feat(cilium): adding EnableLocalRedirectPolicy parameter #16929

Merged
merged 1 commit into from
Nov 3, 2024
7 changes: 7 additions & 0 deletions k8s/crds/kops.k8s.io_clusters.yaml
Expand Up @@ -5424,6 +5424,13 @@ spec:
EnableL7Proxy enables L7 proxy for L7 policy enforcement.
Default: true
type: boolean
enableLocalRedirectPolicy:
description: |-
EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
Default: false
type: boolean
enableNodePort:
description: |-
EnableNodePort replaces kube-proxy with Cilium's BPF implementation.
5 changes: 5 additions & 0 deletions pkg/apis/kops/networking.go
Expand Up @@ -370,6 +370,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
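
Review bot: the doc comment on `EnableLocalRedirectPolicy` reads as a fragment ("EnableLocalRedirectPolicy that enables pod traffic ..."), while the neighbouring fields use the form "EnableL7Proxy enables ...", so drop the word "that". The same wording appears in the v1alpha2 and v1alpha3 types and in the CRD description, so correct all four together.
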
5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha2/networking.go
Expand Up @@ -372,6 +372,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha3/networking.go
Expand Up @@ -333,6 +333,11 @@ type CiliumNetworkingSpec struct {
// EnableL7Proxy enables L7 proxy for L7 policy enforcement.
// Default: true
EnableL7Proxy *bool `json:"enableL7Proxy,omitempty"`
// EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
// tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF.
// https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/
// Default: false
EnableLocalRedirectPolicy *bool `json:"enableLocalRedirectPolicy,omitempty"`
// EnableBPFMasquerade enables masquerading packets from endpoints leaving the host with BPF instead of iptables.
// Default: false
EnableBPFMasquerade *bool `json:"enableBPFMasquerade,omitempty"`
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha3/zz_generated.conversion.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go


5 changes: 5 additions & 0 deletions pkg/apis/kops/zz_generated.deepcopy.go


4 changes: 4 additions & 0 deletions pkg/model/components/cilium.go
Expand Up @@ -139,6 +139,10 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error {
c.EnableL7Proxy = fi.PtrTo(true)
}

if c.EnableLocalRedirectPolicy == nil {
c.EnableLocalRedirectPolicy = fi.PtrTo(false)
}

Comment on lines +142 to +145
Member

Please remove these changes. Defaults are needed only when set to true. The generated output should not change.

if c.DisableCNPStatusUpdates == nil {
c.DisableCNPStatusUpdates = fi.PtrTo(true)
}
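
Review bot: the nil check added at +142 to +145 stores an explicit `false` on every cluster, which is why `enableLocalRedirectPolicy: false` and new `manifestHash` values appear across the expected outputs further down. The field is a `*bool` with `omitempty`, so leaving it nil keeps it out of the serialised spec. Drop this block and let nil mean disabled; the neighbouring `EnableL7Proxy` and `DisableCNPStatusUpdates` blocks are different because they default to true.
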
Expand Up @@ -212,6 +212,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -106,7 +106,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 0c83f79dd943a154662cf1734b14afd5b3f57f945e26f5805ea263fc9cd7c733
manifestHash: 3dec2f27921f9e61bd722d058ec85a68e459d1fe3f09055ef9d8b03acf1a55dd
name: networking.cilium.io
needsRollingUpdate: all
selector:
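
Review bot: `manifestHash` for `networking.cilium.io` changes here although this fixture leaves the feature off, and the addon carries `needsRollingUpdate: all`, so the rendered Cilium manifest differs for clusters that never set the new field. The hash should stay at its old value when `enableLocalRedirectPolicy` is unset; regenerate the expected outputs after the `false` default is removed and confirm this line drops out of the diff.
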
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "true"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -204,6 +204,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e20102c57059c105762a9e526913d54064345c7a6f462bb194481df9491b9e09
manifestHash: bc7f7e8765ce60f4a51faa622445f05312d6f6ff5c2cdae2bbc2b7fdaabf35fa
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -184,6 +184,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableNodePort: true
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
Expand Up @@ -55,7 +55,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 54bfa4260f0111b78afdae9dd0cded3f0cbb815b3f3104cbfbf71347edd96a4a
manifestHash: b09e39b605118cc04f98b48d24b0fa6c88487b04a0108574a61692c222f68e1b
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "true"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -206,6 +206,7 @@ spec:
enableBPFMasquerade: true
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: cee3b0b1d69ab6822b004ccada95ae75a9964e5edab73b7b9ad7cec349e7313b
manifestHash: f7612a95ce7e6eb6c7f4aff40ef362372345b45c4697b46ef78f5518d279e566
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -53,6 +53,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -210,6 +210,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e406ff605e0421c49f3fe01fa04f07928c341bc79a7d5fe71305a035d5f1d076
manifestHash: 36722e061be4bc322c060c5b28ebe41678b94361e32327bf652b53ef316972f0
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -51,6 +51,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -204,6 +204,7 @@ spec:
enableBPFMasquerade: false
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
hubble:
Expand Up @@ -155,7 +155,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 9c423eebef5ac27defdcdff9c7024b33861adcbd62928c6a0c8a3db4b897cb69
manifestHash: ac9d01d0a3554b4774f2fd65840adaaae75b8512fcba39a487b80741e99de7c1
name: networking.cilium.io
needsPKI: true
needsRollingUpdate: all
Expand Up @@ -69,6 +69,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "false"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -216,6 +216,7 @@ spec:
enableBPFMasquerade: true
enableEndpointHealthChecking: true
enableL7Proxy: true
enableLocalRedirectPolicy: false
enableNodePort: true
enableRemoteNodeIdentity: true
enableUnreachableRoutes: false
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 59dd2dba26c98808b12efde637d423130af3020d865de67b56bd9066c87c765f
manifestHash: 8c601006d81de04e5d79a68f6bb155eb0ef45ca3d53305dbc2c0a1d458092426
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -53,6 +53,7 @@ data:
enable-ipv6: "false"
enable-ipv6-masquerade: "false"
enable-l7-proxy: "true"
enable-local-redirect-policy: "false"
enable-node-port: "true"
enable-remote-node-identity: "true"
enable-service-topology: "false"
Expand Up @@ -279,6 +279,10 @@ data:
# enable-l7-proxy enables L7 proxy for L7 policy enforcement. (default true)
enable-l7-proxy: "{{ .EnableL7Proxy }}"

# enable-local-redirect-policy EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol
# tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF. (default false)
enable-local-redirect-policy: "{{ .EnableLocalRedirectPolicy }}"

cgroup-root: /run/cilium/cgroupv2

disable-cnp-status-updates: "{{ .DisableCNPStatusUpdates }}"
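
Review bot: `enable-local-redirect-policy` is rendered unconditionally from `.EnableLocalRedirectPolicy`, so the key lands in the ConfigMap of every cluster, and once the `false` default in `BuildOptions` is removed as requested the pointer can be nil at this point. Emit the key only when the field is set and true, so clusters that do not use the feature keep an unchanged ConfigMap. The comment above it also repeats the name ("# enable-local-redirect-policy EnableLocalRedirectPolicy that enables ..."); follow the form of the `enable-l7-proxy` comment, "# enable-local-redirect-policy enables ...".
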
Expand Up @@ -99,7 +99,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -113,7 +113,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector:
Expand Up @@ -170,7 +170,7 @@ spec:
version: 9.99.0
- id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: e36f5ab6a807e2ab12f741978b535f59927bf9618d3239ca9ed65af010838468
manifestHash: 45bddd141fefbbd61619eb858684854c1a4a92239f00098495ff97fe97201aef
name: networking.cilium.io
needsRollingUpdate: all
selector: