https://github.com/cilium/cilium

fc70b76 cilium, doc: update the limitation section for bandwidth manager Move the L7 proxy part out, and instead of having long explanation in the main section about ifb details etc, move all this to limitation to keep it simple for readers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 27 August 2020, 08:38:38 UTC
70bc052 bpf: set edt aggregate for traffic from proxy Enable tagging packets egressing from proxy such that they can be subject to EDT rate-limiting on the phys dev. Given aggregate id cannot be preserved when passing proxy, we need to look it up in the endpoint map based on the source. Given the proxy overhead, that lookup should be negligible especially given hashtab is rather efficient. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 27 August 2020, 08:30:02 UTC
7457ce6 Fix expression per lint error Signed-off-by: John Watson <johnw@planetscale.com> 26 August 2020, 22:42:24 UTC
ff821d2 Simplify gate expression Signed-off-by: John Watson <johnw@planetscale.com> 26 August 2020, 22:42:24 UTC
58aea35 nodeinit: only bypass IP-MASQ if Cilium manages masquerade Signed-off-by: John Watson <johnw@planetscale.com> 26 August 2020, 22:42:24 UTC
88688c3 bpf: Avoid setting all bits on bpf stack ingress When making use of eBPF TPROXY, avoid setting bits in the upper portions of the mark which would previously be used in non-eBPF TPROXY for determining the transparent socket port. These bits do not need to be set in this case, so leaving them unset helps to better integrate with other potential users of the mark. Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
b6f3310 dnsproxy: Disable SO_REUSEPORT with bpf tproxy The upstream BPF TPROXY support doesn't support REUSEPORT sockets at this time, so disable REUSEPORT if BPF TPROXY is enabled. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
35f28a3 test: Add proxy datapaths test Add a test which deploys connectivity-check-proxy.yaml from the examples/kubernetes/connectivity-check/ dirs, to validate the various egress/ingress/dual proxy cases. Related: #12714 Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
d401b0b install: Add support to configure BPF tproxy Default it to enabled for new v1.9 installs, v1.8 upgrades will disable. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
69956a9 daemon: Add --enable-bpf-tproxy This flag supports manually enabling or disabling the BPF-based tproxy functionality as supported on Linux 5.7 or later. If it is enabled, then the iptables rules which perform tproxy action will be disabled and the equivalent functionality will be enabled in BPF in the datapath. Some rules such as ones that configure the stack to ignore proxy flows and avoid connection tracking them via iptables are left in place in case the user still has iptables enabled in their environment. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
0286646 bpf: Implement BPF TPROXY for traffic from the host For stack packet receive ~reasons~, the ability to assign a socket to the context is only supported at TC ingress. As such, when for instance the host itself is sending traffic to endpoints on the same node, or when the egress proxy is sending traffic towards an endpoint that also has ingress L7 policy applied, we need to redirect the packet towards an ingress TC program before assigning the socket to the context. The process of redirecting the traffic towards an ingress qdisc was already present as this is necessary to actually present the traffic to the stack to send to the proxy; this commit extends that logic to perform the same logic as the previous commit for socket assign from the host ingress program. In the case of the host ingress program, we don't have the luxury of having already extracted the packet tuple for performing socket lookup, so in this case we are required to perform this extraction again. (*) (*) This was written pre-hostfw so there may be some room to perform better sharing of the implementation for this case now. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
b042aac bpf: Implement BPF TPROXY for traffic to the host In cases where the traffic is being processed in a BPF program at TC ingress, ie the traffic is already heading towards the host, we can implement the socket lookup & assign logic directly in the proxy redirect logic here. This applies, for instance, to traffic arriving from an endpoint on the lxc device, or from a tunnel (via tail call to the endpoint policy program). In these cases, we attempt to first locate any full sockets associated with the tuple, and if the connection is already established, assign the corresponding socket to the skb to notify the stack to pass the traffic into the socket. If the full socket cannot be found, then we fall back to listen sockets for the proxy port and assign that one. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
