https://github.com/cilium/cilium

Revision Author Date Message Commit Date
0ae9845 bpf: Use builtin memcpy for copying addresses Seen in verifier log where byte-by-byte copy happens: [...] ; if (nat_46x64) { 404: (16) if w5 == 0x1 goto pc+2437 ; R5=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) ; dst->d1 = src->d1; 405: (71) r2 = *(u8 *)(r1 +8) ; R1_w=pkt(off=0,r=40,imm=0) R2_w=scalar(umax=255,var_off=(0x0; 0xff)) 406: (71) r3 = *(u8 *)(r1 +9) ; R1_w=pkt(off=0,r=40,imm=0) R3_w=scalar(umax=255,var_off=(0x0; 0xff)) 407: (67) r3 <<= 8 ; R3_w=scalar(umax=65280,var_off=(0x0; 0xff00)) 408: (4f) r3 |= r2 ; R2_w=scalar(umax=255,var_off=(0x0; 0xff)) R3_w=scalar() 409: (71) r4 = *(u8 *)(r1 +10) ; R1_w=pkt(off=0,r=40,imm=0) R4_w=scalar(umax=255,var_off=(0x0; 0xff)) 410: (71) r2 = *(u8 *)(r1 +11) ; R1_w=pkt(off=0,r=40,imm=0) R2_w=scalar(umax=255,var_off=(0x0; 0xff)) 411: (67) r2 <<= 8 ; R2_w=scalar(umax=65280,var_off=(0x0; 0xff00)) 412: (4f) r2 |= r4 ; R2_w=scalar() R4_w=scalar(umax=255,var_off=(0x0; 0xff)) 413: (67) r2 <<= 16 ; R2_w=scalar(smax=9223372036854710272,umax=18446744073709486080,var_off=(0x0; 0xffffffffffff0000),s32_max=2147418112,u32_max=-65536) 414: (4f) r2 |= r3 ; R2_w=scalar() R3_w=scalar() 415: (71) r3 = *(u8 *)(r1 +13) ; R1_w=pkt(off=0,r=40,imm=0) R3_w=scalar(umax=255,var_off=(0x0; 0xff)) 416: (64) w3 <<= 8 ; R3_w=scalar(umax=65280,var_off=(0x0; 0xff00)) 417: (71) r4 = *(u8 *)(r1 +12) ; R1_w=pkt(off=0,r=40,imm=0) R4_w=scalar(umax=255,var_off=(0x0; 0xff)) 418: (4c) w3 |= w4 ; R3_w=scalar() R4_w=scalar(umax=255,var_off=(0x0; 0xff)) 419: (71) r4 = *(u8 *)(r1 +15) ; R1_w=pkt(off=0,r=40,imm=0) R4_w=scalar(umax=255,var_off=(0x0; 0xff)) 420: (64) w4 <<= 8 ; R4_w=scalar(umax=65280,var_off=(0x0; 0xff00)) 421: (71) r5 = *(u8 *)(r1 +14) ; R1_w=pkt(off=0,r=40,imm=0) R5_w=scalar(umax=255,var_off=(0x0; 0xff)) 422: (4c) w4 |= w5 ; R4_w=scalar() R5_w=scalar(umax=255,var_off=(0x0; 0xff)) 423: (64) w4 <<= 16 ; R4_w=scalar(umax=4294901760,var_off=(0x0; 0xffff0000),s32_max=2147418112) 424: (4c) w4 |= w3 ; R3_w=scalar() R4_w=scalar() 425: (67) r4 <<= 32 ; R4_w=scalar(smax=9223372032559808512,umax=18446744069414584320,var_off=(0x0; 0xffffffff00000000),s32_min=0,s32_max=0,u32_max=0) 426: (4f) r4 |= r2 ; R2_w=scalar() R4_w=scalar() ; dst->d1 = src->d1; 427: (7b) *(u64 *)(r10 -264) = r4 ; R4_w=scalar() R10=fp0 fp-264_w=mmmmmmmm ; dst->d2 = src->d2; [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 March 2023, 12:55:54 UTC
a902d35 Update Documentation/observability/metrics.rst Co-authored-by: Quentin Monnet <qmonnet+github@qoba.lt> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 13 March 2023, 12:15:00 UTC
c4449ee Docs: Add `policy_implementation_delay` to metrics This commit adds the `policy_implementation_delay` to the metrics page in Cilium's documentation. This metric has already been implemented, however it was missing in the documentation. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 13 March 2023, 12:15:00 UTC
b3b10aa Add IPAM modes comparison table Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 13 March 2023, 12:07:27 UTC
ca1cfb5 options: Move pprof defaults into binary specific packages Move pprof related options default values (address and port) from pkg/defaults to binary specific packages, like pkg/option for the agent, operator/option for the operator and clustermesh-apiserver/option for the clustermesh server. This is done to avoid polluting the global defaults package with defaults that are not really global but binary specific. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 March 2023, 12:06:10 UTC
e4d8660 docs: Regenerate cmdref following pprof modularization This commit regenerates the cmdref documentation files following the modularization of pprof. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 March 2023, 12:06:10 UTC
c57074c pprof: Add a test for the pprof cell Add two unit-style integration tests to verify the correct registration of the pprof HTTP handlers. Specifically, the first one checks that no listener is started when pprof is disabled and the other one exercises the `debug/pprof/heap` endpoint when pprof is enabled. Both tests verify that the cell is not leaking any goroutines after the hive stops. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 March 2023, 12:06:10 UTC
b9f90e9 pprof: Add a cell for pprof HTTP handlers Modularize pprof related code into a cell. The cell is used by the agent, the operator and the clustermesh-apiserver. The already present pprof.Enable function is marked as deprecated. Differently from the agent and the clustermesh-apiserver, the operator prefixes the pprof related flags with `operator-`. To reuse the same cell, we use an operator specific config type, in order to map the equivalent fields to the operator-specific flag names. Also, when importing the cell, an additional call to cell.Config is requested to register the default config type (for agent and clustermesh-apiserver) or the operator-specific one. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 13 March 2023, 12:06:10 UTC
