cilium / cilium / 40861 / 2
39%
master: 39%

DEFAULT BRANCH: master
Ran
Files 933
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 34.211% (+0.01%) from 34.2%
40861.2

push

travis-ci-com

borkmann 
cilium: Add scope knob for local address to be considered host id in ipcache

In some advanced environments, there may be devices in the hostns which could
have a link scoped 10.x.y.z address. The default behavior of Cilium when
populating its local ipcache is to skip all link local addresses as per
listLocalAddresses().

Depending on the datapath configuration, this may cause issues when a Pod
wants to talk to such an address in the hostns. For example, when routing
doesn't go via stack such as the case in BPF host routing, then for such
addresses, the ipcache will fall-back to WORLD id instead of HOST id. The
datapath then assumes that this needs to be xmitted to the given device
from tc layer instead of pushing traffic up the local stack as the case
with HOST id traffic. Then, if such device is f.e. a dummy dev, such traffic
is being blackholed.

We tested that changing scope to global for such address would make traffic
flow working, so the culprit really is in listLocalAddresses()'s logic
which unconditionally skips all addr.Scope == int(netlink.SCOPE_LINK).

Allow to customize this, given the kernel also allows many other scope
values. The agent gets a new --local-max-addr-scope param for this so
that e.g. link local scope can be included via `--local-max-addr-scope=253`
or via `--local-max-addr-scope=link`. To preserve the default, it's still
excluded.

Example, default:

  # ./daemon/cilium-agent --identity-allocation-mode=crd \
  --enable-ipv6=true --enable-ipv4=true --disable-envoy-version-check=true \
  --tunnel=disabled --k8s-kubeconfig-path=$HOME/.kube/config \
  --kube-proxy-replacement=strict --enable-l7-proxy=false \
  --auto-direct-node-routes=true --enable-bandwidth-manager=true \
  --ipv4-native-routing-cidr=10.91.0.0/16 --ipv6-native-routing-cidr=f00d::a5b:0:0:0/96 \
  --enable-ipv4-masquerade=false --enable-ipv6-masquerade=false

  root@zh-lab-node-1:~/go/src/github.com/cilium/cilium# ./cilium/cilium bpf ipcache list | grep "ident... (continued)

47212 of 138004 relevant lines covered (34.21%)

2096.14 hits per line

Source Files on job 40861.2