23c6001 bpf: Pass tuple into ctx_redirect_to_proxy In preparation for implementing BPF TPROXY in ctx_redirect_to_proxy(), pass the tuple into this function from all of its callers. In this commit it will remain unused but in future commits this will begin to be used in particular cases to perform a socket lookup in the callee. When endpoint-routes mode is enabled, we're executing on TC egress which can't make use of the tuple yet so we won't extract the tuple out at this point (pass NULL). The "hairpin" redirect will redirect this back to a device where we can perform the tuple extraction & socket lookup. NOTE: At this point when passing the tuple in, I am making the assumption that it is no longer needed at these call points so ctx_redirect_to_proxy() is welcome to thrash it and use it as scratch buffer as it searches for the relevant sockets. As such it is deliberately not marked "const". If this assumption is invalid or reviewers have suggestions how to alleviate this assumption, please comment in the review. If you're reading this in the future and have hit an issue due to rewrites of the tuple in this function, then.... sorry? :-) Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
a5e56e2 bpf: Add socket lookup,assign helpers Define these helpers for use in upcoming BPF TPROXY commits. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
1186d69 monitor: Add notifications for socket failures Add drop and debug notifications that will be used by upcoming commits to emit informational events from the datapath when BPF TPROXY is enabled. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
ece6fa9 bpf: Fix up proxy debug monitor message for hairpin When hairpinning, it's useful to have two datapoints for the proxy redirect: One in the original program and one in the program that actually prepares the context to send the packet to the proxy. The ctx_redirect_to_proxy_hairpin one should occur in the original program, so change it to DBG_CAPTURE_PROXY_PRE. The corresponding DBG_CAPTURE_PROXY_POST should be handled in the "to-host" program later. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
71f077f bpf: Use CB_PROXY_MAGIC to store proxy meta magic Use the define here to improve readability and locating the code that changes specific offsets in the context metadata (eg skb->cb). The value is the same, this is a purely cosmetic change. Signed-off-by: Joe Stringer <joe@cilium.io> 26 August 2020, 20:08:53 UTC
dee0191 docs: bump kernel and ena driver version, drop custom prebuilt driver in EKS XDP GSG The kernel-ng package updated to 5.4.58-27.104.amzn2.x86_64 which includes version 2.2.10g of the ena driver. Thus we no longer require a manually built ena driver for the EKS XDP Getting Started Guide. Drop the corresponding note as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 26 August 2020, 16:14:33 UTC
3030ba6 cilium, test: add various netperf e2e tests Add {Pod,Host} to Pod netperf tests over VMs with different bandwidth limits in direct routing and tunneling mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 26 August 2020, 15:13:23 UTC
7476d27 bpf: reset edt aggregate for nodeport traffic that is remotely handled Reset it to zero so that rx queue mapping won't accidentally select a known aggregate given we don't rate-limit these. This is for fwd direction where backend is remote as well as reverse direction in case of SNAT where reply hits the middle node again. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 26 August 2020, 15:13:23 UTC
5fcf38f bpf: call edt_sched_departure from overlay egress Paul reported that rate-limiting with tunneling enabled currently does not work. This is due to queue_mapping being trashed upon dev_queue_xmit() on the vxlan/geneve dev. Instead of mapping this to some other skb meta data in the hope it doesn't get overridden during vxlan/geneve xmit, just set the timestamp from there. Given they have noqueue it gets close enough; the reported netperf rates are close enough. Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 26 August 2020, 15:13:23 UTC
7403251 docs: Disable BPF-masq in KIND GSG Disable BPF-masq when deploying in KIND until https://github.com/cilium/cilium/issues/12699 has been fixed. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 14:12:07 UTC
9770931 endpoint: Clean up the bwmap on pod termination The bandwidth manager map is populated with the rate limits to apply to specific pods (not all pods are rate limited). On pod termination, we must remove the corresponding entry from the map, if a rate limit was configured. Fixes: 29f4654 ("cilium: add bandwidth manager") Signed-off-by: Paul Chaignon <paul@cilium.io> 26 August 2020, 14:11:31 UTC