bdbb129 helm: Add example dashboards as chart options With this patch, helm users can enable reporting on their clusters with example grafana dashboards. Fixes: #21921 Fixes: #20354 Signed-off-by: Pat Riehecky <riehecky@fnal.gov> 13 March 2023, 12:05:22 UTC
175b2f1 bgpv1: Clear announcement maps after server recreation We maintain a cache/shadow map for all advertisements we have made. During reconciliation we check the desired state against this shadow state which lives in the `PodCIDRAnnouncements` and `ServiceAnnouncements` variables. This works until the `preflightReconciler` decides to recreate the server, which happens if the router-id or the listen port changes. At this point the GoBGP route server is recreated which also clears the tables. But we forget to clear our shadow state as well. This causes any existing routes to not be added since the reconcilers think they are already there. Fixes: #24069 Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 13 March 2023, 10:05:14 UTC
74307f1 Avoid clearing objects in conversion funcs This removes the behavior of mutating the objects received from the client-go library. To begin with there isn't really any benefit from doing so, given we don't store the object afterwards, and it will be ready for gc when it leaves the scope inside client-go. client-go can possibly return the same pointer twice here, to trigger eg. both an object update delta and then a DeletedFinalStateUnknown delta with the same pointer. For more info, see the issue 115658 in the kubernetes/kubernetes repo on github. Signed-off-by: Odin Ugedal <ougedal@palantir.com> Signed-off-by: Odin Ugedal <odin@uged.al> 13 March 2023, 10:04:35 UTC
2cdd4ee agent: rework clustermesh config watcher The agent leverages an fsnotify watcher to detect file changes in the directory containing the etcd configurations for remote clusters (as well as the associated keys/certs), triggering a reconfiguration as appropriate. This commit reworks the above logic to address two main issues: * Due to how Kubernetes mounts ConfigMaps and Secrets within pods, and in particular the usage of symbolic links to handle atomic updates, changes in existing files were not detected (since the watched file itself was a symbolic link, which doesn't change during such operation). Now, an explicit watch operation is started for each configuration file (i.e., watching the actual target), causing a notification to be properly emitted when that is changed. * Prevent possible spurious notifications even if the configuration is not actually modified. This is achieved through hash comparison. Integration tests are updated to cover the above two aspects. Fixes: #23273 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 March 2023, 10:03:42 UTC
a1b3fb3 bpf: clean up NAT target address Initialize target.addr along with the other fields of the ipv*_nat_target, and clarify that it's not actually 0 for nodeport_snat_fwd_ipv4(). This also lets us collapse two TUNNEL_MODE sections in tail_nodeport_nat_egress_ipv4() into one. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 March 2023, 10:01:33 UTC
61549ed bpf: nodeport: clean up a fib_redirect() in tail_nodeport_nat_egress_ipv4() This code path is IPv4-only. So prefer fib_redirect_v4() over the generic fib_redirect(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 March 2023, 10:01:33 UTC
e27a876 fix(deps): pin dependencies Signed-off-by: Renovate Bot <bot@renovateapp.com> 12 March 2023, 06:16:37 UTC
e1a4621 agent: install CNI plugin binary in an InitContainer This reduces the potential security surface of the agent by removing the bind-mount of /opt/cni/bin. Instead, write the binaries once in an initContainer. There is no currently known vulnerability exploiting this, but it's good practice to remove as many long-running host mounts as possible. This could be a potential further exploit vector if an agent were to be compromised. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 11 March 2023, 06:02:08 UTC
a7d3e66 helm: move poststart eni script to agent We rely on the host having an iptables binary for nodeinit scripts. They are not always available, so we are moving the eni-specific poststart hook to the agent pod so that we can ensure it always runs if needed. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 10 March 2023, 18:39:36 UTC
d34c6d7 auth: Inject IPCache into auth manager via hive Injecting the IPCache via hive instead of setting it explicitly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 10 March 2023, 18:38:26 UTC
69b0e65 bpf_tests: Bumped CoverBee to v0.3.2 blank state value fix There was a bug in CoverBee which caused instrumentation to fail on some programs if the verifier log contained frame pointer dumps at the end of a log line without a value. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 10 March 2023, 18:37:18 UTC
