https://github.com/cilium/cilium
- HEAD
- refs/heads/1.2.7-hotfix1-fqdn-regen
- refs/heads/EndpointPolicyEnformcement
- refs/heads/all-scalability-improvements
- refs/heads/beta/service-mesh
- refs/heads/bpf-metrics
- refs/heads/brb/brb-patch-2
- refs/heads/cilium-envoy-crd-pre-beta
- refs/heads/cilium-no-gopath
- refs/heads/cli-upgrade-v1.12-ci-test
- refs/heads/clustermesh511-upgrade-test
- refs/heads/committers-codeowners
- refs/heads/debug
- refs/heads/dev/joe/v1.8-with-hostfw-fixes
- refs/heads/enable_cnp_latency
- refs/heads/encrypt-node-fixes
- refs/heads/ensure-macos-build-succeeds
- refs/heads/envoy-policy-precedence
- refs/heads/envoy-warnings-cleanup
- refs/heads/extension-mysql
- refs/heads/feature/cep-scalability
- refs/heads/feature/devices-and-addresses
- refs/heads/feature/devices-reconciliation-v1.16
- refs/heads/feature/main/svc-icmp-response
- refs/heads/feature/service-refactor
- refs/heads/feature/service-refactor-fresh
- refs/heads/feature/v1.11/beta-test
- refs/heads/feature/v1.11/k8s-ingress
- refs/heads/fix-iphealth
- refs/heads/fqdn-fixl3-wildcard
- refs/heads/fristonio/iptables-manager-fix
- refs/heads/ft/main/chancez/push-dev-charts
- refs/heads/ft/main/push_chart_stable_branches_fix
- refs/heads/ft/main/test_push_chart_updates
- refs/heads/gce-example
- refs/heads/gh-readonly-queue/main/pr-27509-78a5f177693fb443cd946441f45826bf7fa2437a
- refs/heads/ginkgo-better-timeout
- refs/heads/graduation
- refs/heads/hf/main/ipam-pools-build-230605
- refs/heads/hf/master/v1.12-rc2-health-dbg-v1
- refs/heads/hf/master/wg-fix-ipam-k8s-v2
- refs/heads/hf/v1.10/cls-prio2
- refs/heads/hf/v1.10/debug-taint-removal
- refs/heads/hf/v1.10/v1.10.10-with-19452
- refs/heads/hf/v1.10/v1.10.2-fix-ipsec-ep-routes
- refs/heads/hf/v1.10/v1.10.5-with-identity-leak-fix
- refs/heads/hf/v1.10/v1.10.7-additional-logs
- refs/heads/hf/v1.10/v1.10.7-exclude-local
- refs/heads/hf/v1.10/v1.10.7-exclude-loopback
- refs/heads/hf/v1.10/v1.10.7-extra-logs
- refs/heads/hf/v1.10/v1.10.7-more-logs
- refs/heads/hf/v1.10/v1.10.8-deadlock-and-complexity-fix
- refs/heads/hf/v1.10/v1.10.8-deadlock-fix
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v3
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v4
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v5
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v6
- refs/heads/hf/v1.10/xdp-multidev-with-bpf-multihoming-and-egress-gw-fixes-v7
- refs/heads/hf/v1.11/1.11.4-custom-taint
- refs/heads/hf/v1.11/19247-custom-taint-key
- refs/heads/hf/v1.11/dbg-svc-restore
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attach-and-logging
- refs/heads/hf/v1.11/v1.11.16-fix-xfrm-leak-eni-attachment
- refs/heads/hf/v1.11/v1.11.3-with-19259
- refs/heads/hf/v1.11/v1.11.4-custom-taint
- refs/heads/hf/v1.11/v1.11.5-and-19247-eed5544
- refs/heads/hf/v1.11/xdp-multidev-v1
- refs/heads/hf/v1.11/xdp-multidev-v2-ipcache-fix
- refs/heads/hf/v1.12/next-net-v1
- refs/heads/hf/v1.12/v1.12.18-994
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat
- refs/heads/hf/v1.12/v1.12.3-debug-k8s-heartbeat-v2
- refs/heads/hf/v1.13/bpf-sock-l7-fix
- refs/heads/hf/v1.13/v1.13.12-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-debug
- refs/heads/hf/v1.13/v1.13.14-without-deny-precedence-with-xfrm-fix
- refs/heads/hf/v1.13/v1.13.2-with-24875
- refs/heads/hf/v1.13/v1.13.3-with-26242
- refs/heads/hf/v1.14/cidr-identity-refcnt-fix
- refs/heads/hf/v1.14/v1.14-with-27327
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix
- refs/heads/hf/v1.7/v1.7.15-with-neighbor-fix-2
- refs/heads/hf/v1.8/v1.8.13-with-19452
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.6-eni-cidr-fix-15303
- refs/heads/hf/v1.8/v1.8.7-with-fqdn-underscore-fix
- refs/heads/hf/v1.8/v1.8.8-eni-cidr-fix-1
- refs/heads/hf/v1.8/v1.8.8-with-encrypt-fixes
- refs/heads/hf/v1.9/v1.9.8-azure-ipam-fix
- refs/heads/hf/v1.9/v1.9.9-azure-pod-egress-fix
- refs/heads/images/runtime/20210830
- refs/heads/ipc-demo
- refs/heads/ktls-tx-only
- refs/heads/ktls-tx-only-v2
- refs/heads/ktls-tx-rx
- refs/heads/ktls-tx-rx-v2
- refs/heads/ktls-tx-rx-v3
- refs/heads/ktls-tx-rx-v4
- refs/heads/ktls-tx-rx-v5
- refs/heads/ldelossa/feat/bgp-control-plane
- refs/heads/ldelossa/segment-makefiles
- refs/heads/ldelossa/segment-makefiles-v2
- refs/heads/ldelossa/srv6-encap-fib
- refs/heads/lizrice/pr/cli-confusion
- refs/heads/main
- refs/heads/multi-stack-dev-vm
- refs/heads/pr/1-9-ci-test
- refs/heads/pr/aanm-update-k8s-conformance
- refs/heads/pr/aanm/bisect
- refs/heads/pr/aanm/test-31027
- refs/heads/pr/add-controller-identity
- refs/heads/pr/aditighag/lrp-skip-lb
- refs/heads/pr/asauber/link-local-as-host
- refs/heads/pr/asauber/max-ifindex-metric
- refs/heads/pr/avoid-ct-for-dsr
- refs/heads/pr/backend-state
- refs/heads/pr/bbb-cpy
- refs/heads/pr/bimmlerd/modularize-bandwidth-manager
- refs/heads/pr/bimmlerd/v1.12-backport-quay-org-from-env
- refs/heads/pr/bounded-loops
- refs/heads/pr/bpf-based-masquerading
- refs/heads/pr/bpf-edt-proxy
- refs/heads/pr/brb/arping-nexthop
- refs/heads/pr/brb/arping-via-gw
- refs/heads/pr/brb/auto-multi-dev-v2
- refs/heads/pr/brb/backport-1.8.5-nat-gc
- refs/heads/pr/brb/bpf-host-routing-wg
- refs/heads/pr/brb/bpf-lxc-no-redirect
- refs/heads/pr/brb/bpf-masq-no-socket-lb
- refs/heads/pr/brb/bpf-masq-veth
- refs/heads/pr/brb/bpf-multihoming
- refs/heads/pr/brb/cgroup-v2-test
- refs/heads/pr/brb/check-errors-in-logs
- refs/heads/pr/brb/check-wg
- refs/heads/pr/brb/ci
- refs/heads/pr/brb/ci-1111
- refs/heads/pr/brb/ci-2
- refs/heads/pr/brb/ci-4.19
- refs/heads/pr/brb/ci-arping-flake
- refs/heads/pr/brb/ci-bigtcp
- refs/heads/pr/brb/ci-bpf-netdev-without-egress
- refs/heads/pr/brb/ci-cleanup-svc
- refs/heads/pr/brb/ci-dbg-conformance-kind
- refs/heads/pr/brb/ci-dbg-external
- refs/heads/pr/brb/ci-dbg-flake-from-outside
- refs/heads/pr/brb/ci-demo
- refs/heads/pr/brb/ci-disable-ces-for-egress-gw
- refs/heads/pr/brb/ci-dp-disable-bpf-host-routing
- refs/heads/pr/brb/ci-dp-hubble-flows
- refs/heads/pr/brb/ci-dp-more-diversity
- refs/heads/pr/brb/ci-dp-v1.13
- refs/heads/pr/brb/ci-dp-v6
- refs/heads/pr/brb/ci-dp-verifier
- refs/heads/pr/brb/ci-e2e-enable-debug-ipsec
- refs/heads/pr/brb/ci-e2e-geneve-dsr
- refs/heads/pr/brb/ci-e2e-helm-mode-v1.13
- refs/heads/pr/brb/ci-e2e-lvh-retry
- refs/heads/pr/brb/ci-e2e-more-nodes
- refs/heads/pr/brb/ci-e2e-new-cli
- refs/heads/pr/brb/ci-e2e-nft
- refs/heads/pr/brb/ci-e2e-unsafe
- refs/heads/pr/brb/ci-e2e-unsafe-v2
- refs/heads/pr/brb/ci-e2e-upgrade-tests
- refs/heads/pr/brb/ci-e2e-upgrade-tests-ipsec
- refs/heads/pr/brb/ci-early-terminate-conn-disrupt
- refs/heads/pr/brb/ci-eks-ipsec-upgrade
- refs/heads/pr/brb/ci-encrypt-l7
- refs/heads/pr/brb/ci-fix-ip-masq-dry-run
- refs/heads/pr/brb/ci-ipsec-upgrade-fix
- refs/heads/pr/brb/ci-ipsec-upgrade-missed-tail-calls
- refs/heads/pr/brb/ci-ipsec-upgrade-v1.13
- refs/heads/pr/brb/ci-ipsec-upgrade-vol2
- refs/heads/pr/brb/ci-keep-missed-tail-calls
- refs/heads/pr/brb/ci-l7-nodeport
- refs/heads/pr/brb/ci-lvh-4.19
- refs/heads/pr/brb/ci-lvh-5.4
- refs/heads/pr/brb/ci-lvh-5.4-v2
- refs/heads/pr/brb/ci-lvh-bpf-next
- refs/heads/pr/brb/ci-no-self-hosted
- refs/heads/pr/brb/ci-pass-kernel-env
- refs/heads/pr/brb/ci-prepull-l4lb
- refs/heads/pr/brb/ci-refactor-svc-suite
- refs/heads/pr/brb/ci-rm-smoke-tests
- refs/heads/pr/brb/ci-sanity
- refs/heads/pr/brb/ci-test
- refs/heads/pr/brb/ci-test-2
- refs/heads/pr/brb/ci-test-k8s-vsn-swap
- refs/heads/pr/brb/ci-test-large-runners
- refs/heads/pr/brb/ci-uffff
- refs/heads/pr/brb/ci-upgrade-vol-2
- refs/heads/pr/brb/ci-upgrade-vol-3
- refs/heads/pr/brb/ci-wg-mtu
- refs/heads/pr/brb/ci-wg-mtu-vol2
- refs/heads/pr/brb/cilium-host-v6-from-ipam
- refs/heads/pr/brb/cli-bump-test
- refs/heads/pr/brb/datapath-loop-dbg
- refs/heads/pr/brb/dbg-ci
- refs/heads/pr/brb/dbg-conformance-gke
- refs/heads/pr/brb/dbg-master-np-vxlan-ipcache-ci
- refs/heads/pr/brb/debug-nodeport-bpf-flake
- refs/heads/pr/brb/do-not-derive-pod-cidrs-from-dev
- refs/heads/pr/brb/do-not-query-dev-for-arping
- refs/heads/pr/brb/docs-clarify-egress-gw-ip-addr-dp
- refs/heads/pr/brb/drop-notify
- refs/heads/pr/brb/dsr
- refs/heads/pr/brb/dsr-v2
- refs/heads/pr/brb/dualstack-ci
- refs/heads/pr/brb/enable-ipv6-per-endpoint-routes
- refs/heads/pr/brb/enable-route-mtu-cni
- refs/heads/pr/brb/fib-lookup-src
- refs/heads/pr/brb/fix-backend-id-u32
- refs/heads/pr/brb/fix-ci-dp-deprecation-warn
- refs/heads/pr/brb/fix-clang-vsn-regexp
- refs/heads/pr/brb/fix-egress-ip-16147
- refs/heads/pr/brb/fix-external-ip-dp
- refs/heads/pr/brb/fix-maglev-del
- refs/heads/pr/brb/fix-nodeport-hostnetns
- refs/heads/pr/brb/fix-stale-dsr
- refs/heads/pr/brb/fix-svc-backend-selection
- refs/heads/pr/brb/fix-third-host
- refs/heads/pr/brb/gh-action-cgr
- refs/heads/pr/brb/gh-action-lvh
- refs/heads/pr/brb/gh-install-cli-backup
- refs/heads/pr/brb/ginkgo-kpr-strict
