Andrey Smirnov 644e803adf
fix: use masks and different firewall mark for KubeSpan
Fixes #4836

The firewall mark is a `uint32` attached to the packet in the Linux kernel
(it's not transmitted on the wire). This is a shared value for all
networking software, so multiple components might attempt to set and
match on the firewall mark.

Cilium and Calico CNIs are using firewall marks internally, but they
touch only some bits of the firewall mark.

The way KubeSpan was implemented before this PR, it was doing a direct
match on the firewall mark and setting the whole `uint32`, so it came
into conflict with any other networking component using firewall marks.

The other problem was that firewall mark 0x51820 (0x51821) was too
"wide", touching random bits of the 32-bit value for no good reason.

So this change contains two fixes:

* make firewall mark exactly a single bit (we use bits `0x20` and `0x40`
  now)
* match and mark packets with the mask (don't touch bits outside of the
  mask when setting the mark and ignore bits outside of the mask when
  matching on the mark).

This was tested successfully with both Cilium CNI (default config +
`ipam.mode=kubernetes`) and Calico CNI (default config).

One thing to note is that for KubeSpan and Talos it's important to make
sure that `podSubnets` in the machine config match CNI setting for
`podCIDRs`.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2022-07-20 16:05:56 +04:00
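The following is an added example written for this page, not code from the Talos repository or from this commit. It models the two behaviours the commit message contrasts: replacing the whole `uint32` mark and matching it directly (the pre-fix behaviour) versus setting and matching only the bits inside a mask (the `value/mask` semantics of the iptables/nftables mark targets). The KubeSpan bits `0x20` and `0x40` and the old `0x51820` mark are taken from the commit message; `otherComponentMark` is a constructed placeholder for bits some other component keeps in the mark, not the real Cilium or Calico bit layout, and `simulate`, `conflictReport` and the helper names are this example's own.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Mark values for this example. KubeSpan's bits and the legacy mark come from
// the commit message; otherComponentMark is a constructed placeholder for bits
// another component (a CNI) stores in the same uint32.
const (
	KubeSpanMarkBit    uint32 = 0x20
	KubeSpanMarkMask   uint32 = 0x20 | 0x40
	LegacyKubeSpanMark uint32 = 0x51820
	otherComponentMark uint32 = 0x600 // constructed, does not overlap the values above
)

// setMarkWhole models the pre-fix behaviour: the whole uint32 is replaced,
// so anything another component stored in the mark is lost.
func setMarkWhole(current, value uint32) uint32 {
	_ = current
	return value
}

// setMarkMasked clears only the bits inside mask and writes value's bits
// there; bits outside the mask keep their previous value.
func setMarkMasked(current, value, mask uint32) uint32 {
	return (current &^ mask) | (value & mask)
}

// matchMarkWhole models the pre-fix direct match: true only if every bit agrees.
func matchMarkWhole(current, value uint32) bool {
	return current == value
}

// matchMarkMasked compares only the bits inside mask and ignores the rest.
func matchMarkMasked(current, value, mask uint32) bool {
	return current&mask == value&mask
}

// markBitCount reports how many distinct bits a mark value occupies.
func markBitCount(v uint32) int {
	return bits.OnesCount32(v)
}

// conflictReport records what happens to a packet that another component has
// already marked when KubeSpan marks and later matches it.
type conflictReport struct {
	LegacyOtherBitsSurvive bool   // other component's bits after a whole-mark set
	MaskedOtherBitsSurvive bool   // other component's bits after a masked set
	DirectMatchOnSharedMark bool  // direct match against KubeSpanMarkBit on the shared mark
	MaskedMatchOnSharedMark bool  // masked match against KubeSpanMarkBit on the shared mark
	SharedMark             uint32 // the mark value after the masked set
}

// simulate starts from a packet carrying otherComponentMark and applies both
// marking strategies, then both matching strategies on the masked result.
func simulate() conflictReport {
	packet := otherComponentMark

	legacy := setMarkWhole(packet, LegacyKubeSpanMark)
	shared := setMarkMasked(packet, KubeSpanMarkBit, KubeSpanMarkMask)

	return conflictReport{
		LegacyOtherBitsSurvive:  legacy&otherComponentMark == otherComponentMark,
		MaskedOtherBitsSurvive:  shared&otherComponentMark == otherComponentMark,
		DirectMatchOnSharedMark: matchMarkWhole(shared, KubeSpanMarkBit),
		MaskedMatchOnSharedMark: matchMarkMasked(shared, KubeSpanMarkBit, KubeSpanMarkMask),
		SharedMark:              shared,
	}
}

func main() {
	r := simulate()
	fmt.Printf("legacy mark 0x%x occupies %d bits; new mark 0x%x occupies %d bits\n",
		LegacyKubeSpanMark, markBitCount(LegacyKubeSpanMark),
		KubeSpanMarkBit, markBitCount(KubeSpanMarkBit))
	fmt.Printf("whole-mark set keeps other component's bits: %v\n", r.LegacyOtherBitsSurvive)
	fmt.Printf("masked set keeps other component's bits:     %v (mark now 0x%x)\n",
		r.MaskedOtherBitsSurvive, r.SharedMark)
	fmt.Printf("direct match on shared mark: %v; masked match: %v\n",
		r.DirectMatchOnSharedMark, r.MaskedMatchOnSharedMark)
}
```

Running it with `go run` shows the two failure modes the commit fixes: the whole-mark set wipes the other component's bits, and a direct match against `0x20` fails as soon as any foreign bit is present in the shared mark, while the masked set and masked match coexist with it.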

Talos Linux

A modern OS for Kubernetes.

Talos is a modern OS for running Kubernetes: secure, immutable, and minimal. Talos is fully open source, production ready, and supported by the people at Sidero Labs. All system management is done via an API - there is no shell or interactive console. Benefits include:

  • Security: Talos reduces your attack surface: It's minimal, hardened and immutable. All API access is secured with mutual TLS (mTLS) authentication.
  • Predictability: Talos eliminates configuration drift, reduces unknown factors by employing immutable infrastructure ideology, and delivers atomic updates.
  • Evolvability: Talos simplifies your architecture, increases your agility, and always delivers current stable Kubernetes and Linux versions.

Documentation

For instructions on deploying and managing Talos, see the Documentation.

Community

If you're interested in this project and would like to help in engineering efforts, or have general usage questions, we are happy to have you! We hold a weekly meeting that all audiences are welcome to attend.

We would appreciate your feedback so that we can make Talos even better! To do so, you can take our survey.

Office Hours

You can subscribe to this meeting by joining the community forum above.

Note: You can convert the meeting hours to your local time.

Contributing

Contributions are welcomed and appreciated! See Contributing for our guidelines.

License

Some software we distribute is under the General Public License family of licenses or other licenses that require we provide you with the source code. If you would like a copy of the source code for this software, please contact via email: info at SideroLabs.com.

Description
Current modifications for talos/alt-orchestra. Fork of https://git.altlinux.org/people/shaba/packages/?p=talos.git;a=summary