
pkg/identity: Watch and update labels for the host #11543

Merged: 1 commit from pr/pchaigno/node-labels into master, May 19, 2020

Conversation

pchaigno (Member) wrote:

This commit adds a k8s watcher for label updates on the host. It allows node network policies to select the nodes based on labels. For now, the same label filters are used for the nodes as for the labels.

Whatever labels it receives, because we know there can be only one host endpoint per node, the host endpoint will always retain its security ID of 1. We therefore don't need to reload the host endpoint's datapaths on label updates.
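The invariant the description relies on (one host endpoint per node, reserved identity 1, no datapath regeneration on label change) is easy to model. The following Go program is an added illustration, not Cilium's code: it runs a constructed sequence of node label events through a watcher-style callback, applies a hypothetical label filter (the `node.kubernetes.io/` exclusion prefix is an assumption, not Cilium's real default filter set), and checks that the host endpoint keeps security ID 1 while the set of node policies that select it changes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ReservedIdentityHost is the identity the PR says the host endpoint always
// keeps: with exactly one host endpoint per node it is never reallocated.
const ReservedIdentityHost uint32 = 1

// Labels is a flat key/value map, the shape of metadata.labels on a Node.
type Labels map[string]string

// LabelFilter drops label keys that should not take part in policy selection.
// The prefix list is a hypothetical stand-in for Cilium's configurable
// label filters; it is not the project's real default set.
type LabelFilter struct {
	ExcludePrefixes []string
}

// Apply returns a copy of in with excluded keys removed.
func (f LabelFilter) Apply(in Labels) Labels {
	out := make(Labels, len(in))
	for k, v := range in {
		excluded := false
		for _, p := range f.ExcludePrefixes {
			if strings.HasPrefix(k, p) {
				excluded = true
				break
			}
		}
		if !excluded {
			out[k] = v
		}
	}
	return out
}

// DiffLabels reports keys added, removed, or changed between two label sets.
// Results are sorted so callers get deterministic output.
func DiffLabels(old, cur Labels) (added, removed, changed []string) {
	for k, v := range cur {
		ov, ok := old[k]
		switch {
		case !ok:
			added = append(added, k)
		case ov != v:
			changed = append(changed, k)
		}
	}
	for k := range old {
		if _, ok := cur[k]; !ok {
			removed = append(removed, k)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	sort.Strings(changed)
	return added, removed, changed
}

// HostEndpoint models the node's single host endpoint.
type HostEndpoint struct {
	SecurityID      uint32
	Labels          Labels
	DatapathReloads int // regenerations triggered; stays 0 across label updates
}

// NewHostEndpoint creates the endpoint with the reserved host identity.
func NewHostEndpoint(initial Labels, f LabelFilter) *HostEndpoint {
	return &HostEndpoint{SecurityID: ReservedIdentityHost, Labels: f.Apply(initial)}
}

// OnNodeUpdate is the watcher callback for a Node update event. It filters
// the new labels, stores them on the host endpoint, and reports whether the
// filtered set changed. The identity is untouched and no datapath reload is
// counted, which is the behaviour the PR description argues for.
func (h *HostEndpoint) OnNodeUpdate(f LabelFilter, nodeLabels Labels) bool {
	filtered := f.Apply(nodeLabels)
	added, removed, changed := DiffLabels(h.Labels, filtered)
	if len(added)+len(removed)+len(changed) == 0 {
		return false // only filtered-out keys changed: nothing to do
	}
	h.Labels = filtered
	return true
}

// Selects reports whether a node selector (exact key/value matches) picks
// this host endpoint under its current labels.
func (h *HostEndpoint) Selects(sel Labels) bool {
	for k, v := range sel {
		if got, ok := h.Labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample events, not real cluster data.
	filter := LabelFilter{ExcludePrefixes: []string{"node.kubernetes.io/"}}
	host := NewHostEndpoint(Labels{"role": "worker", "node.kubernetes.io/instance-type": "m5.large"}, filter)
	policy := Labels{"role": "ingress"} // selector of a hypothetical node policy
	fmt.Printf("initial: id=%d selected=%v\n", host.SecurityID, host.Selects(policy))
	events := []Labels{
		{"role": "ingress", "node.kubernetes.io/instance-type": "m5.large"}, // selects now
		{"role": "ingress", "node.kubernetes.io/instance-type": "m6.large"}, // filtered-out key only
	}
	for i, ev := range events {
		changed := host.OnNodeUpdate(filter, ev)
		fmt.Printf("event %d: changed=%v id=%d reloads=%d selected=%v\n",
			i+1, changed, host.SecurityID, host.DatapathReloads, host.Selects(policy))
	}
}
```

The second event changes only a key the filter excludes, so the callback reports no change; the point of applying the same filters to nodes as to pods is precisely that such updates never reach policy evaluation.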

@pchaigno pchaigno added sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels May 15, 2020
Review thread on pkg/k8s/watchers/watcher.go (outdated, resolved)
coveralls commented May 15, 2020:

Coverage decreased (-0.02%) to 36.991% when pulling 85f90ff on pr/pchaigno/node-labels into 7e328b1 on master.

@pchaigno pchaigno marked this pull request as ready for review May 15, 2020 10:45
@pchaigno pchaigno requested a review from a team as a code owner May 15, 2020 10:45
@pchaigno pchaigno requested review from a team May 15, 2020 10:45
@pchaigno pchaigno force-pushed the pr/pchaigno/node-labels branch from 6387ff2 to 45c7275 Compare May 15, 2020 14:14
tgraf (Member) left a comment:

I'm not sure I fully understand yet what this will enable. This will create identity ID 1 with labels, which will always remain in the scope of the node as it is reserved. It will thus make it possible to refer to the local node by its own labels.

I assume this intends to enable referring to other nodes by node labels at some point. That will require using a non-reserved identity and instead allocating an identity based on the node labels found on the node.

It will also require:

  • Representing the node IPs as CiliumEndpoint and inserting them into the kvstore ipcache
  • Individual nodes no longer having to maintain the ipcache based on CiliumNode or Node events; they can instead get their ipcache filled via CiliumEndpoint or kvstore updates.

Review thread on pkg/endpointmanager/manager.go (resolved)
tgraf (Member)

tgraf commented May 18, 2020

> I assume this intends to enable referring to other nodes by node labels at some point. That will require using a non-reserved identity and instead allocating an identity based on the node labels found on the node.

Discussed with Paul offline. This PR is specifically limited in scope to enabling selection of which node a policy applies to.

Review threads on pkg/k8s/watchers/node.go (2, outdated, resolved)

Commit message:
This commit adds a k8s watcher for label updates on the host. It allows
node network policies to select the nodes based on labels. For now, the
same label filters are used for the nodes as for the labels.

Whatever the labels it receives, because we know there can be only one
host endpoint per node, the host endpoint will always retain its
security ID of 1. We therefore don't need to reload the host endpoint's
datapaths on label updates.

Signed-off-by: Paul Chaignon <[email protected]>
@pchaigno pchaigno force-pushed the pr/pchaigno/node-labels branch from 45c7275 to 85f90ff Compare May 18, 2020 17:08
@pchaigno pchaigno requested a review from aanm May 18, 2020 17:09
pchaigno (Member, Author) commented:

retest-runtime

@aanm aanm merged commit 8d0211c into master May 19, 2020
@aanm aanm deleted the pr/pchaigno/node-labels branch May 19, 2020 09:59
@pchaigno pchaigno added the area/host-firewall Impacts the host firewall or the host endpoint. label Jul 20, 2020