eecd5b9 test: NodePort with host policy This commit adds new tests, identical to NodePort tests under vxlan tunneling and direct routing, but with an ingress+egress host policy applied. The host policy only allows communications between nodes and to specific endpoints for readiness probes. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 August 2020, 22:40:01 UTC
74be0b2 test: fromCIDR+toPorts host policy This commit extends the existing fromCIDR+toPorts policy test to test the same kind of policy for the host firewall. To that end, it: 1. Enables the host firewall. The issue in comment is not relevant anymore since masquerading is disabled. 2. Introduces a helper to get the ID of the host endpoint. This helper will likely be needed for other host firewall tests as well. 3. Loads a new DaemonSet to instantiate a host-networking pod on each k8s node. This pod serves as the target for host firewall connectivity tests. 4. Extends the existing test cases with CCNP tests. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 August 2020, 22:40:01 UTC
3f8f7c3 test: Enable host firewall in CI only when label is set The host firewall is only enabled in CI if label ci/host-firewall is set. The goal is to have default CI options closer to common user environments and host firewall is not enabled by default in those. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 August 2020, 22:40:01 UTC
fc6ac9d test/helpers: cleanup cilium components before running any tests This commit adds a cleaning up step in the BeforeAll block of the test suite that makes sure to clean up any orphaned cilium components in the cluster. This is useful when running local tests which in some cases like improper cleanup might lead to orphaned cilium components. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 25 August 2020, 13:26:28 UTC
f5ce105 test/helpers: fix spelling of ciliumclusterwidenetworkpolicy crd * Fixes the spelling of ciliumclusterwidenetworkpolicy rbac resource we dump when gathering log using kubectl helper. Fixes: aeefd5862ae4 ("test/helpers: dump rbac information on k8s test failure") Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 25 August 2020, 13:26:28 UTC
bd4c5e6 test/k8sT: fix failing missed k8s tests * Remove checking the presence of manifest file using os.Stat this does not work for some reason when running missed k8s tests. Instead create a dummy file if it does not exist and run `kubectl delete` on that so if the file does not exist it won't throw the kubectl error. * Remove dead code where we fallback to deleting `cilium.yaml` instead of timestamped file that we now use everywhere. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 25 August 2020, 13:26:28 UTC
35c8725 test/k8sT: do proper cleanup in update tests * Do proper cleanup of cilium deployment in K8s update test * Fix minor issue with DeploymentManager DeleteCilium function. * Add logging for context in UninstallCiliumFromManifest Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 25 August 2020, 13:26:28 UTC
7b1a801 helm: change serviceaccount name for cilium-pre-flight components * This commit changes service account name for cilium-pre-flight check so that it does not conflict with cilium serviceAccount name. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 25 August 2020, 13:26:28 UTC
018e63d envoy: Add Prometheus metrics listener Add Envoy listener for prometheus metrics at port configured via command line option '--proxy-prometheus-port'. Default 0 (== disabled). The corresponding Helm value 'global.proxy.prometheus.port' defaults to 9095, but is only configured if 'global.prometheus.enabled' is set to 'true'. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 25 August 2020, 13:25:25 UTC
552c823 fix: node-init should use docker if /etc/crictl.yaml not found This script has several tests for what the container runtime situation looks like to determine how best to restart the underlying containers (going around the kubelet) so that the new networking configuration can take effect. The first test looks to see if the crictl config file is configured to use docker, but if that file doesn't exist then it fails. I believe docker is the default if this hasn't been configured at all so if that file doesn't exist then use docker. Fixes #12850 Signed-off-by: Nathan Bird <njbird@infiniteenergy.com> 25 August 2020, 13:25:10 UTC
4004c33 images/cilium-test: New test suite image This is to be used with GKE test cluster operator that will be introduced in the due course. The operator will be in charge of running the tests, hence there needs to be an image with all test binaries and assets included. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> 25 August 2020, 13:24:23 UTC
