upstream: add opt-in validation of bind config network namespaces #45976

Open
bpalermo wants to merge 3 commits into envoyproxy:main from bpalermo:feat/upstream-bind-netns-validation

@bpalermo bpalermo commented Jul 4, 2026

Commit Message

upstream: add opt-in validation of bind config network namespaces

Additional Description

Split out of #45721 (validation half), as requested in review.

A cluster (or the bootstrap cluster manager) whose bind config references a Linux network
namespace that cannot be opened previously failed only when creating upstream connections
(historically with a crash; #45975 makes it a graceful connection failure). This PR adds a new
BindConfig.validate_network_namespaces bool. When set, the
SocketAddress.network_namespace_filepath of every source address in the bind config is
validated at configuration load time, and the configuration is rejected if a namespace cannot be
opened.

Per review feedback on #45721, this is an opt-in API field rather than a runtime guard: a
namespace may legitimately not exist yet when the configuration is loaded (upstream binds only
enter the namespace at connection-establishment time), so eager validation must not be the
unconditional default, and a temporary runtime guard would eventually make it unconditional.

Risk Level

Low — new behavior is opt-in via a new API field; default behavior is unchanged.

Testing

Unit tests added: Network::Utility::validateNetworkNamespace (success/open-failure), and
cluster config rejection with validate_network_namespaces set, plus acceptance of the same
config when unset.

Docs Changes

API proto docs for the new field.

Release Notes

Added a new-feature changelog fragment.

Platform Specific Features

Network namespaces are Linux-only; on other platforms network_namespace_filepath has no effect
and the new validation is a no-op.
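
A sketch of the opt-in check described above, added here as an example and not code from this PR or from Envoy. It assumes a Linux/POSIX host; `BindConfigSketch`, `checkNetnsOpenable` and `validateBindConfig` are hypothetical names, the namespace path is constructed, and only the two field names come from the description.

```cpp
#include <cerrno>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>
#include <fcntl.h>
#include <unistd.h>

// Hypothetical stand-in for a bind config. Only the field names
// validate_network_namespaces and network_namespace_filepath come from the PR text.
struct BindConfigSketch {
  bool validate_network_namespaces = false;              // opt-in, default off
  std::vector<std::string> network_namespace_filepaths;  // one per source address, "" = unset
};

// Returns "" when the namespace file can be opened, otherwise the reason it cannot.
std::string checkNetnsOpenable(const std::string& path) {
  const int fd = ::open(path.c_str(), O_RDONLY | O_CLOEXEC);
  if (fd < 0) {
    return "cannot open network namespace '" + path + "': " + std::strerror(errno);
  }
  ::close(fd);  // only openability is checked; the namespace is not entered
  return "";
}

// Config-load check: an empty result means "accept the configuration".
std::vector<std::string> validateBindConfig(const BindConfigSketch& cfg) {
  std::vector<std::string> errors;
  if (!cfg.validate_network_namespaces) {
    return errors;  // default: a missing namespace surfaces only at connection time
  }
  for (const auto& path : cfg.network_namespace_filepaths) {
    if (path.empty()) continue;  // source address without a namespace
    const std::string err = checkNetnsOpenable(path);
    if (!err.empty()) errors.push_back(err);
  }
  return errors;
}

int main() {
  BindConfigSketch cfg;
  cfg.validate_network_namespaces = true;
  cfg.network_namespace_filepaths = {"/nonexistent-netns-dir/example-ns"};  // constructed path
  for (const auto& e : validateBindConfig(cfg)) std::cout << "config rejected: " << e << "\n";
  return 0;
}
```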

bpalermo added 2 commits July 4, 2026 15:44
A bind config source address referencing a Linux network namespace that
cannot be opened previously failed only when upstream connections were
created. This adds a BindConfig.validate_network_namespaces bool: when
set, the network_namespace_filepath of every source address in the bind
config is validated at configuration load time and the configuration is
rejected if a namespace cannot be opened.

This is opt-in rather than default/runtime-guarded because upstream
binds only enter the namespace at connection-establishment time, so a
namespace may legitimately not exist yet when the configuration is
loaded.

Signed-off-by: Bruno Palermo <b@palermo.dev>
Signed-off-by: Bruno Palermo <b@palermo.dev>
@bpalermo bpalermo had a problem deploying to external-contributors July 4, 2026 18:51 — with GitHub Actions Error
@repokitteh-read-only

Hi @bpalermo, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #45976 was opened by bpalermo.

see: more, trace.

@repokitteh-read-only

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #45976 was opened by bpalermo.

see: more, trace.

Signed-off-by: Bruno Palermo <b@palermo.dev>
@bpalermo bpalermo requested a deployment to external-contributors July 4, 2026 19:04 — with GitHub Actions Waiting