https://github.com/cilium/cilium

Revision Author Date Message Commit Date
529115c pkg/datapath: Prefer v4 Node IP addr for NodeID allocation Previously, node IDs were meant to be allocated per node regardless of node IP addr families. However, this became problematic when running Cilium with both v4 and v6 enabled. Sometimes Cilium could have allocated two different IDs for the same node. This confused XFRM states or IPcache [1]. A proper solution is to use node name or other than node IP addr as a reference for node ID allocations. Unfortunately, it's not possible, as the node ID allocation can happen in the pkg/ipcache (see AllocateNodeID), which is not aware of node object. Because of this limitation, we could allocate node IDs per each IP family for a given node. However, CiliumEndpoint prefers IPv4 address for host IP, so IPv6 of a node is not always accessible to the pkg/ipcache. To fix the issue, let's prefer v4 node IP addr. This is the same as we do in CiliumEndpoint creation. [1]: https://github.com/cilium/cilium/issues/26114#issuecomment-1587906785 Fixes: https://github.com/cilium/cilium/pull/23202 Signed-off-by: Martynas Pumputis <m@lambda.lt> 06 July 2023, 13:17:37 UTC
cb66aef bpf: nodeport: exclude EgressGW reply logic from bpf_overlay The nodeport ingress path contains a special path that immediately redirects replies for EgressGW connections into the tunnel (bypassing the stack). This path is only required for bpf_xdp and bpf_host, exclude it from bpf_overlay. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 July 2023, 08:39:35 UTC
f0979d7 bpf: nat: exclude EgressGW logic from bpf_overlay EgressGW uses the masquerading logic in to-netdev. Avoid including these code sections in bpf_overlay. Also don't consider EgressGW in bpf_overlay when deciding whether handle_nat_fwd_ipv4() can be inlined. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 July 2023, 08:39:35 UTC
d88e1c7 bpf: nat: clean up ENABLE_MASQUERADE_* section in snat_v*_prepare_state() We only want to apply the MASQUERADE logic when snat_v*_prepare_state() is called from bpf_host (ie to-netdev). Make this a bit clearer in the code. No functional change, except that we avoid the local_ep / remote_ep handling when MASQUERADE is disabled. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 July 2023, 08:39:35 UTC
447c911 cilium: export intermediate cobra.Commands Export all cobra.Command which do not have a Run function set. This allows extending the CLI behaviour from outside the package without allowing modifications to individual commands. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 06 July 2023, 06:57:36 UTC
9876e96 .github: Remove master mirror The master mirror has been in place for a grace period now, but it appears that everyone has migrated over to the main branch. Remove the mirror workflow so we can finally retire the old branch name. Signed-off-by: Joe Stringer <joe@cilium.io> 05 July 2023, 18:40:08 UTC
31592e7 auth: optimize log output for pending auth This commit optimizes the log output by giving insights when an authentication request is skipped due to a pending auth request. Without this log entry, it might be quite irritating why so many auth requests are logged without further insights. In addition, a log output is added when the pending auth is cleared. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 05 July 2023, 16:13:00 UTC
76d6d42 relicense test/bpf/unit_test.c to not be GPL Closes: #26598 Signed-off-by: Mathis Joffre <51022808+Joffref@users.noreply.github.com> 05 July 2023, 16:12:25 UTC
a0b6b5b add links to support and slack in issue templates add links to support and slack in issue template Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> 05 July 2023, 14:30:50 UTC
5d2fd29 datapath/connector: remove unused SetupVethRemoteNs return values These are always 0 and are not used by the only caller. Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
a34322b datapath/connector: remove unused Endpoint2TempRandIfName The function is unused since commit c3adaec9dc06 ("Remove IPVLAN code"). Also remove the now unused rand.RandomLowercaseStringWithLen function. Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
53bd04f datapath/connector: declare variables in a more idiomatic manner Remove yet another C89 style "variable declaration block". Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
9228087 datapath/connector: rename SetupVethWithNames parameter Rename tmpIfName to peerIfName. The interface name might not be temporary depending on the function's call site. Also remove mention of the inexistent link name return value from the godoc comment. Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
640e2e5 plugins/cilium-cni: declare variables in a more idiomatic manner Follow commit 0e4c3b28adee ("cni: Declare variables in a more idiomatic manner") and remove another C89 style "variable declaration block". Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