c735063 Update the comments about monitorNotify in the listener.go Fix comment error about monitorNotify in `pkg/datapath/ipcache/listener.go`. Signed-off-by: hxysayhi <51870525+hxysayhi@users.noreply.github.com> 10 March 2023, 18:36:17 UTC
db8030a docs/egressgw: Document enforcement delay for new pods This delay can have a security impact if the egress gateway masquerading is used to enforce policies in appliances outside the cluster. Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2023, 18:35:17 UTC
9f583c2 docs/egressgw: Explicitly mention lack of IPv6 support We mention that the egress gateway is for IPv4 traffic, but we never explicitly say that IPv6 isn't supported. This is apparently not obvious to everyone so let's state it here. This commit moves the feature incompatibilities subsection under the Preliminary Considerations section. Another subsection will be added there by the next commit. Signed-off-by: Paul Chaignon <paul@cilium.io> 10 March 2023, 18:35:17 UTC
bc927c0 test: Remove RuntimeDatapathLB The test cases are already covered by ci-datapath and ci-l4lb. Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 March 2023, 18:34:30 UTC
e2a01fd test: add cluster mesh conformance test with Kind This commit introduces the new kind-based conformance tests for cluster mesh, implementing a test matrix to validate (a subset of) the following combinations: * encryption: "none" | "ipsec" | "wireguard" * tunnel: "disabled" | "vxlan" * ipfamily: "ipv4-only" | "dual-stack" | ipv6-only" * kube-proxy: "iptables" | "kpr" Additional context can be found in the enhancement proposal: #23322 Co-authored-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 March 2023, 18:33:54 UTC
f8ed62c pkg/k8s: set user-agent in k8s client The user agent for the k8s client was never set and it was defaulting to a non-specific one, which would make it difficult to distinguish the Cilium requests in the kube-apiserver logs. This looks like a regression introduced in fc41aeb6152c and, similarly to the user-agent, we should make sure we are not overwriting any default QPS nor Burst values with '0'. Fixes: fc41aeb6152c ("k8s: Add k8s-client cell") Signed-off-by: André Martins <andre@cilium.io> 10 March 2023, 18:22:53 UTC
10deda4 bpf: Remove fib_redirect's BPF_FIB_LOOKUP_DIRECT For now just do full routing lookup if users have custom tables in the wild, and if we want to optimize it later, we could add an agent flag to opt out. Fixes: #24252 Related: #23658 Reported-by: Wei Wei (@weiwei02) Reported-by: Andrei Kvapil (@kvaps) Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 March 2023, 15:41:27 UTC
959b40a dns: Set --tofqdns-min-ttl to zero by default This commit changes the default value of --tofqdns-min-ttl from 3600 seconds to zero. This means Cilium honors the TTLs returned from the upstream DNS server by default. Explicitly configure --tofqdns-min-ttl if you need to preserve the previous behavior that lets applications create new connections within the pre-defined --tofqdns-min-ttl time window after the DNS TTL is expired. --tofqdns-min-ttl setting is no longer needed since the poll-based DNS implementation has been replaced by the proxy-based implementation. Having the minimum TTL set to 1 hour by default adds unnecessary CPU / memory overhead, as Cilium ends up keeping track of expired DNS info. This is especially problematic when the upstream DNS server returns responses with short TTLs and many unique IP addresses. Co-authored-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 10 March 2023, 15:33:16 UTC
04da8a4 fix(deps): pin dependencies Signed-off-by: Renovate Bot <bot@renovateapp.com> 10 March 2023, 15:19:42 UTC
5c59e61 chore: Update json-mock image Just replace docker.io/cilium/json-mock.* to quay.io/cilium/json-mock:v1.3.3@sha256:f26044a2b8085fcaa8146b6b8bb73556134d7ec3d5782c6a04a058c945924ca0 Switching to quay.io is done as the current image in docker.io only has amd64 build, but not arm version. It's also consistent with main cilium image repository. Fixes: #24170 Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 March 2023, 15:18:38 UTC
1e09c39 pkg/ipcache: add ipcacher interface With an interface it will be possible to reuse certain code without requiring a real implementation of the ipcache. This can prove useful when mocking some aspects of the controlplane. Signed-off-by: André Martins <andre@cilium.io> 10 March 2023, 12:38:22 UTC
46ecd9a helm: allow to override the CA cert on a clustermesh peer basis This commit extends the helm chart to enable overriding the CA certificate of a specific clustermesh peer. This is required in case different CAs are used across the mesh, since it otherwise defaults to the local one. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 March 2023, 12:09:39 UTC
