mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
helm: deprioritize Cilium tc filters
By default, Cilium's tc filters are added at the highest priority, which makes it impossible to add any tc filters of our own (because the Cilium eBPF programs don't return to the filter chain). Two near-future use cases that would benefit from this: * Network testing could add counting filters to interfaces and observe e.g. violations of encryption policy. * The VPN Helm chart could add a filter policy that drops packets on the "physical" interface before they can leak to the CSP.
parent
5e2cad34c9
commit
a3de1d95d9
@ -14,7 +14,7 @@ var ciliumVals = map[string]map[string]any{
|
||||
"endpointRoutes": map[string]any{
|
||||
"enabled": true,
|
||||
},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
||||
"encryption": map[string]any{
|
||||
"enabled": true,
|
||||
"type": "wireguard",
|
||||
@ -57,7 +57,7 @@ var ciliumVals = map[string]map[string]any{
|
||||
"endpointRoutes": map[string]any{
|
||||
"enabled": true,
|
||||
},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
||||
"encryption": map[string]any{
|
||||
"enabled": true,
|
||||
"type": "wireguard",
|
||||
@ -102,7 +102,7 @@ var ciliumVals = map[string]map[string]any{
|
||||
"endpointRoutes": map[string]any{
|
||||
"enabled": true,
|
||||
},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label"},
|
||||
"extraArgs": []string{"--node-encryption-opt-out-labels=invalid.label", "--bpf-filter-priority=50"},
|
||||
"tunnel": "disabled",
|
||||
"encryption": map[string]any{
|
||||
"enabled": true,
|
||||
|
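Review bot: The value `--bpf-filter-priority=50` is repeated as a bare literal in all three `extraArgs` entries of `ciliumVals` (the -14, -57 and -102 hunks), and nothing next to it records the ordering contract it creates. tc evaluates lower priority numbers first, so the drop filter the description plans for the VPN chart only prevents leaks if it is attached at a priority below 50, and a later edit to this number would silently break that. I would build the flag from one named constant and document it there, for example `// Cilium's tc filters run at priority 50; filters that must see packets before Cilium (e.g. the VPN leak-prevention drop filter) need a lower number.` It is also worth confirming on an upgraded node that the filters Cilium attached at its previous priority are replaced and not left beside the new ones, which this page does not show. The `ciliumVals` map starts and ends outside these hunks.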