366a260 plugins/cilium-cni: check for IPv4 or IPv6 addresses earlier Check whether either an IPv4 address or an IPv6 address or both were provided by IPAM right after the IPAM allocation rather than later when the veth pair was already set up. Also fix up the error messages. Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
a0b3227 plugins/cilium-cni: allow to pass IPAM pool name in IPAM allocation Preparatory refactoring for cases where we want to specify the IPAM pool on CNI add. Currently this is left empty to select the default pool. Signed-off-by: Tobias Klauser <tobias@cilium.io> 05 July 2023, 13:01:54 UTC
a0366e3 Document cilium_host's IPv6 change in upgrade guide Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 05 July 2023, 12:48:47 UTC
1a4e7d4 docs: Adjust KPR GSG to --kpr=boolean changes Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 July 2023, 12:48:23 UTC
2e2fc63 docs: Mention changes of --kpr=boolean in upgrade guide Signed-off-by: Martynas Pumputis <m@lambda.lt> 05 July 2023, 12:48:23 UTC
9949c5a ci: rework workflows to be triggered by Ariane Ariane uses `workflow_dispatch` events to trigger workflows based on trigger phrases found in PR comments (e.g. `/test`). Effectively, this commit reworks all `issue_comment`-based workflows to use `workflow_dispatch` instead. In order to continue testing changes coming from the PR in a secure fashion as we did with `issue_comment`, `workflow_dispatch`-based workflows implement a similar principle to what we used to have before: - The workflows run in the context of the PR target branch (e.g. `main`) and thus are using workflow files from a trusted source while having access to repository secrets. - The PR branch itself is tested by deploying the images built off the PR in ephemeral self-contained environments (e.g. a short-lived cluster). In effect, from the point of view of external contributors, there will be no change in how the CI works and how they interact with it. However, this change brings a good number of QoL advantages: 1. As can be seen in the diffs, most of the boilerplate we used to have for handling triggers and detecting whether or not this specific workflow should run based on the PR changelist is gone, therefore reducing maintenance drag on workflows. 2. Building up on this, when it is determined that a workflow does not need to be run at all based on the PR changelist, the corresponding PR check will automatically be marked as `Skipped`, so that the PR is not blocked due to missing a required PR check. (We had some workflows with boilerplate addressing this by manually marking the check as OK, but this is now handled consistently for all workflows and using the proper `Skipped` status, which wasn't possible with the previous boilerplate.) 3. For contributors with write privileges to the repository, Ariane will transparently run workflows in the context of the PR branch instead of the context of the PR target branch. This allows easy testing of changes to workflow files directly from a PR without any edit tricks. 4. Since the GitHub App is able to determine properly in which context to run pipelines, we can store the workflow files directly in the proper branch (e.g. stable workflows will live in stable branches). This will greatly simplify backport duties: - No need to maintain multiple sets of workflows with some being duplicated in `main` and some living in the appropriate branches, now everything is stored in the same place. - Changes made to backport workflows can be tested without even more cumbersome workflow edit tricks than the ones regular workflows already required. 5. There is now immediate feedback that "something" is happening when `/test` is commented, since Ariane will react to the comment to ack on the request. Additional commit notes: - This refactor standardized commit status reporting at the beginning and end of all workflows using `myrotvorets/set-commit-status-action` instead of `Sibz/github-status-action`, since the former allows for less boilerplate. Going forward we plan to find a way to remove that boilerplate as well via the GitHub App. - We had to move back to regular secret-based authentication on AKS as the OIDC subject claims currently available on AKS do not allow for authorizing arbitrary branches. Microsoft is aware of this limitation and a new system is being worked on to allow it (see [1]), we will move back to OIDC when it is rolled out. [1]: https://github.com/Azure/azure-workload-identity/issues/373#issuecomment-1611854839 Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 05 July 2023, 12:01:32 UTC
4a9ee81 ci: add Ariane configuration file Ariane is a new GitHub App intended to trigger Cilium CI workflows based on trigger phrases commented in pull requests, in order to replace the existing `issue_comment`-based workflows and simplify our CI stack. This commit adds a configuration setting up triggers such that existing workflows can be triggered with the usual `/test`, and based on the same PR changelist match / ignore rules. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 05 July 2023, 12:01:32 UTC
