WG tunneling #29000
Merged
Conversation
brb added the kind/enhancement, release-note/minor and area/encryption labels, Nov 6, 2023.
/test
/test
So that a src security ID can be transferred to a remote node (e.g., for netpol checks).

This commit changes a pkt path when WireGuard + tunneling are enabled AND the newly introduced --wireguard-encapsulate is set.

Previously, we had the following:

    ┌──────┐ 1.           ┌──────┐ 4.
    │ lxc0 ├──────────────► eth0 ├──────►
    └──────┘              └─┬───▲┘
                            │   │
                            │   │
                          2.│   │ 3.
                            │   │
    ┌───────────────┐   ┌───▼───┴────┐
    │ cilium_vxlan  │   │cilium_wg0  │
    └───────────────┘   └────────────┘

With this change:

      ┌──────┐             ┌──────┐
      │ lxc0 │   ┌─────────► eth0 ├─────►
      └───┬──┘   │         └─┬───▲┘  5.
          │      │           │   │
          │      │           │   │
        1.│    2.│        3. │   │ 4.
          │      │           │   │
    ┌─────▼──────┴──┐    ┌───▼───┴────┐
    │ cilium_vxlan  │    │cilium_wg0  │
    └───────────────┘    └────────────┘

A side effect of this change is that host-to-remote-pod traffic is going to be encrypted (previously it was not).

The change was first made available in v1.14 [1] (controlled w/ --wireguard-encapsulate, which defaults to false). To avoid breaking connections during an upgrade from v1.14 to v1.15 (due to missing node IPs within allowed-ips), in v1.14 we populate those IPs regardless of whether the feature is enabled.

[1]: #28917

Signed-off-by: Martynas Pumputis <m@lambda.lt>
/ci-e2e
brb added a commit to cilium/cilium-cli that referenced this pull request, Nov 6, 2023:

It's going to be enabled on Cilium >= 1.15 [1].

[1]: cilium/cilium#29000

Signed-off-by: Martynas Pumputis <m@lambda.lt>
/test
/test
pchaigno pushed a commit to cilium/cilium-cli that referenced this pull request, Nov 6, 2023 (same commit message as above).
To include the encryption suite changes [1] [2]

[1]: cilium/cilium-cli#2055
[2]: cilium/cilium-cli#2089

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Previously, the strict encrypt check [1] was running in bpf_overlay (in addition to bpf_host). That particular check was assuming that no pod-to-pod unencrypted packet should be seen by bpf_overlay. However, after the previous commit it's no longer the case. So, remove the check, and only keep the one in bpf_host.

A nice side-effect of the previous commit is that for WG+tunnel we automatically enforce the strict mode w/o relying on strict_allow(). I.e., any tunnel encaped traffic is going to be dropped until cilium-agent has propagated destination node's IP addr into WG's allowed-ips list for that node.

This commit also drops the WG strict mode test case for tunneling, as the test configuration is no longer applicable, and the test is going to be migrated to the CLI connectivity suite.

[1]: #21856

Signed-off-by: Martynas Pumputis <m@lambda.lt>
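The drop-until-propagated behaviour the commit message above relies on is WireGuard's cryptokey routing: an outgoing packet whose destination matches no peer's allowed-ips has no key to be encrypted with and is discarded rather than sent in the clear. The Go program below is an added illustration for this thread, not Cilium code; the peer names, pod CIDRs and node IPs are constructed sample data, and Route, Lookup, PodCIDROnlyPeers and WithNodeIPs are hypothetical helpers written for the example. It shows why an encapsulated packet (outer destination = remote node IP) is dropped while only pod CIDRs are listed, and why populating node IPs in v1.14 matters for the upgrade path.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Peer is one WireGuard peer as cilium-agent would configure it on cilium_wg0.
// Added illustration for this thread, not Cilium code; all names and
// addresses used below are constructed sample data.
type Peer struct {
	Name       string // remote node name
	AllowedIPs []netip.Prefix
}

// Route is WireGuard's cryptokey-routing decision for an outgoing packet:
// the destination is matched against every peer's AllowedIPs and the longest
// matching prefix wins. A destination that matches no peer has no key to be
// encrypted with, so WireGuard drops the packet instead of sending it in the
// clear. This is what makes WG+tunnel fail closed in the commit above.
func Route(peers []Peer, dst netip.Addr) (*Peer, bool) {
	var best *Peer
	bestBits := -1
	for i := range peers {
		for _, pfx := range peers[i].AllowedIPs {
			if pfx.Contains(dst) && pfx.Bits() > bestBits {
				best, bestBits = &peers[i], pfx.Bits()
			}
		}
	}
	return best, best != nil
}

// Lookup is Route on a textual destination, returning the chosen peer's name.
func Lookup(peers []Peer, dst string) (string, bool) {
	p, ok := Route(peers, netip.MustParseAddr(dst))
	if !ok {
		return "", false
	}
	return p.Name, true
}

// PodCIDROnlyPeers models the allowed-ips that sufficed before this change:
// pod-to-pod packets reached cilium_wg0 unencapsulated, with a pod IP as
// destination, so listing each remote node's pod CIDR was enough.
func PodCIDROnlyPeers() []Peer {
	return []Peer{
		{Name: "node-b", AllowedIPs: []netip.Prefix{netip.MustParsePrefix("10.0.1.0/24")}},
		{Name: "node-c", AllowedIPs: []netip.Prefix{netip.MustParsePrefix("10.0.2.0/24")}},
	}
}

// WithNodeIPs returns a copy of peers with each remote node's own IP added as
// a host prefix. After encapsulation the outer destination is the remote
// node IP, so without this entry the encapsulated packet matches no peer.
func WithNodeIPs(peers []Peer, nodeIPs map[string]string) []Peer {
	out := make([]Peer, len(peers))
	for i, p := range peers {
		out[i] = Peer{Name: p.Name, AllowedIPs: append([]netip.Prefix(nil), p.AllowedIPs...)}
		if ipStr, ok := nodeIPs[p.Name]; ok {
			ip := netip.MustParseAddr(ipStr)
			out[i].AllowedIPs = append(out[i].AllowedIPs, netip.PrefixFrom(ip, ip.BitLen()))
		}
	}
	return out
}

func main() {
	podOnB, nodeB := "10.0.1.7", "192.168.1.20" // inner pod dst vs outer VXLAN dst
	before := PodCIDROnlyPeers()
	after := WithNodeIPs(before, map[string]string{"node-b": "192.168.1.20", "node-c": "192.168.1.30"})

	cases := []struct {
		label string
		peers []Peer
		dst   string
	}{
		{"unencapsulated pod-to-pod", before, podOnB},
		{"encapsulated, node IP not yet in allowed-ips", before, nodeB},
		{"encapsulated, node IP propagated", after, nodeB},
	}
	for _, c := range cases {
		if name, ok := Lookup(c.peers, c.dst); ok {
			fmt.Printf("%-46s dst %-13s -> encrypt to %s\n", c.label, c.dst, name)
		} else {
			fmt.Printf("%-46s dst %-13s -> DROP, no peer\n", c.label, c.dst)
		}
	}
}
```

Running it prints the pod-to-pod packet routed to node-b, the encapsulated packet dropped while only pod CIDRs are listed, and the same encapsulated packet routed to node-b once the node IP /32 is present. The longest-prefix rule also shows why a node IP must be added per peer: a broader prefix on another peer would otherwise silently claim it.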
/test
3u13r added a commit to edgelesssys/cilium that referenced this pull request, Jan 18, 2024:

Since cilium#29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account.

This fixes a performance regression. Before this commit, the iperf3 bandwidth of WireGuard-encrypted pod-to-pod traffic was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
3u13r added a commit to edgelesssys/cilium that referenced this pull request, Jan 18, 2024 (same commit message as above, with a "Fixes: b67291f" trailer added).
3u13r added a commit to edgelesssys/cilium that referenced this pull request, Jan 18, 2024 (same message).
3u13r added a commit to edgelesssys/cilium that referenced this pull request, Jan 23, 2024 (same message).
burgerdev pushed a commit to edgelesssys/cilium that referenced this pull request, Jan 24, 2024 (same message).
burgerdev pushed a commit to edgelesssys/cilium that referenced this pull request, Jan 24, 2024 (same message).
burgerdev pushed a commit to edgelesssys/cilium that referenced this pull request, Jan 24, 2024 (same message).
github-merge-queue bot pushed a commit that referenced this pull request, Jan 30, 2024:

Since #29000 packets are always encapsulated before they are encrypted with WireGuard. Therefore, we also need to take the tunnel overhead for the route MTU into account.

This fixes a performance regression. Before this commit, the iperf3 bandwidth of WireGuard-encrypted pod-to-pod traffic was ~102 Mbits/sec. With this patch the bandwidth increases to 656 Mbits/sec. Without encryption the bandwidth is ~2 Gbits/sec.

Fixes: b67291f

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
joamaki pushed a commit that referenced this pull request, Jan 30, 2024 ([ upstream commit 44c3dd0 ]; same commit message as above, additionally Signed-off-by: Jussi Maki <jussi@isovalent.com>).
aanm pushed a commit that referenced this pull request, Jan 31, 2024 ([ upstream commit 44c3dd0 ]; same message).
joamaki pushed a commit that referenced this pull request, Jan 31, 2024 ([ upstream commit 44c3dd0 ]; same message).
joamaki pushed a commit that referenced this pull request, Jan 31, 2024 ([ upstream commit 44c3dd0 ]; same message).
joamaki pushed a commit that referenced this pull request, Feb 7, 2024 ([ upstream commit 44c3dd0 ]; same message).
julianwiedmann added a commit to julianwiedmann/cilium that referenced this pull request, Mar 1, 2024:

cilium#29000 changed how we mix WireGuard with VXLAN / Geneve tunneling. Reflect this in the docs.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request, Mar 4, 2024 (same docs commit message as above, referencing #29000).
pippolo84 pushed a commit to pippolo84/cilium that referenced this pull request, Mar 5, 2024 ([ upstream commit f604ce2 ]; same docs commit message as above, additionally Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>).
Adding backport-label to account for #28917.
julianwiedmann added the backport-done/1.14 label, Mar 6, 2024.
sayboras pushed a commit that referenced this pull request, Jun 10, 2024 ([ upstream commit 44c3dd0 ]; same MTU commit message as above, additionally Signed-off-by: Jussi Maki <jussi@isovalent.com> and Michi Mutsuzaki <michi@isovalent.com>).
michi-covalent pushed a commit that referenced this pull request, Jul 16, 2024:

It's going to be enabled on Cilium >= 1.15 [1].

[1]: #29000

Signed-off-by: Martynas Pumputis <m@lambda.lt>
michi-covalent pushed a commit that referenced this pull request, Aug 5, 2024:

[ cherry-picked from cilium/cilium-cli repository ]

It's going to be enabled on Cilium >= 1.15 [1].

[1]: #29000

Signed-off-by: Martynas Pumputis <m@lambda.lt>

github-merge-queue bot pushed a commit that referenced this pull request, Aug 16, 2024 (same cherry-picked commit message as above).
Labels
area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.
backport-done/1.14: The backport for Cilium 1.14.x for this PR is done.
feature/wireguard: Relates to Cilium's Wireguard feature
kind/enhancement: This would improve or streamline existing functionality.
release-note/minor: This PR changes functionality that users may find relevant to operating Cilium.
Forward port of #28917 (minus the optional flag and the strict mode removal).