Skip to content

[v1.18] endpoint/bpf: remove change empty condition for updateEnvoy#44616

Merged
julianwiedmann merged 1 commit intocilium:v1.18from
liyihuang:v1.18_backport_test
Mar 16, 2026
Merged

[v1.18] endpoint/bpf: remove change empty condition for updateEnvoy#44616
julianwiedmann merged 1 commit intocilium:v1.18from
liyihuang:v1.18_backport_test

Conversation

@liyihuang
Copy link
Copy Markdown
Contributor

@liyihuang liyihuang commented Mar 3, 2026
edited
Loading

This is the follow up for #44519. The backport causes a lot of failure. It looks like that's because 1.18 implementation is a bit different from 1.19 where we need extra condition check to get it working.

I leave the current CI failure for review so people can see it's not from this commit.

@maintainer-s-little-helper maintainer-s-little-helper bot added backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. labels Mar 3, 2026
@liyihuang
Copy link
Copy Markdown
Contributor Author

liyihuang commented Mar 3, 2026

/test

@liyihuang liyihuang force-pushed the v1.18_backport_test branch from cb742f5 to c5899ef Compare March 5, 2026 17:12
@liyihuang
Copy link
Copy Markdown
Contributor Author

liyihuang commented Mar 5, 2026

/test

1 similar comment
@liyihuang
Copy link
Copy Markdown
Contributor Author

liyihuang commented Mar 5, 2026

/test

@liyihuang liyihuang force-pushed the v1.18_backport_test branch from c5899ef to 5387c9a Compare March 5, 2026 17:54
@liyihuang
Copy link
Copy Markdown
Contributor Author

liyihuang commented Mar 5, 2026

/test

@liyihuang liyihuang requested a review from squeed March 5, 2026 20:46
@liyihuang liyihuang marked this pull request as ready for review March 5, 2026 20:46
@liyihuang liyihuang requested a review from a team as a code owner March 5, 2026 20:46
@liyihuang liyihuang force-pushed the v1.18_backport_test branch from 5387c9a to 717423b Compare March 9, 2026 14:38
@liyihuang
Copy link
Copy Markdown
Contributor Author

liyihuang commented Mar 9, 2026

/test

@liyihuang liyihuang added the release-blocker/1.18 This issue will prevent the release of the next version of Cilium. label Mar 9, 2026
@github-project-automation github-project-automation bot moved this from Proposed to Active in Release blockers Mar 9, 2026
@liyihuang liyihuang force-pushed the v1.18_backport_test branch from 717423b to 13eef05 Compare March 13, 2026 07:23
@gentoo-root gentoo-root force-pushed the v1.18_backport_test branch from 13eef05 to 6803b3f Compare March 13, 2026 08:48
@liyihuang @gentoo-root
endpoint/bpf: remove change empty condition for updateEnvoy
b5153cc 
This commit removes the !changes.Empty() condition to avoid the bug when
the bpf map is no change but we still need to update the envoy network
policy and add the version validation in 1.18

When there is SNI network policy with FQDN network policy, we will
redirect egress all traffic to the envoy.  The identity could change
with wildcard FQDN policy and bpf map will keep the same. that will
cause the enovy network policy not getting updated.

For example,we could have the following identities in the beginning

1677721   fqdn:sts.*.amazonaws.com
           reserved:world
16777220   fqdn:*.amazonaws.com
           reserved:world

When the DNS resolves the IP for sts.*.amazonaws.com, we will generate
the new identity

16777223   fqdn:*.*.amazonaws.com
           fqdn:sts.*.amazonaws.com
           reserved:world

If we have the SNI network policy for the pod, that will make the bpf
map look like the following.

root@kind-worker8:/home/cilium# cilium bpf policy get 2782
POLICY   DIRECTION   LABELS (source:key[=value])
PORT/PROTO   PROXY PORT   AUTH TYPE   BYTES   PACKETS   PREFIX   LEVEL
Allow    Ingress     ANY
ANY          NONE         disabled    0       0         0        0
Allow    Ingress     reserved:host
ANY          NONE         disabled    0       0         0        0
Allow    Egress      ANY
443/TCP      13379        disabled    5904    33        24       0

With the current check logic, there is no change to the map. Then we
will skip updating the envoy network policy causing envoy holding the
stale identity and block the traffic.

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
@gentoo-root gentoo-root force-pushed the v1.18_backport_test branch from 6803b3f to b5153cc Compare March 13, 2026 09:04
@gentoo-root
Copy link
Copy Markdown
Contributor

gentoo-root commented Mar 13, 2026

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 13, 2026
@julianwiedmann julianwiedmann changed the title endpoint/bpf: remove change empty condition for updateEnvoy [v1.18] endpoint/bpf: remove change empty condition for updateEnvoy Mar 16, 2026
@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 16, 2026
Merged via the queue into cilium:v1.18 with commit 370be42 Mar 16, 2026
69 of 70 checks passed
@github-project-automation github-project-automation bot moved this from Active to Done in Release blockers Mar 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@squeed squeed squeed approved these changes

Assignees

No one assigned

Labels

backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.18 This issue will prevent the release of the next version of Cilium.

Projects

Release blockers
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@liyihuang @gentoo-root @squeed @msune @julianwiedmann