a019680 helm: simplify TLS config for clustermesh etcd if CA is shared In the clustermesh context, when the CA is shared across clusters, there is no need to explicitly set the TLS private key and certificate for each peer, since the one with CN=remote available locally is enough for authn/authz purposes. This commit extends the helm chart to automatically mount the secret containing the above key and certificate alongside the existing clustermesh configuration files, and for each peer configures etcd to use those if no TLS entry is provided. Overall, this simplifies the declarative configuration of clustermesh peers, as well as makes it transparent to the certificate renewal process. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 10 March 2023, 12:09:39 UTC
7dbc63a Update clustermesh requirements to mention node InternalIP explicitly Discovered in community slack that k8s node ExternalIP isn't used by clustermesh even if configured. Let's be explicit about InternalIP in the documented reqs, until such time as use of node ExternalIP is supported. Signed-off-by: Jef Spaleta <jspaleta@gmail.com> 10 March 2023, 09:51:40 UTC
eff384c envoy: Avoid using deprecated field This is to avoid the below warning log upon agent start-up ``` 2023-02-27T06:06:18.292863957Z level=warning msg="[Deprecated field: type envoy.type.matcher.v3.RegexMatcher Using deprecated option 'envoy.type.matcher.v3.RegexMatcher.google_re2' from file regex.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override." subsys=envoy-misc threadID=724 ``` Relates: #23940 Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 March 2023, 09:48:42 UTC
8b20703 daemon: initialize datapath before compiling sockops programs When egress gateway is enabled, we define the ENABLE_EGRESS_GATEWAY macro in the datapath, which in lib/common.h causes HAVE_ENCAP to be defined as well: #if defined(ENCAP_IFINDEX) || defined(ENABLE_EGRESS_GATEWAY) #define HAVE_ENCAP //.. #endif This doesn't work with sockops enabled, as bpf_sockops.c ends up including lib/overloadable_skb.h with HAVE_ENCAP defined and ENCAP_IFINDEX not defined. This happens since in the daemon we currently: - create the node_config.h header file with createNodeConfigHeaderfile() - invoke the logic to compile the sockops programs with the sockops.Sockmap*() methods - initialize the datapath with Datapath().Loader().Reinitialize(), which is responsible among other things of invoking bpf/init.sh, which in turn is responsible for populating node_config.h with a few missing constants, one of which is ENCAP_IFINDEX To fix this, simply invoke Datapath().Loader().Reinitialize() before compiling the sockops programs, in order to properly populate node_config.h Fixes: #24090 Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 March 2023, 23:27:02 UTC
75c9ce9 hubble: Use netip.Addr instead of net.IP in getter functions Various parts of Cilium now use netip.Addr instead of net.IP or custom IP types internally, and other parts will likely be migrated soon. This patch updates Hubble getters to take netip.Addr as an argument instead of net.IP. That will reduce type conversions needed in Hubble. All getters handle invalid addresses. Signed-off-by: Anna Kapuscinska <anna@isovalent.com> 09 March 2023, 20:56:56 UTC
7eecd10 dnsproxy: Rename targetServerAddr -> targetServerAddrStr Only renaming a variable, to avoid confusion with netip.Addr. It's preparing to migrate from net.IP to netip.Addr. Signed-off-by: Anna Kapuscinska <anna@isovalent.com> 09 March 2023, 20:56:56 UTC
54a896c endpointmanager: Use netip.Addr instead of net.IP in LookupIP It's preparing to migrate Hubble getters (calling LookupIP) from net.IP to netip.Addr. Signed-off-by: Anna Kapuscinska <anna@isovalent.com> 09 March 2023, 20:56:56 UTC
8423c45 test: Enable conformance tests for SCTP These tests should now be supported, so enable them. Fixes: ae046b49a797 ("bpf: Add partial SCTP support.") Signed-off-by: Joe Stringer <joe@cilium.io> 09 March 2023, 16:29:53 UTC
54ee633 endpoint: correctly log IPv6 addresses Reference: https://github.com/cilium/cilium/commit/f3a4c4d204cf84af3d40f4782aa68e7c2da98440#r103598930 Fixes: f3a4c4d204cf ("endpoint: convert Endpoint from addressing.CiliumIPv{4,6} to netip.Addr") Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 16:25:21 UTC
80618bc workflow: enable pod-to-cidr tests This commit enables pod-to-cidr tests that were disabled due to flaky results. With the latest version of cilium-cli configuration, flags were added for cidr targets. We are using two different DNS as targets and use them in reverse in some cases in order to minimize rate limiting. DNS targets were determined by experimenting with connection times from cloud providers. Signed-off-by: Birol Bilgin <birol@cilium.io> 09 March 2023, 14:27:16 UTC
ce1f94e Optimize GetControllerName for CNP. Use strings.Builder instead of fmt.Sprintf(). Results: ``` benchmark old ns/op new ns/op delta BenchmarkCNPGetControllerName-10 338 206 -39.05% benchmark old allocs new allocs delta BenchmarkCNPGetControllerName-10 6 4 -33.33% benchmark old bytes new bytes delta BenchmarkCNPGetControllerName-10 464 432 -6.90% ``` Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 09 March 2023, 14:25:13 UTC
