From 98f359e03924dc2c0d57fa9d4ffeb6f618c9770b Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Tue, 10 Sep 2024 13:17:26 +0200
Subject: [PATCH] helm: allow multiple default routes (#3344)
---
 .../templates/cilium-agent/daemonset.yaml | 15 +++++-----
 internal/constellation/helm/cilium.patch | 29 +++++++++++++++++--
 2 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
index ffd5935ba1..e2b8ccff6c 100644
--- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -764,13 +764,14 @@ spec:
 - -exc
 - |
 pref=32
- interface=$(ip route | awk '/^default/ { print $5 }')
- tc qdisc add dev "${interface}" clsact || true
- tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
- handle=0
- for cidr in ${POD_CIDRS}; do
- handle=$((handle + 1))
- tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ for interface in $(ip route | awk '/^default/ { print $5 }'); do
+ tc qdisc add dev "${interface}" clsact || true
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+ handle=0
+ for cidr in ${POD_CIDRS}; do
+ handle=$((handle + 1))
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
+ done
 done
 env:
 - name: POD_CIDRS
diff --git a/internal/constellation/helm/cilium.patch b/internal/constellation/helm/cilium.patch
index 44857e2831..b9c255c253 100644
--- a/internal/constellation/helm/cilium.patch
+++ b/internal/constellation/helm/cilium.patch
@@ -1,5 +1,5 @@
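Review bot: The new `for interface in $(ip route | awk '/^default/ { print $5 }'); do` loop fails open when no default route is found: the substitution is empty, the body never runs, and the script exits 0 without installing any `action drop` filter for the pod CIDRs, whereas the removed code would have reached `tc filter replace dev ""`, which presumably failed under the `-e` in `-exc`. I would resolve the list first and refuse to continue when it is empty: `interfaces=$(ip route | awk '/^default/ { print $5 }' | sort -u)`, then `[ -n "${interfaces}" ] || { echo "no default route interface found" >&2; exit 1; }`, then `for interface in ${interfaces}; do` (assuming `sort` is available in the image; it also avoids deleting and re-adding the filters twice when two default routes share one device). A short comment above the loop saying why traffic to the pod CIDRs is dropped on these interfaces, and that `$5` assumes the `default via <gw> dev <if>` route layout, would help the next reader. The same script is mirrored in the second `cilium.patch` hunk further down, and the container spec around the script starts and ends outside the hunk, so how a non-zero exit is handled is not visible here.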
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
-index 256a79542..3f3fc714b 100644
+index 4df10f166b..9f079933b2 100644
 --- a/install/kubernetes/cilium/Chart.yaml
 +++ b/install/kubernetes/cilium/Chart.yaml
 @@ -2,8 +2,8 @@ apiVersion: v2
@@ -13,4 +13,29 @@ index 256a79542..3f3fc714b 100644
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
- \ No newline at end of file
+diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+index ffd5935ba1..e2b8ccff6c 100644
+--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
++++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
+@@ -764,13 +764,14 @@ spec:
+ - -exc
+ - |
+ pref=32
+- interface=$(ip route | awk '/^default/ { print $5 }')
+- tc qdisc add dev "${interface}" clsact || true
+- tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
+- handle=0
+- for cidr in ${POD_CIDRS}; do
+- handle=$((handle + 1))
+- tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
++ for interface in $(ip route | awk '/^default/ { print $5 }'); do
++ tc qdisc add dev "${interface}" clsact || true
++ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
++ handle=0
++ for cidr in ${POD_CIDRS}; do
++ handle=$((handle + 1))
++ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
++ done
+ done
+ env:
+ - name: POD_CIDRS