d543d41 monitor: Avoid JSON-encoding agent events for in-memory storage This avoids encoding agent events in JSON before they are submitted to the cilium monitor socket. This change is in preparation for a subsequent PR where Hubble will store and expose agent events in their decoded form. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 25 August 2020, 13:23:00 UTC
be6c9c3 policy: Do not dump selections on logs Dumping all security identities selected by cached selectors can make for huge logs if there are thousands of PODs in the cluster. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 25 August 2020, 13:22:23 UTC
72e670c .gitattributes: Mark cmdref files as generated This commit tells Linguist [1] that files in Documentation/cmdref/ are generated and can therefore be hidden by default in pull requests. 1 - https://github.com/github/linguist Signed-off-by: Paul Chaignon <paul@cilium.io> 25 August 2020, 13:21:31 UTC
9af24ee cocci: extend WRITE_ONCE detection for const script It was suggesting that ctx should be marked const:

    static __always_inline __maybe_unused void bpf_clear_meta(struct __sk_buff *ctx)
    {
        __u32 zero = 0;

        WRITE_ONCE(ctx->cb[0], zero);
        WRITE_ONCE(ctx->cb[1], zero);
        WRITE_ONCE(ctx->cb[2], zero);
        WRITE_ONCE(ctx->cb[3], zero);
        WRITE_ONCE(ctx->cb[4], zero);
    }

Extend to cover x->z[...]. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 08:15:42 UTC
7fcd46c bpf: remove stale comment and unused helper Small leftover cleanup. Tested with: `BUILD_PERMUTATIONS=1 make`. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 08:15:42 UTC
c39cce9 cilium, docs: add gsg for bandwidth manager Add a simple GSG guide for the bandwidth manager along with a deployment example users can verify. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
e2b64a3 cilium: add bpf bandwidth command for map introspection Add a tool for introspecting current bandwidth settings from the BPF map:

    # ./cilium/cilium bpf bandwidth list
    IDENTITY   EGRESS BANDWIDTH (BitsPerSec)
    491        125M

This can easily be correlated with `cilium endpoint list`. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
87390a7 cilium, status: add bandwidth manager status Add status info message about bandwidth manager. Example output with agent flag --enable-bandwidth-manager=true and supported kernel:

    # ./cilium/cilium status
    [...]
    BandwidthManager:       EDT with BPF    [eno1]
    [...]

Otherwise:

    # ./cilium/cilium status
    [...]
    BandwidthManager:       Disabled
    [...]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
b83603c cilium, api: extend openapi to dump bandwidth manager status Dump info on whether it is enabled and if so which devices are managed. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
4d90692 cilium: warn on unsupported bandwidth pod annotations Throw a warning in particular when users try to configure an ingress bandwidth limitation to make it obvious that we do not support this. Also add one for egress when bw manager is disabled. Example when kubernetes.io/ingress-bandwidth is set:

    [...]
    level=warning msg="Endpoint has kubernetes.io/ingress-bandwidth annotation which is unsupported. This annotation is ignored." annotations="map[kubernetes.io/egress-bandwidth:125M kubernetes.io/ingress-bandwidth:125M]" k8sPodName=default/netperf-6d6cd89c86-6xtgh subsys=daemon
    [...]

Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
8c8ca99 cilium: use structured logging for setting sysctl params Use structured logging (WithFields) for sysctl settings:

    level=info msg="Setting up BPF bandwidth manager" subsys=bandwidth-manager
    level=info msg="Setting sysctl" subsys=bandwidth-manager sysParamName=net.core.netdev_max_backlog sysParamValue=1000
    level=info msg="Setting sysctl" subsys=bandwidth-manager sysParamName=net.core.somaxconn sysParamValue=4096
    level=info msg="Setting sysctl" subsys=bandwidth-manager sysParamName=net.core.default_qdisc sysParamValue=fq
    level=info msg="Setting sysctl" subsys=bandwidth-manager sysParamName=net.ipv4.tcp_congestion_control sysParamValue=bbr
    level=info msg="Setting sysctl" subsys=bandwidth-manager sysParamName=net.ipv4.tcp_max_syn_backlog sysParamValue=4096
    level=info msg="Setting qdisc to fq" device=eno1 subsys=bandwidth-manager
    level=info msg="Setting up BPF datapath" bpfClockSource=ktime bpfInsnSet=v2 subsys=datapath-loader
    level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.core.bpf_jit_enable sysParamValue=1
    level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.ipv4.conf.all.rp_filter sysParamValue=0
    level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.unprivileged_bpf_disabled sysParamValue=1
