Affected by GO-2024-2922 and 10 other vulnerabilities

GO-2024-2922: Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

GO-2024-3071: Gateway API route matching order contradicts specification in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

GO-2024-3074: Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

GO-2024-3208: Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium

GO-2025-3415: DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium

GO-2025-3416: Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium

GO-2025-3560: Cilium East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers in github.com/cilium/cilium

GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium

GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium

GO-2026-4856: Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium

clustermesh

package

v1.15.4 Latest Latest Go to latest Published: Apr 11, 2024 License: Apache-2.0 Imports: 24 Imported by: 5

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Documentation ¶

Index ¶

Variables
type ClusterIDsManager
type ClusterMesh
- func NewClusterMesh(lifecycle cell.Lifecycle, c Configuration) *ClusterMesh
type ClusterMeshUsedIDs
- func NewClusterMeshUsedIDs() *ClusterMeshUsedIDs
- func (cm *ClusterMeshUsedIDs) ReleaseClusterID(clusterID uint32)
- func (cm *ClusterMeshUsedIDs) ReserveClusterID(clusterID uint32) error
type Configuration
type IPCacheWatcherOptsFn
type Metrics
- func NewMetrics() Metrics
type RemoteIdentityWatcher
type ServiceMerger
type SyncedWaitFn

Constants ¶

This section is empty.

Variables ¶

View Source

var Cell = cell.Module(
	"clustermesh",
	"ClusterMesh is the Cilium multicluster implementation",

	cell.Provide(NewClusterMesh),

	cell.ProvidePrivate(func(sc *k8s.ServiceCache) (ServiceMerger, k8s.ServiceIPGetter) { return sc, sc }),
	cell.ProvidePrivate(func(ipcache *ipcache.IPCache) ipcache.IPCacher { return ipcache }),
	cell.ProvidePrivate(func(mgr nodemanager.NodeManager) (store.Observer, kvstore.ClusterSizeDependantIntervalFunc) {
		return nodeStore.NewNodeObserver(mgr), mgr.ClusterSizeDependantInterval
	}),
	cell.ProvidePrivate(func() store.KeyCreator { return nodeStore.KeyCreator }),
	cell.ProvidePrivate(idsMgrProvider),

	cell.Config(common.Config{}),

	cell.Metric(NewMetrics),
	cell.Metric(common.MetricsProvider(subsystem)),
)

View Source

var (
	// ErrRemoteClusterDisconnected is the error returned by wait for sync
	// operations if the remote cluster is disconnected while still waiting.
	ErrRemoteClusterDisconnected = errors.New("remote cluster disconnected")
)

Functions ¶

This section is empty.

Types ¶

type ClusterIDsManager ¶

type ClusterIDsManager interface {
	ReserveClusterID(clusterID uint32) error
	ReleaseClusterID(clusterID uint32)
}

type ClusterMesh ¶

type ClusterMesh struct {
	// contains filtered or unexported fields
}

ClusterMesh is a cache of multiple remote clusters

func NewClusterMesh ¶

func NewClusterMesh(lifecycle cell.Lifecycle, c Configuration) *ClusterMesh

NewClusterMesh creates a new remote cluster cache based on the provided configuration

func (*ClusterMesh) IPIdentitiesSynced ¶

func (cm *ClusterMesh) IPIdentitiesSynced(ctx context.Context) error

IPIdentitiesSynced returns after that the initial list of ipcache entries and identities has been received from all remote clusters, and synchronized with the BPF datapath.

func (*ClusterMesh) NewRemoteCluster ¶

func (cm *ClusterMesh) NewRemoteCluster(name string, status common.StatusFunc) common.RemoteCluster

func (*ClusterMesh) NodesSynced ¶

func (cm *ClusterMesh) NodesSynced(ctx context.Context) error

NodesSynced returns after that the initial list of nodes has been received from all remote clusters, and synchronized with the different subscribers.

func (*ClusterMesh) NumReadyClusters ¶

func (cm *ClusterMesh) NumReadyClusters() int

NumReadyClusters returns the number of remote clusters to which a connection has been established

func (*ClusterMesh) ServicesSynced ¶

func (cm *ClusterMesh) ServicesSynced(ctx context.Context) error

ServicesSynced returns after that the initial list of shared services has been received from all remote clusters, and synchronized with the BPF datapath.

func (*ClusterMesh) Status ¶

func (cm *ClusterMesh) Status() (status *models.ClusterMeshStatus)