- refs/heads/pr/brb/ginkgo-rm-update-tests
- refs/heads/pr/brb/go-crazy
- refs/heads/pr/brb/hubble-tcp-ack-seq-no
- refs/heads/pr/brb/improve-svc-restore
- refs/heads/pr/brb/istio-getsockopt
- refs/heads/pr/brb/it-cannot-be-truth
- refs/heads/pr/brb/kpr-svc-mesh
- refs/heads/pr/brb/kubeproxy-free-ci
- refs/heads/pr/brb/l7-np-bpf
- refs/heads/pr/brb/l7-rerevert
- refs/heads/pr/brb/lets-be-friends-with-ipsec
- refs/heads/pr/brb/lvh-kind-127
- refs/heads/pr/brb/lvh-kind-ipsec-upgrade
- refs/heads/pr/brb/meyskens/auth-ep-gc-locks
- refs/heads/pr/brb/multi-network
- refs/heads/pr/brb/no-cache-snat
- refs/heads/pr/brb/no-rev-nat-bpf-lxc-ingress
- refs/heads/pr/brb/node-id-per-fam
- refs/heads/pr/brb/nodeport-xlr-flag
- refs/heads/pr/brb/perf-wg
- refs/heads/pr/brb/pin-lvh
- refs/heads/pr/brb/push-ci-charts
- refs/heads/pr/brb/pwru
- refs/heads/pr/brb/rm-arping-l2-addr-check
- refs/heads/pr/brb/rm-no-redirect
- refs/heads/pr/brb/rm-np-deadcode
- refs/heads/pr/brb/rm-partial-host-svc
- refs/heads/pr/brb/rm-test-gke
- refs/heads/pr/brb/test-bpf-masq
- refs/heads/pr/brb/test-ci-e2e
- refs/heads/pr/brb/test-ci-e2e-v1.13
- refs/heads/pr/brb/test-kind
- refs/heads/pr/brb/third-host-more-pain
- refs/heads/pr/brb/timing-l4lb-gh-action
- refs/heads/pr/brb/triage-flake-v2
- refs/heads/pr/brb/triage-lb-flake
- refs/heads/pr/brb/unquarantine-svc
- refs/heads/pr/brb/v1.10-istio-snat
- refs/heads/pr/brb/v1.12-ci-e2e
- refs/heads/pr/brb/v1.12-ci-ipsec-upgrade
- refs/heads/pr/brb/v1.12-test-ipsec-upgrade
- refs/heads/pr/brb/v1.13-ci-e2e
- refs/heads/pr/brb/v1.13-remote-np
- refs/heads/pr/brb/v1.13-upgrade-fixes
- refs/heads/pr/brb/v1.14-ci-e2e-upgrade
- refs/heads/pr/brb/v1.14-drop-notify
- refs/heads/pr/brb/v1.15-enable-route-mtu-cni
- refs/heads/pr/brb/v1.6.9-iptables-W
- refs/heads/pr/brb/v1.8-fix-icmp-port-check
- refs/heads/pr/brb/wg-duplicate-node-ip
- refs/heads/pr/brb/wg-encrypt-node-test
- refs/heads/pr/brb/wg-hack
- refs/heads/pr/brb/wg-ipam-fix
- refs/heads/pr/brb/wg-kpr
- refs/heads/pr/brb/wg-test
- refs/heads/pr/brb/wip
- refs/heads/pr/brb/wip-ci
- refs/heads/pr/brb/wip-sync-policy-map
- refs/heads/pr/brb/xdp-egress-gw
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming
- refs/heads/pr/brb/xdp-multidev-with-bpf-multihoming-v2
- refs/heads/pr/bruno/sleepy-pawn
- refs/heads/pr/bugtool-systemd
- refs/heads/pr/bwm-base2
- refs/heads/pr/bwm-fq
- refs/heads/pr/bwm-priority
- refs/heads/pr/chancez/add_hubble_l7_dashboard_prometheus_example
- refs/heads/pr/chancez/fix_websocket_l7_policies
- refs/heads/pr/chancez/flow_filter_namespace
- refs/heads/pr/chancez/hubble_metrics_tls_docs
- refs/heads/pr/chancez/hubble_plus_plus
- refs/heads/pr/chancez/static_peers_hubble_relay
- refs/heads/pr/christarazi/controlplane-fqdn
- refs/heads/pr/christarazi/ipcache-async-cep-pods-namedports
- refs/heads/pr/christarazi/prep-from-cidr-tests
- refs/heads/pr/ci-k8s-1.30
- refs/heads/pr/datapath-opt
- refs/heads/pr/dbkm/nodeport-lb
- refs/heads/pr/debug-dns-timeout
- refs/heads/pr/eproutes-redir
- refs/heads/pr/example/neigh-state-manager
- refs/heads/pr/fastdp
- refs/heads/pr/fastdp2
- refs/heads/pr/feroz/allow-sbom-read
- refs/heads/pr/feroz/set-container-scan-failure-flag
- refs/heads/pr/fib-consolidation
- refs/heads/pr/fix-aks-workflow
- refs/heads/pr/fix-k8s-all-sha1
- refs/heads/pr/fix-net-next-1.16
- refs/heads/pr/fix-pod-pacing
- refs/heads/pr/fix-tail-call-replace
- refs/heads/pr/fristonio/feat-19038
- refs/heads/pr/fristonio/fix-istio-k8sT
- refs/heads/pr/fristonio/ipv6-masquerading
- refs/heads/pr/fristonio/test-dual-stack
- refs/heads/pr/fristonio/test-ipv6-dualstack
- refs/heads/pr/gandro+brb/fix-monitor-aggregation-np-v2
- refs/heads/pr/gandro+brb/mv-trace-point-to-rev-nodeport
- refs/heads/pr/gandro+brb/wg-host-encryption-v3
- refs/heads/pr/gandro+brb/wg-host2host
- refs/heads/pr/gandro+brb/wg-host2host-kind
- refs/heads/pr/gandro/bump-hubble-2020-03-25
- refs/heads/pr/gandro/ci-conformance-multicluster-fix-log-gathering
- refs/heads/pr/gandro/ci-delete-crds-in-cleanupcomponents
- refs/heads/pr/gandro/ci-fix-status-if-workflows-are-skipped
- refs/heads/pr/gandro/ci-wait-for-all-relevant-images-do-not-merge-test
- refs/heads/pr/gandro/enable-hubble-by-default
- refs/heads/pr/gandro/portmap-refcount
- refs/heads/pr/gandro/re-enable-wireguard-in-multicluster-ci
- refs/heads/pr/gandro/svc-healthchecknodeport
- refs/heads/pr/gc-on-svc-update
- refs/heads/pr/getname-hooks
- refs/heads/pr/giorio94/1.14/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/cluster-name-validation-strict
- refs/heads/pr/giorio94/main/clustermesh-deprecated-cleanup
- refs/heads/pr/giorio94/main/gha-cl2-agents-pprof
- refs/heads/pr/giorio94/main/gha-cl2-compress-agent-pprofs
- refs/heads/pr/giorio94/main/gha-cluster-name
- refs/heads/pr/giorio94/main/gha-conformance-clustermesh-lb
- refs/heads/pr/giorio94/main/test-cilium-cli-2184
- refs/heads/pr/giorio94/main/tests-clustermesh-upgrade-interrupted
- refs/heads/pr/gray/30837-with-pwru
- refs/heads/pr/gray/main/connectivity-wg-proxy-nodeport
- refs/heads/pr/gray/main/decouple-ipsec-gh-actions
- refs/heads/pr/gray/main/egress-proxy-ipsec-fix2
- refs/heads/pr/gray/main/fix-leak-detection-race
- refs/heads/pr/gray/main/xfrm-delete-flake
- refs/heads/pr/gray/main/xfrm-delete-flake2
- refs/heads/pr/gray/pwru-action
- refs/heads/pr/gray/v1.15/decouple-ipsec-gh-actions
- refs/heads/pr/health
- refs/heads/pr/health-data-path
- refs/heads/pr/hubble-tls-cert-gen-via-k8s-job
- refs/heads/pr/ianvernon/kvstore-client-type
- refs/heads/pr/ianvernon/kvstore-context
- refs/heads/pr/ianvernon/more-endpoint-cleanup
- refs/heads/pr/ianvernon/resolve-cidr-policy-perf-improvement
- refs/heads/pr/increase-verifier-test-build-timeout
- refs/heads/pr/ipip
- refs/heads/pr/ipip-encap
- refs/heads/pr/ipip-encap2
- refs/heads/pr/ipip2
- refs/heads/pr/ipip4
- refs/heads/pr/ipip6
- refs/heads/pr/jibi/differentiate-udp-tcp-svcs-take-4
- refs/heads/pr/jibi/fix-differentiate-udp-tcp-svc-upgrade
- refs/heads/pr/jibi/ip-list-contains-addr
- refs/heads/pr/joamaki/gather-network-info
- refs/heads/pr/joamaki/idless-service-restapi
- refs/heads/pr/joe/ariane-scheduled-cilium-only
- refs/heads/pr/joe/backport-28007-1.11
- refs/heads/pr/joe/bump-ginkgo-seed
- refs/heads/pr/joe/docker-build-log-tracing
- refs/heads/pr/joe/ipcache-cidr-policy
- refs/heads/pr/joe/lost-identity
- refs/heads/pr/joe/policymap-format-test
- refs/heads/pr/joe/ready-to-merge
- refs/heads/pr/joe/release-codeowners
- refs/heads/pr/joe/sw-quay
- refs/heads/pr/joe/test-labeler
- refs/heads/pr/joe/test-lvh-fix
- refs/heads/pr/joe/v1.13-stability-check
- refs/heads/pr/joe/v1.7-dev-env
- refs/heads/pr/jrajahalme/gh-filter-test-files
- refs/heads/pr/jrfastab/backport-ooo-ipsec-fixes
- refs/heads/pr/jrfastab/backport-v111-loopback
- refs/heads/pr/jrfastab/backport-v115
- refs/heads/pr/jrfastab/dbgNodeId
- refs/heads/pr/jrfastab/dbgNodeId111
- refs/heads/pr/jrfastab/dbgNodeId111v2
- refs/heads/pr/jrfastab/dbgv114
- refs/heads/pr/jrfastab/eks-encrypt-ipamupdate
- refs/heads/pr/jrfastab/fix-encrypt-subnets
- refs/heads/pr/jrfastab/fix-ixsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/fixes-ipsec-init
- refs/heads/pr/jrfastab/v1.8-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v1.9-fix-ipsec-vxlan-remoteIP
- refs/heads/pr/jrfastab/v111-debug-ooo
- refs/heads/pr/jrfastab/v111-debug-ooo-v2
- refs/heads/pr/jwi/main/ipsec-rhel8
- refs/heads/pr/jwi/v1.14/ci-ipsec
- refs/heads/pr/jwi/v1.15/bpf-complexity
- refs/heads/pr/jwi/v1.15/ci-ipsec
- refs/heads/pr/k8s-nat46x64
- refs/heads/pr/k8s-nat46x64-2
- refs/heads/pr/kaworu/helm-hubble-cli.yaml
- refs/heads/pr/kkourt/azure-ipam-test-race
- refs/heads/pr/kkourt/bpftool-update
- refs/heads/pr/kkourt/ct-rst-timeout-wip
- refs/heads/pr/kkourt/v1.11-backport-2022-01-26
- refs/heads/pr/kkourt/v1.9-lxc-complexity
- refs/heads/pr/l4lb-improvements-tmp
- refs/heads/pr/learnitall/ginkgo-race-workflow
- refs/heads/pr/learnitall/test-startup-script-changes
- refs/heads/pr/lmb/1.14-cni
- refs/heads/pr/lmb/1.15-cni
- refs/heads/pr/lmb/update-cni-plugin
- refs/heads/pr/marga/v1.11-without-deny-precedence
- refs/heads/pr/marseel/scale_test_1_15
- refs/heads/pr/max/upgrade-llvm-18-1-6
- refs/heads/pr/mhofstetter/guestbook-registry
- refs/heads/pr/mhofstetter/junit-fetch-nullglob
- refs/heads/pr/mhofstetter/ssh-store-consolelog
- refs/heads/pr/mhofstetter/test-ingress
- refs/heads/pr/michi/circular-struggle
- refs/heads/pr/michi/clustermesh
- refs/heads/pr/michi/crdregister
- refs/heads/pr/michi/debug
- refs/heads/pr/michi/description
- refs/heads/pr/michi/dns-refactor12
- refs/heads/pr/michi/ipsec-workflows
- refs/heads/pr/michi/l7drop
- refs/heads/pr/michi/majestic-ketchup
- refs/heads/pr/michi/mega-ketchup
- refs/heads/pr/michi/peerapi
- refs/heads/pr/michi/rest
- refs/heads/pr/michi/scaletest
- refs/heads/pr/michi/sleep-on-it
- refs/heads/pr/michi/test
