Merge pull request #602 from l1b0k/policy

update policy image
AliyunContainerService · Apr 12, 2024 · 1446303 · 1446303
2 parents 15fcdc0 + 3e346b1
commit 1446303
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 32 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-d78b0c3@sha256:503a31bc708cec62b4f3276affd0d708a091148ce9bf4503744a3d1f3755b66f
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-582f057@sha256:17fbff0f3ae5c1631c902c7c83c7022f69b4ff3d726645856f5cbb161854a630
 ARG UBUNTU_IMAGE=registry.cn-hangzhou.aliyuncs.com/acs/ubuntu:22.04-update
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:547db7ec9a750b8f888a506709adb41f135b952e@sha256:4d6fa0aede3556c5fb5a9c71bc6b9585475ac9b1064f516d4c45c8fb691c9d9e
 ARG CILIUM_BPFTOOL_IMAGE=quay.io/cilium/cilium-bpftool:78448c1a37ff2b790d5e25c3d8b8ec3e96e6405f@sha256:99a9453a921a8de99899ef82e0822f0c03f65d97005c064e231c06247ad8597d

diff --git a/policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch b/policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k <[email protected]>
+Date: Thu, 11 Apr 2024 15:45:33 +0800
+Subject: fix ip cache driven secid derivation for external traffic ensuring
+ correct identity-based policy enforcement in BPF programs.
+
+Signed-off-by: l1b0k <[email protected]>
+---
+ pkg/datapath/loader/loader.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/datapath/loader/loader.go b/pkg/datapath/loader/loader.go
+index e0c3fe6a00..2ed01b9b19 100644
+--- a/pkg/datapath/loader/loader.go
++++ b/pkg/datapath/loader/loader.go
+@@ -16,6 +16,7 @@ import (
+ 	"github.com/vishvananda/netlink"
+
+ 	"github.com/cilium/cilium/pkg/command/exec"
++	datapathOption "github.com/cilium/cilium/pkg/datapath/option"
+
+ 	"github.com/cilium/cilium/pkg/bpf"
+ 	"github.com/cilium/cilium/pkg/byteorder"
+@@ -157,7 +158,7 @@ func patchHostNetdevDatapath(ep datapath.Endpoint, objPath, dstPath, ifName stri
+ 		return err
+ 	}
+
+-	if !option.Config.EnableHostLegacyRouting {
++	if option.Config.DatapathMode == datapathOption.DatapathModeVeth {
+ 		opts["SECCTX_FROM_IPCACHE"] = uint32(SecctxFromIpcacheEnabled)
+ 	} else {
+ 		opts["SECCTX_FROM_IPCACHE"] = uint32(SecctxFromIpcacheDisabled)
+-- 
+2.44.0
+
diff --git a/policy/cilium/0023-fix-sec-label.patch b/policy/cilium/0023-fix-sec-label.patch