cilium-cli: Add strict-mode-test v2#38566
Merged: julianwiedmann merged 1 commit into cilium:main (Apr 2, 2025)
joamaki approved these changes (Apr 1, 2025)
smagnani96 approved these changes (Apr 1, 2025)

smagnani96 (Contributor) left a comment:
LGTM, left a couple of nits.
Thanks Fabio!
Commit message:

The `strict-mode-test` verifies that in WireGuard strict mode, no unencrypted pod-to-pod traffic is leaked. To do that, it temporarily removes all the ipcache entries related to the echo pods' IP. Doing so, the pod IP is assigned the "world" identity and, since no encryption key can be found, this leads to unencrypted traffic being sent, which is dropped as expected.

Since v1.18, besides the pod IPs, the ipcache BPF map now stores the pod CIDRs too. Thus, removing just the IP is not enough to have a pod without an associated encryption key in the ipcache: the key can still be found from the pod CIDR entry and all the traffic from the client pods to the echo pods is encrypted.

Despite this, the test still passes (somehow accidentally), because the reply traffic from the echo pod is now dropped. Since only pod CIDRs from remote nodes are inserted into the ipcache, no entry is found for the local endpoint on the remote agent, thus the egress reply traffic from that endpoint is leaked.

To restore the test as was originally intended, the commit adds a new version that removes the ipcache pod CIDR entries too. To do that it relies on the `cilium-dbg bpf ipcache match` command to find the pod CIDRs with an exact match and restore them at the end of the test.

Signed-off-by: Fabio Falzoi <[email protected]>
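To illustrate why deleting only the echo pod's /32 no longer leaves the pod without a key, here is an added Go model of the ipcache longest-prefix lookup (example code, not Cilium's implementation and not part of this PR). The pod IP, the pod CIDR and the key indices are constructed values; the model shows that the key is still found through the covering CIDR entry until that entry is removed too, and that the removed entries are kept so the test can restore them afterwards.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPCache models the BPF ipcache map (added example, not Cilium's code): prefix -> node encryption key index, 0 = no key.
type IPCache map[netip.Prefix]uint8

// HasEncryptKey does the datapath's longest-prefix match for ip and reports whether
// the winning entry, if any, still carries an encryption key.
func (c IPCache) HasEncryptKey(ip netip.Addr) bool {
	var best netip.Prefix // zero value is invalid, so best.Bits() starts at -1
	var key uint8
	for p, k := range c {
		if p.Contains(ip) && p.Bits() > best.Bits() {
			best, key = p, k
		}
	}
	return best.IsValid() && key != 0
}

// RemoveCovering deletes every prefix covering ip (its /32 and any pod CIDR) and
// returns the removed entries so the test can write them back when it finishes.
func (c IPCache) RemoveCovering(ip netip.Addr) map[netip.Prefix]uint8 {
	removed := map[netip.Prefix]uint8{}
	for p, k := range c {
		if p.Contains(ip) {
			removed[p] = k
			delete(c, p)
		}
	}
	return removed
}

func main() {
	echo := netip.MustParseAddr("10.0.1.5") // constructed echo pod IP
	c := IPCache{
		netip.MustParsePrefix("10.0.1.5/32"): 1, // pod IP entry
		netip.MustParsePrefix("10.0.1.0/24"): 1, // remote node's pod CIDR entry
	}
	delete(c, netip.MustParsePrefix("10.0.1.5/32"))
	fmt.Println("key still found via pod CIDR:", c.HasEncryptKey(echo)) // true
	saved := c.RemoveCovering(echo)
	fmt.Println("key found after removing CIDR too:", c.HasEncryptKey(echo)) // false
	for p, k := range saved {
		c[p] = k // restore the entries, as the test does at the end
	}
}
```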
christarazi approved these changes (Apr 1, 2025)
Example run: https://github.com/cilium/cilium/actions/runs/14173035345
Related: #38483
Blocked by: #38483 and #38579