- refs/heads/pr/michi/weekly-bot
- refs/heads/pr/monitor-wait-ci
- refs/heads/pr/move-image-to-one-repo
- refs/heads/pr/nat-gw-tests
- refs/heads/pr/nathanjsweet/add-complex-allow-test-to-policy-map-tests
- refs/heads/pr/nathanjsweet/add-lockdown-mode-for-policy-map-overflows
- refs/heads/pr/nathanjsweet/differentiate-protocol-in-services
- refs/heads/pr/nathanjsweet/node-port-addresses
- refs/heads/pr/nathanjsweet/refactor-mapstate
- refs/heads/pr/nathanjsweet/update-k8s-control-plane-tests-to-1-27
- refs/heads/pr/nebril/add-dns-concurrency-limit
- refs/heads/pr/nebril/fix-precheck
- refs/heads/pr/nebril/fqdn-proxy-ha
- refs/heads/pr/nebril/fqdn-proxy-interface
- refs/heads/pr/nebril/gke-workflow-migrate-from-cli
- refs/heads/pr/nebril/quarantine-1.14-nodeport
- refs/heads/pr/nebril/test-bottlerocket
- refs/heads/pr/nebril/test-helm-gke-fix
- refs/heads/pr/nebril/test-our-ghaction-shenanigans
- refs/heads/pr/nebril/test-rebase-helm
- refs/heads/pr/nebril/trololo
- refs/heads/pr/nebril/update-cli-9.1-test
- refs/heads/pr/netkit
- refs/heads/pr/netkit3
- refs/heads/pr/netns-switch
- refs/heads/pr/netns-switch-no-peer
- refs/heads/pr/nodeport-fix
- refs/heads/pr/nodeport-improvements2
- refs/heads/pr/nodeport-nat-improvements
- refs/heads/pr/nodeport-nat-improvements2
- refs/heads/pr/nodeport-retry-sport
- refs/heads/pr/pchaigno/deprecate-bpf_network-f
- refs/heads/pr/pchaigno/fix-4.19-bpf-program-size
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix
- refs/heads/pr/pchaigno/hotfix1-ipsec-fix-brb-v0
- refs/heads/pr/pchaigno/optim-complexity-ipcache-lookup
- refs/heads/pr/pchaigno/rework-config-probes
- refs/heads/pr/pchaigno/tmp-base-branch
- refs/heads/pr/pin-1.10-workflows-k8s-version
- refs/heads/pr/pin-1.11-workflows-k8s-version
- refs/heads/pr/pin-1.12-workflows-k8s-version
- refs/heads/pr/pin-1.13-workflows-k8s-version
- refs/heads/pr/pin-cloud-provider-master-workflows
- refs/heads/pr/pr/fix-ipam-node-manager-semaphore-error-handling
- refs/heads/pr/publish-test-images
- refs/heads/pr/qmonnet/docs-20230224
- refs/heads/pr/qmonnet/docs-bump
- refs/heads/pr/qmonnet/ipsec/no-missed-tail-call-1.13
- refs/heads/pr/qmonnet/standalone-lb-docs
- refs/heads/pr/qmonnet/sync-joblists
- refs/heads/pr/rastislavs/bgp-e2e-test
- refs/heads/pr/ray/late-dns-proxy
- refs/heads/pr/rgo3/1.12-run-no-unexpected-drops-for-patch
- refs/heads/pr/rgo3/fix-k8s-vm-provisioning-1.13
- refs/heads/pr/rgo3/fix-missing-health-endpoint
- refs/heads/pr/rolinh/better-policy-verdict
- refs/heads/pr/rolinh/hubble-dump-all
- refs/heads/pr/rolinh/hubble-fix-maxflows-rounding
- refs/heads/pr/route-test
- refs/heads/pr/run-tests-in-parallel
- refs/heads/pr/scalability-crd-only
- refs/heads/pr/squeed/make-ccache
- refs/heads/pr/squeed/per-node-config
- refs/heads/pr/squeed/remote-cluster-leak
- refs/heads/pr/stacy/docs-update
- refs/heads/pr/tammach/accesslog-envoy
- refs/heads/pr/tammach/ci-cm
- refs/heads/pr/tammach/cleanup-helm-1.16
- refs/heads/pr/tammach/envoy-1.30
- refs/heads/pr/tammach/headless-service-flake
- refs/heads/pr/tammach/ingress-controller-e2e-config6
- refs/heads/pr/tammach/more-ingress-tests
- refs/heads/pr/tammach/rennovate-statedb
- refs/heads/pr/tammach/revert/fib-lookup
- refs/heads/pr/tammach/ubuntu-24.04
- refs/heads/pr/tammach/ubuntu-24.04-no-llvm
- refs/heads/pr/tc-np-test
- refs/heads/pr/tcx
- refs/heads/pr/tcx-helm
- refs/heads/pr/tcx-misc
- refs/heads/pr/test-419-ci
- refs/heads/pr/test-increase-update-delete-timeout
- refs/heads/pr/test-k8s-all-tests
- refs/heads/pr/test-lb-super-netperf
- refs/heads/pr/test-nightly
- refs/heads/pr/test-upstream-timeout
- refs/heads/pr/tgraf/chaos-testing
- refs/heads/pr/tgraf/clustermesh-stale-state
- refs/heads/pr/tgraf/eni-ipam
- refs/heads/pr/tgraf/new-endpoint-state
- refs/heads/pr/tgraf/new-policy
- refs/heads/pr/tgraf/remove-tunnel-map
- refs/heads/pr/tgraf/scoped-ipam
- refs/heads/pr/tgraf/sctp
- refs/heads/pr/tgraf/split-lxc-prog
- refs/heads/pr/thorn3r/cesBlanketTest
- refs/heads/pr/thorn3r/clustermesh511
- refs/heads/pr/tklauser/build-push-images-env-var
- refs/heads/pr/tommyp1ckles/debugging-aks-conformance
- refs/heads/pr/tp/add-logging-for-wait-for-pods-term-condition
- refs/heads/pr/tp/backport-31380
- refs/heads/pr/tp/bump-cilium-cli
- refs/heads/pr/tp/cleanup-ipam-ips-metric-docs
- refs/heads/pr/tp/complexity-issue-verifier-case-main
- refs/heads/pr/tp/dont-terminate-on-node-config-changee
- refs/heads/pr/tp/eps-modular-health
- refs/heads/pr/tp/fix-stuck-ginko-pod-v2
- refs/heads/pr/tp/forward-hubble-for-e2e
- refs/heads/pr/tp/forward-hubble-for-e2e-v2
- refs/heads/pr/tp/switch-1.24-eks-region
- refs/heads/pr/tp/switch-1.24-eks-region-v1.13
- refs/heads/pr/tp/use-helm-default-vars-for-clustermesh-downgrade-c1
- refs/heads/pr/tweak-github-action-ref
- refs/heads/pr/twpayne/hubble-recent-events-buffer
- refs/heads/pr/twpayne/hubble-ring-buffer-benchmarks
- refs/heads/pr/update-azure
- refs/heads/pr/update-readme-for-releases
- refs/heads/pr/update-tm-network
- refs/heads/pr/v1.10-backport-2022-06-13
- refs/heads/pr/v1.10-backport-2022-10-03
- refs/heads/pr/v1.10-eni-stability-improvements-v1
- refs/heads/pr/v1.10-neigh-clean
- refs/heads/pr/v1.11-backport-2022-10-03
- refs/heads/pr/v1.11-test/issue-692
- refs/heads/pr/v1.12-backport-2023-10-10
- refs/heads/pr/v1.12-test/issue-692
- refs/heads/pr/v1.13-backport-2023-10-31
- refs/heads/pr/v1.13-backport-2024-04-22-03-42
- refs/heads/pr/v1.13-test/issue-692
- refs/heads/pr/v1.14-backport-2024-06-18-02-46
- refs/heads/pr/v1.14.1
- refs/heads/pr/v1.7-stability-test
- refs/heads/pr/v1.7.9-hf-13205
- refs/heads/pr/v3-cpu
- refs/heads/pr/v6-host-addr2
- refs/heads/pr/vk/bpf/tests/csum
- refs/heads/pr/vk/ci/test/concurrent/run
- refs/heads/pr/vk/doc/ipsec
- refs/heads/pr/vk/ipsec/key/rotate
- refs/heads/pr/vk/test/ipsec/tests/concurrent/run
- refs/heads/pr/wip/bijective-nodemap
- refs/heads/regex_improved
- refs/heads/renovate/v1.13-all-dependencies
- refs/heads/renovate/v1.14-all-dependencies
- refs/heads/renovate/v1.15-aanm-test
- refs/heads/renovate/v1.15-all-dependencies
- refs/heads/renovate/v1.16-cilium-cli
- refs/heads/renovate/v1.16-go
- refs/heads/revert-29086-2023-11-09-backport-1.14
- refs/heads/revert-33302-policy-catch-invalid-port-wildcard
- refs/heads/rib
- refs/heads/run-ci-wihout-building-cilium
- refs/heads/sh-dep-test-l4lb
- refs/heads/sidecar-http-proxy
- refs/heads/sockmap-v5
- refs/heads/sockops-build-fix
- refs/heads/tam/integration-tests
- refs/heads/tam/more-ingress-tests
- refs/heads/tb/bpf-remove-bear
- refs/heads/test-branch
- refs/heads/test-ipsec
- refs/heads/test-sig-bgp-notifs
- refs/heads/test/brlbil/upload
- refs/heads/test/skip-workflows
- refs/heads/tgraf/process-policy
- refs/heads/thorn3r/cesScaleTest
- refs/heads/thorn3rCES
- refs/heads/tinker/learnitall/scale-test-1
- refs/heads/tinker/learnitall/scale-test-2
- refs/heads/tklauser+brb/wip/multi-homing
- refs/heads/unit-test-ipsec
- refs/heads/v0.10
- refs/heads/v0.11
- refs/heads/v0.12
- refs/heads/v0.13
- refs/heads/v0.8
- refs/heads/v0.9
- refs/heads/v1.0
- refs/heads/v1.0.0-rc2
- refs/heads/v1.0.0-rc3
- refs/heads/v1.1
- refs/heads/v1.10
- refs/heads/v1.11
- refs/heads/v1.12
- refs/heads/v1.12.11-base
- refs/heads/v1.13
- refs/heads/v1.14
- refs/heads/v1.15
- refs/heads/v1.16
- refs/heads/v1.2
- refs/heads/v1.3
- refs/heads/v1.3.1
- refs/heads/v1.3.1-release
- refs/heads/v1.3.7-release
- refs/heads/v1.4
- refs/heads/v1.4.5-release
- refs/heads/v1.5
- refs/heads/v1.5.2-rc1-with-clusterip-fix
- refs/heads/v1.5.4-release
- refs/heads/v1.6
- refs/heads/v1.7
- refs/heads/v1.7.9-1
- refs/heads/v1.7.9.1
- refs/heads/v1.8
- refs/heads/v1.9
- refs/heads/verify-external-workload-dns-setup-redux
- refs/heads/vladu/identity-type-metrics
- refs/heads/weavescope
- refs/heads/wip-ktls-tx-rx
- refs/heads/wip-sockmap
- refs/heads/wip-sockmap-v2
- refs/heads/wip-sockmap-v3
- refs/heads/wip-sockmap-v4
- refs/heads/xfrm-subnet-test
- refs/heads/yutaro/bgp-cplane-etp-local/doc
- refs/heads/yutaro/oss/eni-overlapping-mark
- refs/remotes/bruno/hf/v1.10/v1.10.3-bpf-snat-and-masq-fixes
- refs/remotes/joe/submit/quarantine-etcd
- refs/remotes/origin/1.2-backports-18-09-12
- refs/remotes/origin/ipvlan3
- refs/remotes/origin/pr/add-reserved-health
- refs/remotes/origin/pr/brb/nodeport-lb
- refs/remotes/origin/pr/ianvernon/5859
- refs/remotes/origin/pr/ianvernon/dynamic-ep-cfg
- refs/remotes/origin/pr/tgraf/kube-dns-fixed-identity
- refs/semaphoreci/6384f501b324813e55cfbe818c04a40f2a923765
- refs/semaphoreci/7f69b285bac8a1be414e8769799962ae1408d9e1
- refs/semaphoreci/b5eb6622da121ad36b8f375a084392f7feeec64a
- refs/semaphoreci/d9e7e28f39d34a7050a9c1cad2a26d84f5f4eff1
- refs/semaphoreci/f55ec535d85f387ef981265967fabb3c1b5f1ec6
- refs/tags/0.10.1
- refs/tags/1.1.1
- refs/tags/1.9.0-rc0
- refs/tags/v0.11
- refs/tags/v0.12.0
- refs/tags/v0.13.1
