helm: deprioritize Cilium tc filters

By default, Cilium's tc filters are added at the highest priority,
which makes it impossible to add any tc filters of our own (because the
Cilium eBPF programs don't return to the filter chain).

Two near-future use cases that would benefit from this:

* Network testing could add counting filters to interfaces and observe
  e.g. violations of encryption policy.
* The VPN Helm chart could add a filter policy that drops packets on the
  "physical" interface before they can leak to the CSP.
Markus Rudy 2023-11-30 14:39:28 +01:00 committed by Markus Rudy
parent 5e2cad34c9
commit a3de1d95d9


@ -14,7 +14,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",
@ -57,7 +57,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
"encryption": map[string]any{
"enabled": true,
"type": "wireguard",
@ -102,7 +102,7 @@ var ciliumVals = map[string]map[string]any{
"endpointRoutes": map[string]any{
"enabled": true,
},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
"tunnel": "disabled",
"encryption": map[string]any{
"enabled": true,
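Review bot: The value in `--bpf-filter-priority=50` is an unexplained literal repeated in the `extraArgs` of all three hunks, and the packet-drop use case from the description only holds if the filters added later are installed with a numerically lower tc preference than 50. I would put a comment at the first occurrence, e.g. `// Cilium's tc filters run at pref 50; filters that must see packets before Cilium need a pref below 50.`, and hoist the argument list into one shared variable so a provider entry cannot be added or edited without the flag. The `ciliumVals` literal starts and continues outside these hunks, so I cannot tell whether other provider entries exist that still lack the flag. That is worth checking, because on such a provider a drop filter would presumably never be reached, as the description says Cilium's programs do not return to the filter chain.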