https://github.com/cilium/cilium

Revision Author Date Message Commit Date
2426047 cilium: fix egress only case Previous patch fixed endpoint to endpoint case but broke the endpoint to world case; fix it here. Manage all traffic sent by a cilium endpoint (sip4) and on the #define'd SFD_PORT Couple notes: - Future work will pull SFD_PORT out of proxy policy TBD - Disabled redirects for now it breaks container to container user space proxy. TBD redirect to userspace proxy correctly this is just coding work but all the same disabled for later. - only supporting egress userspace proxy now. Need some direction field in key most likely to do both ingress and egress. - SK_PASS to user space via sk_skb verdict program is not working yet. Seems kernel patch needs some fix but it's not needed to demo here. TBD. - Missing arch doc describing proto sock_key headers and BPF program layout. Need to organize this a bit to be sure we have correct feature precedence with all features enabled. Again not needed for POC. - TBD all the things. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 07 December 2018, 15:51:43 UTC
68f17f7 bpf: fixes for tls 07 December 2018, 15:51:42 UTC
29442a0 cilium: add ktls support 07 December 2018, 15:43:36 UTC
19031a6 pkg/fqdn: Cache stores reverse DNS lookup data It is sometimes useful to find all DNS names that have a specific IP. `pkg/fqdn.DNSCache` already does most of the bookkeeping for this and can maintain the additional reverse lookup information. This can then be used to ask cilium-agent for this via an API call (among other methods). Signed-off-by: Ray Bejjani <ray@covalent.io> 07 December 2018, 15:23:06 UTC
1a3c41f pkg/fqdn: matchPattern supports "*" allow-all toFQDNs rules need a source of DNS information, nominally the proxy. While it is better to specify explicit patterns to allow, it may be easier to allow all, but still capture the DNS data for more specific toFQDNs. Note that toFQDNs can also use "*" but that may be a little pointless. It will select all known IPs in the DNS cache and generate rules with them. Signed-off-by: Ray Bejjani <ray@covalent.io> 07 December 2018, 15:22:13 UTC
0b78eb1 clustermesh: Ignore !(etcd configfiles) in the secrets volume Avoids controller errors like these: ``` remote-etcd-cluster1.etcd-client-ca.crt never 2m59s ago 282 error unmarshaling JSON: json: cannot unmarshal string into Go value of type yaml.yamlConfig remote-etcd-cluster1.etcd-client.crt never 2m59s ago 282 error unmarshaling JSON: json: cannot unmarshal string into Go value of type yaml.yamlConfig remote-etcd-cluster1.etcd-client.key never 2m59s ago 282 error unmarshaling JSON: json: cannot unmarshal string into Go value of type yaml.yamlConfig ``` Fixes: #6380 Signed-off-by: Thomas Graf <thomas@cilium.io> 07 December 2018, 04:30:00 UTC
1a1b35b test: fix kafka policy test Signed-off-by: André Martins <andre@cilium.io> 07 December 2018, 00:18:03 UTC
e0c6077 dnsproxy: Emit accesslog/monitor events on DNS traffic We can now report DNS information that we intercept via the proxy. Signed-off-by: Ray Bejjani <ray@covalent.io> 06 December 2018, 21:58:53 UTC
c54c950 accesslog: Add DNS field to LogRecord We can report DNS information as part of the accesslog, similar to other proxies. The DNS data is added in a simple way, including just the DNS message itself. Signed-off-by: Ray Bejjani <ray@covalent.io> 06 December 2018, 21:58:53 UTC
e4fd520 .github: update issue templates Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 09:44:53 UTC
81a8fc6 dev: update k8s version to v1.13.0 and etcd to v3.3.10 Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 08:24:20 UTC
7d48db9 test: change default k8s version to 1.13.0 Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 08:24:20 UTC
9aa8ed4 update k8s dependencies to 1.13.0 Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 08:24:20 UTC
49f330a .github: fix directory name for github issue templates Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 08:19:54 UTC
60b52d7 .github: add more issue templates for different cases Signed-off-by: André Martins <andre@cilium.io> 06 December 2018, 05:24:42 UTC
