Conversation

@jrajahalme jrajahalme commented Jun 17, 2025

No description provided.

@jrajahalme jrajahalme requested a review from a team as a code owner June 17, 2025 12:27
@jrajahalme jrajahalme requested a review from mhofstetter June 17, 2025 12:27
@jrajahalme jrajahalme marked this pull request as draft June 17, 2025 12:27
@jrajahalme jrajahalme force-pushed the perf-eval branch 4 times, most recently from 04afc8b to e8aa157 June 19, 2025 08:57
Signed-off-by: Jarno Rajahalme <[email protected]>
Signed-off-by: Jarno Rajahalme <[email protected]>
Both debug logging and access logging are more intelligible when the
original source identity is used, also in the case of the north/south L7
LB, where an "Ingress IP" is used as the source address in the upstream
connections. In that case SO_MARK encodes the identity of the Ingress IP
so that the source identity seen in the destination is the same when the
destination is in the same node (source identity derived from SO_MARK)
and when the destination is in a different node (source identity mapped
from the source (Ingress) IP).

Note that the (original) source identity is used for policy determination
only for ingress policy, for which the original source identity was
already used. Given this, the only visible change is the source identity
as seen on debug/trace logs and (hubble) access logs. Access logs already
show the original source address, so this change aligns the recorded
source identity with it, so that instead of:

Jun 18 12:37:20.940: default/ubuntu-deployment-6f7cc4b9fb-9gmnp:39430 (ingress) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://10.96.154.80/)

Hubble will show this:

Jun 18 15:39:29.763: default/ubuntu-deployment-6f7cc4b9fb-9gmnp:57354 (ID:43964) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://10.96.154.80/)

where '43964' is the source security identity of
'default/ubuntu-deployment-6f7cc4b9fb-9gmnp'

Similarly for north/south the original source identity is recorded in the hubble flow:

Jun 18 15:41:15.186: 172.18.0.1:41684 (ID:16777217) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://172.18.255.193/)

where 16777217 is the node-local source identity of the CIDR 172.18.0.1.
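As an added illustration that is not part of this PR or of Cilium's own code: a small Go package that parses the access-log line layout quoted in the commit message above and reports whether a line carries a numeric source identity or still the "(ingress)" placeholder, which is what a log-review check for this change would look at. The regular expression and the field names are assumptions fitted to the three sample lines shown; any other log layout is rejected with an error rather than silently skipped.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// AccessLogFlow holds the fields of one L7 access-log line in the layout quoted above.
type AccessLogFlow struct {
	Source   string // "<endpoint or IP>:<port>"
	SourceID uint32 // 0 when the line carries the "(ingress)" placeholder
	Dest     string
	DestID   uint32
}

// Assumed layout: "<Mon> <day> <time>: <src> (ingress|ID:<n>) -> <dst> (ID:<n>) http-request <verdict> (<details>)".
// Captures: source, source identity digits (unset for "ingress"), destination, destination identity.
var flowRe = regexp.MustCompile(
	`^\w+ \d+ [\d:.]+: (\S+) \((?:ingress|ID:(\d+))\) -> (\S+) \(ID:(\d+)\) http-request \S+ \(.*\)$`)

// ParseAccessLog parses one line and returns an error for lines that do not
// match, so a caller can count or alert on them instead of silently skipping.
func ParseAccessLog(line string) (AccessLogFlow, error) {
	m := flowRe.FindStringSubmatch(line)
	if m == nil {
		return AccessLogFlow{}, fmt.Errorf("unrecognized access-log line: %q", line)
	}
	f := AccessLogFlow{Source: m[1], Dest: m[3]}
	parse := func(s string) (uint32, error) {
		id, err := strconv.ParseUint(s, 10, 32) // rejects values that overflow uint32
		return uint32(id), err
	}
	var err error
	if m[2] != "" { // empty when the "(ingress)" placeholder was logged
		if f.SourceID, err = parse(m[2]); err != nil {
			return f, err
		}
	}
	if f.DestID, err = parse(m[4]); err != nil {
		return f, err
	}
	return f, nil
}

// SourceIdentityRecorded reports whether the original source security identity was logged.
func SourceIdentityRecorded(f AccessLogFlow) bool { return f.SourceID != 0 }
```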