    level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.timer_migration sysParamValue=0
    level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.ipv6.conf.all.disable_ipv6 sysParamValue=0

Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
b4ebfe2 cilium, bpf: add metric counter for EDT drop horizon Add a counter so we can inspect rate-limiting drops due to too large departure time windows. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
29f4654 cilium: add bandwidth manager Base layer which implements setup of BBR + {MQ/FQ, FQ} as well as EDT based rate-limiting in BPF. Agent code implements map setup and handling of egress bandwidth label for Pods. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 August 2020, 05:32:30 UTC
423e855 cilium: disable timer migration Avoid spinlock contention on resetting TCP retransmit timer for large servers. Not disabling timer_migration is known to cause issues on larger servers with >= 64 CPUs. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/netdev/CANn89iKS6fas9O74U5w1wb+8DN==fXRKQ8nzq0tkT_VOXRtYBQ@mail.gmail.com 25 August 2020, 05:32:30 UTC
4112684 Remove GitHub issue template for support request Slack is the usual support forum these days, remove the support request template. It has rarely been used and is not very effective. Signed-off-by: Thomas Graf <thomas@cilium.io> 24 August 2020, 15:43:34 UTC
aacc6e7 connectivity-check: Use unprivileged ports Use of port 80 causes unnecessary requirements for k8s environments to allow pods to bind to privileged ports. Switch to port 8080 instead. Signed-off-by: Thomas Graf <thomas@cilium.io> 24 August 2020, 09:44:38 UTC
a4a1df0 etcd: Make keepalive interval and timeout configurable Signed-off-by: Thomas Graf <thomas@cilium.io> 24 August 2020, 09:39:20 UTC
268f406 pkg/kvstore: add gRPC keep alives for etcd connectivity If the client does not receive a keep alive from the server, that connection should be closed so the etcd client library does proper round robin for the other available endpoints. This might be a little bit aggressive in a larger environment if all clients perform keep alive requests to the etcd servers. Some testing could be done to verify if there is a large overhead of doing these keep alive requests. Signed-off-by: André Martins <andre@cilium.io> 24 August 2020, 09:39:20 UTC
fb0c3e5 metrics: Add new prometheus metrics and related label This PR is to add new metrics and labels as per the check done by official tool promtool. Summary of the changes can be found as below: - Deprecate eventType, mapName, subnetId, availabilityZone, repsonseCode labels in favour of event_type and map_name, subnet_id, availability_zone, and response_code. - Add _total suffix for counter metrics (cilium_endpoint_regenerations, cilium_k8s_client_api_calls_counter, cilium_policy_import_errors) - Add _count suffix for non-histogram and non-summary metrics (cilium_identity_count, cilium_policy_count) Relates: #11743 Signed-off-by: Tam Mach <sayboras@yahoo.com> 20 August 2020, 17:02:14 UTC
62d356d metrics: Add steps in GA to lint metrics after conformance test This is not ideal, but will help to mitigate similar cases. Signed-off-by: Tam Mach <sayboras@yahoo.com> 20 August 2020, 17:02:14 UTC
2a30cc1 docs: Add ipmasq and src range BPF maps limits Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 15:14:17 UTC
871080b docs: Add LB src range check section to kube-proxy-free gsg Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 15:14:17 UTC
3ec7b35 helm: Add config.svcSourceRangeCheck The config option can be used to disable the (LB) source range check feature (--enable-svc-source-range-check). Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 15:14:17 UTC
c142e5e test: Add integration test for LB src range check Currently, the test contains some sleeps for waiting until cilium-agents have updated their LB src range maps. In the future, it will be replaced by checking whether "cilium bpf source-list list" (TODO) contains relevant entries. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
bd6600f daemon: Rename --enable-loadbalancer-source-range-check Rename to --enable-svc-source-range-check, as in the future we might enable (e.g. via annotations) the checks for services which type != LoadBalancer. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
ae71d89 daemon: Enable LB src range check by default Disable it when running in the non-strict mode if the full LPM is missing, or fail hard if running in the strict mode. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
dd135f5 probe: Invoke HaveFullLPM checks only once The check is going to be used by the LB src range check, so reuse a result from a previous check if available. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