06928ca docs: Update references for inline assembly Signed-off-by: Joe Stringer <joe@cilium.io> 06 December 2018, 05:23:03 UTC
e875c1a k8s: Provide ServiceCache contents via /debuginfo The library used to pretty print the structure has already been vendored via another dependency so it doesn't add to the binary size. Example: ``` (*k8s.ServiceCache)(0xc00098ed30)({ mutex: (lock.RWMutex) { internalRWMutex: (lock.internalRWMutex) { RWMutex: (sync.RWMutex) { w: (sync.Mutex) { state: (int32) 0, sema: (uint32) 0 }, writerSem: (uint32) 0, readerSem: (uint32) 0, readerCount: (int32) 1, readerWait: (int32) 0 } } }, services: (map[k8s.ServiceID]*k8s.Service) (len=3) { (k8s.ServiceID) default/echo: (*k8s.Service)(0xc002e1ed80)(frontend:172.20.0.214/ports=[]/selector=map[name:echo]), (k8s.ServiceID) default/kubernetes: (*k8s.Service)(0xc002e1ee00)(frontend:172.20.0.1/ports=[https]/selector=map[]), (k8s.ServiceID) kube-system/kube-dns: (*k8s.Service)(0xc002e1ee40)(frontend:172.20.0.10/ports=[dns dns-tcp]/selector=map[k8s-app:kube-dns]) }, endpoints: (map[k8s.ServiceID]*k8s.Endpoints) (len=5) { (k8s.ServiceID) default/echo: (*k8s.Endpoints)(0xc002ed9480)(10.16.105.205:80/TCP,10.16.150.104:80/TCP,10.16.179.87:80/TCP,10.16.198.212:80/TCP,10.16.223.106:80/TCP), (k8s.ServiceID) default/kubernetes: (*k8s.Endpoints)(0xc002ed9490)(192.168.33.11:6443/TCP), (k8s.ServiceID) kube-system/kube-controller-manager: (*k8s.Endpoints)(0xc002ed94a0)(), (k8s.ServiceID) kube-system/kube-dns: (*k8s.Endpoints)(0xc002ed9460)(10.16.226.224:53/TCP,10.16.226.224:53/UDP), (k8s.ServiceID) kube-system/kube-scheduler: (*k8s.Endpoints)(0xc002ed9470)() }, ingresses: (map[k8s.ServiceID]*k8s.Service) { }, externalEndpoints: (map[k8s.ServiceID]k8s.externalEndpoints) { }, Events: (chan k8s.ServiceEvent) (cap=128) 0xc0002b0960 }) ``` Signed-off-by: Thomas Graf <thomas@cilium.io> 06 December 2018, 05:22:38 UTC
50f7b9e api: Add subsystem field to /debuginfo API The new field is a map[string]string to allow arbitrary subsystems to expose debug information without requiring to structure it via the API. Signed-off-by: Thomas Graf <thomas@cilium.io> 06 December 2018, 05:22:38 UTC
565aaae debug: Simple subsystem status collector registrar Signed-off-by: Thomas Graf <thomas@cilium.io> 06 December 2018, 05:22:38 UTC
40d2b3c Build cilium-operator, generate shell completions 05 December 2018, 23:34:15 UTC
18eb98a add cilium-docker-plugin Dockerfile This allows to provide the cilium docker plugin in its own docker image Signed-off-by: André Martins <andre@cilium.io> 05 December 2018, 20:18:07 UTC
eac4a51 add cilium-operator dockerfile This allows cilium-operator to be executed in its own docker image. Signed-off-by: André Martins <andre@cilium.io> 05 December 2018, 20:18:07 UTC
6aaeb33 pkg/k8s: move pkg/k8s/cep.go to pkg/k8s/endpointsynchronizer/cep.go This avoids pkg/k8s to import pkg/endpoint which is used by cilium/operator. Signed-off-by: André Martins <andre@cilium.io> 05 December 2018, 20:18:07 UTC
25b258a dockerfile: do not build unnecessary binaries in docker image To shrink the image size used for cilium-agent it was decided to remove unnecessary binaries from the cilium/cilium image. cilium-operator will have its own image cilium-ring-dump is mainly used by developers cilium-docker is not used in a kubernetes deployment Signed-off-by: André Martins <andre@cilium.io> 05 December 2018, 20:18:07 UTC
b5ecc4c endpoint: make policy calculation log Debug level Given that this log message occurs for each endpoint that is regenerated, it does not make sense to have it at Info level, since the amount of log messages will increase as the number of both regenerations and endpoints increases on a given node. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 18:13:49 UTC
5ede12f test: add cilium-etcd-operator to k8s upstream tests Signed-off-by: André Martins <andre@cilium.io> 05 December 2018, 16:35:31 UTC
c9818c2 policy: add documentation for computeDesiredL4PolicyMapEntries Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
659d461 policy: factor out duplicated L4Filter conversion logic based on direction Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