853ec10 Fix duplicated logs for test-output.log This patch avoids duplicated info in the test-output.log Fixes: #18515 Signed-off-by: Roman Ptitcyn <romanspb@yahoo.com> 09 March 2023, 12:07:48 UTC
9bb6e50 hive: fix documentation for cell.Provide & cell.ProvidePrivate Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 09 March 2023, 10:35:48 UTC
d6503fa daemon: move circular initialization of policy.Repository to hive IPCache, CachingIdentityAllocator and policy.Repository (really SelectorCache) have a gnarly circular dependency during initialization. Do the simplest possible thing and lift them into hive by providing a constructor that encapsulates the necessary logic. This way we can add dependencies on these without having to modularize them first. During shutdown of the IPCache we first cancel the context and then call IPCache.Shutdown, see cilium#21676. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 09 March 2023, 10:18:27 UTC
fb9e75b policy: add NewStoppedPolicyRepository Add a constructor for Repository that doesn't allocate any queues. This is necessary to satisfy hive invariants. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 09 March 2023, 10:18:27 UTC
c12cbe4 egressgateway, ipcache: depend on k8s.CacheStatus Introduce a small wrapper around chan struct{} to be able to provide it via hive to egressgateway and ipcache. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 09 March 2023, 10:18:27 UTC
5d8335d gh/workflows: enable egress gateway in datapath workflows Enable the egress gateway in some datapath workflows. Doing this is a bit tricky, since EGW relies on BPF masquerading to function. The latter has been disabled to work around #23283. Instead, we can force legacy host routing which has a similar effect. Unfortunately, BPF masquerading doesn't work for IPv6 so enabling it breaks a bunch of testcases! The solution is to run half of the tests with BPF masq and EGW disabled, and the other half with EGW on, BPF masq on and IPv6 masq disabled. Updates #24151. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 09 March 2023, 09:07:36 UTC
2507bf8 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 09 March 2023, 08:40:31 UTC
53236dd chore(deps): update docker.io/library/golang docker tag to v1.20.2 Signed-off-by: Renovate Bot <bot@renovateapp.com> 09 March 2023, 08:40:31 UTC
e3f1a22 ipam: track IP owner per pool Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
3981f95 ipam: incorporate pool in excludedIPs Encode pool:ip in the map key rather than maintaining a map of maps which would require allocating new maps in (*IPAM).ExcludeIP for pools that weren't previously known. Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
a2c4d49 ipam: refactor isIPExcluded to return current owner And use it to replace an open-coded access of the excludedIPs map. Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
9b2fdf6 ipam: wire up pool parameter from Cilium API to IPAM calls No functional change, the pool parameter is ignored for now and will be set/used in a later change. Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
ee23f0b client, cni, docker: pass pool parameter on API calls It's empty for now, so no functional change. It will be set e.g. based on pod annotations in a later change. Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
2195479 api/v1: add optional pool param to IPAM methods This will be used in a successive commit to allocate/release IPs from non-default pools. Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 March 2023, 07:39:16 UTC
a91e20a contrib: Remove deb,rpm packaging These have been bitrotting for a while now (the deb version lists version 0.9.90), and we have no mechanisms for building, deploying or testing these packages. The primary mechanism for distributing and using Cilium is via docker images, so let's focus on making those work really well and discard these. We can always resurrect these in future via git if we need to. Signed-off-by: Joe Stringer <joe@cilium.io> 08 March 2023, 17:22:48 UTC
cd0b2f8 fix(deps): update all go dependencies master Signed-off-by: Renovate Bot <bot@renovateapp.com> 08 March 2023, 09:59:05 UTC
ab5ea83 Add Spire delegate API as CertificateProvider This adds an implementation of the Delegate API of a SPIRE server as a source for certificates to be used in an mTLS handshake. It will connect to the admin socket of a SPIRE agent where it will be able to get the certificates and keys in the name of all Cilium workloads which are receiving an SVID from the controller. This is then cached in memory for the auth handler to request. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> 08 March 2023, 09:54:06 UTC
7275f04 Vendor in SPIFFE/SPIRE SDK This adds a dependency on the SPIFFE/SPIRE SDK to be used in the mTLS handling code. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> 08 March 2023, 09:54:06 UTC
6126ad7 Define a CertificateProvider interface This adds an interface for a hive cell to use that provides the auth package with a way to receive and verify validity of certificates involved. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> 08 March 2023, 09:54:06 UTC
