Add Strict Mode Ingress Encryption Support for Wireguard#39239
Add Strict Mode Ingress Encryption Support for Wireguard#39239joestringer merged 4 commits intomainfrom
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
rgo3
added
the
dont-merge/preview-only
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
7823c7a to
f8d79d5
Compare
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
f8d79d5 to
b3dce95
Compare
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
b3dce95 to
e060f66
Compare
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
e060f66 to
c76d6dc
Compare
rgo3
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
2 times, most recently
from
7d6171a to
6cead71
Compare
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
6cead71 to
495cf66
Compare
rgo3
changed the title
rgo3
changed the title
|
/ci-e2e-upgrade |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
495cf66 to
0060b99
Compare
|
/test |
rgo3
added
the
release-blocker/1.18
|
Realistically based on the current state of this PR, we should target this for v1.19. |
|
In my opinion the main issue isn't this PR but the related backport for 1.17: #39498. Is there precedent to add features that can't be enabled during the upgrade? If the backport wasn't required and we document that to enable this feature, users must first upgrade and only enable once they are on 1.18, there shouldn't be too much work left to get this in. Apart from review of course. |
|
I'd say as a general rule it's good practice to first upgrade and then in a separate step enable new functionality. I don't believe this that this guidance is provided in the current upgrade guide, but it seems like a reasonable addition to make. At this stage of the development cycle in order to get a PR into v1.18 on time, the development and review should be largely complete with a clear path to merging within days. The default is that everything must be in before feature freeze, then we'll branch off in 1-2 weeks and open the main branch back up. Between the relevant reviewers (cc @cilium/sig-encryption) and committers (cc @cilium/committers) we can decide to make an exception for crucial changes that have low risk and a clear path into the tree. |
rgo3
force-pushed
the
pr/rgo3/wg-strict-mode-ingress
branch
from
0060b99 to
c454bfc
Compare
rgo3
added
the
release-blocker/1.19
smagnani96
left a comment
smagnani96
left a comment
There was a problem hiding this comment.
Left a couple of comments.
I think we should document the behavior Traffic is Unencrypted after enabling this new feature. Or do we expect to have this feature enabled only when the counterpart egress is enabled too?
In addition, our CLI --no-unexpected-packet-drops checks in general if there are errors in the nodes. That means, running that CLI command in a cluster that has historical drop recorded (such as Traffic is Unencrypted) would always fail.
Where should this be documented?
AFAIK the CLI also has an option to ignore certain drop reasons, so unless you are witnessing ongoing drops, historical drop reasons can be ignored to get a successful test. |
|
/test |
smagnani96
left a comment
smagnani96
left a comment
There was a problem hiding this comment.
LGTM, and thanks also for upgrade doc mention 🙏🏼
I think we're good to go after a rebase, don't see anything else missing at the moment.
|
/test |
|
Removing Chris as |
|
I've made a very small change to how I set the decrypted mark in the first commit because I saw some strange failure on the I'm now using |
|
/ci-awscni |
1 similar comment
|
/ci-awscni |
Previously, the agent conditionally attached cil_from_wireguard based on NeedIngressOnWireGuardDevice(), which checked for native routing mode or tunnel mode with NodePort and encrypt-node enabled. Now, cil_from_wireguard is always compiled and attached unconditionally. The previous agent-side conditions are reflected in the datapath itself: in tunnel mode without NodePort + node encyrption, the program returns early after setting the decrypt mark. This ensures decrypted traffic is always marked while preserving the original behavior of not processing packets further when unnecessary. For environments where AWS-CNI might interfere with the use of the skb mark, we need to ensure that the marking of the packet can be turned of. See #38738 and related PRs for more details. For now we use `ENABLE_IDENTITY_MARK` to guard writing to the mark, as a follow-up we might want to introduce something more generic. Signed-off-by: Robin Gögge <[email protected]>
|
/test |
This commits adds a feature that lets users drop any pod-to-pod traffic that hasn't been encrypted. It can be enabled by setting --enable-encryption-strict-mode-ingress, or the respective helm value. For now, this feature will only be available when Wireguard and tunneling are enabled as well. This new strict ingress encryption mode is unrelated to the already existing strict mode encryption feature. To avoid any confusion, the next commit will deprecate the exisiting feature flags and helm values for the strict mode encryption and rename them to have a distinct separation between ingress and egress strict mode encryption. Signed-off-by: Robin Gögge <[email protected]>
This commit renames the encryption strict mode options to be more explicit about their egress context: CLI flags: - `--enable-encryption-strict-mode` → `--enable-encryption-strict-mode-egress` - `--encryption-strict-mode-cidr` → `--encryption-strict-egress-cidr` - `--encryption-strict-mode-allow-remote-node-identities` → `--encryption-strict-egress-allow-remote-node-identities` Helm options: - `encryption.strictMode.enabled` → `encryption.strictMode.egress.enabled` - `encryption.strictMode.cidr` → `encryption.strictMode.egress.cidr` - `encryption.strictMode.allowRemoteNodeIdentities` → `encryption.strictMode.egress.allowRemoteNodeIdentities` The old options are deprecated and will be removed in Cilium 1.20. The new names better reflect that these options only apply to egress traffic. Signed-off-by: Robin Gögge <[email protected]>
Signed-off-by: Robin Gögge <[email protected]>
|
/test |
|
@cilium/cli (@asauber) PTAL 🙏 |
tommyp1ckles
left a comment
tommyp1ckles
left a comment
There was a problem hiding this comment.
looks good for @cilium/cli
julianwiedmann
left a comment
julianwiedmann
left a comment
There was a problem hiding this comment.
Just two small drive-by comments (sorry for not spotting this earlier)
12 participants
This PR adds strict mode ingress encryption support in Cilium, enabling users to drop unencrypted pod-to-pod traffic when using WireGuard with tunneling. It also renames existing strict mode options to be egress-specific and updates CI configurations to test the new feature.
Please see the individual commit and respective messages for more details. Any deprecated options will be removed in Cilium 1.20.