e3a8cfe doc: Improved Cilium ingress annotations table * Improved statements about Cilium ingress annotation default values * Fixed Cilium ingress annotation table formatting so vertical scrolling is not needed anymore. Signed-off-by: Philip Schmid <philip.schmid@isovalent.com> 05 July 2023, 09:26:33 UTC
c426dc8 docs: Update cluster mesh instructions - Only document using the Helm mode. Time to deprecate the classic mode. - Remove "clustermesh enable" and "clustermesh connect" output samples. These outputs might change in the future, and I think output samples from the subsequent "clustermesh status" commands give users enough context to confirm that "clustermesh enable" and "clustermesh connect" commands succeeded. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 05 July 2023, 09:24:43 UTC
b9f467a docs: Update external workloads instructions Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 05 July 2023, 09:24:27 UTC
66226a3 daemon: Process deletion queue before API server starts To explicitly process the deletion queue before the API server is started this commit introduces a 'deletionQueue' object which the daemon's API handlers provider depends on. This ensures that the Cilium API server starts after the endpoint deletions have been processed. Conversely, the delete queue is only unlocked after the API server has started and is ready to process requests from CNI plugin (unlockAfterAPIServer). Start hook order according to "cilium-agent hive": ... • cmd.newDaemonPromise.func1 (daemon_main.go:1640) ... • *cmd.deletionQueue.Start • *server.Server.Start • cmd.unlockAfterAPIServer.func1 (deletion_queue.go:118) Signed-off-by: Jussi Maki <jussi@isovalent.com> 05 July 2023, 08:33:18 UTC
cf60337 daemon: Adapt the API handlers to the new server cell Since NewDaemon is side-effectful we don't have *Daemon directly, but rather a promise.Promise[*Daemon]. With the modular API server we need to provide the handlers up-front before the server starts, so this commit implements a wrapper (apiHandler[T]) that deals with waiting for the promise and then implements the existing handlers around that wrapper. Signed-off-by: Jussi Maki <jussi@isovalent.com> 05 July 2023, 08:33:18 UTC
d7ac888 daemon: Move rate limiter to daemon/restapi Make a cell for rate.APILimiterSet along with its configuration. Since we cannot use option.NewNamedMapOptions() with cell.Config, we're implementing it using pflag's StringToString. This seems to have the exact behavior we want. The api_limits_test.go has test cases to confirm this. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 05 July 2023, 08:33:18 UTC
c6aff5c loader: check enabled L7 proxy via config property Currently, the check whether l7 proxy functionality is enabled is based on whether the passed proxy reference is `nil` or not. Due to Go's nil-handling on Interfaces, this results in calls to `proxy.ReinstallRules` even though l7 proxy functionality isn't enabled. Therefore, this commit changes the check towards checking the config property. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 05 July 2023, 07:00:37 UTC
fa04680 Update Palantir usecases Signed-off-by: Vlad Ungureanu <vladu@palantir.com> 05 July 2023, 07:00:05 UTC
f3f9971 auth: use NodeManager instead of k8s.CiliumNodeResource in auth gc Auth map garbage collection is using the k8s.CiliumNodeResource to get notified about added and deleted nodes. This comes with the drawback of not supporting ClusterMesh and introducing an additional k8s watcher for CiliumNodes (as long as the NodeManager is using the legacy k8s watcher). Therefore, this commit is refactoring the auth map garbage collection to register itself as NodeHandler to the NodeManager to get notified about node events. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 05 July 2023, 06:58:55 UTC
3d641e1 chore: Use xxx.String() instead of string(xxx.Bytes()) Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> 05 July 2023, 06:51:46 UTC
15db629 Add flag to enforce mTLS on hubble relay clients Fixes: #24265 Signed-off-by: Marek Chodor <mchodor@google.com> Co-authored-by: ZSC <zacharysarah@users.noreply.github.com> 05 July 2023, 06:51:04 UTC
dcc0a0e doc: Documented incompatibility of EgressGW and kvstore Signed-off-by: Philip Schmid <philip.schmid@isovalent.com> 05 July 2023, 06:47:30 UTC
645bb5d CODEOWNERS: assign pkg/backoff to @cilium/sig-agent Signed-off-by: Gilberto Bertin <jibi@cilium.io> 05 July 2023, 06:45:49 UTC
f6600fd .github/workflows: don't error out if pkill finds no processes The pkill invocation in GH workflows is meant to kill background tasks started earlier in the workflow. It seems like some of them exit of their own accord, with tests still passing. Ignore the pkill error code 1 which indicates that no processes were matched / signalled: 1 No processes matched or none of them could be signalled. Fixes #26075 Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 05 July 2023, 06:45:22 UTC
