorithm() was pushing through
any annotation which was not loadbalancer.SVCLoadBalancingAlgorithmUndef
and otherwise the function was returning the default selected algorithm.
After the rework we just propagate loadbalancer.ToSVCLoadBalancingAlgorithm()
directly.
This meant that handling of loadbalancer.SVCLoadBalancingAlgorithmUndef
was pushed to runtime, therefore for services with no explicit annotation
this triggered the default case which led to drops.
Another side-note: loadbalancer.ToSVCLoadBalancingAlgorithm() does not
translate LB_SELECTION_FIRST. The latter is only ever used in BPF unit
tests.
Co-developed-by: Dmitriy Andreychenko <dmitriy.andreychenko@flant.com>
Signed-off-by: Dmitriy Andreychenko <dmitriy.andreychenko@flant.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Member
Author
|
/test |
aspsk
approved these changes
Aug 21, 2025
8 tasks
joamaki
approved these changes
Aug 21, 2025
dna787
reviewed
Aug 21, 2025
8 tasks
17 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
(see commit msg)