c9f5954 policy: factor out allow all at L3 logic Factor out code which is exactly the same for ingress and egress into a function which allows all identities in a specified IdentityCache at ingress or egress to reduce duplication of logic. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
7f2e623 policy: rename Policy to EndpointPolicy This type is generated on a per-endpoint basis, so name it as such. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
ed012c3 endpoint: remove unused code Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
267d4f6 daemon: remove ComputePolicyEnforcement tests This functionality is tested in the policy package in pkg/policy/repository_test.go:TestComputePolicyEnforcementAndRules. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
5d1f85c endpoint: use policy.ResolvePolicy to determine desired policy state Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
8cbf74d policy: plumb L3-only PolicyKey calculation into ResolvePolicy Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
e7b08e8 policy: convert L4Policy to Key This allows for the L4Policy to be converted to a representation the datapath can understand. In the future, this will be done elsewhere, but in order to unify policy generation, it has been moved into the policy package. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
e6f7b88 policy: add new ResolvePolicy function This function returns a generated policy object based off the following state: * Set of labels for which the policy is computed. * Set of all identities. * List of rules in the policy repository. The first step of this new function is to figure out whether ingress or egress enforcement applies to the provided set of labels. All rules need to be analyzed as to whether they match these labels. While this check is done, cache the rules that match locally. This increases performance of policy evaluation by reducing the number of rules which are iterated over when calculating policy at each protocol layer for an endpoint, as well as performing the matching operation upon the endpoint selector of the rules only once, as opposed to against all rules in the repository for each protocol layer. Since the list of rules are already predetermined to select the set of labels, the check as to whether the rules select the set of labels does not need to be performed again. This allows for setting of the `rulesSelect` flag in the SearchContext objects for both ingress and egress policy generation, which skips said aforementioned check in the subsequent policy generation at L4, for CIDRs, etc. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
aed4daa policy: add new Policy type This groups separate types that encode resolved policy, e.g. L4Policy, CIDRPolicy, into one structure. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
8854973 policy: add rulesSelect field to SearchContext rulesSelect specifies whether or not to check whether a rule which is being analyzed against its SearchContext matches either the From or To fields within the SearchContext. This is used to avoid using EndpointSelector.Matches() while analyzing rules if possible, since said function is costly in terms of performance. Currently, this flag is always false, so no functional change is intended here. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 02:47:04 UTC
42613c3 endpoint: factor out regeneration statistics update into function Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 01:37:14 UTC
daa2129 endpoint: add updateRealizedState function Factor this out of `endpoint.regenerate()` and into its own function for more maintainable, organized code. No functional change is intended. Signed-off by: Ian Vernon <ian@cilium.io> 05 December 2018, 01:37:14 UTC
a9e759f daemon: do deep copy of model.StatusResponse This commit is going to be squashed after all reviews. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
ef4a884 deps: add github.com/mohae/deepcopy It's going to be used by daemon/status.go for making a deep copy of models.StatusResponse. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
