
endpoint/bpf: remove change empty condition for updateEnvoy #44462

Merged
squeed merged 1 commit into cilium:main from liyihuang:pr/liyih/update_envoy_network_policy
Feb 23, 2026

Conversation

@liyihuang
Contributor

@liyihuang liyihuang commented Feb 21, 2026

see the commit message

Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 21, 2026
@liyihuang liyihuang force-pushed the pr/liyih/update_envoy_network_policy branch from ed02ce1 to 1b85244 Compare February 21, 2026 04:23
@liyihuang liyihuang added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. backport/1.19 This PR represents a backport for Cilium 1.19.x of a PR that was merged to main. labels Feb 21, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 21, 2026
This commit removes the !changes.Empty() condition to avoid the bug when
the bpf map has no change but we still need to update the envoy network
policy.

When there is SNI network policy with FQDN network policy, we will
redirect all egress traffic to the envoy. The identity could change
with wildcard FQDN policy and the bpf map will keep the same. That will
cause the envoy network policy not to get updated.

For example, we could have the following identities in the beginning

1677721   fqdn:sts.*.amazonaws.com
           reserved:world
16777220   fqdn:*.amazonaws.com
           reserved:world

When the DNS resolves the IP for sts.*.amazonaws.com, we will generate
the new identity

16777223   fqdn:*.*.amazonaws.com
           fqdn:sts.*.amazonaws.com
           reserved:world

If we have the SNI network policy for the pod, that will make the bpf
map look like the following.

root@kind-worker8:/home/cilium# cilium bpf policy get 2782
POLICY   DIRECTION   LABELS (source:key[=value])
PORT/PROTO   PROXY PORT   AUTH TYPE   BYTES   PACKETS   PREFIX   LEVEL
Allow    Ingress     ANY
ANY          NONE         disabled    0       0         0        0
Allow    Ingress     reserved:host
ANY          NONE         disabled    0       0         0        0
Allow    Egress      ANY
443/TCP      13379        disabled    5904    33        24       0

With the current check logic, there is no change to the map. Then we
will skip updating the envoy network policy, causing envoy to hold the
stale identity and block the traffic.

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
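The gate the commit message describes, modelled as an added Go example (this is not Cilium's code; the types, the map key shape and the identity sets are constructed to mirror the scenario above): the datapath map is identical before and after the wildcard FQDN identity is allocated, so a gate on `changes.Empty()` skips the Envoy push even though the proxy's per-selector identity set has changed.

```go
package main

import "fmt"
import "reflect"

// Simplified model (not Cilium's real types) of what endpoint regeneration
// produces: the datapath policy map and the Envoy network policy.
type Identity uint32

// With an SNI/L7 egress policy, 443/TCP is redirected to the proxy for ANY
// source identity, so the map key carries no identity and a newly allocated
// wildcard FQDN identity adds no map entry.
type mapKey struct {
	Identity Identity // 0 means ANY
	Port     uint16
	Proto    string
}
type policyMap map[mapKey]uint16 // value: proxy port

// envoyPolicy: identities allowed per SNI selector, enforced by the proxy.
type envoyPolicy map[string]map[Identity]bool

// mapChangesEmpty plays the role of changes.Empty() from the commit message.
func mapChangesEmpty(old, cur policyMap) bool { return reflect.DeepEqual(old, cur) }

// envoyChanged reports whether any selector's identity set differs.
func envoyChanged(old, cur envoyPolicy) bool { return !reflect.DeepEqual(old, cur) }

// shouldUpdateEnvoy is the gate: before the fix the Envoy update was skipped
// whenever the bpf map was unchanged; after the fix it is always attempted.
func shouldUpdateEnvoy(old, cur policyMap, fixed bool) bool {
	return fixed || !mapChangesEmpty(old, cur)
}

// scenario reproduces the commit-message case with constructed identity sets:
// the map is identical before and after, but the SNI selector gained 16777223.
func scenario(fixed bool) (mapUnchanged, envoyDiffers, pushed bool) {
	k := mapKey{0, 443, "TCP"}
	before, after := policyMap{k: 13379}, policyMap{k: 13379}
	eBefore := envoyPolicy{"sts.*.amazonaws.com": {16777220: true}}
	eAfter := envoyPolicy{"sts.*.amazonaws.com": {16777220: true, 16777223: true}}
	return mapChangesEmpty(before, after), envoyChanged(eBefore, eAfter), shouldUpdateEnvoy(before, after, fixed)
}

func main() {
	for _, fixed := range []bool{false, true} {
		m, e, p := scenario(fixed)
		fmt.Printf("fixed=%v mapUnchanged=%v envoyDiffers=%v pushed=%v\n", fixed, m, e, p)
	}
}
```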
@liyihuang liyihuang force-pushed the pr/liyih/update_envoy_network_policy branch from 1b85244 to 727024c Compare February 21, 2026 04:25
@liyihuang
Contributor Author

/test

@liyihuang liyihuang requested a review from squeed February 21, 2026 18:13
@liyihuang liyihuang marked this pull request as ready for review February 21, 2026 18:13
@liyihuang liyihuang requested a review from a team as a code owner February 21, 2026 18:13
@squeed
Contributor

squeed commented Feb 23, 2026

I'm not sure I understand the exact bug here. From the commit message, it seems to be something like

  1. A DNS answer is intercepted that needs to allocate a new identity
  2. Something is making changes.Empty()==true, we don't actually change the BPF policy map, so...
  3. We don't send any updates to Envoy

Do you know why changes.Empty() is true? Is this because there is a wildcard selector, and thus the new identity is not added to the bpf map?

@squeed
Contributor

squeed commented Feb 23, 2026

The change looks good, I just want to understand the issue first.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 23, 2026
@squeed squeed added this pull request to the merge queue Feb 23, 2026
Merged via the queue into cilium:main with commit 308d172 Feb 23, 2026
81 checks passed
@liyihuang liyihuang added backport/1.16 This PR represents a backport for Cilium 1.16.x of a PR that was merged to main. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. labels Feb 23, 2026
@squeed squeed added needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch and removed backport/1.16 This PR represents a backport for Cilium 1.16.x of a PR that was merged to main. backport/1.17 This PR represents a backport for Cilium 1.17.x of a PR that was merged to main. backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. backport/1.19 This PR represents a backport for Cilium 1.19.x of a PR that was merged to main. labels Feb 23, 2026
@YutaroHayakawa YutaroHayakawa mentioned this pull request Feb 24, 2026
@YutaroHayakawa YutaroHayakawa added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 24, 2026
@YutaroHayakawa YutaroHayakawa mentioned this pull request Feb 25, 2026
@YutaroHayakawa YutaroHayakawa added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Feb 25, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Mar 2, 2026
@YutaroHayakawa YutaroHayakawa added backport/author The backport will be carried out by the author of the PR. needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Mar 2, 2026
@github-actions github-actions bot added the backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. label Mar 3, 2026
@julianwiedmann julianwiedmann removed the needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch label Mar 16, 2026