package restoration

v1.19.0
Published: Feb 3, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var Cell = cell.Module(
	"identity-restoration",
	"Restores local identities from the ipcache map at startup",

	cell.Provide(newLocalIdentityRestorer),
)

Cell provides the LocalIdentityRestorer that is responsible to restore the local identities from the IPCache.

Functions

This section is empty.

Types

type LocalIdentityRestorer

type LocalIdentityRestorer struct {
	// contains filtered or unexported fields
}

func (*LocalIdentityRestorer) ReleaseRestoredIdentities

func (d *LocalIdentityRestorer) ReleaseRestoredIdentities(ipCache *ipcache.IPCache)

ReleaseRestoredIdentities removes the placeholder state that was inserted into the ipcache and the local identity allocator on restoration.

Any identities and prefixes actually in use will still exist after this.

This should be called after a grace period (default 30 seconds, 10 minutes for kvstore, set by --identity-restore-grace-period). The grace period is needed when running on an external workload, where policy synchronization is not done via k8s. In the k8s case it is also prudent to allow concurrent endpoint regenerations to (re-)allocate the restored identities before we release them.

Any CIDRs still in use after the grace period will have other sources of metadata in the ipcache, and thus will remain. CIDRs for which restoration was the only source of metadata will be deallocated. Identities with no references after restoration will be deallocated.

func (*LocalIdentityRestorer) RestoreLocalIdentities

func (d *LocalIdentityRestorer) RestoreLocalIdentities(ipCache *ipcache.IPCache) error

RestoreLocalIdentities restores the local identity state in the allocator and IPCache.

First, the local identity allocator checkpoint is loaded. This will ensure that the same set of labels is assigned the same numeric identity once the agent has restored all state.

Next, the outgoing ipcache bpf map is read. For any prefixes that mapped to a CIDR-specific identity, the ipcache metadata is re-created and inserted into the ipcache.

The purpose of this is to preserve stable local identities on agent restart as much as possible. This helps prevent spurious policy drops on agent restart.

After a grace period, the restored identity references and placeholder ipcache metadata entries are removed, on the assumption that the agent has by then synchronized with other state (i.e. kvstore, k8s) and that all necessary entries are present in the ipcache and the identity allocator.

This *must* be called before initMaps(), which will hide the "old" ipcache.
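The restore, grace period and release sequence described for RestoreLocalIdentities and ReleaseRestoredIdentities, as an added simulation that is not Cilium's code: a toy local allocator seeded from a checkpoint, an ipcache that keeps metadata per source, and a restorer that inserts placeholder entries and later removes exactly those. The type and method names, the "restored" source name, the "policy" source, the label strings and the identity numbers are all assumptions constructed for this example. The run shows that a prefix re-referenced during the grace period keeps its pre-restart identity number and survives release, while a prefix whose only metadata source was restoration is dropped and its identity deallocated.

```go
package main

import "fmt"

type Labels string // canonical label-set string such as "cidr:10.0.0.0/24" (assumed representation)
// LocalAllocator maps label sets to numeric identities and counts references to each.
type LocalAllocator struct {
	next     uint32
	byLabels map[Labels]uint32
	refs     map[uint32]int
}

// Allocate returns the identity for l, reusing a checkpointed number, and takes a reference.
func (a *LocalAllocator) Allocate(l Labels) uint32 {
	id, ok := a.byLabels[l]
	if !ok {
		id, a.next = a.next, a.next+1
		a.byLabels[l] = id
	}
	a.refs[id]++
	return id
}

// Release drops one reference; an identity left with none is deallocated.
func (a *LocalAllocator) Release(id uint32) {
	if a.refs[id]--; a.refs[id] <= 0 {
		delete(a.refs, id)
	}
}
func (a *LocalAllocator) Allocated(id uint32) bool { return a.refs[id] > 0 }

// IPCache keeps, per prefix, the labels contributed by each metadata source.
type IPCache struct{ meta map[string]map[string]Labels }

func (c *IPCache) UpsertMetadata(prefix, source string, l Labels) {
	if c.meta[prefix] == nil {
		c.meta[prefix] = map[string]Labels{}
	}
	c.meta[prefix][source] = l
}

// RemoveMetadata drops one source; a prefix left with no sources disappears.
func (c *IPCache) RemoveMetadata(prefix, source string) {
	delete(c.meta[prefix], source)
	if len(c.meta[prefix]) == 0 {
		delete(c.meta, prefix)
	}
}
func (c *IPCache) Has(prefix string) bool { return len(c.meta[prefix]) > 0 }

// sourceRestored tags the placeholder metadata inserted by restoration (assumed name).
const sourceRestored = "restored"

// Restorer records what it inserted so that only those placeholders are undone later.
type Restorer struct {
	ids      []uint32
	prefixes []string
}

// RestoreLocalIdentities loads the checkpoint, then re-creates placeholder metadata for each old-map prefix.
func (r *Restorer) RestoreLocalIdentities(a *LocalAllocator, c *IPCache, cp map[Labels]uint32, oldMap map[string]uint32) {
	byID := map[uint32]Labels{}
	for l, id := range cp {
		a.byLabels[l], byID[id] = id, l // same labels -> same number after restart
		if id >= a.next {
			a.next = id + 1
		}
	}
	for prefix, id := range oldMap {
		l, ok := byID[id]
		if !ok {
			continue // not a checkpointed local identity: nothing to restore
		}
		a.Allocate(l) // placeholder reference reserves the number
		c.UpsertMetadata(prefix, sourceRestored, l)
		r.ids, r.prefixes = append(r.ids, id), append(r.prefixes, prefix)
	}
}

// ReleaseRestoredIdentities removes only the placeholders; anything that gained another source or reference survives.
func (r *Restorer) ReleaseRestoredIdentities(a *LocalAllocator, c *IPCache) {
	for _, p := range r.prefixes {
		c.RemoveMetadata(p, sourceRestored)
	}
	for _, id := range r.ids {
		a.Release(id)
	}
	r.ids, r.prefixes = nil, nil
}

// RunRestart simulates restore, a grace period in which only 10.0.0.0/24 is re-referenced, then release.
func RunRestart() (*LocalAllocator, *IPCache, uint32) {
	inUse, stale := Labels("cidr:10.0.0.0/24"), Labels("cidr:10.0.1.0/24")
	cp := map[Labels]uint32{inUse: 16777217, stale: 16777218}                     // constructed checkpoint
	oldMap := map[string]uint32{"10.0.0.0/24": 16777217, "10.0.1.0/24": 16777218} // constructed old ipcache map
	a := &LocalAllocator{next: 16777216, byLabels: map[Labels]uint32{}, refs: map[uint32]int{}}
	c, r := &IPCache{meta: map[string]map[string]Labels{}}, &Restorer{}
	r.RestoreLocalIdentities(a, c, cp, oldMap)
	id := a.Allocate(inUse) // policy sync re-references 10.0.0.0/24 during the grace period
	c.UpsertMetadata("10.0.0.0/24", "policy", inUse)
	r.ReleaseRestoredIdentities(a, c)
	return a, c, id
}

func main() {
	a, c, id := RunRestart()
	fmt.Println(id, c.Has("10.0.0.0/24"), a.Allocated(16777217), c.Has("10.0.1.0/24"), a.Allocated(16777218))
}
```

The important property is that the restorer undoes only what it inserted: it removes the "restored" source, not the prefix, and drops one reference, not the identity. Any source or reference added while the grace period was running therefore keeps the prefix and identity alive, which is what lets endpoint regenerations re-allocate the restored identities before release.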