- refs/tags/v0.8.0
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.0-rc1
- refs/tags/v1.0.0-rc2
- Branches list truncated to 687 entries, 4 were omitted.
- v1.0.0-rc14
- v1.0.0-rc13
- v1.0.0-rc11
- v1.0.0-rc10
- v1.0.0-rc1
- v1.0.0
- v0.13.9
- v0.13.8
- v0.13.7
- v0.13.6
- v0.13.5
- v0.13.4
- v0.13.3
- v0.13.28
- v0.13.25
- v0.13.24
- v0.13.23
- v0.13.22
- v0.13.21
- v0.13.20
- v0.13.2
- v0.13.19
- v0.13.18
- v0.13.17
- v0.13.16
- v0.13.15
- v0.13.14
- v0.13.13
- v0.13.12
- v0.13.11
- v0.13.10
- v0.10.0
- 1.9.9
- 1.9.8
- 1.9.7
- 1.9.6
- 1.9.5
- 1.9.4
- 1.9.3
- 1.9.2
- 1.9.18
- 1.9.17
- 1.9.16
- 1.9.15
- 1.9.14
- 1.9.13
- 1.9.12
- 1.9.11
- 1.9.10
- 1.9.1
- 1.9.0-rc3
- 1.9.0-rc2
- 1.9.0-rc1
- 1.9.0
- 1.8.9
- 1.8.8
- 1.8.7
- 1.8.6
- 1.8.5
- 1.8.4
- 1.8.3
- 1.8.2
- 1.8.13
- 1.8.12
- 1.8.11
- 1.8.10
- 1.8.1
- 1.8.0-rc4
- 1.8.0-rc3
- 1.8.0-rc2
- 1.8.0-rc1
- 1.8.0
- 1.7.9
- 1.7.8
- 1.7.7
- 1.7.6
- 1.7.5
- 1.7.4
- 1.7.3
- 1.7.2
- 1.7.16
- 1.7.15
- 1.7.14
- 1.7.13
- 1.7.12
- 1.7.11
- 1.7.10
- 1.7.1
- 1.7.0-rc4
- 1.7.0-rc3
- 1.7.0
- 1.6.9
- 1.6.8
- 1.6.7
- 1.6.6
- 1.6.5
- 1.6.4
- 1.6.3
- 1.6.2
- 1.6.12
- 1.6.11
- 1.6.10
- 1.6.1
- 1.6.0
- 1.5.9
- 1.5.8
- 1.5.7
- 1.5.6
- 1.5.5
- 1.5.4
- 1.5.3
- 1.5.2
- 1.5.13
- 1.5.12
- 1.5.11
- 1.5.10
- 1.5.1
- 1.5.0-rc6
- 1.5.0-rc5
- 1.5.0-rc4
- 1.5.0-rc3
- 1.5.0-rc2
- 1.5.0
- 1.4.9
- 1.4.8
- 1.4.7
- 1.4.6
- 1.4.5
- 1.4.4
- 1.4.3
- 1.4.2
- 1.4.10
- 1.4.1
- 1.4.0-rc9
- 1.4.0-rc8
- 1.4.0-rc7
- 1.4.0-rc6
- 1.4.0-rc5
- 1.4.0-rc2
- 1.4.0
- 1.3.8
- 1.3.7
- 1.3.6
- 1.3.5
- 1.3.4
- 1.3.3
- 1.3.2
- 1.3.1
- 1.3.0-rc5
- 1.3.0-rc4
- 1.3.0
- 1.2.8
- 1.2.7
- 1.2.6
- 1.2.5
- 1.2.4
- 1.2.3
- 1.2.2
- 1.2.1
- 1.2.0-rc3
- 1.2.0-rc2
- 1.2.0-rc1
- 1.2.0
- 1.16.0-rc.1
- 1.16.0-rc.0
- 1.16.0-pre.3
- 1.16.0-pre.2
- 1.16.0-pre.1
- 1.16.0-pre.0
- 1.15.7
- 1.15.6
- 1.15.5
- 1.15.4
- 1.15.3
- 1.15.2
- 1.15.1
- 1.15.0-rc.1
- 1.15.0-rc.0
- 1.15.0-pre.3
- 1.15.0-pre.2
- 1.15.0-pre.1
- 1.15.0-pre.0
- 1.15.0
- 1.14.9
- 1.14.8
- 1.14.7
- 1.14.6
- 1.14.5
- 1.14.4
- 1.14.3
- 1.14.2
- 1.14.13
- 1.14.12
- 1.14.11
- 1.14.10
- 1.14.1
- 1.14.0-snapshot.4
- 1.14.0-snapshot.3
- 1.14.0-snapshot.2
- 1.14.0-snapshot.1
- 1.14.0-snapshot.0
- 1.14.0-rc.1
- 1.14.0-rc.0
- 1.14.0-pre.2
- 1.14.0
- 1.13.9
- 1.13.8
- 1.13.7
- 1.13.6
- 1.13.5
- 1.13.4
- 1.13.3
- 1.13.2
- 1.13.18
- 1.13.17
- 1.13.16
- 1.13.15
- 1.13.14
- 1.13.13
- 1.13.12
- 1.13.11
- 1.13.10
- 1.13.1
- 1.13.0-rc5
- 1.13.0-rc4
- 1.13.0-rc3
- 1.13.0-rc2
- 1.13.0-rc1
- 1.13.0-rc0
- 1.13.0
- 1.12.9
- 1.12.8
- 1.12.7
- 1.12.6
- 1.12.5
- 1.12.4
- 1.12.3
- 1.12.2
- 1.12.19
- 1.12.18
- 1.12.17
- 1.12.16
- 1.12.15
- 1.12.14
- 1.12.13
- 1.12.12
- 1.12.11
- 1.12.10
- 1.12.1
- 1.12.0-rc3
- 1.12.0-rc2
- 1.12.0-rc1
- 1.12.0-rc0
- 1.12.0
- 1.11.9
- 1.11.8
- 1.11.7
- 1.11.6
- 1.11.5
- 1.11.4
- 1.11.3
- 1.11.20
- 1.11.2
- 1.11.19
- 1.11.18
- 1.11.17
- 1.11.16
- 1.11.15
- 1.11.14
- 1.11.13
- 1.11.12
- 1.11.11
- 1.11.10
- 1.11.1
- 1.11.0-rc3
- 1.11.0-rc2
- 1.11.0-rc1
- 1.11.0-rc0
- 1.11.0
- 1.10.9
- 1.10.8
- 1.10.7
- 1.10.6
- 1.10.5
- 1.10.4
- 1.10.3
- 1.10.20
- 1.10.2
- 1.10.19
- 1.10.18
- 1.10.17
- 1.10.16
- 1.10.15
- 1.10.14
- 1.10.13
- 1.10.12
- 1.10.11
- 1.10.10
- 1.10.1
- 1.10.0-rc2
- 1.10.0-rc1
- 1.10.0-rc0
- 1.10.0
- 1.1.6
- 1.1.5
- 1.1.4
- 1.1.3
- 1.1.2
- 1.1.0
- 1.0.7
- 1.0.6
- 1.0.5
- 1.0.4
- Releases list truncated to 313 entries, 325 were omitted.
Revision | Author | Date | Message | Commit Date |
---|---|---|---|---|
e66114f | Martynas Pumputis | 15 January 2020, 14:27:23 UTC | WIP Signed-off-by: Martynas Pumputis <m@lambda.lt> | 15 January 2020, 14:27:23 UTC |
130bddf | Martynas Pumputis | 15 January 2020, 10:49:54 UTC | daemon: Replace --enable-dsr with --node-port-mode As we are planning to support multiple mutually inclusive modes for NodePort, introduce a flag to store them. Also, re-use the flag for enabling the DSR option. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 15 January 2020, 10:49:54 UTC |
04c6f1d | Martynas Pumputis | 10 January 2020, 16:56:06 UTC | test: Fix DatapathConfiguration tests when running on >2 nodes Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
c31b62d | Martynas Pumputis | 10 January 2020, 16:31:46 UTC | test: Improve indentation of kubeproxy-free tests Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
5dd1114 | Martynas Pumputis | 10 January 2020, 16:06:14 UTC | test: Run curl from k8s3 instead of client-from-outside container Previously, we ran curl from the "client-from-outside" container in the tests which required sending requests from a third host. We simulated the third host by running a container ("client-from-outside") in a Docker network which was not managed by Cilium. Unfortunately, requests sent to a NodePort service from the container were handled by bpf_sock.c which prevented from testing the NodePort implementation in bpf_netdev.c. Fix it by introducing a "real" host, and run curl from it. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
b0db339 | Martynas Pumputis | 10 January 2020, 15:56:54 UTC | test: Run k8s1-1.11 net-next on 3 VMs This is going to be needed by some k8sT/Services.go tests. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
f338bdc | Martynas Pumputis | 09 January 2020, 11:40:15 UTC | test: Allow provisioning arbitrary number of VMs Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
5bb6748 | Martynas Pumputis | 08 January 2020, 10:55:07 UTC | nat: GC NAT entries created by DSR In the case of DSR, the following CT and NAT entries are created on a host which runs a service endpoint and to which a client request is forwarded: * NAT: endpoint -> client (XLATE_SRC aka TUPLE_F_OUT) * CT: client -> endpoint (TUPLE_F_IN) Previously, the CT GC ignored NAT entries when a corresponding CT entry was of the TUPLE_F_IN type. Therefore, the DSR NAT entries could not have been collected. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
ded49cc | Martynas Pumputis | 23 December 2019, 17:36:11 UTC | test: Schedule test-nodeport-local pod on k8s2 For the DSR test case, we need to schedule the test-k8s2 (prev. test-k8s1) pod on k8s2. Otherwise, a request from the client-from-outside Docker container running on k8s1 to the pod via k8s2 (sending via k8s1 does not test the DSR) would be dropped by the kernel due to a routing loop detection mechanism: 1) k8s2 recv: client-from-outside (192.168.10.10) @ k8s1 -> k8s2:NodePort 2) k8s2 fwd to k8s1: client-from-outside (192.168.10.10) @ k8s1 -> Pod @ k8s1 3) k8s1 recv the packet on enp0s8, and has a route "192.168.10.0/24 dev $DOCKER_BRIDGE" <- kernel detects a potential loop. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
2fdfb91 | Martynas Pumputis | 19 December 2019, 17:16:57 UTC | test: Add DSR IPv4 integration tests Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:16 UTC |
d6a7fcb | Martynas Pumputis | 22 October 2019, 12:51:04 UTC | datapath: Add DSR for NodePort BPF IPv4 This commit adds a direct server return (DSR) support for the NodePort BPF for IPv4 and in the direct routing mode. The main idea of DSR is to avoid SNAT'ing an original request sent to an LB, so that a backend could directly reply to a client (the originator of the request) and the original source IP could be preserved. To achieve this, we introduce a new IPv4 option which stores a NodePort service IP and port number. The option is set by bpf_netdev running on a public iface of an intermediate node which received the original request. Once the option has been set, the request (the dst IP addr of the request is DNAT'd to the backend IP addr) is forwarded to a node running the backend. After receiving the fwd'd request, bpf_lxc of the backend parses the option, stores the svc addr:port in the NAT table and sets the "dsr" bit in a CT entry. When sending a reply to the client, bpf_lxc finds out that the "dsr" bit was set, does a lookup in the NAT table to find the mapping, and finally rewrites the source addr and port to the svc addr and port. The current approach has a shortcoming that if the request size is > (MTU - 8bytes), the request will be dropped after we append the IPv4 option. To partially solve this, in the case of TCP we set the option only for SYN packets which should have an empty payload. However, the problem still exists for TCP with SYN cookies and UDP packets. For those cases, a client needs to decrease its MTU by 8bytes. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 15:10:10 UTC |
d16ebad | Martynas Pumputis | 22 October 2019, 12:41:46 UTC | helm: Add global.nodePort.dsr Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 14:09:25 UTC |
83d2199 | Martynas Pumputis | 22 October 2019, 12:41:13 UTC | daemon: Add --enable-dsr param The param is used to enable direct server return (DSR) for the NodePort BPF. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 14:09:25 UTC |