c4dc46c bgpv1: Use max int32 as max value for ConnectRetryTimeSeconds ConnectRetryTime is not negotiated with the peer and therefore there is no strict protocol limit for it. Internally, GoBGP uses int type to manage this timeout. Signed-off-by: Rastislav Szabo <rastislav.szabo@isovalent.com> 05 July 2023, 06:44:57 UTC
907537c bgpv1: set upper limits to BGP timers and GR restart time in BGP CRD BGP holdtime is 16bits unsigned int and GR restart time is 12bits. Setting this limit in cilium BGP CRDs, so configuration can be validated at the API layer. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 05 July 2023, 06:44:57 UTC
043ff5b cocci: Re-license Coccinelle scripts as Apache 2.0 We want to change the license under which we distribute the Coccinelle scripts, in order make it consistent with the rest of the repository. These scripts were written from scratch by Cilium contributors. Looking at the Git history: $ git log --reverse --format='%an' -- contrib/coccinelle/*.cocci | \ sort -u Alexandre Perrin André Martins Anton Protopopov Daniel Borkmann Dylan Reimerink Paul Chaignon Quentin Monnet ... we note that all contributors are affiliated with Isovalent. Liz Rice, currently Chief Open Source Officer at Isovalent, gave her consent for the change. Acked-by: Liz Rice <liz@lizrice.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 04 July 2023, 18:26:15 UTC
bb0126f bpf: dsr: fix IPIP health-encap on older kernels 87855a957541 ("bpf: Set outer source IP to pod IP") added a field for the source IP to the `bpf_tunnel_key` struct. But as this isn't supported on older kernels, we need to reduce the key length for the IPIP health path's usage of ctx_set_tunnel_key(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 July 2023, 16:29:31 UTC
a8ecaa9 pkg/monitor: improve decode performance This commit is to improve decode performance. Due to the performance degradation caused by the reflection in 'binary.Read', functions were added for each structure. Signed-off-by: Jack-R-lantern <tjdfkr2421@gmail.com> Co-authored-by: Alexandre Perrin <alex@kaworu.ch> 04 July 2023, 13:49:07 UTC
55a09e5 .github: dump buddyinfo and pagetypeinfo when ci-e2e fails There is a persistent CI flake where the kernel returns ENOMEM from BPF map updates. Grab buddyinfo and pagetypeinfo from /proc to see whether the allocation failures are related to memory fragmentation. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 04 July 2023, 13:36:52 UTC
7726560 Refactor duplicate imports for Cilium v2alpha1 API A couple of go files had `github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1` imported twice. Remove the duplicate and make the import name consistent. Signed-off-by: Dorde Lapcevic <dordel@google.com> 04 July 2023, 12:24:44 UTC
14a835d pkg/monitor: Improve performance of decoding `TraceNotifyV1` Previously decoding `TraceNotifyV1` performed 3 unnecessary allocations, this patch removes these allocations resulting in a ~94% improvement in runtime performance. name old time/op new time/op delta DecodeTraceNotifyVersion1-10 303ns ± 0% 17ns ± 1% -94.51% (p=0.008 n=5+5) name old alloc/op new alloc/op delta DecodeTraceNotifyVersion1-10 144B ± 0% 0B -100.00% (p=0.008 n=5+5) name old allocs/op new allocs/op delta DecodeTraceNotifyVersion1-10 3.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) Signed-off-by: Frederic Branczyk <fbranczyk@gmail.com> 04 July 2023, 12:16:47 UTC
11743a9 pkg/monitor: Improve performance of decoding `TraceNotifyV0` Previously decoding `TraceNotifyV0` performed 3 unnecessary allocations, this patch removes these allocations resulting in a ~92% improvement in runtime performance. name old time/op new time/op delta DecodeTraceNotifyVersion0-10 191ns ± 0% 15ns ± 0% -91.93% (p=0.008 n=5+5) name old alloc/op new alloc/op delta DecodeTraceNotifyVersion0-10 112B ± 0% 0B -100.00% (p=0.008 n=5+5) name old allocs/op new allocs/op delta DecodeTraceNotifyVersion0-10 3.00 ± 0% 0.00 -100.00% (p=0.008 n=5+5) Signed-off-by: Frederic Branczyk <fbranczyk@gmail.com> 04 July 2023, 12:16:47 UTC
875d4ab pkg/monitor: Add benchmark for decodeTraceNotifyV0 Signed-off-by: Frederic Branczyk <fbranczyk@gmail.com> 04 July 2023, 12:16:47 UTC
41fc899 pkg/monitor: improve DecodeTraceNotify test coverage The following commits will refactor DecodeTraceNotify. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 04 July 2023, 12:16:47 UTC
c068a44 docs: Add L2 Pod Announcements docs Add some brief documentation about the L2 Pod Announcements feature to the existing L2 Announcements docs page, as the features are very similar. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 03 July 2023, 17:14:48 UTC
f6401f0 MAINTAINERS: Add Jussi Mäki Voting Results: YES: 37 (79%) NO: 0 (0%) ABSTAIN: 10 (21%) With the Company Block Vote Limit applied: YES: (33 / (33/6)) + 4 = 10 votes NO: 0 votes Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 03 July 2023, 17:14:16 UTC
