Skip to content

chore: clean up allowlisted IPv6 prefixes #8252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
r-birkner wants to merge 2 commits into
base: master
Choose a base branch
from
Open

chore: clean up allowlisted IPv6 prefixes #8252

r-birkner wants to merge 2 commits into from
+27 −135

Conversation

@r-birkner
Copy link
Contributor

@r-birkner r-birkner commented Jan 7, 2026
edited
Loading

For guestOS, the IPv6 prefixes are only used if there are no rules in the registry as a fallback (see here).

For hostOS, the IPv6 prefixes are always used. Here the most important change are the telemetry_clients prefix list, which is necessary for scraping metrics and logs from the host.

In the following, I list the guestOS prefixes with their DC:

"2602:fb2b:120::/48",             # ch1
"2602:fb2b:100::/48",             # dm1
"2602:fb2b:110::/48",             # fr1
"2600:c00:2:100::/64",            # se1
"2001:4c08:2003:b09::/64",        # sh1
"2600:3007:4401::/48",            # tp1
"2a00:fb01:400::/56",             # zh1
"2a00:fb01:400:200::/64",         # zh2
"2a05:d01c:e2c:a700::/56",        # AWS_eu-west-2_monitoring
"2a05:d01c:d9:2b00::/56",         # AWS_eu-west-2_monitoring2

@github-actions github-actions bot added the chore label Jan 7, 2026
@r-birkner r-birkner force-pushed the rjb/remove-old-prefixes-from-fw branch from a09102f to d5687a1 Compare January 7, 2026 12:19
@r-birkner r-birkner marked this pull request as ready for review January 7, 2026 14:00
@r-birkner r-birkner requested a review from a team as a code owner January 7, 2026 14:00
@github-actions github-actions bot added the @node label Jan 7, 2026
@r-birkner
Copy link
Contributor Author

r-birkner commented Jan 7, 2026

I requested a review from:

  • @eichhorl just to make sure this does not impact recovery (we only change the default rules in guestOS if the registry is not available)
  • @NikolaMilosa to make sure this does not impact observability (both metrics and logs scraping for the host)
  • @slawomirbabicz to make sure this is good from security POV

@r-birkner r-birkner added the CI_ALL_BAZEL_TARGETS Runs all bazel targets and uploads them to S3 label Jan 7, 2026
NikolaMilosa
NikolaMilosa approved these changes Jan 8, 2026
View reviewed changes
Copy link
Contributor

@NikolaMilosa NikolaMilosa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

slawomirbabicz
slawomirbabicz approved these changes Jan 8, 2026
View reviewed changes
Copy link

@slawomirbabicz slawomirbabicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. If you have some a spare cycles, I would add a comment for the prefixes added about their dc affinity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NikolaMilosa NikolaMilosa NikolaMilosa approved these changes

@slawomirbabicz slawomirbabicz slawomirbabicz approved these changes

@andrewbattat andrewbattat andrewbattat approved these changes

@eichhorl eichhorl Awaiting requested review from eichhorl

Assignees

No one assigned

Labels

chore CI_ALL_BAZEL_TARGETS Runs all bazel targets and uploads them to S3 @node

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@r-birkner @NikolaMilosa @slawomirbabicz @andrewbattat