4274616 feat: optional bpf mount On distributions that already mount the `bpffs` filesystem at `/sys/fs/bpf` this is a good way to optionally disable the bpf mount init container and have no pods running with `securityContext.privileged`, and it also reduces the number of init containers that need to be run. This option was previously used when the `containerRuntime.integration=crio` helm value was set; since this is not only specific to crio, deprecate the `containerRuntime.integration=crio` option to skip mounting the `bpffs` filesystem in favour of `bpf.autoMount.enabled`, which is similar to how `cgroupv2` mounts are disabled (`cgroup.autoMount.enabled`). Eg: On [Talos](https://www.talos.dev/) both `cgroupv2` and `bpffs` filesystems are already mounted and using a values yaml like below helps reduce the number of init containers by a factor of two. `partial-values.yaml` ```yaml cgroup: autoMount: enabled: false hostRoot: /sys/fs/cgroup bpf: autoMount: enabled: false ``` Signed-off-by: Noel Georgi <git@frezbo.dev> 07 March 2023, 23:29:37 UTC
80e8a9b use atomic.Pointer instead of bare LoadPointer There are a couple of uses of LoadPointer in the code base, which lead to a proliferation of unsafe.Pointer. Since Go 1.19 we can use atomic.Pointer instead to get a type safe wrapper. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 07 March 2023, 23:27:53 UTC
1823afb Proxy Terminating Endpoints To avoid connection drops during rolling updates, Kubernetes defines a Terminating state on the EndpointSlices that can be used to identify Pods that, despite being terminated, can still serve traffic. In case there are no Ready backends, use the Terminating and Serving pods. https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1669-proxy-terminating-endpoints Signed-off-by: Antonio Ojea <aojea@google.com> 07 March 2023, 21:44:31 UTC
e5d8cbc EndpointSlice semantics Fix the usage of the EndpointSlice Conditions semantics: Ready, Serving and Terminating. The conditions of the Endpoints and EndpointSlices are complicated because, to keep backwards compatibility in the API, a new Serving state has been added. This Serving state must be used to include an endpoint that is Terminating; pods that are not Serving should not be used as backends. Signed-off-by: Antonio Ojea <aojea@google.com> 07 March 2023, 21:44:31 UTC
0304818 Reduce number of CES updates sent to API server in short time for one CES Change the `DefaultCESSyncTime` to 500ms. The Cilium operator watches CiliumEndpoints (CEP) and batches them into CiliumEndpointSlices (CES). During high pod churn (Create, Update, Delete) rate, there are many CEPs created and batched into the same CES. Kube-apiserver logs show that it sometimes receives up to 10 CES updates from the Cilium operator for the same CES in less than 1 second. This behavior is degrading the performance of CEP batching, because the rate limiter for CES updates is based on the specified number of mutating requests per second. It is also inefficient, because adding up to 500ms delay to propagate CiliumEndpoints through the cluster is currently considered insignificant. The estimated and tested improvement is to reduce the number of CES update requests sent to the API server by a factor of 5 when there is a high pod churn rate. 500ms delay is insignificant because: 1. CiliumEndpoint batching is a feature to improve performance at scale, by reducing the load on the kube-apiserver, and also keeping the propagation latency low. The bottleneck at scale is the rate at which CES updates can be sent to the kube-apiserver, which is rate limited by the CES workqueue in the Cilium operator. In large clusters it can go into minutes, or even hours in the worst case with Identity batching mode. Without appropriate rate limiting, CES updates can overload kube-apiserver. There is a scalability/performance feature of kube-apiserver called [Priority & Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/), which should help here, but it's still not at a stage that it can be relied on. With this in mind, clusters that need to use CEP batching will want to accept the delay of 500ms of sending CES updates, because it actually improves performance -- has lower latency to configure all nodes to communicate with every new pod. This is because multiple CES updates for the same CES will not be taking up nearly as many updates per second, and that other CES updates waiting in the queue are processed quicker. 