e25b3a8 {daemon,status,defaults}: address PR comments This commit is going to be squashed after all reviews. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
82156b6 client: report stale statuses (probes) with status cmd Example of such report: ``` $ cilium status KVStore: Failure Err: No response from kvstore probe within 15 seconds ContainerRuntime: Ok docker daemon: OK Kubernetes: Failure No response from kubernetes probe within 15 seconds Kubernetes APIs: [""] Cilium: Warning Stale status data Stale status: "kubernetes" since 2018-11-21T11:11:45.164Z, "kvstore" since 2018-11-21T11:09:43.133Z NodeMonitor: Disabled Cilium health daemon: Ok IPv4 address pool: 260/65535 allocated IPv6 address pool: 3/65535 allocated Proxy Status: OK, ip 10.0.0.1, port-range 10000-20000 ``` Joint work with @tgraf and @raybejjani. Fixes #5674. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
80b1636 daemon: get status of each subsystem concurrently Move status collection of each subsystem into probes handled by the collector from pkg/status. Each probe is run concurrently, so a deadlocking/stale probe a) does not stop other probes, b) can be reported. Joint work with @tgraf and @raybejjani. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
db41346 api: add the field Stale to StatusResponse The field is a map whose key is a stale probe name and whose value is a timestamp when the probe was started. Joint work with @tgraf and @raybejjani. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
fe98542 status: add pkg for running status probes concurrently pkg/status/status.go introduces a mechanism for running status probes concurrently. The main use-case is to detect stale statuses of the daemon subsystems. Joint work with @tgraf and @raybejjani. Signed-off-by: Martynas Pumputis <martynas@covalent.io> 05 December 2018, 01:19:38 UTC
27f149c policy: Force L3 when toFQDNs is present via a selector When calculating L3/L4 policy, toFQDNs was ignored. In the cases where a DNS lookup had not occurred, and no toCIDRSet rules generated, the policy was interpreted as L3 wildcard. We now treat toFQDNs as a label selector style rule that always selects EntityNone. Nothing can create an EntityNone so it should never be a valid target. Signed-off-by: Ray Bejjani <ray@covalent.io> 04 December 2018, 13:33:11 UTC
6065556 policy: Add EntityNone - a non-assignable entity EntityNone expresses the opposite of EntityAll. It never matches anything and is, in effect, an explicit deny-all. Signed-off-by: Ray Bejjani <ray@covalent.io> 04 December 2018, 13:33:11 UTC
71c2353 policy: remove policymap dependency Instead, duplicate the PolicyKey type in this package. The key difference between this type and the PolicyKey type in pkg/maps/policymap, is that the DestPort field is in host-byte order in the version in pkg/policy. This avoids pulling in the BPF dependencies into pkg/policy, and also continues the work to create an intermediate representation of policy that is not directly tied to pkg/bpf. The duplicated type is renamed to Key to avoid stuttering in the type name with the package name. Signed-off by: Ian Vernon <ian@cilium.io> 04 December 2018, 01:36:45 UTC
691d203 policy: move determination of allow localhost / world into policy package Now that PolicyMapState is within the policy package, refactor some functions which perform operations directly on this type to be within said package. Signed-off by: Ian Vernon <ian@cilium.io> 04 December 2018, 01:36:45 UTC
4eaf235 move PolicyMapState to policy package This allows for it to be part of the Policy type within the policy package. This is not an ideal change, since it exposes datapath representation into the policy package, but this is an iterative step to unify policy computation within Cilium. This will eventually be changed in the future. Signed-off by: Ian Vernon <ian@cilium.io> 04 December 2018, 01:36:45 UTC
7cce61f test: bump k8s 1.13 to 1.13.0-rc.2 Signed-off-by: André Martins <andre@cilium.io> 04 December 2018, 01:13:55 UTC
d051142 examples/kubernetes: loosen up tolerations used As Cilium is a critical component in the network we can loosen up the tolerations used in the DaemonSet so the pods can be scheduled in all nodes by default. Signed-off-by: André Martins <andre@cilium.io> 04 December 2018, 01:12:16 UTC
b22cd44 agent: Ignore IPV4_GATEWAY=0x0 when restoring I ended up with a node_config.h where IPV4_GATEWAY is set to 0x0. This causes the internalIP to be restored to 0.0.0.0 which causes the agent to refuse to start up and recover. It is better to continue and attempt to recover from the IP assigned to the cilium_host device. Signed-off-by: Thomas Graf <thomas@cilium.io> 04 December 2018, 01:11:00 UTC
e43ff15 test/k8sT: specify image tag for Kafka proxy image While the only tag available on DockerHub is 'latest' for 'docker.io/spotify/kafkaproxy', explicitly state that the tag is 'latest', and add a comment indicating that the only tagged version on DockerHub is 'latest'. Signed-off by: Ian Vernon <ian@cilium.io> 03 December 2018, 23:12:57 UTC
48ad125 fqdn/proxy: Send REFUSED response on policy deny Return a synthetic REFUSED DNS response when the proxy rejects a DNS lookup. This avoids the requester from having to wait (and to retry). REFUSED doesn't seem to be a cached negative response, and RFC 1035 explicitly references policy as a reason to refuse a request (in https://tools.ietf.org/html/rfc1035#section-4.1.1). In kubernetes a search domain list is provided, listing various combinations of service, namespace, and cluster.local. Stub resolvers follow this list and may have to wait for a very long time (2 timeouts per possible name), rendering even allowed DNS lookups unusable. This is because the rejected combinations may be attempted first. Signed-off-by: Ray Bejjani <ray@covalent.io> Signed-off-by: Maciej Kwiek <maciej@covalent.io> 03 December 2018, 16:24:07 UTC
fad7213 delete kubernetes/addons/etcd-operator Signed-off-by: André Martins <andre@cilium.io> 02 December 2018, 05:52:27 UTC
7a56283 test: test etcd-operator provided to users in examples/kubernetes Signed-off-by: André Martins <andre@cilium.io> 02 December 2018, 05:52:27 UTC
4057123 examples/kubernetes: add etcd-operator Signed-off-by: André Martins <andre@cilium.io> 02 December 2018, 05:52:27 UTC
d124242 examples/kubernetes: add env variable to specify cilium init Signed-off-by: André Martins <andre@cilium.io> 02 December 2018, 05:52:27 UTC
663467e pkg/k8s: update generated code with 1.13 code-generators Signed-off-by: André Martins <andre@cilium.io> 01 December 2018, 20:53:37 UTC
a498257 vendor: update k8s dependencies to 1.13.0-rc.1 Signed-off-by: André Martins <andre@cilium.io> 01 December 2018, 20:53:37 UTC
cd4ae97 bump k8s version to v1.13.0-rc.1 Signed-off-by: André Martins <andre@cilium.io> 01 December 2018, 20:53:37 UTC
08336c8 vendor: update miekg/dns to v1.1.0 Update miekg/dns to see if it solves some decoding bugs we are seeing and also, doing frequent updates we will make minimal library changes. golang.org/x/net requires an override as miekg/dns uses branch = master for this dependency. Signed-off-by: André Martins <andre@cilium.io> 01 December 2018, 18:15:02 UTC
d909e0c make: Fix indentation in start-kvstores section Makefiles should indent only with tabs. Signed-off-by: Michal Rostecki <mrostecki@suse.de> 01 December 2018, 17:57:58 UTC
afb9849 endpoint: remove endpoint CIDR Map functions These maps are no longer used, and can be removed as part of the 1.4 release. Signed-off by: Ian Vernon <ian@cilium.io> 01 December 2018, 17:56:41 UTC
d0c05bd test: improve resiliency of policy import test Instead of checking whether the identities of locally running endpoints contain the labels which are allowed by policy, query which identities have those labels via the `cilium identity get` CLI. This is a more correct check since policy computation is done in relation to all identities, not just those running locally. It also ensures that if other tests add identities which are not deleted yet from the key-value store, the test will still pass even if the endpoints which utilized said identities no longer are running. Signed-off by: Ian Vernon <ian@cilium.io> 01 December 2018, 17:55:21 UTC
54d94a5 identity: Block createEndpoint() while identity is being resolved Commit 65fe98 has changed the endpoint creation API to resolve and assign the endpoint labels in a synchronous manner when running in Kubernetes mode. However, the identity resolution has remained non-blocking. This leads to the endpoint not being assigned an identity for some period of time. Previously, the init identity was resolved immediately due to not depending on the kvstore. Resolve the identity while creating the endpoint via the API. This guarantees that an endpoint has a proper identity from the moment it starts up. The consequence is that endpoint creation and thus CNI ADD will fail for pods when the kvstore is not available and the pod is not using a well-known identity. Fixes: 65fe98c4f39 ("cni: Synchroneous pod label retrieval on CNI add") Signed-off-by: Thomas Graf <thomas@cilium.io> 01 December 2018, 09:51:14 UTC
38e678d tests: add version constraints for k8s 1.13 and cilium 1.3 Signed-off-by: André Martins <andre@cilium.io> 30 November 2018, 19:43:50 UTC
b24c369 docs: update documentation for k8s 1.13 Signed-off-by: André Martins <andre@cilium.io> 30 November 2018, 19:43:50 UTC
62e7c9f k8s: add k8s 1.13 cilium deployment descriptors Signed-off-by: André Martins <andre@cilium.io> 30 November 2018, 19:43:50 UTC
378b45d test: add k8s 1.13 to test framework As we are always testing against k8s 1.8, 1.8 was removed from ginkgo-kubernetes-all.Jenkinsfile Signed-off-by: André Martins <andre@cilium.io> 30 November 2018, 19:43:50 UTC
fd5ea2a bpf: Don't reset TCP timer on final ACK A typical TCP connection close looks something like: -> FIN <- ACK, FIN -> ACK or -> FIN <- ACK <- FIN -> ACK For each direction when the FIN is received, either entry->rx_closing or entry->tx_closing is set. This is triggered via the caller's code which chooses to ACTION_CREATE or ACTION_CLOSE depending on the presence of TCP_FLAG_RST or TCP_FLAG_FIN. When the final ack packet arrives, it does not have a `RST` or `FIN`, so the action ends up being ACTION_CREATE. As a result, with the existing logic, the final ack will *always refresh the timer* back to the full 12-hour TCP timeout, after the FINs previously reduced the entry timeout to CT_CLOSE_TIMEOUT. This patch alleviates this by only resetting the closing state and timeout if it appears that a brand new connection is establishing with the same 5-tuple. Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 17:58:38 UTC
bbc5a51 bpf: Fix tcp flag access Previously, access into tcp flags was governed using a bitfield declared based on the endianness of the host CPU, even though the packet data is always in network byte-order. This would mean that any direct access of flags would access the wrong bits in the packet, and would cause conntrack entries for closed TCP connections to expire as long as 12 hours after a connection was closed. Fix this issue by redefining the tcp flags struct to store in a 32-bit structure, then use the Linux TCP_FLAG_* defines to check / store the appropriate TCP flag bits. Fixes: #6280 Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 17:58:38 UTC
717a468 bpf: Relax verifier in IPv6 drop case Before: $ make -C bpf && sudo ./test/bpf/check-complexity.sh | grep -A 2 IPV6_FROM_LXC ... Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (31)! - Instructions: 4006 (0 over limit) processed 62569 insns After: $ make -C bpf && sudo ./test/bpf/check-complexity.sh | grep -A 2 IPV6_FROM_LXC ... Prog section '2/10' (tail_call IPV6_FROM_LXC) loaded (31)! - Instructions: 4014 (0 over limit) processed 49669 insns Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 17:58:38 UTC
a0ad61d endpoint: remove prepareForDatapathRegeneration function Instead, setting `ctCleaned` can be done when a `datapathRegenerationContext` is initialized. Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
4045887 endpoint: do not finalize proxy state in DryMode Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
9db9a2c endpoint: factor out function which holds endpoint lock within regenerateBPF into separate function This makes regenerateBPF smaller and the code easier to understand. Also have prepare build stat not overlap with waitingForCTClean stat, and End this spanstat when said function returns. Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