2fbeebc | André Martins | 16 December 2019, 15:58:43 UTC | docs: remove disable container runtime documentation Since container runtime integration has been removed from Cilium, we can remove this part of the documentation as well. Signed-off-by: André Martins <andre@cilium.io> | 14 January 2020, 12:54:54 UTC |
46141ff | Martynas Pumputis | 13 January 2020, 14:28:12 UTC | bpf: Compile bpf_netdev.c with build permutations Add a make target for bpf_netdev.c to compile it against permutations of the most common options. Helps to catch bpf_netdev.c compile errors faster than waiting until cilium-agent -> bpf/init.sh returns them. Signed-off-by: Martynas Pumputis <m@lambda.lt> | 14 January 2020, 12:40:41 UTC |
c4c4596 | Daniel Borkmann | 13 January 2020, 21:30:08 UTC | docs, minor: update mailmap and authors file Given we're doing misc doc updates, also do a round of AUTHORS file sync. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 14 January 2020, 08:52:38 UTC |
b439f53 | Daniel Borkmann | 13 January 2020, 20:29:21 UTC | docs: slightly improve USERS.md description - Move example entry into 'Adding yourself as a user' section - Add optional 'L:' with link for further information - Fix typo ClusteMesh - Fix underline for 'Users' title - Link to Cilium Slack community Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 14 January 2020, 08:52:38 UTC |
4f7e033 | Laurent Bernaille | 13 January 2020, 15:12:09 UTC | Add Datadog to users Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com> | 13 January 2020, 19:48:46 UTC |
a8c6834 | André Martins | 13 January 2020, 17:26:28 UTC | README: update weekly meeting hours Signed-off-by: André Martins <andre@cilium.io> | 13 January 2020, 18:22:48 UTC |
dd38573 | Thomas Graf | 13 January 2020, 13:20:59 UTC | eni: Fix releases of excess IPs The release of excess IPs has been incorrect due to not taking into account the max-above-watermark limit in combination with min-allocate. This bug was hidden in the unit test as min-allocate was set to a value equal to the max IP limit of the interface which rendered the value of max-above-watermark (4) to never be taken into account as min-allocate had already maxed out the interface limit. Fix the calculation of excess IPs to never fall below min-allocate + max-above-watermark and change the unit tests to cover this scenario. This fixes a bug where IPs would always be immediately released again if min-allocate was greater than pre-allocate and the number of used IPs did not make up for that gap. Signed-off-by: Thomas Graf <thomas@cilium.io> | 13 January 2020, 18:16:29 UTC |
43be0e6 | Dharma Bellamkonda | 12 January 2020, 01:03:00 UTC | Update USERS.md Signed-off-by: Dharma Bellamkonda <dharma.Bellamkonda@gmail.com> | 13 January 2020, 18:15:54 UTC |
8e24b5a | Martynas Pumputis | 13 January 2020, 13:56:52 UTC | datapath: Return err if default route is not found Previously, cilium-agent was panicking if no default route was found: panic: runtime error: index out of range [0] with length 0 goroutine 1 [running]: github.com/cilium/cilium/pkg/datapath/linux/route.lookupDefaultRoute(0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...) /go/src/github.com/cilium/cilium/pkg/datapath/linux/route/route.go:104 +0x445 To fix this, return an error instead. Fixes: 63297f3085 ("cilium, daemon: fix device detection for default route") Signed-off-by: Martynas Pumputis <m@lambda.lt> | 13 January 2020, 16:21:43 UTC |
e490829 | Daniel Borkmann | 13 January 2020, 13:36:30 UTC | cilium: slightly improve bpf lb flags output Before: # ./cilium/cilium bpf lb list SERVICE ADDRESS BACKEND ADDRESS 8.8.8.8:30003 0.0.0.0:0 (3) [FLAGS: NONE] 10.12.164.240:80 (3) 8.8.8.8:30002 0.0.0.0:0 (2) [FLAGS: NodePort] 10.12.164.240:80 (2) 8.8.8.8:30001 10.12.164.240:80 (1) 0.0.0.0:0 (1) [FLAGS: ExternalIPs] After: # ./cilium/cilium bpf lb list SERVICE ADDRESS BACKEND ADDRESS 8.8.8.8:30003 0.0.0.0:0 (3) [ClusterIP] 10.12.164.240:80 (3) 8.8.8.8:30002 0.0.0.0:0 (2) [NodePort] 10.12.164.240:80 (2) 8.8.8.8:30001 10.12.164.240:80 (1) 0.0.0.0:0 (1) [ExternalIPs] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 13 January 2020, 16:08:37 UTC |
b4e0402 | Daniel Borkmann | 13 January 2020, 10:17:00 UTC | bpf, nodeport: add nodeport flag to nodeport services Similar to ExternalIPs add a NodePort flag to services in order to distinguish NodePort exposed services vs ClusterIP ones and reject bogus requests from outside trying to reach ClusterIP ones. Similarly, assert in bpf_sock that the second lookup is really a NodePort service. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 13 January 2020, 16:08:37 UTC |
acfc27e | Daniel Borkmann | 13 January 2020, 09:40:22 UTC | bpf, external ip: always build in external ip check logic Simplify the ifdef hackery to always build-in the code that checks on external ip. Latter is also needed for follow-up code in NodePort; we can compile out the actual check for svc->external when it is disabled. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 13 January 2020, 16:08:37 UTC |
cc100d0 | Robin Hahling | 13 January 2020, 09:09:57 UTC | SECURITY.md: update versions of supported releases Current supported versions are 1.6, 1.5 and 1.4. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 13 January 2020, 13:43:55 UTC |
4f6184b | Eric Bailey | 10 January 2020, 18:54:35 UTC | USERS.md: add Sportradar Signed-off-by: Eric Bailey <e.bailey@sportradar.com> | 11 January 2020, 14:41:15 UTC |
6426c86 | Daniel Borkmann | 10 January 2020, 19:03:29 UTC | bpf, external ip: fix service xlation for containers We need to compile the service lookup back in for bpf_lxc when in the config ENABLE_EXTERNAL_IP is set. Reason is that for !local IPs we correctly bypass the xlation in the host ns, but given BPF cgroups hook is not ns aware, it's also bypassed for containers which is not the behavior of iptables based kube-proxy. Therefore, the only way to fix it is to rely in this case on the veth ingress hook and finalize the external IP xlation there. Spotted by Andre's amazing kube-proxy test suite. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 23:02:13 UTC |
4ac28ce | Daniel Borkmann | 10 January 2020, 18:58:59 UTC | bpf: make bpf_sock REMOTE_NODE_ID aware Retain the same behavior when remote node IDs are enabled in order to retain xlation of i) NodePort services at the node as well as ii) external IP entries. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 23:02:13 UTC |
6ac70c8 | Daniel Borkmann | 10 January 2020, 17:26:46 UTC | bpf: fix sock6_xlate when not all host service protocols are enabled We have the case in v4, and the v6 one got accidentally removed in commit 2bf35ed2f2a0 ("add correct implementation of k8s externalIPs in datapath"). Restore it back. Fixes: 2bf35ed2f2a0 ("add correct implementation of k8s externalIPs in datapath") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 23:02:13 UTC |
19b18f2 | Daniel Borkmann | 10 January 2020, 16:07:12 UTC | bpf, misc, trivial: cleanup external service naming The BPF datapath is not and should not be aware of any k8s details, thus drop the k8s from external IP name. Also, we'll add nodeport bit next, which would otherwise need to have a k8s_nodeport name. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 23:02:13 UTC |
33f32a0 | Jarno Rajahalme | 09 January 2020, 23:06:25 UTC | policy: Do not merge rules for reserved:none toFQDN currently translates to "reserved:none" as an endpoint selector. Apparently this is needed due to logic requiring that the list of endpoint selectors be not empty. This has the side-effect that we currently create also populate and merge rules for the cached selector for "reserved:none". This merging currently fails if any of the TLS details for the to-be-merged rules are different, as in the case of terminating TLS for two different domain names. As the first level fix, skip merging rules for a cached selector representation of "reserved:none". Longer term we should seek solutions where "reserved:none" would not be used in the first place. Change the TLS CI test to use two different domain names. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
718637f | Jarno Rajahalme | 09 January 2020, 23:06:24 UTC | test: TLS test with swapi.co Change the TLS toFQDN test to use 'swapi.co' instead of 'www.lyft.com' Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
d97c95b | Jarno Rajahalme | 09 January 2020, 23:06:24 UTC | test: Use more TLS client CA certs Use a newly generated 'testCA' for signing TLS interception certificates. Passphrase for the 'testCA' key is 'cilium'. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
cabf83c | Jarno Rajahalme | 09 January 2020, 23:06:23 UTC | crypto: Add local GetSecrets(). Factor out code reading secrets from the local file system or k8s to GetSecrets(). This cleans up the code and allows the same semantics to be used to getting secret strings as for TLS contexts. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
