
eBPF Manager Tech Preview - Add limitations of running INFW with eBPF Manager #82746

Billy99 opened this issue Sep 30, 2024 · 2 comments
Billy99 commented Sep 30, 2024

Which section(s) is the issue in?

A list of the limitations of using eBPF Manager (bpfman) with Ingress Node Firewall needs to be added somewhere in the documents, either in the eBPF Manager portion of the docs, or in the INFW section that shows how to use it with eBPF Manager.

What needs fixing?

We need to add a list of the limitations of using bpfman with INFW somewhere. Indicate that with bpfman still in Tech Preview, there are some nuances to using it. @msherif1234 has a better list, but here are a few that come to mind:

  • TCX is currently not supported in bpfman, which INFW uses as a backup if XDP is not supported. So INFW won't work in this release (will be available next release) with bpfman on systems that don't support XDP (i.e. ROSA).
  • When deployed with bpfman operator, the INFW daemonset will remain in the "container creating" state until the rules are applied. Everything is working fine, the INFW daemonset pods are just waiting for the eBPF maps to be created and volume mounted into the pods. It can't do anything until the maps are created anyway. This is a security feature which avoids mounting the eBPF maps on the host, which in turn avoids having to grant INFW pods access to the host filesystem.
  • Ideally when INFW is deployed with bpfman operator, the daemonset pods would run as unprivileged. There is an issue with perf event arrays (still being investigated) that is preventing access without privileged mode.
@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 30, 2024
Billy99 commented Jan 2, 2025

/remove-lifecycle stale

@openshift-ci openshift-ci bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2025