Description
Is there an existing issue for this?
- I have searched the existing issues
Version
equal or higher than v1.17.0 and lower than v1.18.0
What happened?
Hubble export allow/deny list parsing regressed in #35596 when moving export to a hive cell due to how hive cells handle flags.StringSlices. Similar to #35619.
The root of the issue is hive will parse string slice flags using , as the delimiter whereas the previous behavior was it was separated by whitespace.
This will need to be fixed in main and backported to v1.17 too.
How can we reproduce the issue?
You can test with the following options set:
hubble:
  export:
    static:
      enabled: true
      denyList: |-
        {"verdict":["DROPPED"],"event_type":[{"type":1,"match_sub_type":true,"sub_type":139}]}
        {"reply":[true],"event_type":[{"type":4}]}
        {"source_label":["reserved:health"]}
        {"destination_label":["reserved:health"]}
        {"source_label":["k8s:k8s-app=kube-dns"],"event_type":[{"type":4}]}
        {"destination_label":["k8s:k8s-app=kube-dns"],"event_type":[{"type":4}]}
        {"dns_query":[".*\\.local\\.$",".*\\.internal\\.$"]}
And you will get the following error:
time="2025-01-24T00:34:47.222609042Z" level=fatal msg="failed to start: could not build arguments for function \"github.com/cilium/cilium/daemon/cmd\".configureAPIServer (/go/src/github.com/cilium/cilium/daemon/cmd/cells.go:320): failed to build *server.Server: could not build arguments for function \"github.com/cilium/cilium/api/v1/server\".newForCell (/go/src/github.com/cilium/cilium/api/v1/server/server.go:201): failed to build *restapi.CiliumAPIAPI: could not build arguments for function \"github.com/cilium/cilium/api/v1/server\".newAPI (/go/src/github.com/cilium/cilium/api/v1/server/server.go:122): failed to build endpoint.DeleteEndpointHandler: could not build arguments for function \"github.com/cilium/cilium/daemon/cmd\".ciliumAPIHandlers (/go/src/github.com/cilium/cilium/daemon/cmd/api_handlers.go:85): failed to build promise.Promise[*github.com/cilium/cilium/daemon/cmd.Daemon]: could not build arguments for function \"github.com/cilium/cilium/daemon/cmd\".newDaemonPromise (/go/src/github.com/cilium/cilium/daemon/cmd/daemon_main.go:1632): failed to build hubblecell.HubbleIntegration: could not build arguments for function \"github.com/cilium/cilium/pkg/hubble/cell\".newHubbleIntegration (/go/src/github.com/cilium/cilium/pkg/hubble/cell/cell.go:83): could not build value group exporter.FlowLogExporter[group=\"hubble-flow-log-exporters\"]: could not build arguments for function \"github.com/cilium/cilium/pkg/hubble/exporter/cell\".NewHubbleStaticExporter (/go/src/github.com/cilium/cilium/pkg/hubble/exporter/cell/cell.go:101): failed to build exportercell.validatedConfig: could not build arguments for function \"github.com/cilium/cilium/pkg/hubble/exporter/cell\".NewValidatedConfig (/go/src/github.com/cilium/cilium/pkg/hubble/exporter/cell/cell.go:94): failed to build exportercell.config: received non-nil error from function \"github.com/cilium/hive/cell\".(*config[...].func2 (/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/cell/config.go:63): 
failed to unmarshal config struct exportercell.config: 1 error(s) decoding:\n\n* error decoding 'hubble-export-denylist': failed to decode flow filter '{\"verdict\":[\"DROPPED\"]': unexpected EOF.\nHint: field 'FooBar' matches flag 'foo-bar', or use tag `mapstructure:\"flag-name\"` to match field with flag" subsys=daemon
Cilium Version
main/v1.17
Kernel Version
Linux lima-docker 5.15.0-130-generic #140-Ubuntu SMP Wed Dec 18 17:59:36 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Kubernetes Version
Server Version: v1.32.0
Regression
Yes. 1.16.x and earlier is not impacted.
Anything else?
We can fix it by switching away from a StringSlice flag and parsing the values into a list ourselves I think: #36371.
I'm not entirely sure though because JSON can have whitespace, so I'm not sure we can naively break it on spaces.
Code of Conduct
- I agree to follow this project's Code of Conduct
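
The failure mode reported in this issue, next to one delimiter-free way to read the list, as an added example that is not part of the original issue and not Cilium's code. `splitOnComma` and `parseFilters` are hypothetical names, and the sample input is constructed from the first two denyList entries above, with whitespace added inside the second.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample: two filters from the issue's denyList, newline-separated,
// with whitespace added inside the second one.
const denyList = `{"verdict":["DROPPED"],"event_type":[{"type":1,"match_sub_type":true,"sub_type":139}]}
{"reply": [true], "event_type": [{"type": 4}]}`

// splitOnComma mimics a comma-delimited string-slice flag: every piece is later
// treated as one JSON filter, so any filter containing a comma is cut short.
func splitOnComma(v string) []string { return strings.Split(v, ",") }

// parseFilters (hypothetical helper) stream-decodes concatenated JSON values.
// The decoder finds value boundaries itself, so commas and whitespace inside a
// filter are harmless and any whitespace between filters is skipped.
func parseFilters(v string) ([]json.RawMessage, error) {
	dec := json.NewDecoder(strings.NewReader(v))
	var out []json.RawMessage
	for {
		var raw json.RawMessage
		err := dec.Decode(&raw)
		if errors.Is(err, io.EOF) {
			return out, nil // clean end of input
		}
		if err != nil { // includes io.ErrUnexpectedEOF for a truncated filter
			return nil, fmt.Errorf("filter %d: %w", len(out)+1, err)
		}
		out = append(out, raw)
	}
}

func main() {
	first := splitOnComma(denyList)[0]
	var probe map[string]interface{}
	fmt.Printf("comma split: %q -> %v\n", first, json.Unmarshal([]byte(first), &probe))
	filters, err := parseFilters(denyList)
	fmt.Println("stream decode:", len(filters), "filters, err =", err)
}
```
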