998c07a | Jarno Rajahalme | 09 January 2020, 23:06:24 UTC | envoy: Increase max log token length to 1MB Long log lines may stop the Envoy log scanner within cilium-agent. Increase the max token size from the default 64kB to 1MB to be safe, but note that such long logs should normally not happen. Signed-off-by: Jarno Rajahalme <jarno@colalent.io> | 10 January 2020, 22:09:27 UTC |
abc1e9b | Jarno Rajahalme | 10 January 2020, 00:13:42 UTC | daemon: Increase default max DNS policy update wait time from 50 to 100ms CI tests fail due to policy updates to Envoy taking longer than 50 ms. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
f8ea5cf | Jarno Rajahalme | 09 January 2020, 23:06:25 UTC | envoy: Avoid logging policy Policy can contain sensitive information, so avoid logging it. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
f081e20 | Jarno Rajahalme | 09 January 2020, 23:06:23 UTC | Dockerfile: Use fixed Envoy image Use Envoy image with fixed upstream SNI support for the original destination cluster & reduced logging. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 10 January 2020, 22:09:27 UTC |
88b012a | Daniel Borkmann | 10 January 2020, 15:18:16 UTC | cilium: use %v for dumping frontend struct on error Lets not pretend we try to make users happy with small Haikus on service update errors. ;-) The U+7532 is dumped due to the service port: # ./cilium/cilium service update --frontend "8.8.8.8:30002" --backends "10.12.164.240:80" --id 3 Updating existing service with id '3' Error: Cannot add/update service: [PUT /service/{id}][500] putServiceIdFailure Unable to allocate service ID 3 for {{"8.8.8.8" {"TCP" '甲'}} '\x03'}: Service ID 3 is already registered to "192.168.178.29:30002" Use %v instead of %q format string to fix it: # ./cilium/cilium service update --frontend "8.8.8.8:30002" --backends "10.12.164.240:80" --id 3 Updating existing service with id '3' Error: Cannot add/update service: [PUT /service/{id}][500] putServiceIdFailure Unable to allocate service ID 3 for {{8.8.8.8 {TCP 30002}} 3}: Service ID 3 is already registered to "192.168.178.29:30002" Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 19:25:18 UTC |
63297f3 | Daniel Borkmann | 10 January 2020, 14:17:11 UTC | cilium, daemon: fix device detection for default route I noticed on one of my test machines that the agent refuses to start up when IPv6 and NodePort gets enabled: [...] level=info msg=" - !:pod-template-generation" subsys=labels-filter level=info msg=" - !:pod-template-hash" subsys=labels-filter level=info msg=" - !:controller-revision-hash" subsys=labels-filter level=info msg=" - !:annotation.*" subsys=labels-filter level=info msg=" - !:etcd_node" subsys=labels-filter level=info msg="Auto-enabling host reachable services for UDP and TCP as required by BPF NodePort." subsys=daemon level=fatal msg="BPF NodePort's external facing device could not be determined. Use --device to specify." error="Found (2) default routes" subsys=daemon # Turns out in case of IPv6 the machine had the same route but different MTU metric: # ip -6 r | grep default default via fe80::9a9b:cbff:fe05:1eae dev eno1 proto ra metric 100 mtu 1492 pref medium default via fe80::9a9b:cbff:fe05:1eae dev eno1 proto ra metric 1024 pref medium # ip -4 r | grep default default via 192.168.178.1 dev eno1 proto dhcp src 192.168.178.28 metric 100 Fix the detection to walk and check all ifindices wrt whether they are equal, and if that is the case then proceed normally. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 18:53:09 UTC |
e45140c | Daniel Borkmann | 10 January 2020, 13:49:31 UTC | bpf: simplify error codes for connect/sndmsg/rcvmsg progs Noticed that the v6 UDP sendmsg prog had CONNECT_PROCEED instead of SENDMSG_PROCEED. In the end they end up with the same code, but lets get rid of the different defines and have a single SYS_PROCEED and SYS_REJECT. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 17:19:00 UTC |
f0de246 | Daniel Borkmann | 10 January 2020, 10:56:57 UTC | bpf: fix regular service lookup in nodeport range for host services Rework and simplify the externalIP handling code in BPF cgroup progs in order to also handle the case of a regular ClusterIP service where its exposed port sits in the NodePort range. Right now, connectivity fails for such corner case since we always assume NodePort in this range. Therefore, i) do the regular non-wildcarded lookup always in the first step to cover externalIP, ClusterIP and a part of the NodePort lookup on public/private interface and only if nothing is found there, perform the wildcarded lookup for covering the rest of the NodePort cases (other, local IPs and loopback IP). Reported-by: Andre Martins <andre@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 10 January 2020, 17:19:00 UTC |
2b8e26c | Vlad Ungureanu | 09 January 2020, 22:14:16 UTC | Add Palantir Technologies to USERS.md Signed-off-by: Vlad Ungureanu <vladu@palantir.com> | 09 January 2020, 22:21:54 UTC |
f45ca16 | ap4y | 07 January 2020, 00:52:58 UTC | Add cilium-monitor sidecar container for agent pods Cilium debugging across a cluster involves running cilium monitor manually on every node of the cluster. This MR introduces optional monitor sidecar container for agent's daemon set. This will simplify monitor startup across a cluster and will expose monitor event to the 'kubectl logs'. Monitor container is disabled by default (monitor.enabled), event types can be adjusted via monitor.eventTypes. Signed-off-by: Arthur Evstifeev <aevstifeev@gitlab.com> | 08 January 2020, 22:47:38 UTC |
3382082 | André Martins | 08 January 2020, 15:39:27 UTC | docs: fix kubernetes configmap The ConfigMap is not correctly formatted. This commit fixes it so that users won't have problems using this configuration as an example for their setups. Signed-off-by: André Martins <andre@cilium.io> | 08 January 2020, 20:00:04 UTC |
ad6fed8 | Daniel Borkmann | 08 January 2020, 13:47:42 UTC | bpf, nat: clamp original source port into dest nat range If a source port has been selected by the remote which is not in our destination NAT range, we need to clamp it. Spotted by Martynas. Also add v6 support for 0d5062e99cfb ("bpf, nat: initially try snat by preserving source port"). Fixes: 0d5062e99cfb ("bpf, nat: initially try snat by preserving source port") Reported-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 08 January 2020, 17:55:18 UTC |
89aee18 | Daniel Borkmann | 08 January 2020, 12:11:23 UTC | identity: require global identity for empty labels On recent master, I noticed that there's a lack of connectivity when going over vxlan tunnel. Git bisection pointed me to commit 28dc941544f1 ("bpf: Map HOST_ID to REMOTE_NODE_ID when encapsulating"). After a closer look, it turns out however that 28dc941544f1 itself does nothing wrong, and for tunnel ID the reserved REMOTE_NODE_ID was properly set for traffic going out of the node via curl from hostns. However, the packets got dropped due to the identity == HOST_ID check on replies even though they are originating from a remote container. Turns out those containers had identity of 16777217 which is 0b100000000000000000000001 and therefore get truncated in case of vxlan tunnel id since it's 24 bits width. Moreover, packets with such 0dab1b63b87c ("identity: Introduce local scope for numeric identity") identity are only for local scope and not destined to leave the node. Turns out for empty labels f3bbcd8e886d ("identity: Use local identities to represent CIDR") RequiresGlobalIdentity() returns false which is not correct; fix gets connectivity working again. Fixes: f3bbcd8e886d ("identity: Use local identities to represent CIDR") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 08 January 2020, 17:38:59 UTC |
6c23f97 | Jarno Rajahalme | 03 January 2020, 22:30:16 UTC | policy/api: Factor out Secret.Equal() Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 08 January 2020, 15:47:34 UTC |
78dcf61 | Jarno Rajahalme | 03 January 2020, 22:29:23 UTC | tls: Fix comments and logging Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 08 January 2020, 15:47:34 UTC |
9a6c605 | Jarno Rajahalme | 03 January 2020, 22:27:44 UTC | k8s: Make secret name and TLS context secret required policy fields. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 08 January 2020, 15:47:34 UTC |
fa34e8f | Jarno Rajahalme | 03 January 2020, 22:26:13 UTC | crypto: Simplify error handling in certificatesmanager. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 08 January 2020, 15:47:34 UTC |
aab7482 | Ray Bejjani | 09 December 2019, 14:50:26 UTC | CI: On EKS, skip K8sServicesTest Bookinfo Demo Ingress proxying doesn't work when chaining, and so won't work on EKS. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
