cilium: chaining mode skb->mark can be mangled by iptables allow opt-out by jrfastab · Pull Request #12185 · cilium/cilium

jrfastab · 2020-06-18T16:24:38Z

The skb->mark field may not reliable in chaining modes because the host
stack may have conflicting users of the mark field. For example in one
case we observe a set mark rule 'MARK and 0xfff1ffff' which mangles the
identity stored in skb->mark. If Cilium user also has ingress policy
logic the identity is no longer correct. This likely will result in policy
denied hits,

-> stack flow 0xa0688256 identity 54898->7179 state established ifindex 0 orig-ip 0.0.0.0: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN
xx drop (Policy denied) flow 0xa0688256 to endpoint 149, identity 54897->7179: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN

To fix this create a flag EnableIdentityMark to allow setting the identity.
In cases that have conflicting mark values this can then be disabled. The
trace on ingress will no longer have a listed identity but because when
'identity < UNMANAGED' we do the lookup using the src ip and policy will
work correctly.

Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack")
Signed-off-by: John Fastabend [email protected]

maintainer-s-little-helper · 2020-06-18T16:24:40Z

Please set the appropriate release note label.

jrfastab · 2020-06-18T17:26:04Z

test-me-please

jrfastab · 2020-06-18T17:27:22Z

fixes #12136

aanm · 2020-06-18T17:32:49Z

install/kubernetes/cilium/charts/config/templates/configmap.yaml

I think this needs to be:

{{- if hasKey .Values "enableIdentityMap" }} enable-identity-map: {{ .Values.enableIdentityMap | quote }} {{- else if (ne $enableIdentityMap "true") }} enable-identity-map: "false" {{- end }}

and on top of this file:

... {{- /* Default values when 1.8 was initially deployed */ -}} ... {{- $enableIdentityMap = "true" -}}

aanm · 2020-06-18T17:33:23Z

install/kubernetes/cilium/values.yaml

this should be in the cilium/charts/config/values.yaml like the other flags are

The skb->mark field may not reliable in chaining modes because the host stack may have conflicting users of the mark field. For example in one case we observe a set mark rule 'MARK and 0xfff1ffff' which mangles the identity stored in skb->mark. If Cilium user also has ingress policy logic the identity is no longer correct. This likely will result in policy denied hits, -> stack flow 0xa0688256 identity 54898->7179 state established ifindex 0 orig-ip 0.0.0.0: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN xx drop (Policy denied) flow 0xa0688256 to endpoint 149, identity 54897->7179: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN To fix this create a flag EnableIdentityMark to allow setting the identity. In cases that have conflicting mark values this can then be disabled. The trace on ingress will no longer have a listed identity but because when 'identity < UNMANAGED' we do the lookup using the src ip and policy will work correctly. Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack") Signed-off-by: John Fastabend <[email protected]>

jrfastab · 2020-06-18T19:13:00Z

test-me-please

joestringer · 2020-06-18T19:21:16Z

install/kubernetes/cilium/charts/config/values.yaml

+# enables passing identity on local routes by using the mark fields. However,
+# in cases where this conflicts with a chained CNI plugin it may be disabled.
+#enableIdentityMark: true


I don't see the corresponding chaining docs changes for this, did you intend to add them here?

We should set it in the Calico guide

joestringer · 2020-06-18T19:22:11Z

install/kubernetes/cilium/charts/config/templates/configmap.yaml

+{{- if hasKey .Values "enableIdentityMap"}}
+  enable-identity-map: {{ .Values.global.enableIdentityMap | quote }}
+{{- else if (ne $enableIdentityMap "true") }}
+  enable-identity-map: "false"
+{{- end }}


@tgraf has the freshest understanding of exactly how to format these options, would be good to get a quick look from him whether it's actually matching our latest approach.

tgraf · 2020-06-18T21:22:06Z

install/kubernetes/cilium/charts/config/values.yaml

+# enables passing identity on local routes by using the mark fields. However,
+# in cases where this conflicts with a chained CNI plugin it may be disabled.
+#enableIdentityMark: true


We should set it in the Calico guide

vadorovsky · 2020-07-08T07:38:56Z

install/kubernetes/cilium/charts/config/templates/configmap.yaml

  cni-chaining-mode: {{ .Values.global.cni.chainingMode }}

+{{- if hasKey .Values "enableIdentityMap"}}
+  enable-identity-map: {{ .Values.global.enableIdentityMap | quote }}


Don't we have a mismatch here? The new argument in the daemon is enable-identity-mark, but here we define enable-identity-map. Shouldn't we do s/map/mark/ in helm charts?

Am I missing something here?

I noticed that when backporting to 1.7.

Ah, sorry, it got fixed here #12194

…ENTITY For environments where option.EnableIdentityMark is not set (and thus from-container doesn't set the source identity in the skb->mark), we shouldn't attempt to retrieve the identity. Which leaves the question whether all the *other* use of skb->mark in this program is safe. Or all those features are simply incompatible with running in a CNI-chained environment, where skb->mark is not owned by Cilium (see cilium#12185). Signed-off-by: Julian Wiedmann <[email protected]>

When AWS-CNI is in control of orchestrating the connectivity on the node, we shouldn't assume that usage of skb->mark for Cilium is safe. #12185 introduced the `--enable-identity-mark` option for this scenario, so that Cilium doesn't use the skb->mark for identity propagation. Set this flag in the AWS-CNI workflow accordingly. Signed-off-by: Julian Wiedmann <[email protected]>

…ENTITY For environments where option.EnableIdentityMark is not set (and thus from-container doesn't set the source identity in the skb->mark), we shouldn't attempt to retrieve the identity. Which leaves the question whether all the *other* use of skb->mark in this program is safe. Or all those features are simply incompatible with running in a CNI-chained environment, where skb->mark is not owned by Cilium (see #12185). Signed-off-by: Julian Wiedmann <[email protected]>

When AWS-CNI is in control of orchestrating the connectivity on the node, we shouldn't assume that usage of skb->mark for Cilium is safe. #12185 introduced the `--enable-identity-mark` option for this scenario, so that Cilium doesn't use the skb->mark for identity propagation. Set this flag in the AWS-CNI workflow accordingly. Signed-off-by: Julian Wiedmann <[email protected]>

…ENTITY [ upstream commit 2566ce2 ] For environments where option.EnableIdentityMark is not set (and thus from-container doesn't set the source identity in the skb->mark), we shouldn't attempt to retrieve the identity. Which leaves the question whether all the *other* use of skb->mark in this program is safe. Or all those features are simply incompatible with running in a CNI-chained environment, where skb->mark is not owned by Cilium (see #12185). Signed-off-by: Julian Wiedmann <[email protected]>

[ upstream commit c73b5f0 ] When AWS-CNI is in control of orchestrating the connectivity on the node, we shouldn't assume that usage of skb->mark for Cilium is safe. #12185 introduced the `--enable-identity-mark` option for this scenario, so that Cilium doesn't use the skb->mark for identity propagation. Set this flag in the AWS-CNI workflow accordingly. Signed-off-by: Julian Wiedmann <[email protected]>