f903c17 service: Replace UpsertServiceParams with lb.SVC Both structs are identical, and the latter has been used everywhere. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
8ad79dc datapath: Add source range check for LB services The check is performed only if the SVC_FLAG_CHECK_SRC bit is set of a given service. The check is based on a lookup of the LB{4,6}_SRC_RANGE_MAP BPF maps which are of the LPM type. If an entry is not found for a given src IP addr + rev_nat_index, then such request is dropped. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
34fae55 service: Add provisioning of LoadBalancerSourceRanges The service manager gets updates from the k8s service watcher. If --enable-loadbalancer-source-range=true AND svc type = LB AND len(.spec.loadBalancerSourceRanges) != 0, it will populate the corresponding BPF maps via lbmap. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
945a852 lbmap: Add SourceRange maps The maps are going to be used by the LB source range check. The check is going to be enabled for those services whose type is LoadBalancer AND .spec.loadBalancerSourceRanges is not empty. Such service flags have the check source range bit being set. This allows the datapath to avoid doing a lookup in the maps for each request sent to a service of the LoadBalancer type. The maps are of the LPM type, and a key is a tuple containing LPM prefix, SVC rev_nat_id (aka svc ID), some padding and source IPv{4,6} addr. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
3195681 k8s: Add and parse LoadBalancerSourceRanges field It's going to be used by the loadBalancerSourceRanges check. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
c815406 daemon: Add --enable-loadbalancer-source-range-check flag Currently, the flag is noop. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 August 2020, 12:47:26 UTC
c4e4263 ipam: use existing CNPPluralName const Use the const already defined in pkg/k8s/apis/cilium.io/v2 instead of duplicating the "ciliumnodes" string. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 August 2020, 10:14:04 UTC
18ac5b5 operator: use existing *{Plural,Singular}Name consts for Cilium CRD names Use the consts already defined in pkg/k8s/apis/cilium.io/v2 instead of duplicating strings for the Cilium CRD names. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 August 2020, 10:14:04 UTC
9cee4db k8s: use existing *{Plural,Singular}Name consts for Cilium CRD names Use the consts already defined in pkg/k8s/apis/cilium.io/v2 instead of duplicating strings for the Cilium CRD names. Exception for auto-generated files in pkg/k8s/client/listers/cilium.io/v2 and pkg/k8s/client/informers/externalversions Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 20 August 2020, 10:14:04 UTC
3fb8793 docs: Add summary of bird integration This page previously lacked the core explanation of the roles that either Cilium or bird perform in this guide: That Cilium manages in-cluster network connectivity while bird advertises the pod ranges outside the cluster. Signed-off-by: Joe Stringer <joe@cilium.io> 20 August 2020, 10:12:07 UTC
2960b5f datapath: Pull skb data in to-netdev path It has been reported [1][2] that ICMP packets are being dropped by a receiving node due to DROP_INVALID when bpf_host was attached to the receiving iface. Further look into the issue revealed that the drops were happening because IP headers were not in the skb linear data (unsuccessful revalidate_data() caused the DROP_INVALID return). Fix this by making sure that the first invocation of revalidate_data() in the "to-netdev" path will always do skb_data_pull() before deciding that the packet is invalid. [1]: https://github.com/cilium/cilium/issues/11802 [2]: https://github.com/cilium/cilium/issues/12854 Reported-by: Andrei Kvapil <kvapss@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 August 2020, 21:34:39 UTC
ac31607 install/kubernetes: quote disableEnvoyVersionCheck when option is set The option needs to be quoted as this should be treated as a string. Fixes: c1d63f79e31e ("pkg/k8s: set schema version to 1.22.1") Signed-off-by: André Martins <andre@cilium.io> 19 August 2020, 09:11:57 UTC
f24a921 hubble: Switch GetEventsChannel to new consumer interface This commit switches the observer to use the new consumer interface instead of relying on the monitor listener to feed the events queue. This removes the need for GOB decoding in the parsers and decouples the L3/L4 and L7 parsers from the old monitor payload type. In addition, this adds support for keeping track of events dropped in the Hubble events queue by the monitor consumer. The old monitor listener code is removed. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 19 August 2020, 08:26:42 UTC
