Exclude topology.kubernetes.io labels by default #43725

Merged
aanm merged 1 commit into cilium:main from moscicky:exclude-topology-labels
Jan 14, 2026
@moscicky
Contributor

Starting from version 1.35, Kubernetes propagates topology.kubernetes.io labels from nodes to pods. This causes CID duplication and can lead to CID exhaustion.

This patch adds !topology.kubernetes.io label filter to default label filters

Fixes: #43723

Exclude topology.kubernetes.io labels from security labels by default

Starting from version 1.35, Kubernetes propagates topology.kubernetes.io labels from nodes to pods. This causes CID duplication and can lead to CID exhaustion.

This patch adds !topology.kubernetes.io label filter to default label filters

Fixes: cilium#43723

Signed-off-by: Maciej Moscicki <mmoscicki@google.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 13, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 13, 2026
@joestringer joestringer added the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Jan 13, 2026
@joestringer
Member

I'll at least nominate this for 1.19 backport, but we may want to think about backports to earlier releases as well (while balancing the risk). That said this is not a review, will defer to others on that for now.

@moscicky moscicky marked this pull request as ready for review January 14, 2026 08:14
@moscicky moscicky requested a review from a team as a code owner January 14, 2026 08:14
@moscicky moscicky requested a review from derailed January 14, 2026 08:14
@maintainer-s-little-helper

Commit a542840 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jan 14, 2026
@moscicky moscicky force-pushed the exclude-topology-labels branch from a542840 to c61bdf0 Compare January 14, 2026 08:17
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jan 14, 2026
@squeed squeed added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch affects/v1.18 This issue affects v1.18 branch labels Jan 14, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 14, 2026
@squeed
Contributor

squeed commented Jan 14, 2026

/test

@squeed
Contributor

squeed commented Jan 14, 2026

I'm strongly in favor of backporting this; it's not really a "code change" as much as it is a configuration update. Unexpected identity churn can quickly destabilize a cluster.

@aanm aanm enabled auto-merge January 14, 2026 08:41
@aanm
Member

aanm commented Jan 14, 2026

/test

@squeed
Contributor

squeed commented Jan 14, 2026

> I'm strongly in favor of backporting this;

Additionally, labels in the kubernetes.io "domain" are reserved for kubernetes' use. If anyone was using them, it was in error.

@aanm aanm added this pull request to the merge queue Jan 14, 2026
Merged via the queue into cilium:main with commit f92627b Jan 14, 2026
132 of 133 checks passed
@maksymilianPadalak

What a change! Good job @moscicky

@gandro gandro mentioned this pull request Jan 15, 2026
4 tasks
@gandro gandro added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch affects/v1.18 This issue affects v1.18 branch labels Jan 15, 2026
@gandro gandro mentioned this pull request Jan 15, 2026
3 tasks
@gandro gandro added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 15, 2026
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Jan 15, 2026
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
Labels

affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. kind/community-contribution This was a contribution made by a community member. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

No open projects
Status: Released

Development

Successfully merging this pull request may close these issues.

topology.kubernetes.io labels should be removed from security labels

6 participants