fix: bpf program fails due to linux LSM Lockdown #8535
Conversation
Commonly used Kubernetes CNIs using multiple features are blocked by this parameter.

Signed-off-by: Kevin Klopfenstein <kk@sudo-i.net>
There is no need to change the defaults when generating an image.
@frezbo I'm not sure if you want your users to build and manage their own images in order to have a working Kubernetes cluster using Cilium CNI and Secure Boot. At least, I think the documentation should get an update on that.
I meant to add it to factory, or when using imager. If using Not every user uses Cilium with SecureBoot, and making Talos less secure for one CNI is not ideal.
Currently, when I create an Installer Image with
Could you post the steps used? If it's a bug we can fix it.
Sure, I'm using the following URL: https://factory.talos.dev/?version=1.6.7&ext-siderolabs%2Fbnx2-bnx2x=&ext-siderolabs%2Fintel-ucode=&ext-siderolabs%2Fiscsi-tools=&extra-args=lockdown%3Dintegrity.
Could you try this schematic id: Seems it was missing.
This is the input:

```yaml
customization:
  extraKernelArgs:
    - -lockdown
    - lockdown=integrity
  systemExtensions:
    officialExtensions:
      - siderolabs/bnx2-bnx2x
      - siderolabs/intel-ucode
      - siderolabs/iscsi-tools
```
I don't think there's a nice way to change the lockdown flag via image factory, as the installer will always try to write the default, so you need to use machine config for that. We might consider changing the default for 1.8.
@smira & @frezbo I was able to fix this issue by setting the args in the image factory:

```yaml
customization:
  extraKernelArgs:
    - -lockdown
    - lockdown=integrity
```

but not via machine config:

```yaml
machine:
  install:
    extraKernelArgs:
      - -lockdown
      - lockdown=integrity
```

OK then I will update my PR to update the documentation on Cilium CNI (https://www.talos.dev/v1.6/kubernetes-guides/network/deploying-cilium/).
Just to share our experience, we've been operating Talos with secureboot and utilizing Cilium for Kubernetes networking, enabling a wide range of BPF functionalities, for quite some time now—months, in fact—without encountering any significant issues tied to BPF's lockdown mode set to confidentiality. Here are the specifics of our KubeProxyReplacement configuration:
The only minor issue we've noted involves occasional log messages upon Cilium startup, indicating:
and:
However, from our perspective, these don't present a significant concern.
This PR is stale because it has been open 45 days with no activity.
Any problems so far?
Maybe Cilium falls back to less optimized calls? Did you check it?
Pull Request
What? (description)
When Secure Boot images are used, Talos by default sets lockdown to confidentiality (lockdown=confidentiality).
This prevents BPF-based programs from running properly. BPF is used in many commonly used Kubernetes CNIs like Cilium.
Many other commonly used Linux distros are moving away from confidentiality mode and moving to integrity mode.
More discussion here: iovisor/bcc#2565.
Why? (reasoning)
Commonly used Kubernetes CNI not working properly.
Acceptance
Please use the following checklist:
- make conformance
- make fmt
- make lint
- make docs
- make unit-tests

I still have to test the change in my environment. Not sure if there is also a change needed in the factory code?
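To make the lockdown behaviour discussed in this PR concrete, here is an added example, not code from Talos, Cilium or this PR. The POSIX shell script below parses the active mode from the contents of /sys/kernel/security/lockdown (a real kernel interface whose output looks like "none [integrity] confidentiality"), works out which mode a kernel command line ends up in (the kernel's lock_kernel_down() only ever raises the level, so a later lockdown=integrity cannot undo an earlier lockdown=confidentiality, which is why the `-lockdown` removal in the schematic above matters), and maps each mode to the BPF-relevant restrictions. The sample sysfs text and command line are constructed inputs, and the restriction mapping is my summary of the kernel's lockdown reason table (integrity set vs. confidentiality set), not something stated in the PR.

```shell
#!/bin/sh
# Added example, not part of Talos, Cilium or this PR.
# Inspect Linux kernel lockdown state and what it implies for BPF programs.

# Parse the active mode out of the contents of /sys/kernel/security/lockdown,
# which the kernel prints as e.g. "none integrity [confidentiality]".
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Numeric strength of a lockdown level: none < integrity < confidentiality.
lockdown_rank() {
    case "$1" in
        none) printf '%s\n' 0 ;;
        integrity) printf '%s\n' 1 ;;
        confidentiality) printf '%s\n' 2 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# Resolve the mode a kernel command line results in. lock_kernel_down() in the
# kernel only raises the level, never lowers it, so the strongest lockdown=
# value on the line wins, not the last one.
cmdline_lockdown() {
    best="none"
    for arg in $1; do
        case "$arg" in
            lockdown=*)
                val="${arg#lockdown=}"
                if [ "$(lockdown_rank "$val")" -gt "$(lockdown_rank "$best")" ]; then
                    best="$val"
                fi
                ;;
        esac
    done
    printf '%s\n' "$best"
}

# BPF-relevant restrictions per mode, summarised from the kernel's lockdown
# reason table (assumption of this example, not a statement from the PR):
# integrity blocks BPF writes to user memory; confidentiality additionally
# blocks BPF reads of kernel memory, kprobes and tracefs.
bpf_restrictions() {
    case "$1" in
        none) printf '%s\n' none ;;
        integrity) printf '%s\n' bpf_write_user ;;
        confidentiality) printf '%s\n' bpf_write_user,bpf_read_kernel,kprobes,tracefs ;;
        *) printf '%s\n' unknown; return 1 ;;
    esac
}

# Constructed sample input standing in for the real files on a node.
SAMPLE_SYSFS='none integrity [confidentiality]'
SAMPLE_CMDLINE='talos.platform=metal console=ttyS0 lockdown=confidentiality lockdown=integrity'

# Compare what the kernel reports with what the command line would give.
report() {
    active=$(lockdown_active_mode "$SAMPLE_SYSFS")
    expected=$(cmdline_lockdown "$SAMPLE_CMDLINE")
    printf 'active mode: %s (restricts: %s)\n' "$active" "$(bpf_restrictions "$active")"
    printf 'cmdline resolves to: %s\n' "$expected"
    [ "$active" = "$expected" ] || printf 'warning: sysfs and cmdline disagree\n'
}

report
```

On a real node, replace the two constructed samples with `cat /sys/kernel/security/lockdown` and `cat /proc/cmdline`; the point the sample command line makes is that appending lockdown=integrity after the installer's lockdown=confidentiality still leaves the node in confidentiality mode, so the existing argument has to be removed rather than overridden.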