Pods exposed to peers in VPC #3125
Replies: 4 comments 3 replies
-
Hi Jeffrey, thanks for reporting this. I do agree that it is unexpected and that the mitigation from 5507982 will not work if that entry isn't set. Could you please share some more information about your setup, in particular:

Cheers, Markus
-
Thanks for the response. I am on Azure; I created the cluster, I believe, on v.2.14.x and upgraded. I didn't modify any settings via Terraform. What I have tried was to copy the helm values locally, and when I put the value in like this for `podCIDRList: "10.0.x.x/16"` it creates the entry successfully; however, since the latest cilium fork isn't published here: https://github.com/edgelesssys/cilium/pkgs/container/cilium%2Fcilium

Any ideas?
-
I believe we never released a Constellation version that had

The authoritative version of Cilium, including all patches and derivation of Helm values, is what we ship with the Constellation CLI.

Cilium version

```
$ helm get metadata -n kube-system cilium
NAME: cilium
CHART: cilium
VERSION: 1.15.0-pre.3-edg.3
APP_VERSION: 1.15.0-pre.3-edg.3
NAMESPACE: kube-system
REVISION: 1
STATUS: deployed
DEPLOYED_AT: 2024-04-17T15:14:17+02:00
```

Reinstall

If the versions look different in your cluster, I think it would be best to force a reinstallation of the chart. If anything is unclear or looks unexpected to you during this process, don't hesitate to stop and clarify with me!

Ensure you're using the right version of the CLI:

```
$ constellation version
Version: v2.16.3 (Enterprise build; see documentation for license agreement)
GitCommit: ea5cdfb247829d0ea2b8573651132d9376bf9a30
GitTreeState: clean
BuildDate: 2024-04-11T08:29:03
GoVersion: go1.22.1 X:nocoverageredesign
Compiler: bazel/gc
Platform: linux/amd64
```

Run this command and verify that all versions (except maybe Cilium) are up-to-date:

```
$ constellation apply --skip-phases infrastructure,init,attestationconfig,certsans,image,k8s
[...]
invalid upgrade for cilium: upgrading from v1.15.0-pre.3-edg.3 to v1.15.0-pre.3-edg.3 is not a valid upgrade: current version newer than or equal to new version
invalid upgrade for constellation-services: upgrading from v2.16.3 to v2.16.3 is not a valid upgrade: current version newer than or equal to new version
invalid upgrade for cert-manager: upgrading from v1.12.6 to v1.12.6 is not a valid upgrade: current version newer than or equal to new version
invalid upgrade for constellation-operators: upgrading from v2.16.3 to v2.16.3 is not a valid upgrade: current version newer than or equal to new version
invalid upgrade for constellation-csi: upgrading from v2.16.3 to v2.16.3 is not a valid upgrade: current version newer than or equal to new version
[...]
```

Force the Helm chart upgrade with the following command (you can ignore the note about Cert Manager if the versions are the same):

```
constellation-2.16.3 apply --skip-phases infrastructure,init,attestationconfig,certsans,image,k8s --force
```

You should now have

```
kubectl rollout restart ds/cilium -n kube-system
```

Spot check that the init container is applying the mitigation correctly - output should be similar to the following, in particular the
-
For future reference, how could one update the helm chart values for cilium? For instance, say I wanted to enable the Gateway Controller.
-
I was looking at the commit here: 5507982

It runs a bash script that pulls an entry from `encryption-strict-mode-pod-cidrs` from the `cilium-config`; however, I do not have that entry in my cilium config. In turn, I won't get the benefit of this mitigation. In my `cilium-config`, I do have the entry: `encryption-strict-mode-cidr: ""`

Any ideas on how to fix this?

Running:
Image: v2.16.3
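A defender-side check that fits both Markus's "spot check" step and Jeffrey's observation above (a `cilium-config` that carries `encryption-strict-mode-cidr: ""` but not `encryption-strict-mode-pod-cidrs`): the script below is an added example written for this page, not Constellation's or Cilium's own init script. It assumes the two key names exactly as quoted in the thread, that several pod CIDRs would be comma-separated (an assumption), and that the ConfigMap is dumped as `key=value` lines with the `kubectl` go-template shown; the function names are hypothetical. The return code tells you whether the mitigation can apply at all before you restart the DaemonSet.

```shell
#!/bin/sh
# Added example (not Constellation's or Cilium's own code): verify that the
# cilium-config ConfigMap carries the key the mitigation's init script reads.
# Assumptions: key names "encryption-strict-mode-pod-cidrs" and
# "encryption-strict-mode-cidr" are the two names quoted in the thread;
# multiple CIDRs are comma-separated; IPv4 only. Function names are hypothetical.

# Dump cilium-config as one key=value line per entry (real kubectl flags).
dump_cilium_config() {
  kubectl get configmap cilium-config -n kube-system \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# has_key TEXT KEY: succeed if KEY appears in TEXT, even with an empty value.
has_key() {
  printf '%s\n' "$1" | grep -q "^$2="
}

# lookup_key TEXT KEY: print the value of KEY (empty output if absent or empty).
lookup_key() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# looks_like_cidr VALUE: succeed if VALUE is a dotted IPv4 address with a prefix length.
looks_like_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# check_strict_mode_cidrs TEXT
#   0: encryption-strict-mode-pod-cidrs present and well-formed (mitigation can apply)
#   1: key present but empty
#   2: key absent (possibly only the differently named encryption-strict-mode-cidr is set)
#   3: key present but contains an entry that is not an IPv4 CIDR
check_strict_mode_cidrs() {
  key="encryption-strict-mode-pod-cidrs"
  if ! has_key "$1" "$key"; then
    if has_key "$1" "encryption-strict-mode-cidr"; then
      echo "WARN: only encryption-strict-mode-cidr is set; $key is missing" >&2
    else
      echo "WARN: $key is missing from cilium-config" >&2
    fi
    return 2
  fi
  value=$(lookup_key "$1" "$key")
  # Strip surrounding double quotes, should the dump include them.
  value=${value#\"}; value=${value%\"}
  if [ -z "$value" ]; then
    echo "WARN: $key is present but empty" >&2
    return 1
  fi
  # Validate every comma-separated entry (comma separation is an assumption).
  old_ifs=$IFS; IFS=','
  for cidr in $value; do
    if ! looks_like_cidr "$cidr"; then
      IFS=$old_ifs
      echo "WARN: $key contains an entry that is not an IPv4 CIDR: $cidr" >&2
      return 3
    fi
  done
  IFS=$old_ifs
  echo "OK: $key=$value"
  return 0
}

# Usage against a live cluster:
#   check_strict_mode_cidrs "$(dump_cilium_config)" || echo "mitigation will not apply (rc=$?)"
```

Run it before `kubectl rollout restart ds/cilium -n kube-system`: a non-zero return means the init script described in 5507982 has nothing to read, so restarting the DaemonSet alone will not restore the mitigation.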