51af00c | Ray Bejjani | 09 December 2019, 14:18:53 UTC | CI: On EKS, skip K8sServicesTest Checks service across nodes with L7 policy Ingress proxying doesn't work when chaining, and so won't work on EKS. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
22ee8bb | Ray Bejjani | 30 November 2019, 21:36:46 UTC | CI: On EKS, skip cilium-health --probe endpoint-endpoint checks fail, and the healthcheck --probe will do that. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
2409974 | Ray Bejjani | 26 November 2019, 14:00:41 UTC | CI: On EKS, skip cilium-health test cilium-health probe doesn't work when chaining, such as on flannel & EKS. The health test cannot pass in this case, and should be skipped. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
ba531da | Ray Bejjani | 29 November 2019, 11:06:55 UTC | CI: Refactor SkipIfFlannel to handle any integration We need to skip tests for various reasons, often predicated on the integration chosen. For the common case of "skip if we're running with integration X" the `SkipIf` function is a simple and clean way to indicate this. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
6604570 | Ray Bejjani | 26 November 2019, 17:25:12 UTC | CI: Add GetNodeIPByLabel helper Some tests need the node's IP but this can change based on the test environment. We can derive these easily instead of hard-coding them. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
11bb75d | Ray Bejjani | 29 November 2019, 12:58:07 UTC | CI: Add GetNodeNameByLabel helpers We switched to labelling nodes instead of using fixed names to facilitate varied testing environments. These functions help with lookups when trying to run on a specific node. Signed-off-by: Ray Bejjani <ray@isovalent.com> | 08 January 2020, 13:20:03 UTC |
0d5062e | Daniel Borkmann | 06 January 2020, 17:15:31 UTC | bpf, nat: initially try snat by preserving source port Originally we moved the prandom call out of the unrolled port collision loop in order to reduce verifier complexity but it seems better if we first try to preserve as much as possible before doing any rewrites. For latter we need to reduce the retry loop on older kernels when v4 + v6 is enabled as a trade-off between 4.19.57 and 5.3. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 07 January 2020, 10:51:16 UTC |
0c01497 | Michal Rostecki | 24 December 2019, 12:59:38 UTC | bpf: Remove unused BPF feature probes/macros The following macros were used in the old implementation of load balancer, but are not used anymore: - HAVE_MAP_VAL_ADJ - HAVE_MARK_MAP_VALS Also, those feature are available in kernel 4.9+, which is already required for running Cilium. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> | 06 January 2020, 16:20:50 UTC |
e270c23 | Thomas Graf | 06 January 2020, 14:06:10 UTC | Adding USERS directory to create a list of Cilium users Sharing experiences and learning from other users is important. We are frequently asked who is using a particular feature of Cilium in order to get in contact with other users of a particular features to share experiences and best-practices. While the Slack community allows users to get in touch, it can be challenging to quickly find users of a particular feature. Signed-off-by: Thomas Graf <thomas@cilium.io> | 06 January 2020, 15:40:57 UTC |
353a20c | Joe Stringer | 23 December 2019, 18:00:50 UTC | test: Make helm fetch more quiet Recent CI builds have consumed as many as 4300 lines of CLI output per attempt to download the helm client, over the course of about 6 seconds. Use the `-nv` (no verbose) option to quieten this output to only info/error/warnings; converts into about one line of output: $ wget -nv https://get.helm.sh/helm-v2.14.2-linux-amd64.tar.gz 2019-12-23 10:00:32 URL:https://get.helm.sh/helm-v2.14.2-linux-amd64.tar.gz [26534215/26534215] -> "helm-v2.14.2-linux-amd64.tar.gz" [1] Signed-off-by: Joe Stringer <joe@cilium.io> | 02 January 2020, 21:37:28 UTC |
d7ff1c8 | Thomas Graf | 27 December 2019, 15:21:15 UTC | operator: Only start kvstore GC if kvstore is enabled The log line indicating the kvstore GC has been started is confusing if kvstore mode is not enabled. Signed-off-by: Thomas Graf <thomas@cilium.io> | 27 December 2019, 17:59:48 UTC |
8c2247d | Thomas Graf | 27 December 2019, 15:14:34 UTC | operator: Improve identity GC logging No log line indicated whether the CRD identity GC has been started or not. Signed-off-by: Thomas Graf <thomas@cilium.io> | 27 December 2019, 17:59:48 UTC |
0b27e79 | Thomas Graf | 18 December 2019, 16:29:32 UTC | helm: Enable remote-node identity for all new deployments by default Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
87eeaa2 | Thomas Graf | 20 December 2019, 13:20:32 UTC | bpf: Prohibit the IPv6 flowlabel transport to represent HOST_ID The existing codepath was already never presenting HOST_ID as the source identity and with the introduction of REMOTE_NODE_ID, this is guaranteed to be impossible. Drop such packets with an appropriate error code. Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
28dc941 | Thomas Graf | 18 December 2019, 16:29:32 UTC | bpf: Map HOST_ID to REMOTE_NODE_ID when encapsulating When encapsulating to other nodes, any traffic originating from the local host must be presented as remote node traffic as it is being received. Therefore, map any use of HOST_ID to REMOTE_NODE_ID. Consequently, drop any traffic received as HOST_ID in bpf_overlay. Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
bbfabcf | Thomas Graf | 18 December 2019, 16:29:32 UTC | node: Assign remote node identity to all node IPs Node IPs other than the Cilium internal IPs were only added to the ipcache so far when encryption was enabled. This commit adds all node IPs to the ipcache and assign the correct node identity. The code is cleaned up while doing so. `n.GetNodeIP(false)` always returns the IPv4 node address and is not dependent on the current address while iterating over all node addresses. Calling it inside the loop is therefore unnecessary as the result is always the same. Similarly, the `nodeIP4` variable is redundant as the nodeIP is always an IPv4 address anyway. Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
becf7dd | Thomas Graf | 18 December 2019, 16:29:32 UTC | policy: Add remote-node entity This allows matching remote nodes with a policy entity. Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
975f7b7 | Thomas Graf | 18 December 2019, 16:29:32 UTC | node: Use remote-node identity when enabled Assign the new remote-node identity to all remote hosts if the option is enabled. The option is disabled by default as it has the potential to change existing policy rules where users are relying on the behavior that allowing from the host will allow traffic from all hosts in the cluster. Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
702913d | Thomas Graf | 18 December 2019, 16:29:32 UTC | policy: Introduce reserved identity for remote cluster nodes Signed-off-by: Thomas Graf <thomas@cilium.io> | 26 December 2019, 14:10:06 UTC |
70c2eae | dhsathiya | 24 December 2019, 10:23:59 UTC | Fix table markdown spacing issue Columns on row 3 of the table were not getting separated due to it. Signed-off-by: dhsathiya <devarshisathiya5@gmail.com> | 24 December 2019, 11:53:43 UTC |
6b784d8 | Ray Bejjani | 20 December 2019, 14:02:35 UTC | daemon: Upgrade spf13/viper We began using .IsSet to handle --tofqdns-min-ttl=0 invocations but older viper versions always returned true from this function. This then caused the default value to never be used, instead using the 0 default used when initializing the variable. fixes 078f19d6b52ebc099edc2ed2a48a25818b6e4a56 Signed-off-by: Ray Bejjani <ray@isovalent.com> | 23 December 2019, 17:20:39 UTC |
da34687 | Jarno Rajahalme | 12 December 2019, 17:21:22 UTC | k8s: TLS testing Add simple TLS test to access an external resource via the proxy. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
32b3025 | Jarno Rajahalme | 12 December 2019, 17:21:22 UTC | test: Add runtime test for imposing an HTTP header Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
13db448 | Jarno Rajahalme | 12 December 2019, 17:24:26 UTC | policy: Add API for actions on header mismatches Allow replacing logging, deleting, adding, and replacing mismatching headers. Now that we can have rules with side-effect, we must track if HTTP rules can be short circuited. If no rules have side-effects, then the policy evaluation can be stopped as soon as a decision to pass traffic has been found. If rules include side-effects, we must evaluate all applicable rules. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
c8f4b5b | Jarno Rajahalme | 12 December 2019, 17:21:21 UTC | policy: Map Envoy HTTP rules when translating policy Supporting secrets is easier if we translate HTTP policies while in the policy computation context. Translating HTTP policies earlier also reduces unnecessary work of re-translating them when policy remains but IDs change. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