2d9d7e6 endpoint: factor out code which locks endpoint before compilation into function In this function, we can defer the unlocking of the endpoint's mutex. Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
60e551d endpoint: factor out compilation of BPF out of regenerateBPF into separate function Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
395bf0b endpoint: move currentDir / nextDir into datapathRegenerationContext in regenerateBPF Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
b15beb2 endpoint: factor out deferred proxy finalizing / reverting logic into separate function Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
5da965a endpoint: move revertStack / finalizeList into datapathRegenerationContext in regenerateBPF Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
b7539b7 endpoint: move wait group, completions into datapathRegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
afa68e4 endpoint: move datapathRegenerationContext setup after locks are acquired Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
f48cdfb endpoint: move epInfoCache in regenerateBPF into datapathRegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
b1315fa endpoint: move bpfHeaderfilesHash in regenerateBPF into datapathRegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
f72957a endpoint: move bpfHeaderfilesChanged in regenerateBPF into datapathRegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
5c8df12 endpoint: move ctCleaned in regenerateBPF into datapathRegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
beba6dc endpoint: move ReloadDatapath to datapathRegenerationContext in RegenerationContext Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
d673526 endpoint: add datapathRegenerationContext type Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
6ef9836 endpoint: move RegenerationContext to separate file Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
70f09c7 endpoint: make RegenerationRequest private Instead, consumers of pkg/endpoint pass down an ExternalRegenerationMetadata structure, which contains data relevant to a regeneration which are populated by said consumers (e.g., daemon). When an endpoint regeneration is triggered, transfer the data from this new type into a regenerationRequest. This regenerationRequest is only available to the goroutine which is responsible for a single endpoint's regeneration. Signed-off by: Ian Vernon <ian@cilium.io> 30 November 2018, 17:56:00 UTC
6bdf6d1 FQDN: Fix roundrobin dns test. The roundrobin should fail because the MatchName was incorrect. The main reason is that the policy was not being applied because of a malformed endpoint selector. With this change we make sure that the policy is applied to all sample endpoints. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 November 2018, 14:35:20 UTC
0b21b05 FQDN: Add CNAME testing Add a new test that validates that the CNAME entries are working correctly. Two kinds of test: - One tests one level of CNAME - The other one tests three levels of CNAME. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 November 2018, 14:35:20 UTC
bb1e587 bpf: Share common make variables in Makefile.bpf Move the common BPF make targets into a new Makefile, which is included from both bpf/Makefile and bpf/sockops/Makefile. Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 14:08:38 UTC
ed16d84 bpf: Add assembly make target This target will generate %.asm files from the %.c files in the bpf/ directory, allowing developers to inspect the generated BPF assembly more directly including with source locators, without needing to read it from the ELF. Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 14:08:38 UTC
e02d670 Makefiles: Fix absolute path echo Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 14:08:38 UTC
0890d87 bpf/sockops: Fix Makefile The Makefile under bpf/sockops was duplicating some targets, it had targets referencing variables that don't exist, and the clean target wouldn't work. Tidy up the Makefile and fix these issues. Signed-off-by: Joe Stringer <joe@cilium.io> 30 November 2018, 14:08:38 UTC