Merge pull request #16929 from ana-aguilar7/lrp-feat
feat(cilium): adding EnableLocalRedirectPolicy parameter
k8s-ci-robot authored Nov 3, 2024
2 parents 27daf5a + 7b2f02f commit 71df35a
Showing 35 changed files with 73 additions and 10 deletions.
7 changes: 7 additions & 0 deletions k8s/crds/kops.k8s.io_clusters.yaml
Expand Up @@ -5424,6 +5424,13 @@ spec:
EnableL7Proxy enables L7 proxy for L7 policy enforcement.
Default: true
type: boolean
enableLocalRedirectPolicy:
description: |-
EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
Default: false
type: boolean
enableNodePort:
description: |-
EnableNodePort replaces kube-proxy with Cilium's BPF implementation.
5 changes: 5 additions & 0 deletions pkg/apis/kops/networking.go
Expand Up @@ -370,6 +370,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
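Review bot: The doc comment on `EnableLocalRedirectPolicy` is a sentence fragment ("EnableLocalRedirectPolicy that enables pod traffic …") and does not say who can trigger redirection once the flag is on. I would reword the first line to `// EnableLocalRedirectPolicy enables redirecting pod traffic destined to an IP address and port/protocol` and add a line such as `// When enabled, anyone allowed to create CiliumLocalRedirectPolicy objects can redirect matching pod traffic to a node-local backend, so restrict that permission with RBAC.` The same text is repeated in the v1alpha2 and v1alpha3 copies of the struct, in the generated CRD description and in the ConfigMap template comment, so it should be fixed in the Go sources and the CRD regenerated. The struct definition starts and ends outside this hunk.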
5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha2/networking.go
Expand Up @@ -372,6 +372,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha3/networking.go
Expand Up @@ -333,6 +333,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha3/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/zz_generated.deepcopy.go


4 changes: 4 additions & 0 deletions pkg/model/components/cilium.go
Expand Up @@ -139,6 +139,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error {
c.EnableL7Proxy = fi.PtrTo(true)
}

if c.EnableLocalRedirectPolicy == nil {
c.EnableLocalRedirectPolicy = fi.PtrTo(false)
}

if c.DisableCNPStatusUpdates == nil {
c.DisableCNPStatusUpdates = fi.PtrTo(true)
}
Expand Up @@ -212,6 +212,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -106,7 +106,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 0c83f79dd943a154662cf1734b14afd5b3f57f945e26f5805ea263fc9cd7c733
manifestHash: 3dec2f27921f9e61bd722d058ec85a68e459d1fe3f09055ef9d8b03acf1a55dd
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "true"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -204,6 +204,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e20102c57059c105762a9e526913d54064345c7a6f462bb194481df9491b9e09
manifestHash: bc7f7e8765ce60f4a51faa622445f05312d6f6ff5c2cdae2bbc2b7fdaabf35fa
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -184,6 +184,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableNodePort: true
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
Expand Up @@ -55,7 +55,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 54bfa4260f0111b78afdae9dd0cded3f0cbb815b3f3104cbfbf71347edd96a4a
manifestHash: b09e39b605118cc04f98b48d24b0fa6c88487b04a0108574a61692c222f68e1b
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "true"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -206,6 +206,7 @@ spec:
enableBPFMasquerade: true
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: cee3b0b1d69ab6822b004ccada95ae75a9964e5edab73b7b9ad7cec349e7313b
manifestHash: f7612a95ce7e6eb6c7f4aff40ef362372345b45c4697b46ef78f5518d279e566
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -53,6 +53,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -210,6 +210,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e406ff605e0421c49f3fe01fa04f07928c341bc79a7d5fe71305a035d5f1d076
manifestHash: 36722e061be4bc322c060c5b28ebe41678b94361e32327bf652b53ef316972f0
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -204,6 +204,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -155,7 +155,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 9c423eebef5ac27defdcdff9c7024b33861adcbd62928c6a0c8a3db4b897cb69
manifestHash: ac9d01d0a3554b4774f2fd65840adaaae75b8512fcba39a487b80741e99de7c1
name: networking.cilium.io
needsPKI: true
needsRollingUpdate: all
Expand Up @@ -69,6 +69,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -216,6 +216,7 @@ spec:
enableBPFMasquerade: true
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableNodePort: true
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 59dd2dba26c98808b12efde637d423130af3020d865de67b56bd9066c87c765f
manifestHash: 8c601006d81de04e5d79a68f6bb155eb0ef45ca3d53305dbc2c0a1d458092426
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -53,6 +53,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "true"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -279,6 +279,10 @@ data:
# enable-l7-proxy enables L7 proxy for L7 policy enforcement. (default true)
enable-l7-proxy: "{{ .EnableL7Proxy }}"

# enable-local-redirect-policy EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
# tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF. (default false)
enable-local-redirect-policy: "{{ .EnableLocalRedirectPolicy }}"

cgroup-root: /run/cilium/cgroupv2

disable-cnp-status-updates: "{{ .DisableCNPStatusUpdates }}"
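Review bot: Every expected-output section shown on this page renders `enable-local-redirect-policy: "false"`, so the path where this template line emits `"true"` appears to have no fixture coverage. Setting `enableLocalRedirectPolicy: true` in one of the existing Cilium integration cluster specs would pin the rendered ConfigMap for the enabled case, which is the configuration that actually changes datapath behaviour. From this hunk alone it is not visible whether the rest of the manifest (for example the agent and operator ClusterRole rules) already covers the CiliumLocalRedirectPolicy resource; that is worth confirming before the flag is documented as usable. The ConfigMap continues outside this hunk.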
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -113,7 +113,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -170,7 +170,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector:
