
Use label-prefix-file #326

Merged (3 commits), May 22, 2024

Conversation

DockToFuture (Member)

How to categorize this PR?

/area networking
/kind enhancement

What this PR does / why we need it:
By default, Cilium considers all labels to be relevant for identities, with the following exceptions, see:
https://docs.cilium.io/en/stable/operations/performance/scalability/identity-relevant-labels/#limiting-identity-relevant-labels
As the statefulset label was also included in this list, the preceding behaviour was changed, which could potentially break a running kubernetes cluster and its workload once a statefulset is matched in the networkpolicies as shown below.

  podSelector:
    matchLabels:
      statefulset.kubernetes.io/pod-name: vpn-seed-server-1

To circumvent this issue, the label-prefix-file with the excluded identities from https://docs.cilium.io/en/stable/operations/performance/scalability/identity-relevant-labels/#identity-relevant-labels, except the statefulset one, is used.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

Cilium uses the `label-prefix-file` with the excluded identities from: https://docs.cilium.io/en/stable/operations/performance/scalability/identity-relevant-labels/#identity-relevant-labels except the statefulset.
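To make the effect of the PR concrete, here is an added illustration (not code from the PR or from Cilium) of why excluding the statefulset label breaks the `podSelector` shown above. It assumes a simplified version of the label-prefix-file semantics: a pattern starting with `!` excludes every label key that begins with the rest of the pattern, any other pattern includes keys that begin with it, and with no include patterns all labels are relevant unless excluded (Cilium's real matcher also accepts regular expressions). The exclusion list below is constructed; only the statefulset entry and the pod name come from the PR.

```python
# Constructed exclusion list modelled on the upstream defaults the PR refers to;
# the entries other than the statefulset one are hypothetical.
UPSTREAM_STYLE_EXCLUSIONS = [
    "!io.kubernetes",
    "!kubernetes.io/",
    "!statefulset.kubernetes.io/pod-name",
    "!pod-template-hash",
    "!controller-revision-hash",
]

# The PR's variant: the same list without the statefulset entry.
PR_EXCLUSIONS = [p for p in UPSTREAM_STYLE_EXCLUSIONS
                 if p != "!statefulset.kubernetes.io/pod-name"]


def identity_labels(pod_labels: dict, patterns: list) -> dict:
    """Return the subset of pod labels that contribute to the security identity."""
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    relevant = {}
    for key, value in pod_labels.items():
        if any(key.startswith(e) for e in excludes):
            continue  # excluded label: never part of the identity
        if includes and not any(key.startswith(i) for i in includes):
            continue  # include list given and this key is not on it
        relevant[key] = value
    return relevant


def policy_selects(identity: dict, match_labels: dict) -> bool:
    """A podSelector.matchLabels can only match identity-relevant labels."""
    return all(identity.get(k) == v for k, v in match_labels.items())


# Constructed labels for the pod named in the PR's policy snippet.
POD_LABELS = {
    "app": "vpn-seed-server",
    "statefulset.kubernetes.io/pod-name": "vpn-seed-server-1",
    "controller-revision-hash": "vpn-seed-server-5d4f7c9b8",  # constructed value
}
POLICY_SELECTOR = {"statefulset.kubernetes.io/pod-name": "vpn-seed-server-1"}


def selector_matches_with(patterns: list) -> bool:
    """Does the PR's podSelector still select the pod under the given patterns?"""
    return policy_selects(identity_labels(POD_LABELS, patterns), POLICY_SELECTOR)


if __name__ == "__main__":
    print("upstream-style list:", selector_matches_with(UPSTREAM_STYLE_EXCLUSIONS))
    print("PR list:", selector_matches_with(PR_EXCLUSIONS))
```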

@DockToFuture DockToFuture requested review from a team as code owners May 22, 2024 06:59
ScheererJ (Member) left a comment

Thanks a lot for this fix.

What do you think about making the configmap immutable and adding a hash so that we ensure that changes make it into the cilium agent pod? Is this not required as the configmap will not be changed often?

WDYT?

DockToFuture (Member, Author)

What do you think about making the configmap immutable and adding a hash so that we ensure that changes make it into the cilium agent pod? Is this not required as the configmap will not be changed often?

If the configmap is immutable changes would only happen if we build a new release and then the pods would already be restarted. Do you think a checksum is really necessary here?

ScheererJ (Member)

If the configmap is immutable changes would only happen if we build a new release and then the pods would already be restarted. Do you think a checksum is really necessary here?

It depends on how cilium agent reads the configmap. If it only reads the configmap during startup a checksum annotation ensures that it gets restarted if the configmap changes. However, if cilium agent watches the files of the configmap and reacts to changes at runtime there is no need for a checksum.

Does the documentation of this option give any indication how it works?
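The checksum annotation discussed in the two comments above, as an added example that is not part of the PR or of the gardener code base: a deterministic hash over the ConfigMap data is written to the DaemonSet pod template, so a changed file forces a rollout and the agent re-reads it at startup. The ConfigMap key, its content and the annotation name are assumptions.

```python
import hashlib
import json

# Constructed ConfigMap data standing in for the label-prefix-file ConfigMap;
# the key name and JSON layout are assumptions, not taken from the PR.
CONFIGMAP_DATA = {
    "label-prefix-file": json.dumps({"valid-prefixes": [{"prefix": "!io.kubernetes"}]}),
}

CHECKSUM_ANNOTATION = "checksum/label-prefix-file"  # assumed annotation key


def configmap_checksum(data: dict) -> str:
    """SHA-256 over the ConfigMap data, independent of key order."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def needs_rollout(pod_template_annotations: dict, data: dict) -> bool:
    """True when the annotation is missing or stale: the pods still run with
    the old file, so the DaemonSet has to roll them."""
    return pod_template_annotations.get(CHECKSUM_ANNOTATION) != configmap_checksum(data)


def annotate(pod_template_annotations: dict, data: dict) -> dict:
    """Return a copy of the pod template annotations carrying the current checksum;
    changing this value is what triggers the rollout."""
    updated = dict(pod_template_annotations)
    updated[CHECKSUM_ANNOTATION] = configmap_checksum(data)
    return updated


if __name__ == "__main__":
    annotations = annotate({}, CONFIGMAP_DATA)
    print("rollout needed after annotating:", needs_rollout(annotations, CONFIGMAP_DATA))
    changed = dict(CONFIGMAP_DATA, **{"label-prefix-file": "{}"})
    print("rollout needed after edit:", needs_rollout(annotations, changed))
```

This only helps when the agent reads the file at startup; if it watches the mounted ConfigMap at runtime, the annotation merely causes an unnecessary restart.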

ScheererJ (Member) left a comment

/lgtm

@DockToFuture DockToFuture merged commit 6c53409 into gardener:master May 22, 2024
8 checks passed
@DockToFuture DockToFuture deleted the use/label-file branch May 22, 2024 13:41