Policy: Add TLS SNI support #22398
Conversation
/test
Cool stuff!
I would really like to see new rule validation logic unit tested, other comments are nitpicks.
Force-pushed from 1c660ba to 8aca627
@nebril Added the unit tests :-)
Force-pushed from 8aca627 to 2adaf9c
/test
Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed.
If it is a flake and a GitHub issue doesn't already exist to track it, comment
Small nits.
Runtime test hit an unrelated flake: #22470
test-1.24-5.4 failed due to an error in Cilium agent logs. Issued PR #22474 to fix that.
Force-pushed from 2adaf9c to e361b63
/test
/test-runtime
/ci-external-workloads
Use Envoy image with Cilium TLS wrapper fallback to non-TLS socket when policy has no TLS context. This allows SNI policies to work without TLS termination and/or origination. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add a list of allowed server names (TLS SNI) to L4 policy. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Force-pushed from e361b63 to 564825e
Rebased due to CRD schema version bump on master.
/test
Job 'Cilium-PR-K8s-1.25-kernel-4.19' hit: #22019 (94.82% similarity)
If you click on Pipeline Steps from that job, then scroll down until you see the red icon with an exclamation mark, click the console icon next to it, then check the provisioning failure, there is some apt failures there too. I think that Ubuntu had an outage around the time you kicked off CI for this PR.
/test-1.16-4.9 |
Both failures on required checks are known flakes:
Empty PerSelectorPolicy can not have any SNIs. Modify existing unit test to have a case with SNI without any L7 rules that would have caught this error. Fixes: cilium#22398 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add new serverNames field to Cilium Network Policy to restrict the allowed TLS SNIs. This is implemented as an Envoy redirect, but does not need TLS termination, as the TLS SNI extension is in the clear in the Client Hello message. As a follow-up, a test case will be added to https://github.com/cilium/cilium-cli
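As an added example (not code from this PR or from the Cilium project), the Go program below demonstrates the property the description relies on: the server_name extension sits in the plaintext ClientHello, so a proxy can read it and compare it with a policy's list of allowed server names without terminating or originating TLS. It generates a ClientHello locally with Go's crypto/tls over an in-memory pipe (constructed input, not a network capture), parses the SNI out of the raw record bytes by hand, and checks it against an allow list. The Allowed function, its exact case-insensitive match, and the choice that a ClientHello carrying no SNI (for example one whose ServerName is an IP literal, which Go omits from the hello) never matches are assumptions of this example, not the semantics of Cilium's serverNames field.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"io"
	"net"
	"strings"
	"time"
)

var errMalformed = errors.New("malformed ClientHello record")

// CaptureClientHello drives a real crypto/tls client against one end of an in-memory
// pipe and returns its first record, the ClientHello. The handshake never completes:
// this is constructed test input, not a network capture.
func CaptureClientHello(serverName string) ([]byte, error) {
	clientEnd, serverEnd := net.Pipe()
	defer serverEnd.Close() // aborts the client's handshake once we have the hello
	go func() {
		cfg := &tls.Config{ServerName: serverName, InsecureSkipVerify: true}
		_ = tls.Client(clientEnd, cfg).Handshake()
		clientEnd.Close()
	}()
	_ = serverEnd.SetReadDeadline(time.Now().Add(5 * time.Second))
	hdr := make([]byte, 5) // content_type(1) version(2) length(2)
	if _, err := io.ReadFull(serverEnd, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(serverEnd, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

// vec pops one length-prefixed vector (lenBytes big-endian length bytes) off *p.
func vec(p *[]byte, lenBytes int) ([]byte, bool) {
	n := 0
	for i := 0; i < lenBytes && i < len(*p); i++ {
		n = n<<8 | int((*p)[i])
	}
	if len(*p) < lenBytes+n { // also catches a buffer shorter than the length field
		return nil, false
	}
	v := (*p)[lenBytes : lenBytes+n]
	*p = (*p)[lenBytes+n:]
	return v, true
}

// ExtractSNI returns the host_name from the server_name extension of a ClientHello
// record, or "" if the client sent none. Nothing is decrypted: every field walked
// here is plaintext on the wire (RFC 8446 section 4.1.2, RFC 6066 section 3).
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 6 || rec[0] != 0x16 || rec[5] != 0x01 { // handshake record, client_hello
		return "", errMalformed
	}
	p := rec[6:]
	hs, ok := vec(&p, 3)
	if !ok || len(hs) < 34 {
		return "", errMalformed
	}
	hs = hs[34:]            // legacy_version(2) + random(32)
	_, okSID := vec(&hs, 1) // legacy_session_id
	_, okCS := vec(&hs, 2)  // cipher_suites
	_, okCM := vec(&hs, 1)  // legacy_compression_methods
	exts, okExt := vec(&hs, 2)
	if !okSID || !okCS || !okCM || !okExt {
		return "", errMalformed
	}
	for len(exts) >= 2 {
		typ := binary.BigEndian.Uint16(exts)
		exts = exts[2:]
		data, ok := vec(&exts, 2)
		if !ok {
			return "", errMalformed
		}
		if typ != 0 { // extension type 0 is server_name
			continue
		}
		// ServerNameList: list_len(2) { name_type(1)=0 (host_name), name_len(2), name }
		if list, ok := vec(&data, 2); ok && len(list) > 0 && list[0] == 0 {
			list = list[1:]
			if host, ok := vec(&list, 2); ok {
				return string(host), nil
			}
		}
		return "", errMalformed
	}
	return "", nil
}

// Allowed is this example's stand-in for the policy decision (an assumption, not
// Cilium's semantics): exact case-insensitive match, and a hello with no SNI never matches.
func Allowed(sni string, serverNames []string) bool {
	for _, n := range serverNames {
		if sni != "" && strings.EqualFold(n, sni) {
			return true
		}
	}
	return false
}
```

Calling CaptureClientHello("api.example.com") and feeding the result to ExtractSNI yields "api.example.com", which Allowed accepts against an allow list containing that name; the same client configured with ServerName "10.0.0.1" sends no server_name extension, ExtractSNI returns "", and the allow-list check denies it. Only the record and handshake framing is inspected, which is exactly why an SNI policy can be enforced at a redirect without any TLS context.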