Adding more details to goals and dealing with upgrades sections

Signed-off-by: Hemanth Malla <[email protected]>
cilium · Nov 6, 2024 · 11fee60 · 11fee60
1 parent dadacae
commit 11fee60
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cilium/CFP-30984-dns-proxy-ha-v2.md b/cilium/CFP-30984-dns-proxy-ha-v2.md
@@ -23,6 +23,7 @@ Users rely on toFQDN policies to enforce network policies against traffic to des
 * Introduce a streaming gRPC API for exchanging FQDN policy related information.
 * Introduce a standalone DNS proxy (SDP) that binds on the same port as built-in proxy with SO_REUSEPORT.
 * Enforce L7 DNS policy via SDP.
+* When an endpoint's DNS traffic is selected by an L7 policy, DNS requests and responses will be forwarded to their destinations via SDP even if cilium-agent is not running. So, clients re-resolving DNS to establish new connections will not be blocked anymore.
 
 ## Non-Goals
 
@@ -96,7 +97,6 @@ message DNSPoliciesResult {
     string request_id = 2;
 }
 ```
-```
 
 ### Load balancing
 
@@ -129,4 +129,4 @@ SDP and agent's DNS proxy will run on the same port using SO_REUSEPORT. By defau
 
 ### Handling Upgrades
 
-Other than the streaming API from the agent, this CFP introduces a dependency on the ipcache bpf map which isn't a stable API exposed to components beyond the agent. An e2e test for the toFQDN HA feature in CI will be added to catch such datapath changes impacting SDP. In order to support a safe upgrade path, SDP would need to support reading from the current and future formats of the map (including possibly reading from an entire new map).
+Other than the streaming API from the agent, this CFP introduces a dependency on the ipcache bpf map which isn't a stable API exposed to components beyond the agent. An e2e test for the toFQDN HA feature in CI will be added to catch such datapath changes impacting SDP. If a new change is introduced to the ipcache bpf map, the userspace code to access data from ipcache needs to be refactored out into a library. This library would then be used in both the cilium agent and SDP. This would mean that when upgrading to a new cilium version with updates to ipcache bpf map, SDP should always be upgraded first. The ipcache library needs to support reading data from both old and new formats (we'll likely need to carry this for couple of stable releases). When SDP is upgraded first, SDP would start leveraging the library which would allow us to seamlessly switch over to reading from the new ipcache map when the actual map migration happens. The actual heuristcs to determine when to switch will depend on the nature of changes to bpf map.