2. The workqueue's `AddAfter()` works in a way that it enqueues the item for the first CES event right away, and adds delay only when there are subsequent events for the same CES. This means that in the worst case, only some CEPs that were added to CES may have up to 500ms delay to be processed. Here is an example that shows how the first update is immediately enqueued and processed, and that delay only affects subsequent updates and is always lower than 500ms: Time 0ms - Update A is immediately enqueued to be processed. Time 200ms - Update B is delayed to be enqueued at 500ms after the most recent enqueued update Time 300ms - Update C is delayed to be enqueued at 500ms after the most recent enqueued update Time 400ms - Update D is delayed to be enqueued at 500ms after the most recent enqueued update Time 500ms - A single CES update is enqueued to be processed, that covers all changes in updates B, C and D. Delay for update B was 300ms, for update C 200ms and for update D 100ms. 3. Pods are communicating with each other through services. Both default clusterIP or headless service and DNS require Endpoints/EndpointSlice objects to be populated with pod IPs first. This means that new pods already have some similar delay to be truly reachable (not just network ready). As I mentioned above, EndpointSlices already have 1 second delay for updates, which makes 500ms insignificant. 4. 500ms is a very small price to pay for using network policies at scale. There are no SLOs for network policies that cover this, or would indicate it as a regression, although some users might rely on lower latency. Also compared to Cilium's pod startup latency regression of a few seconds, which was recently reduced, it wasn't presenting real issues for Cilium's performance. Signed-off-by: Dorde Lapcevic <dordel@google.com> 07 March 2023, 21:41:39 UTC
cae1a7f images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 07 March 2023, 19:25:36 UTC
f0fd9cd chore(deps): update base-images Signed-off-by: Renovate Bot <bot@renovateapp.com> 07 March 2023, 19:25:36 UTC
c09ee90 bpf: clean up ctx_adjust_hroom_flags() variants We have two implementations (for DSR and SRv6) that do the same thing. Consolidate them. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2023, 16:42:00 UTC
685cfb7 bpf: dsr: clarify endianness in DSR tail calls The address and port are passed via CB in network-order, and that's also what the various low-level functions expect. Clarify the types. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 March 2023, 16:42:00 UTC
6a1a0c5 test: gather containerd logs on failure To aid in debugging. Sometimes containerd gets sad, and the only way to feel better is to talk about it. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 07 March 2023, 16:39:43 UTC
a646acc golangci-lint: fix unused issues in lbipam Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:41 UTC
52f30da golangci-lint: remove deprecated linter varcheck Removing the deprecated linter varcheck, which has been replaced with unused. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:41 UTC
44bd789 golangci-lint: Update to v1.51.2 Updating golangci-lint to latest version which fixes caching issues and therefore improves performance. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:41 UTC
193335c auth: include dropnotify & connectioninfo into authResult Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
a9bcbf4 auth: Introduce event queue in auth monitor Since NotifyPerfEvent must not block the monitor producer, an event queue has been introduced into the auth monitor. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
4997395 auth: pass dedicated auth result into datapath authenticator Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
2ccebfe auth: remove one node ip from auth handler interface Only localIdentity, remoteIdentity & remoteHostIP are passed to an auth handler. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
74eb7f6 auth: unit tests for manager & monitor Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
6b8aa9c auth: extract datapathAuthenticator interface To support better testability of the auth manager itself, the interface dataPathAuthenticator is responsible for writing an authenticated request back into the datapath. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
19a885b auth: Provide auth request data to auth handler Relevant information for auth handlers is passed in the auth request (srcId, dstId, srcNodeIP, dstNodeIP). The node IPs are gathered via the IPCache. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
470bd3e auth: manual injection of IPCache into Auth Manager Manual injection of the IPCache into the Auth Manager via setter. This is necessary, as long as the IPCache isn't a dedicated cell which can be injected into the Auth Manager via hive. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
87caff5 auth: define auth handler auth-request & response types Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
3f47387 ipcache: Expose GetHostIP This commit exposes the functionality to retrieve the host IP for a given IP. This is necessary to retrieve the host IP of a Cilium Endpoint when authenticating the identities via Cilium Agent in case of ServiceMesh mTLS. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 07 March 2023, 16:38:06 UTC
