envoy: Fix xds server npds listeners accounting#44830
Merged: jrajahalme merged 3 commits into cilium:main on Mar 26, 2026
jrajahalme (Member) requested changes, Mar 20, 2026:
Small fix needed to the CancelCompletions call
When a network policy is updated, the decision to wait on ACK from envoy depends on whether or not there is any listener filter that requires NPDS (presence of the `cilium.bpf_metadata` filter). Before this change, only internal proxy listeners were accounted. This caused the NetworkPolicy update wait to be skipped if **only** the listeners configured through CiliumEnvoyConfig were present. Given that all CEC listeners get injected with the `cilium.bpf_metadata` filter for L3 policy enforcement, incorrect accounting leads to a race condition where BPF policy map redirects can be configured before envoy receives the up-to-date policy information. This can cause traffic interruption due to policy denials in envoy. This commit fixes this issue by keeping track of the `cilium.bpf_metadata` filter across all envoy listeners to determine the need for an NPDS subscription.
Signed-off-by: Deepesh Pathak <deepeshpathak09@gmail.com>

This commit adds a new connectivity test to validate toFQDN rules compounded with a CEC listener for L7 processing. The new test creates a CNP that redirects http traffic destined for an external target to envoy, where a listener configured through CCEC proxies the request to the requested origin.
Signed-off-by: Deepesh Pathak <deepeshpathak09@gmail.com>

This commit downgrades the severity of the "Missing proxy redirect" message in the incremental policy update path to INFO for redirects with listener references.
Signed-off-by: Deepesh Pathak <deepeshpathak09@gmail.com>
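The first commit message above describes the accounting bug: the need for an NPDS subscription was derived from internal proxy listeners only, so a CEC-only configuration let the policy update skip the wait for Envoy's ACK. The following Go program is an added illustration, not Cilium's own code; the `Listener`, `ListenerSource` and `NPDSTracker` types and the `needsNPDSBefore` function are hypothetical models of the old and the fixed accounting, and the listener names and the second filter name are constructed sample values.

```go
package main

import "fmt"

// Name of the listener filter whose presence requires an NPDS subscription.
const bpfMetadataFilter = "cilium.bpf_metadata"

// ListenerSource records who configured a listener. The distinction is a
// hypothetical model used only to reproduce the bug described in the PR.
type ListenerSource int

const (
	SourceInternal ListenerSource = iota // internal proxy listener (e.g. L7 policy redirect)
	SourceCEC                            // listener configured through a CiliumEnvoyConfig
)

// Listener is a constructed, minimal model of an Envoy listener.
type Listener struct {
	Name            string
	Source          ListenerSource
	ListenerFilters []string // listener filter names, in order
}

// hasBpfMetadata reports whether the listener carries the cilium.bpf_metadata filter.
func hasBpfMetadata(l Listener) bool {
	for _, f := range l.ListenerFilters {
		if f == bpfMetadataFilter {
			return true
		}
	}
	return false
}

// needsNPDSBefore models the accounting before the fix: only internal proxy
// listeners were inspected, so a CEC-only setup reported no NPDS need and the
// policy update did not wait for Envoy's ACK (the race from the commit message).
func needsNPDSBefore(listeners []Listener) bool {
	for _, l := range listeners {
		if l.Source == SourceInternal && hasBpfMetadata(l) {
			return true
		}
	}
	return false
}

// NPDSTracker models the fixed accounting: every listener is tracked by name,
// regardless of its origin, and the NPDS need follows from the set of listeners
// that currently carry the bpf_metadata filter.
type NPDSTracker struct {
	withBpfMetadata map[string]struct{}
}

func NewNPDSTracker() *NPDSTracker {
	return &NPDSTracker{withBpfMetadata: make(map[string]struct{})}
}

// Upsert records a listener being added or replaced; a replacement that drops
// the filter removes the listener from the set.
func (t *NPDSTracker) Upsert(l Listener) {
	if hasBpfMetadata(l) {
		t.withBpfMetadata[l.Name] = struct{}{}
	} else {
		delete(t.withBpfMetadata, l.Name)
	}
}

// Delete records a listener being removed.
func (t *NPDSTracker) Delete(name string) {
	delete(t.withBpfMetadata, name)
}

// NeedsNPDS is true when at least one listener needs policy from NPDS; a
// policy update must then wait for Envoy's ACK before BPF policy map
// redirects are installed.
func (t *NPDSTracker) NeedsNPDS() bool {
	return len(t.withBpfMetadata) > 0
}

// cecOnly builds the constructed scenario from the commit message: a single
// CEC listener injected with bpf_metadata and no internal proxy listeners.
func cecOnly() []Listener {
	return []Listener{{
		Name:            "cec-listener", // constructed name
		Source:          SourceCEC,
		ListenerFilters: []string{bpfMetadataFilter, "example.other_listener_filter"}, // constructed
	}}
}

func main() {
	ls := cecOnly()
	fmt.Println("before fix, wait for Envoy ACK:", needsNPDSBefore(ls)) // false: the race
	tr := NewNPDSTracker()
	for _, l := range ls {
		tr.Upsert(l)
	}
	fmt.Println("after fix, wait for Envoy ACK:", tr.NeedsNPDS()) // true
}
```

Tracking listeners by name rather than by a bare counter keeps the accounting correct when a listener is replaced in place, which is the case to check when verifying a fix of this kind: an update that removes the filter must clear the need, and a delete must not leave a stale entry behind.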
jrajahalme (Member) approved these changes, Mar 24, 2026:
@christarazi This needs a ci-structure review, could you help out?
christarazi (Contributor) approved these changes, Mar 25, 2026:
@fristonio I've labeled the PR with Is it ok?
See commit message for details.

This affects v1.17 where if a toFQDNs rule is compounded with a CEC listener (and no other proxy listeners), the DNS response to the client would skip waiting for Envoy network policy configuration. This leads to a race, where the envoy network policy update happens after the client resolves the DNS and makes the request, causing connection failure. For cilium version >= v1.18 we preallocate identities for FQDN selectors, so envoy doesn't need a network policy update on DNS lookup.