7393662 | Jarno Rajahalme | 12 December 2019, 17:21:21 UTC | policy: Translate TLS contexts into PerEpData Resolve TLS contexts earlier in the process. Get the default namespace from the security identity rather than the rule. This allows for a default namespace to be well defined even if none of the rules have a namespace label. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
c17f5c2 | Jarno Rajahalme | 12 December 2019, 17:21:20 UTC | policy: Add PolicyContext Add PolicyContext, a collection of references to resources needed during policy computation. Initially this holds just a SelectorCache, but later commits will add more items without then needing to update and bloat all the function prototypes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 20 December 2019, 15:46:59 UTC |
8610686 | Jarno Rajahalme | 12 December 2019, 17:21:20 UTC | api: Add API support for k8s secrets Add API definitions for k8s secrets and plumb them into Envoy policy updates. Add certificate manager to find certificates either locally or in k8s Map keys "tls.key" and "tls.crt" are used for the private key and the certificate, respectively, when creating a TLS secret like so: $ kubectl create secret tls test-tls --key="file1" --cert="file2" Support explicit overrides for the default item names. If given, these must be found. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io> | 20 December 2019, 15:46:59 UTC |
1371911 | André Martins | 12 December 2019, 17:21:19 UTC | pkg/k8s: add wrapper to get k8s secrets Signed-off-by: André Martins <andre@cilium.io> | 20 December 2019, 15:46:59 UTC |
60a846b | Jarno Rajahalme | 12 December 2019, 17:21:19 UTC | option: add 'certificates-directory' option to look for TLS certificates This option will set the root certificate used to search for TLS certificates defined in a CNP for L7 TLS policy enforcement. Signed-off-by: André Martins <andre@cilium.io> | 20 December 2019, 15:46:59 UTC |
7721c8a | Joe Stringer | 16 December 2019, 14:00:59 UTC | docs: Describe cluster restriction to CIDR policy Describe the restrictions of which traffic CIDR- and DNS-based policies apply in a bit more detail. Signed-off-by: Joe Stringer <joe@cilium.io> | 20 December 2019, 10:21:56 UTC |
b78e761 | Joe Stringer | 16 December 2019, 10:07:59 UTC | docs: Fix reference to init id with k8s With the kubernetes Cilium CNI, the labels are typically fetched during endpoint creation, so the lifecycle text here was a bit out-of-date. Fix it up to be more clear in which cases the init identity is used, and reference it from the relevant code. Signed-off-by: Joe Stringer <joe@cilium.io> | 20 December 2019, 10:21:56 UTC |
5430481 | Sebastian Wicki | 19 December 2019, 22:46:48 UTC | test: Extend externalTrafficPolicy=Local tests Adds an additional check for NodePort services with externalTrafficPolicy=Local where only a single node is running a service endpoint. Therefore, we test that only direct connections to that node will succeed, while any requests to a node without a local backend are dropped. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 20 December 2019, 10:16:00 UTC |
78e3c9b | Sebastian Wicki | 19 December 2019, 22:46:48 UTC | lbmap: Include services without backends in DumpServiceMaps This changes the behavior of DumpServiceMaps to include services without any backends. This is required when DumpServiceMaps is used to restore services in the service cache. Without this change, services without any backends (e.g. NodePort services with externalTrafficPolicy=Local) will not be restored from the datapath and are consequently not garbage collected once cilium-agent recognizes that these services have been removed from Kubernetes. This commit therefore fixes a case where the Cilium CI status preflight check fails to pass, as the lbmap contains such leftover entries. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 20 December 2019, 10:16:00 UTC |
51a1f21 | Joe Stringer | 18 December 2019, 17:03:45 UTC | release: Add guardrails for mixing releases As a sanity check, make sure that the cilium source directory that is being used to generate the release specifies the same version as the one being specified on the uploadrev commandline. Signed-off-by: Joe Stringer <joe@cilium.io> | 20 December 2019, 06:08:42 UTC |
3cc2e51 | Joe Stringer | 18 December 2019, 16:45:10 UTC | release: Fix helm chart paths Store the helm chart artifacts in a release-specific directory so we don't have to upload all resources each time if a particular maintainer reuses the same directory; and ensure that the helm template files are pulled from $CILIUM_SOURCE rather than the current directory. Signed-off-by: Joe Stringer <joe@cilium.io> | 20 December 2019, 06:08:42 UTC |
07b9cba | Joe Stringer | 18 December 2019, 16:46:19 UTC | release: Print SHAs for helm chart artifacts Signed-off-by: Joe Stringer <joe@cilium.io> | 20 December 2019, 06:08:42 UTC |
2e6e8d1 | Michal Rostecki | 18 December 2019, 23:14:20 UTC | datapath: Use the new probes module Use the new `probes` module for checking BPF features in the kernel configuration. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> | 20 December 2019, 06:06:09 UTC |
6c98e94 | Michal Rostecki | 18 December 2019, 22:29:54 UTC | datapath: New package `probes` with BPF checks based on bpftool This change introduces the new package `pkg/datapath/linux/probes` which uses BPF feature probes from bpftool in JSON format. In the current shape, it handles kernel feature probes with the public function `SystemConfigProbes`. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> | 20 December 2019, 06:06:09 UTC |
512d948 | Michal Rostecki | 18 December 2019, 22:21:22 UTC | bpf: Remove old kernel probes This change removes old kernel probes from run_probes.sh. Kernel probes are going to be implemented in Go and are going to use bpftool. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> | 20 December 2019, 06:06:09 UTC |
2854434 | Maciej Kwiek | 05 December 2019, 15:52:31 UTC | [CI] parallel image build and cluster setup for eks Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 19 December 2019, 16:15:54 UTC |
ba85129 | Valas Valancius | 15 December 2019, 22:13:21 UTC | test: Add conntrack entry timeout validation tests. Partially fixes #9303. Signed-off-by: Valas Valancius <valas@google.com> | 19 December 2019, 12:40:42 UTC |
7acf046 | ap4y | 16 December 2019, 01:45:28 UTC | Improve nodeinit uninstalls by reverting nodeinit changes Uninstalls are not well supported by the nodeinit and require manual operations on each node of a cluster. This patch introduces optional preStop hook to the nodeinit containers that will revert changes made on start. Changes to the nodeinit's helm chart: - Add new variable 'nodeinit.revertReconfigureKubelet', defaults to false - If enabled preStop hook will be installed to revert changes made by nodeinit Signed-off-by: Arthur Evstifeev <aevstifeev@gitlab.com> | 18 December 2019, 16:28:21 UTC |
999ba19 | Sebastian Wicki | 16 December 2019, 16:36:18 UTC | docs: externalTrafficPolicy is now supported by BPF NodePort Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 18 December 2019, 15:24:24 UTC |
5922546 | Sebastian Wicki | 16 December 2019, 16:34:49 UTC | test: Add BPF NodePort externalTrafficPolicy=Local tests This tests externalTrafficPolicy=Local in BPF NodePort with both vxlan and direct routing mode. A new context is added to share the setup of the Cilium deployment in either mode. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 18 December 2019, 15:24:24 UTC |
b46078c | Sebastian Wicki | 16 December 2019, 16:26:03 UTC | service: Add support for externalTrafficPolicy=Local This adds a new TrafficPolicy field to Cilium's service representation and implements the "Local" traffic policy. When externalTrafficPolicy is set to Local, only backends where the node name matches the current node are selected and added to the BPF lbmap. This check of the node name to determine local backends is the same mechanism that is also used by kube-proxy. When a service has TrafficPolicy=Local, the Cilium API only shows and accepts local backends for that service. Fixes: #8698 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 18 December 2019, 15:24:24 UTC |
e9d5079 | Sebastian Wicki | 16 December 2019, 15:40:43 UTC | k8s: Add NodeName field to backend IPs The Kubernetes EndpointAddress object contains the node name of each backend. This can be used to determine if an endpoint is local to a node. This commit adds an equivalent NodeName field to Cilium's internal representation of a service backend and populates it in the K8s watcher. The node name is not added to the ClusterService object, as a ClusterService will never be node-local. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 18 December 2019, 15:24:24 UTC |