cea0b68 bpf: nat: re-organize port selection loop in snat_v*_new_mapping() Extract the meaty parts of the port-selection loop, and add comments to make them more understandable. This also makes sure that we only set the ext_err if the map updates failed (and not when we exceeded the loop limit). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 16:40:32 UTC
7afb284 bpf: nat: remove snat_v*_swap_tuple() helpers The naming doesn't fit at all (we're not swapping the tuple, but initializing a *new* tuple with the swapped values). Also some values in the new tuple get over-written right after, so any sort of impression that we're working with a "swapped" tuple is very misleading. It's much easier to read if we just open-code the tuple setup in one place. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 16:40:32 UTC
ecdf4bc bpf: nat: clean up port selection in snat_v*_new_mapping() We look for a free SNAT port by checking whether the corresponding revSNAT already exists. Have a single point in the loop where the revSNAT tuple gets updated with the next port candidate. Also only update the SNAT entry if the check was successful and the currently selected port is available. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 16:40:32 UTC
8ec9b32 bpf: nat: clean up return type for port selection helpers The helpers operate on values in host byte-order, and that's also what their callers expect. So just fix up the type of the return value. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 16:40:32 UTC
d7afbb2 bpf: nat: remove snat_v4_update() This helper is unused. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 16:40:32 UTC
d102dbc hive,metrics: Add metrics for pkg/hive/job This commit adds a metric that tracks error counts for job runs, a metric to track timer run performance and observer run performance. For one shot jobs the metric collection is disabled by default, only jobs with the `WithMetrics` option will be measured. This way we can collect metrics for short running jobs and skip collection for high cardinality jobs or jobs that run forever. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 03 July 2023, 14:41:17 UTC
780c697 docs: update KPR section on DSR Rephrase the DSR section to clarify the differences between the two dispatch mechanisms (IP option/extension, or Geneve option). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 03 July 2023, 12:17:52 UTC
f6346d2 make: drop redundant `go vet ./...` from integration tests The Go toolchain will already run vet during `go test` since Go 1.10, see https://go.dev/doc/go1.10#test and https://github.com/golang/go/issues/18084 for details. This reduces total run time of `make integration-tests` on my machine from ~16min to ~18min. Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 July 2023, 11:02:26 UTC
cc6310c Documentation/community: add multi-pool IPAM to list of beta features Multi-pool IPAM was added during the 1.14 release cycle and is currently considered a beta feature. Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 July 2023, 09:02:48 UTC
970f881 docs: Multi-Pool IPAM now partially supports iptables-based NAT With #26397 merged, iptables-based masquerading can now be used together with Multi-Pool IPAM, as long as `egressMasqueradeInterfaces` is set too. This commit adjusts the documentation to reflect that and improves the wording of that section a bit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 July 2023, 09:02:35 UTC
0447095 test/controlplane: Remove validation timeout Due to the unpredictability of a CI environment, setting a validation timeout when running tests may lead to flakiness. At the same time, a short timeout is useful when developing locally to get faster feedback from the tests. The commit changes the controlplane test framework to run without a timeout by default. An additional method WithValidationTimeout is added to set a custom one when developing locally. Moreover, the result of each failed validation is always printed, to ease debuggability both locally and in a CI environment. Related: #26082 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 03 July 2023, 07:06:06 UTC
a28f0fc bpf: nat: use icmp6_load_type() instead of ctx_load_bytes() Replace open-coded variants of the helper. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 02 July 2023, 08:43:13 UTC
ffbd7af bpf: icmp6: have icmp6_load_type() take a L4 offset Right now the helper takes a L3 offset, and assumes a packet without extension headers. Change it to a L4 offset, so that callers can pass this when available. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 02 July 2023, 08:43:13 UTC
283b8b7 bpf: icmp6: have icmp6_load_type() return an error Under the hood this uses ctx_load_bytes(), which can fail. Return such an error to the caller. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 02 July 2023, 08:43:13 UTC