Status returns the status of the ClusterMesh subsystem

type ClusterMeshUsedIDs ¶

type ClusterMeshUsedIDs struct {
	UsedClusterIDs      map[uint32]struct{}
	UsedClusterIDsMutex lock.RWMutex
}

func NewClusterMeshUsedIDs ¶

func NewClusterMeshUsedIDs() *ClusterMeshUsedIDs

func (*ClusterMeshUsedIDs) ReleaseClusterID ¶

func (cm *ClusterMeshUsedIDs) ReleaseClusterID(clusterID uint32)

func (*ClusterMeshUsedIDs) ReserveClusterID ¶

func (cm *ClusterMeshUsedIDs) ReserveClusterID(clusterID uint32) error

type Configuration ¶

type Configuration struct {
	cell.In

	common.Config

	// ClusterInfo is the id/name of the local cluster. This is used for logging and metrics
	ClusterInfo types.ClusterInfo

	// NodeKeyCreator is the function used to create node instances as
	// nodes are being discovered in remote clusters
	NodeKeyCreator store.KeyCreator

	// ServiceMerger is the interface responsible to merge service and
	// endpoints into an existing cache
	ServiceMerger ServiceMerger

	// NodeObserver reacts to node events.
	NodeObserver store.Observer

	// RemoteIdentityWatcher provides identities that have been allocated on a
	// remote cluster.
	RemoteIdentityWatcher RemoteIdentityWatcher

	IPCache ipcache.IPCacher

	// ClusterSizeDependantInterval allows to calculate intervals based on cluster size.
	ClusterSizeDependantInterval kvstore.ClusterSizeDependantIntervalFunc

	// ServiceIPGetter, if not nil, is used to create a custom dialer for service resolution.
	ServiceIPGetter k8s.ServiceIPGetter

	// ConfigValidationMode defines whether the CiliumClusterConfig is always
	// expected to be exposed by remote clusters.
	ConfigValidationMode types.ValidationMode `optional:"true"`

	// IPCacheWatcherExtraOpts returns extra options for watching ipcache entries.
	IPCacheWatcherExtraOpts IPCacheWatcherOptsFn `optional:"true"`

	// ClusterIDsManager handles the reservation of the ClusterIDs associated
	// with remote clusters, to ensure their uniqueness.
	ClusterIDsManager clusterIDsManager

	Metrics       Metrics
	CommonMetrics common.Metrics
	StoreFactory  store.Factory
}

Configuration is the configuration that must be provided to NewClusterMesh()

type IPCacheWatcherOptsFn ¶

type IPCacheWatcherOptsFn func(config *cmtypes.CiliumClusterConfig) []ipcache.IWOpt

IPCacheWatcherOptsFn is a function which returns extra options for watching ipcache entries.

type Metrics ¶

type Metrics struct {
	// TotalNodes tracks the number of total nodes in a remote cluster.
	TotalNodes metric.Vec[metric.Gauge]

	// TotalGlobalServices tracks the total number of global services.
	TotalGlobalServices metric.Vec[metric.Gauge]
}

func NewMetrics ¶

func NewMetrics() Metrics

type RemoteIdentityWatcher ¶

type RemoteIdentityWatcher interface {
	// WatchRemoteIdentities returns a RemoteCache instance which can be later
	// started to watch identities in another kvstore and sync them to the local
	// identity cache. remoteName should be unique unless replacing an existing
	// remote's backend. When cachedPrefix is set, identities are assumed to be
	// stored under the "cilium/cache" prefix, and the watcher is adapted accordingly.
	WatchRemoteIdentities(remoteName string, backend kvstore.BackendOperations, cachedPrefix bool) (*allocator.RemoteCache, error)

	// RemoveRemoteIdentities removes any reference to a remote identity source,
	// emitting a deletion event for all previously known identities.
	RemoveRemoteIdentities(name string)
}

RemoteIdentityWatcher is any type which provides identities that have been allocated on a remote cluster.

type ServiceMerger ¶

type ServiceMerger interface {
	MergeExternalServiceUpdate(service *serviceStore.ClusterService, swg *lock.StoppableWaitGroup)
	MergeExternalServiceDelete(service *serviceStore.ClusterService, swg *lock.StoppableWaitGroup)
}

ServiceMerger is the interface to be implemented by the owner of local services. The functions have to merge service updates and deletions with local services to provide a shared view.

type SyncedWaitFn ¶

type SyncedWaitFn func(ctx context.Context) error

SyncedWaitFn is the type of a function to wait for the initial synchronization of a given resource type from all remote clusters.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
common
kvstoremesh
types
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL