diff --git a/internal/constellation/helm/charts/cilium/README.md b/internal/constellation/helm/charts/cilium/README.md index bdbca6edc..21f7633a0 100644 --- a/internal/constellation/helm/charts/cilium/README.md +++ b/internal/constellation/helm/charts/cilium/README.md @@ -297,10 +297,11 @@ contributors across the globe, there is almost always someone available to help. | encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. | | encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". | | encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. | -| encryption.strictMode | object | `{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}` | Configure the WireGuard Pod2Pod strict mode. | -| encryption.strictMode.allowRemoteNodeIdentities | bool | `false` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. | -| encryption.strictMode.cidr | string | `""` | CIDR for the WireGuard Pod2Pod strict mode. | -| encryption.strictMode.enabled | bool | `false` | Enable WireGuard Pod2Pod strict mode. | +| encryption.strictMode | object | `{"allowRemoteNodeIdentities":true,"enabled":false,"nodeCIDRList":[],"podCIDRList":[]}` | Configure the WireGuard strict mode. | +| encryption.strictMode.allowRemoteNodeIdentities | bool | `true` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. This is also required when control-plane nodes are exempted from node-to-node encryption. | +| encryption.strictMode.enabled | bool | `false` | Enable WireGuard strict mode. | +| encryption.strictMode.nodeCIDRList | list | `[]` | nodeCIDRList for the WireGuard strict mode. | +| encryption.strictMode.podCIDRList | list | `[]` | podCIDRList for the WireGuard strict mode. | | encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. | | encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls Wireguard PersistentKeepalive option. Set 0s to disable. | | encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. | diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml index 773a5b26b..d63395f8a 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -716,7 +716,7 @@ spec: mountPath: /host/opt/cni/bin {{- end }} # .Values.cni.install - name: firewall-pods - image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749 + image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: IfNotPresent command: - /bin/bash diff --git a/internal/constellation/helm/charts/cilium/values.yaml.tmpl b/internal/constellation/helm/charts/cilium/values.yaml.tmpl index 92a7ad759..2f55aa49a 100644 --- a/internal/constellation/helm/charts/cilium/values.yaml.tmpl +++ b/internal/constellation/helm/charts/cilium/values.yaml.tmpl @@ -800,17 +800,21 @@ encryption: # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false - # -- Configure the WireGuard Pod2Pod strict mode. + # -- Configure the WireGuard strict mode. strictMode: - # -- Enable WireGuard Pod2Pod strict mode. + # -- Enable WireGuard strict mode. enabled: false - # -- CIDR for the WireGuard Pod2Pod strict mode. - cidr: "" + # -- podCIDRList for the WireGuard strict mode. + podCIDRList: [] + + # -- nodeCIDRList for the WireGuard strict mode. + nodeCIDRList: [] # -- Allow dynamic lookup of remote node identities. # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. - allowRemoteNodeIdentities: false + # This is also required when control-plane nodes are exempted from node-to-node encryption. + allowRemoteNodeIdentities: true ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. diff --git a/internal/constellation/helm/cilium.patch b/internal/constellation/helm/cilium.patch index cc12f4cb5..1ef6a2419 100644 --- a/internal/constellation/helm/cilium.patch +++ b/internal/constellation/helm/cilium.patch @@ -1,49 +1,3 @@ -diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml -index 4ac3b006e3..3541e3d380 100644 ---- a/install/kubernetes/cilium/templates/cilium-configmap.yaml -+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml -@@ -608,7 +608,9 @@ data: - {{- if .Values.encryption.strictMode.enabled }} - enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }} - -- encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }} -+ encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList | join " " | quote }} -+ -+ encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList | join " " | quote }} - - encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }} - {{- end }} -diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml -index c00e9af831..4661c16f56 100644 ---- a/install/kubernetes/cilium/values.yaml -+++ b/install/kubernetes/cilium/values.yaml -@@ -794,17 +794,21 @@ encryption: - # This option is only effective when encryption.type is set to "wireguard". - nodeEncryption: false - -- # -- Configure the WireGuard Pod2Pod strict mode. -+ # -- Configure the WireGuard strict mode. - strictMode: -- # -- Enable WireGuard Pod2Pod strict mode. -+ # -- Enable WireGuard strict mode. - enabled: false -+ -+ # -- podCIDRList for the WireGuard strict mode. -+ podCIDRList: [] - -- # -- CIDR for the WireGuard Pod2Pod strict mode. -- cidr: "" -+ # -- nodeCIDRList for the WireGuard strict mode. -+ nodeCIDRList: [] - - # -- Allow dynamic lookup of remote node identities. - # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. -- allowRemoteNodeIdentities: false -+ # This is also required when control-plane nodes are exempted from node-to-node encryption. -+ allowRemoteNodeIdentities: true - - ipsec: - # -- Name of the key file inside the Kubernetes secret configured via secretName. diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml index 256a79542..3f3fc714b 100644 --- a/install/kubernetes/cilium/Chart.yaml @@ -59,45 +13,4 @@ index 256a79542..3f3fc714b 100644 kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability -diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml -index f6b493cb7..50b80267a 100644 ---- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml -+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml -@@ -715,6 +715,37 @@ spec: - - name: cni-path - mountPath: /host/opt/cni/bin - {{- end }} # .Values.cni.install -+ - name: firewall-pods -+ image: ghcr.io/edgelesssys/cilium/cilium:v1.15.0-pre.3-edg.2@sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749 -+ imagePullPolicy: IfNotPresent -+ command: -+ - /bin/bash -+ - -exc -+ - | -+ pref=32 -+ interface=$(ip route | awk '/^default/ { print $5 }') -+ tc qdisc add dev "${interface}" clsact || true -+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true -+ handle=0 -+ for cidr in ${POD_CIDRS}; do -+ handle=$((handle + 1)) -+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop -+ done -+ env: -+ - name: POD_CIDRS -+ valueFrom: -+ configMapKeyRef: -+ key: encryption-strict-mode-pod-cidrs -+ name: cilium-config -+ optional: true -+ resources: -+ requests: -+ cpu: 100m -+ memory: 20Mi -+ securityContext: -+ capabilities: -+ add: -+ - NET_ADMIN - restartPolicy: Always - priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} - serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} + \ No newline at end of file diff --git a/internal/constellation/helm/generateCilium.sh b/internal/constellation/helm/generateCilium.sh index df2a625bd..8d8e462f9 100755 --- a/internal/constellation/helm/generateCilium.sh +++ b/internal/constellation/helm/generateCilium.sh @@ -21,8 +21,8 @@ git clone \ --no-checkout \ --sparse \ --depth 1 \ - -b 1.15.0-pre.3 \ - https://github.com/cilium/cilium.git + -b v1.15.0-pre.3-edg.3 \ + https://github.com/edgelesssys/cilium.git cd cilium git sparse-checkout add install/kubernetes/cilium