4ae060c hubble/relay: don't attempt to connect to peer without address Before this patch, the pool manager would attempt to connect to a peer with a nil Address field, and crash. This patch makes the pool manager return from connect() as soon as a nil Address is detected. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 19 August 2020, 07:24:01 UTC
4d8b175 hubble/relay: observer server handle peer without address Background: the observer server doesn't use the peer Address field other than for logging. Before this patch, the observer server would segfault when one of the peers would have a nil Address. This patch simply makes it log <nil> instead. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 19 August 2020, 07:24:01 UTC
c1d63f7 pkg/k8s: set schema version to 1.22.1 We don't need to update the schema version every time the schema is changed, we only need to be sure the schema version is updated before a release is done. Although the schema version was bumped 2 times in the 1.9 development cycle we only need to make sure it is set to 1.22.1 before we cut the first release candidate. Signed-off-by: André Martins <andre@cilium.io> 18 August 2020, 18:53:17 UTC
1d814f9 install/kubernetes: add permissive tolerations to cilium operator Since Cilium agents depend on the operator to be up and running, it is better to have some permissive tolerations in the Cilium Operator deployment spec. This will allow Cilium operator to be deployed in the cluster in similar tolerations as the Cilium agent daemonset. Regardless of node taints, the Operator pod will be scheduled, hence a permissive toleration. Signed-off-by: André Martins <andre@cilium.io> 18 August 2020, 18:01:57 UTC
7bd20a2 install/kubernetes: add disableEnvoyVersionCheck option With this option users will be able to deploy Cilium without envoy support which is helpful for arm64 clusters. Signed-off-by: André Martins <andre@cilium.io> 18 August 2020, 17:58:24 UTC
fdf5aac k8s: Remove unneeded markers from CNP and CCNP These marker comments have no effect. They are likely leftovers from when the tooling was not as mature. We are able to generate (`make generate-k8s-api`) without issue. Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
f3ddc79 k8s: Bump schema version to 1.22.2 This bump is after generating the following CRDs using the controller-gen tool: - CiliumNode - CiliumIdentity - CiliumEndpoint Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
c29722a k8s: Relax CRD upgrade check Previously, we only wanted to update a CRD when the CRD has an out-of-date schema version (which is inside the label "io.cilium.k8s.crd.schema.version".) Some CRDs like CiliumNode (CN) had a validation schema, but did not have a schema version (label mentioned above). This commit will allow all CRDs like CN to be updated, because it removes the check for the existence of the label. Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
de8ecc9 k8s: Improve readability of createUpdateCRD() Kubernetes code tends to have very long lines because of package / variable names, and can make certain lines hard to parse. This commit attempts to make the code easier to parse. No functional changes were made. Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
8765226 k8s: Generate CiliumNode CRD This commit adds resource name generation via markers. It also updates the validation schema via markers which the old method of hardcoding had a few fields missing / incorrect. Here's a summary of the main differences in the validation schema: 1) Old schema had eniTypes.ENISpec.MaxAllocate, which doesn't exist. It exists under ipamTypes.IPAMSpec.MaxAllocate. 2) Old schema was missing eniTypes.ENISpec.{InstanceID,InstanceType}, which is now included in this new generated schema. 3) Old schema was missing EncryptionSpec, which is now included in this new generated schema. 4) Old schema has azureTypes.AzureSpec.InstanceID, but that was removed and deprecated in favor of ipamTypes.IPAMSpec.InstanceID. See PR which forgot to remove this from the old validation schema. [1] This CRD is generated using https://book.kubebuilder.io/reference/generating-crd.html. [1]: https://github.com/cilium/cilium/pull/10569 Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
ed0c343 k8s: Generate CiliumIdentity CRD This CRD is generated using https://book.kubebuilder.io/reference/generating-crd.html. Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
ecc83b9 k8s: Generate CiliumEndpoint CRD This commit also adds a missing endpoint state, "invalid" This CRD is generated using https://book.kubebuilder.io/reference/generating-crd.html. Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
2b27e0a k8s: Restore removed CiliumNode CRD validation This was accidentally removed in commit 225526078b05c0b8d7d37d91cae8a62d45c0a448. Fixes: 2255260 ("k8s, policy: Add automated CRD generation") Signed-off-by: Chris Tarazi <chris@isovalent.com> 18 August 2020, 17:31:45 UTC