c44f3aa treewide: wrap multiple errors using the standard library Go 1.20 expands support for error wrapping to permit an error to wrap multiple other errors. Therefore, go.uber.org/multierr is no longer required. See https://go.dev/doc/go1.20#errors for more details. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 30 June 2023, 15:36:52 UTC
5da5882 pod2pod strict mode for WireGuard When pod2pod encryption is enabled, there is a slight time window, where one pod may send unencrypted data to another one. This happens when a new pod is created but the information of the new endpoint has not propagated to the other nodes. To prevent this from happening, we block all unencrypted pod2pod traffic. This is done via a filter in the datapath. The filter is configured at the same time the datapath is set up, since we cannot rely on data which is only eventually updated at runtime. The filter drops any unencrypted tcp/udp egress traffic which originates from and is sent to the PodCIDR and also leaves the node. Signed-off-by: Benedict Schlueter <benedict.schlueter@inf.ethz.ch> Signed-off-by: Leonard Cohnen <lc@edgeless.systems> Co-authored-by: Benedict Schlueter <benedict.schlueter@inf.ethz.ch> 30 June 2023, 13:58:21 UTC
0680d39 images: update cilium-{runtime,builder} Signed-off-by: Tobias Klauser <tobias@cilium.io> 30 June 2023, 13:55:50 UTC
0bb0a4e chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 30 June 2023, 13:55:50 UTC
119c85a docs: Istio docs fix sidecar inject method Turns out `istioctl kube-inject` does not work with URLs, so this commit changes how the sidecars are injected in the demo application example. Signed-off-by: Michael Kashin <michael.kashin@isovalent.com> 30 June 2023, 13:50:35 UTC
386b17a hubble: Add logic to redact Kafka API key in L7 flows * Extend accepted values for the `--hubble-redact` CLI option * Add unit tests for Kafka in L7 parser * Update the `visibility.rst` document * Update Helm chart templates and values Co-authored-by: ChrsMark <chrismarkou92@gmail.com> Signed-off-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> 30 June 2023, 13:49:29 UTC
fe07332 hubble: Introduce default value for redaction Co-authored-by: ChrsMark <chrismarkou92@gmail.com> Signed-off-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com> 30 June 2023, 13:49:29 UTC
77d92f7 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 30 June 2023, 12:43:05 UTC
1cb6bc7 vendor: Update go-restful This resolves a high severity vulnerability reported by Prisma Cloud. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 30 June 2023, 12:28:11 UTC
8fd8bcf chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 30 June 2023, 12:23:54 UTC
e8fa91d bpf: nodeport: provide L4 ports for SNAT in LB egress path For LB traffic that gets forwarded to a remote backend in non-DSR mode, tail_nodeport_nat_egress_ipv*() calls snat_v*_nat() to perform SNAT on the packet. Under the covers, this extracts a fresh CT tuple to look up / build a SNAT entry. But for LB traffic we don't require any of the ICMP handling in that code path, and we already extract a CT tuple for building tunnel headers in XDP mode. So we can optimize this code path, and provide a fully populated CT tuple to the SNAT helper. One additional benefit is that we fix handling for fragmented IPv4 packets, as lb4_extract_tuple() knows how to extract their L4 ports while snat_v4_nat() doesn't. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 June 2023, 11:44:19 UTC
b8e562b bpf: dsr: skip DSR check for inbound ICMP traffic In a full-DSR config, nodeport_uses_dsr() returns `true` even for ICMP traffic. Have such packets skip the unnecessary check for embedded DSR info. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 June 2023, 11:42:14 UTC
8be6990 bpf: nodeport: consider inbound ICMP traffic in revSNAT bypass nodeport_uses_dsr() returns `true` for ICMP traffic when using full-DSR, but `false` when Hybrid-DSR is enabled. That's typically no concern, as we only expect to call this helper for SVC-eligible traffic. Except if nodeport_lb*() wants to shortcut the RevSNAT stage when BPF-Masquerading is disabled - here it might also get applied to inbound ICMP traffic. Consequently we currently get different behaviour for ICMP traffic: - DSR disabled: no RevSNAT bypass - Hybrid DSR: no revSNAT bypass - full DSR: RevSNAT bypass Slightly rework the code to get consistent behaviour - always bypass RevSNAT for ICMP when BPF-Masquerading is off, regardless of the DSR configuration. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 June 2023, 11:42:14 UTC
dff7aa1 bpf: Replace deprecated "-target bpf" with "--target=bpf" for clang Passing the target to clang with "-target <name>" has been considered deprecated since clang 3.4 [0], released in 2013, in favour of the more recent syntax "--target=<name>". Let's update our code and documentation to use the recommended syntax. This replicates a similar patch submitted to the Linux kernel [1]. [0] https://github.com/llvm/llvm-project/commit/274b6f0c87a6a1798de0a68135afc7f95def6277 [1] https://lore.kernel.org/all/20230624001856.1903733-1-maskray@google.com/ Signed-off-by: Quentin Monnet <quentin@isovalent.com> 30 June 2023, 08:40:48 UTC
