Merge pull request from GHSA-g8fc-vrcg-8vjg

* helm: firewall pods

* helm: bump cilium chart version

---------

Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
Markus Rudy 2024-04-10 13:48:32 +02:00 committed by GitHub
parent 6e31223ff9
commit 550798279a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 79 additions and 5 deletions


@ -2,8 +2,8 @@ apiVersion: v2
name: cilium name: cilium
displayName: Cilium displayName: Cilium
home: https://cilium.io/ home: https://cilium.io/
version: 1.15.0-pre.3-edg.2 version: 1.15.0-pre.3-edg.3
appVersion: 1.15.0-pre.3-edg.2 appVersion: 1.15.0-pre.3-edg.3
kubeVersion: ">= 1.16.0-0" kubeVersion: ">= 1.16.0-0"
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
description: eBPF-based Networking, Security, and Observability description: eBPF-based Networking, Security, and Observability


@ -715,6 +715,37 @@ spec:
- name: cni-path - name: cni-path
mountPath: /host/opt/cni/bin mountPath: /host/opt/cni/bin
{{- end }} # .Values.cni.install {{- end }} # .Values.cni.install
- name: firewall-pods
image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -exc
- |
pref=32
interface=$(ip route | awk '/^default/ { print $5 }')
tc qdisc add dev "${interface}" clsact || true
tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
handle=0
for cidr in ${POD_CIDRS}; do
handle=$((handle + 1))
tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
done
env:
- name: POD_CIDRS
valueFrom:
configMapKeyRef:
key: encryption-strict-mode-pod-cidrs
name: cilium-config
optional: true
resources:
requests:
cpu: 100m
memory: 20Mi
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Always restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
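Review bot: The `interface=$(ip route | awk '/^default/ { print $5 }')` line produces a multi-word value when the node has more than one default route and an empty value when it has none; in both cases the quoted `"${interface}"` makes the following `tc` calls fail under `-e`, and nothing records which outcome is intended, so I would use `interface=$(ip route | awk '/^default/ { print $5; exit }')` followed by `[ -n "${interface}" ]` to make the failure mode explicit. With `optional: true` on the configMapKeyRef, an absent `encryption-strict-mode-pod-cidrs` key leaves `POD_CIDRS` empty, the loop runs zero times and the container exits 0 having installed no drop filter — if that is the intended path when strict mode is off, a comment on the `env:` entry such as `# absent key => strict mode off, no filters installed` would stop the next reader from taking it for a silent failure. The `protocol ip` match covers IPv4 only, so any IPv6 entries in POD_CIDRS would not be dropped (whether IPv6 pod CIDRs can appear in that key is not visible here). The container image is tagged `v1.15.0-pre.3-edg.2` while this commit bumps the chart to `edg.3`; the digest pin makes it resolve, but the tag should be aligned or the mismatch commented. The list this container belongs to starts before the hunk, and the same script is duplicated verbatim in the daemonset.yaml hunk of the patch-file section below, which shares all of these points.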


@ -54,8 +54,50 @@ index 256a79542..3f3fc714b 100644
home: https://cilium.io/ home: https://cilium.io/
-version: 1.15.0-pre.3 -version: 1.15.0-pre.3
-appVersion: 1.15.0-pre.3 -appVersion: 1.15.0-pre.3
+version: 1.15.0-pre.3-edg.2 +version: 1.15.0-pre.3-edg.3
+appVersion: 1.15.0-pre.3-edg.2 +appVersion: 1.15.0-pre.3-edg.3
kubeVersion: ">= 1.16.0-0" kubeVersion: ">= 1.16.0-0"
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
description: eBPF-based Networking, Security, and Observability description: eBPF-based Networking, Security, and Observability
diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
index f6b493cb7..50b80267a 100644
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
@@ -715,6 +715,37 @@ spec:
- name: cni-path
mountPath: /host/opt/cni/bin
{{- end }} # .Values.cni.install
+ - name: firewall-pods
+ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ pref=32
+ interface=$(ip route | awk '/^default/ { print $5 }')
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
+ env:
+ - name: POD_CIDRS
+ valueFrom:
+ configMapKeyRef:
+ key: encryption-strict-mode-pod-cidrs
+ name: cilium-config
+ optional: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}


@ -359,7 +359,7 @@ func (i *chartLoader) cspTags() map[string]any {
func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any, error) { func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any, error) {
sharedConfig := map[string]any{ sharedConfig := map[string]any{
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"}, "extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=128"},
"endpointRoutes": map[string]any{ "endpointRoutes": map[string]any{
"enabled": true, "enabled": true,
}, },
@ -412,6 +412,7 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
"kubeProxyReplacement": "strict", "kubeProxyReplacement": "strict",
"enableCiliumEndpointSlice": true, "enableCiliumEndpointSlice": true,
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256", "kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
"cleanBpfState": true,
} }
cspOverrideConfigs := map[string]map[string]any{ cspOverrideConfigs := map[string]map[string]any{
cloudprovider.AWS.String(): {}, cloudprovider.AWS.String(): {},
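Review bot: The new `--bpf-filter-priority=128` in `extraArgs` is coupled to the `pref=32` hard-coded in the firewall-pods container script in daemonset.yaml, but neither site mentions the other; tc evaluates lower pref values first, so the drop filter precedes Cilium's program only while 32 < 128 holds, and changing either number alone breaks that silently. I would add above the `"extraArgs"` line: `// bpf-filter-priority must stay numerically above the pref (32) used by the firewall-pods container in daemonset.yaml; tc matches lower pref first.` The `"cleanBpfState": true` addition in the second hunk likewise carries no comment saying why this change needs it, and a one-line reason would help whoever later questions the restart cost. loadCiliumValues continues past the end of the hunk.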