529328d images/{Dockerfile.dockerignore}: do not ignore .git The .git directory is important to detect the git commit SHA. This commit SHA is then used to present as part of the `cilium --version` command. Signed-off-by: André Martins <andre@cilium.io> 18 August 2020, 14:23:31 UTC
f0e584d operator: make EC2 AWS API endpoint configurable Add a new --ec2-api-endpoint operator option which allows specifying a custom AWS API endpoint for the EC2 service. One possible use-case for this is the usage of FIPS endpoints, see https://aws.amazon.com/compliance/fips/. For example, to use API endpoint ec2-fips.us-west-1.amazonaws.com, the AWS operator can be called using: cilium-operator-aws --ec2-api-endpoint=ec2-fips.us-west-1.amazonaws.com Fixes #12620 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 07:04:37 UTC
78ffdac operator/option: fix typo in UpdateEC2AdapterLimitViaAPI godoc comment Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 07:04:37 UTC
79faec9 vendor: bump github.com/aws/aws-sdk-go-v2 to 0.24.0 According to the changelog [1] this release will mark the final release using the current SDK design. [1] https://github.com/aws/aws-sdk-go-v2/blob/master/CHANGELOG.md#release-v0240-2020-07-21 Other than that, only the updated AWS service API definitions should affect Cilium. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 07:04:37 UTC
fef1a0d test: Add K8sUpdate on GKE to the quarantine Currently, it's broken, and it prevents other tests from being invoked. Signed-off-by: Martynas Pumputis <m@lambda.lt> 18 August 2020, 06:45:46 UTC
acd8a7d test: Do not provision LB SVC with IP addr on GKE Otherwise, GKE LB might fail to assign the IP addr to other LB svcs which results in the following failure: <*errors.errorString | 0xc0002a6410>: { s: "could not get service LoadBalancer IP addr: 30s timeout expired", } Signed-off-by: Martynas Pumputis <m@lambda.lt> 18 August 2020, 06:45:46 UTC
a7c2130 test: Refactor IP{Add,Del}Route helpers - Invoke cmds for a given node instead of returning cmd itself - reduces boilerplate by quite a bit. - Changes method names to the verb + noun form. Suggested-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 18 August 2020, 06:45:46 UTC
03ef3e4 test: Make ExecInFirstPod() return a single value Instead of returning (*CmdRes, error) make the method return *CmdRes by setting error in the CmdRes.err field. This makes assertions of functions which depend on the method simpler. A notable example is ExecInHostNetNS() which previously required two assertions. Finally, extend the *CMDRes success matcher by adding a check whether CmdRes.err is not nil. This will help us to catch bugs when CmdRes was considered as successful, although an error was set. Signed-off-by: Martynas Pumputis <m@lambda.lt> 18 August 2020, 06:45:46 UTC
0818740 test: Re-enable LoadBalancer tests This commit re-enables LoadBalancer service tests, and switches from MetalLB to dummylb [1]. The main reason for switching is that the former was operating in L2 mode which interfered with the vbox VM bridge resulting in the test flakes. The new lb only assigns LoadBalancerIP addr to a service (specified by a user in .spec.loadBalancerIP). Therefore, making the LB IP addr reachable from other nodes is up to a user. This can be achieved by installing a route on a client node (as we do in the test). [1]: https://github.com/cilium/dummylb. Signed-off-by: Martynas Pumputis <m@lambda.lt> 18 August 2020, 06:45:46 UTC
85600be docs/metrics: Correct label typo `equal` in metrics.rst This PR is to correct simple typo equal in metrics.rst Signed-off-by: Tam Mach <sayboras@yahoo.com> 17 August 2020, 10:27:16 UTC
87d4940 fix(k8s): Support recent api versions for {Deployment, ReplicaSet} To add recent API versions apps{v1beta1, v1beta2, v1}.Deployments and apps{v1beta2,v1}.ReplicaSet in cilium policy trace CLI. Refactor with switch type statement, and move common code to separate function Fixes: #12882 Signed-off-by: Tam Mach <sayboras@yahoo.com> 17 August 2020, 09:56:43 UTC
868670e docs/metrics: Correct label typo family in metrics.rst This PR is to correct simple typo in metrics.rst Signed-off-by: Tam Mach <sayboras@yahoo.com> 17 August 2020, 09:53:36 UTC
bfd972f install/kubernetes: add helm option to override lbmap max entries This commit adds a new helm bpf option `global.bpf.lbMapMax` that can be used to configure the max entries in LB service, backend and affinity maps. Extend KubeProxy free gsg to point out the use of this helm option when the user needs to scale the cluster beyond a default preconfigured limit. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 14 August 2020, 12:49:14 UTC