6c8f4b6 cilium, docs: Add rc.0 to development releases Add it to the table and remove the snapshot since the rc.0 is the latest one. Snapshot can be brought back for 1.15 once we have them again. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 30 June 2023, 08:06:55 UTC
3ba3d53 ci: Run documentation workflow on README.rst updates In commit 5951d1ddef15 ("docs: Run rstcheck on README.rst, too."), we added README.rst to the list of files on which we run rstcheck, be it manually or as part of the CI workflow for documentation. However, the workflow does not trigger for updates to README.rst. Let's address this. Building the full documentation for README.rst-only updates is not necessary, but we're interested in rstcheck (run from check-build.sh) to catch RST formatting issue, which seems an acceptable trade-off given the low volume of changes on README.rst. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 30 June 2023, 08:02:12 UTC
bfc44c0 ci: Fix container scanning workflow Using `act` to locally run the workflow didn't find a syntax error, which means that the workflow doesn't run correctly in GitHub Actions. I fixed this issue, which brought to light some other minor issues with images not being available on specific branches, as well as one unnecessary step. I've fixed all of the above and added v1.14 as another branch to scan. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 30 June 2023, 06:14:23 UTC
28de75d auth: cleanup auth module This commit cleans up the auth module. * improve comments * renamed newAuthManager -> registerAuthManager * grouped params in authManagerParams * rename gc job names * split registration into instantiation & job/lifecycle registration sections Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
d7b96fd auth: dedicated auth map gc test case per type This commit separates the existing auth map gc tests into multiple tests per "type" * identities * nodes * policies * expiration Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
ea0514b auth: fix cleanup expired auth entries log message Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
443e98c auth: combine auth map gcs This commit combines the different timer based auth map gc jobs into a single job. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
a35e884 auth: delete nodes related auth map entries in gc job Currently, auth map entries related to a deleted node are immediately deleted when the event has been received. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors this so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
e992ff2 auth: reordered garbage collector This commit reorders the functions within the garbage collector. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
4258ae3 auth: delete identity related auth map entries in gc job Currently, auth map entries related to a deleted cilium identity are immediately deleted when the event has been received. The actual deletion might result in errors, which can no longer be reported back to the IdentityAllocator which emits the events. To prevent events from resulting in errors, the events should no longer delete auth map entries. Therefore, this commit refactors this so that the deletion information is stored within the garbage collector, and the actual garbage collection run uses this information to clean up the map. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
17e7b83 auth: auth map gc interval 5m Latest changes reflect deleted identities and nodes only in the internal state of the garbage collector without deleting the related entries immediately. Therefore, this commit changes the auth map gc interval from `15m` to `5m` which reflects the changes faster in the map itself. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
90cfb93 helm: rename authentication.expiredGCInterval to gcInterval This commit renames the helm value `authentication.expiredGCInterval` to `authentication.gcInterval` as it will be used for multiple types of auth related GCs. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 30 June 2023, 05:43:16 UTC
3aba41b auth: Switch to observing identity changes Observe the identity changes via the CachingIdentityAllocator instead of using CiliumIdentity CRD directly. This both fixes the issue of having two informers (and thus double the bandwidth), but it also allows auth to work with the kvstore identity allocation backend. Co-authored-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 30 June 2023, 05:43:16 UTC
6248d61 monitor: update DBG_CT_LOOKUP4_2 / DBG_CT_LOOKUP6_2 output bde55cdeb3b7 ("bpf: ct: introduce scope parameter for CT lookup") added additional `dir` and `scope` fields to the debug message. Format these in the monitor output. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 29 June 2023, 19:21:42 UTC