0ee8015 clustermesh-apiserver: Add helm values. * ExternalTrafficPolicy * internalTrafficPolicy Signed-off-by: kahirokunn <okinakahiro@gmail.com> 07 March 2023, 16:37:15 UTC
1a3dd17 Add User doc to PR Template Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> 07 March 2023, 16:36:46 UTC
305af9e service cache should handle duplicate endpoints addresses In some corner cases, a group of endpointslices may have the same address duplicated in different slices. Since the Endpoints are cached by address, when aggregating the endpoints, we should merge the content instead of overwriting. Signed-off-by: Antonio Ojea <aojea@google.com> 07 March 2023, 16:36:13 UTC
ed05c7e bpf: Update checkpatch image Update checkpatch image to pull the latest changes we've added: namely, allowing the use of _Static_assert, and ignoring the reports suggesting the use of the BIT_MACRO kernel macro. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 07 March 2023, 16:33:18 UTC
841d1f3 add 1.13 conformance test The 1.13 conformance test was added during the 1.13 release cycle with a27609a3eeef6f4d77d3a32e2cf0a5682fe301f8 so we should also be testing the v1.13 branch for regressions. Fixes: fc7ae83692b1 ("Prepare for v1.14 development cycle") Signed-off-by: André Martins <andre@cilium.io> 07 March 2023, 10:59:02 UTC
f77231f renovate: skip ginkgo update to v2 We are not planning to update ginkgo to v2 so we should skip the dependency update for this version. Signed-off-by: André Martins <andre@cilium.io> 07 March 2023, 10:54:34 UTC
a52ed32 fix(deps): update all go dependencies master to v2 Signed-off-by: Renovate Bot <bot@renovateapp.com> 07 March 2023, 10:54:34 UTC
95b6033 fix(deps): pin dependencies Signed-off-by: Renovate Bot <bot@renovateapp.com> 07 March 2023, 10:52:40 UTC
a2b7bed pkg/identity: Optimize PrefixString() Remove the use of fmt.Sprintf(), which is known to be inefficient, and simplify the function by reducing allocations and computations when generating the prefix string. Results:
```
$ go test -v ./pkg/identity -run '^$' -count 10 -bench BenchmarkIPIdentityPair_PrefixString -benchmem > old.txt
$ go test -v ./pkg/identity -run '^$' -count 10 -bench BenchmarkIPIdentityPair_PrefixString -benchmem > new.txt
$ benchstat old.txt new.txt
name                                     old time/op    new time/op    delta
IPIdentityPair_PrefixString/host-16      438ns ± 6%     126ns ± 6%     -71.12%  (p=0.000 n=10+10)
IPIdentityPair_PrefixString/not_host-16  248ns ± 8%      61ns ± 3%     -75.55%  (p=0.000 n=10+9)

name                                     old alloc/op   new alloc/op   delta
IPIdentityPair_PrefixString/host-16      64.0B ± 0%     32.0B ± 0%     -50.00%  (p=0.000 n=10+10)
IPIdentityPair_PrefixString/not_host-16  48.0B ± 0%     16.0B ± 0%     -66.67%  (p=0.000 n=10+10)

name                                     old allocs/op  new allocs/op  delta
IPIdentityPair_PrefixString/host-16      5.00 ± 0%      2.00 ± 0%      -60.00%  (p=0.000 n=10+10)
IPIdentityPair_PrefixString/not_host-16  3.00 ± 0%      1.00 ± 0%      -66.67%  (p=0.000 n=10+10)
```
Co-authored-by: David Schlosnagle <davids@palantir.com> Signed-off-by: David Schlosnagle <davids@palantir.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 07 March 2023, 10:05:46 UTC
17b7382 pkg/identity: Add benchmark for PrefixString() This will allow us to establish a baseline when evaluating optimizations to this function. Signed-off-by: Chris Tarazi <chris@isovalent.com> 07 March 2023, 10:05:46 UTC
fefcc31 pkg/identity: Add PrefixString() tests Add unit test coverage to (*IPIdentityPair).PrefixString(). Signed-off-by: David Schlosnagle <davids@palantir.com> 07 March 2023, 10:05:46 UTC
cd5b127 cilium, docs: Move sig-datapath meeting to on-demand only It's been like this for a while anyway, and if from the Cilium weekly meeting a topic is raised that needs more discussion, we can always schedule a one-off session with sig-datapath folks. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 March 2023, 09:57:54 UTC
f296f1e fix: Deprecated flag --ipv4-native-routing-cidr update in cli Signed-off-by: Deepesha Burse <deepesha.3007@gmail.com> 07 March 2023, 03:28:48 UTC
449bb80 Check stale cilium endpoint flag before cleaning The "--enable-stale-cilium-endpoint-cleanup" flag is never checked before running "cleanStaleCEPs". Signed-off-by: Steven Johnson <sjdot@protonmail.com> 07 March 2023, 03:27:39 UTC
bb408ed Create derivative policy for EgressDeny rules This PR is to generate derivative policy when `egressDeny` includes `toGroups` rules. Fixes: #23829 Signed-off-by: Rocky Chen <rocky.chen@outlook.com> 07 March 2023, 03:27:01 UTC
4c2e4d0 nodemanager, endpointmanager: Fix leaked goroutines in constructors EndpointManager was starting the endpoint-gc controller in the constructor and not from the start hook which left a pkg/controller's runController running. NodeManager created the workerpool in the constructor which left WorkerPool.run running. Signed-off-by: Jussi Maki <jussi@isovalent.com> 07 March 2023, 03:26:16 UTC