76217a1 bpf: nat: Handle errors from snat_v(4|6)_prepare_state() Functions snat_v4_prepare_state() and snat_v6_prepare_state() would return a boolean, indicating whether SNAT should happen. They would not report errors that might occur when trying to determine that. In this commit, we change their return type to an int, in order to report any error to the caller. We report errors if any of revalidate_data(), ct_is_reply4(), ct_is_reply6(), or ipv6_hdrlen() fails. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 29 June 2023, 15:58:30 UTC
cc9f038 ipam,alibabacloud: Improve event driven instance resync Currently in AWS/Alibabacloud ipam modes, every time the IP allocation/release event happens, the cilium operator triggers a resync and fetches all the ENIs from instance API. In a large and frequently changing cluster, the full sync might take several tens of seconds. This slows down the IP allocation process severely and also imposes a lot of pressure on the instance API. The full sync here should be unnecessary since we only need to update the ENIs of the instance that triggered the event. This patch introduces a new `Node.instanceSync` trigger to replace `NodeManager.resyncTrigger`. Whenever an instance is mutated due to IP pool maintenance, the trigger attempts to incrementally resynchronize the corresponding instance to the local cache. This is achieved through the newly introduced `InstanceSync` method of the `AllocationImplementation` interface. While this feature is implemented for Alibabacloud, AWS and Azure still fall back to full resynchronization. Here are some time cost data from an Alibabacloud cluster during different periods (full sync vs. InstanceSync): time cost with ~8000 ENIs: ~20s vs. ~2s; time cost with ~13000 ENIs: ~35s vs. ~2s. Related: #25073 Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 29 June 2023, 15:09:31 UTC
dda1202 k8s,metrics: Remove double k8s event accounting Resources increment the k8s event metrics themselves now. This causes duplicate metric accounting for k8s watchers that have been implemented in terms of resources and also do metrics tracking. This commit removes the metrics tracking done by k8s watchers that are implemented with resources. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 June 2023, 13:53:06 UTC
893c530 cilium, docs: Move Maglev out of beta state It has seen enough production exposure over the years and there are no known issues atm. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 29 June 2023, 13:19:30 UTC
a1d92d9 helm: Use kubeProxyReplacement as string Helm coalesce does not consider a boolean variable with "false" value as having a value at all, so $defaultKubeProxyReplacement is picked even if `helm --set kubeProxyReplacement=false` is used with `--set upgradeCompatibility=1.12` (for which the default value is `disabled`). Fix this by explicitly converting .Values.kubeProxyReplacement to a string (also converting "<nil>" to an empty string). Alternatively we could have asked users to use `helm --set-string kubeProxyReplacement=false` instead, but requiring that and silently ignoring `--set kubeProxyReplacement=false` is confusing to users and would be incompatible with a possible transition to a boolean kubeProxyReplacement in future. Prior to this PR this helm command gave this output: $ helm template cilium cilium --namespace kube-system --set upgradeCompatibility=1.12 --set kubeProxyReplacement=false | grep kube-proxy-replacement: kube-proxy-replacement: "disabled" After this PR the output is correct: $ helm template cilium cilium --namespace kube-system --set upgradeCompatibility=1.12 --set kubeProxyReplacement=false | grep kube-proxy-replacement: kube-proxy-replacement: "false" Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 29 June 2023, 12:32:03 UTC
5598e56 Reverts quarantine K8sDatapathServicesTest Reverts https://github.com/cilium/cilium/pull/25670 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 29 June 2023, 12:13:03 UTC
3a2ec02 Fix K8sDatapathServicesTest Checks N/S with host policy test Fix bug introduced in https://github.com/cilium/cilium/pull/26362 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 29 June 2023, 12:13:03 UTC
2d5c713 ci-multi-pool: Use ip-masq-agent for masquerading Now that #26262 has been fixed, we can use disjunct CIDRs for the IP pools. This will make the testing a bit more realistic, as we expect users to define IP pools from different CIDR ranges. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 29 June 2023, 09:59:58 UTC
7af6450 docs: Upgrade Note For Deny Policy Fix Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 29 June 2023, 07:46:17 UTC
2b3d8a6 add host-side interface info to cni.Result This commit adds host-side interface name and MAC address to cni.Result according to the CNI Specification (https://www.cni.dev/docs/spec/#section-5-result-types). Signed-off-by: czybjtu <smartczy@outlook.com> 29 June 2023, 06:04:07 UTC