https://github.com/cilium/cilium

Revision Author Date Message Commit Date
8a7ef24 daemon: Add --bpf-lb-wireguard This flag enables Wireguard encryption for NodePort BPF traffic. This is mainly going to be used to opt out from the Wireguard NodePort BPF traffic encryption to avoid the side effect of the pod2host encryption mentioned in the previous commit. Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 April 2021, 13:46:35 UTC
4f6fadd wireguard: Encrypt pod2host traffic when NodePort BPF is on When running Wireguard with KPR, we want to encrypt the following NodePort BPF traffic: 1. A request from a client to a service handled by NodePort BPF when a remote service endpoint is selected (after SNAT and DNAT). 2. A reply from the service endpoint on the remote node to the request above. Request 1 is marked for encryption by the NodePort BPF program (once it detects that the service endpoint is remote). The encryption of reply 2 is more complicated. Previously, when we had a Wireguard tunnel IP, the request was SNAT-ed to the tunnel IP. This made the reply automatically go over the Wireguard tunnel. Unfortunately, after removing the Wireguard tunnel IP, this is no longer the case. The request is SNAT-ed to a node IP, and therefore a reply (src=podIP|dst=nodeIP) is no longer encrypted, as it does not go over the Wireguard tunnel. To fix this, we mark a packet sent from a pod for encryption if we detect that dst is REMOTE_NODE_ID. Later on, the packet is routed by the stack to the Wireguard tunnel device (thanks to the mark). Unfortunately, this introduces an asymmetry for non-NodePort host2pod traffic, as host2pod will go unencrypted over a native device while pod2host will go over the tunnel and will be encrypted. Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 April 2021, 13:46:35 UTC
2fbc947 wireguard: Add NodeIP to AllowedIPs list This commit adds a remote NodeIPv{4,6} to the AllowedIPs to the corresponding peer entry. This is required, as after we have removed the Wireguard tunnel IP, requests forwarded by NodePort BPF will have the NodeIP instead of the tunnel IP. So the remote peer will receive such requests on "cilium_wg0" with srcIP = NodeIP. If the NodeIP is not in the AllowedIPs list, the request will be dropped by the Wireguard device driver. Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 April 2021, 13:46:35 UTC
36dd795 wireguard: Completely disable rp_filter Just having a default route is not enough to pass the rp_filter check in the loose mode. So, disable it completely. Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 April 2021, 13:46:35 UTC
4d64cbc wireguard: Remove operator This commit removes the Wireguard operator which previously was used to allocate a Wireguard tunnel IP. After taking a closer look into the Wireguard source code in the kernel and realising that we don't see the tunnel IP on the wire, we came to the realisation that the IP is not needed at all. For host2host encryption with Wireguard (TODO) we don't need to rely on the tunnel IP (we will be able to use the nodeIP and Wireguard's fwmark to avoid the loop). Signed-off-by: Martynas Pumputis <m@lambda.lt> 09 April 2021, 05:14:52 UTC
c603c5e test: Convert LoadBalancer test to use BGP We can reuse this test that already validates connectivity to the external IP of a service of type LoadBalancer (LoadBalancerIP). Previously, we deployed a custom-made controller to allocate external IPs for the sake of testing. Now that BGP announcements of service IPs have been implemented, let's convert the test to leverage this. The newly added "frr.yaml.tmpl" and "bgp-configmap.yaml.tmpl" files are a Go text/template of a YAML file containing the pod spec for the BGP router and the ConfigMap, respectively. They are templated because we want to avoid hardcoding node names, node IPs, and BGP router IPs, which would otherwise make this test un-runnable outside of our CI using vagrant. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
d8dbb82 daemon, bgp, watchers: Implement LB IP announcement via BGP This commit implements LoadBalancer IP announcements by integrating MetalLB natively into Cilium. Each node in the K8s cluster running a Cilium Agent will be a BGP speaker. The speaker controller is notified of K8s events, specifically updates to services, endpoints, and nodes. The speaker is interested in the following K8s objects and events:
  Services -> OnUpdateService(), OnDeleteService()
  Endpoints -> OnUpdateEndpoints()
  Nodes -> OnUpdateNode()
For Services updates, if the object contains a service of type LoadBalancer with an LB IP (allocated by the Operator, see previous commit), then the Agents will consider whether to advertise the LB IP to the configured BGP router (provided by the user), depending on the service's externalTrafficPolicy (either Cluster or Local). For the difference between the two, see https://metallb.universe.tf/usage/#bgp. This is also dependent on whether the service has healthy backends (endpoints) running. For Service deletions, if the speaker was previously announcing the service via BGP, then it will withdraw that advertisement. This will cause the BGP router to remove the route to the node advertising that it can route the LB IP. For Endpoints updates, we watch for these because we must know the health of the backends (endpoints). Only when all backends of a service are healthy is a BGP announcement made. If the backends become unhealthy, then the announcement is withdrawn. A mapping is stored internally for services to endpoints, so that we may cross-reference them back to a Service. For Node updates, we watch for these because MetalLB allows users to limit BGP peers to certain nodes. See https://metallb.universe.tf/configuration/#limiting-peers-to-certain-nodes for more details. For this event, we are only interested in the labels of a Node. All of the events described above are enqueued into an internal queue for processing. The processing of the events off of the queue is done in a separate goroutine. Having a queue allows us to retry on errors in the reconciliation logic. The reason it's used is to avoid retrying directly inside the event handlers of the K8s watcher, which would block other handlers from running. Instead, the event is re-enqueued and eventually re-processed at a later time. Each reconciliation attempt returns a status, either types.SyncStateSuccess, types.SyncStateError, or types.SyncStateReprocessAll. Any attempt with types.SyncStateError is retried. For types.SyncStateReprocessAll, MetalLB returns this only when the BGP configuration changes. However, this does not apply to Cilium because our BGP configuration is statically provided via CLI flags, Helm values file, or via ConfigMap. We do not support dynamically reloading the configuration at runtime, therefore we don't care for types.SyncStateReprocessAll. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
a877fad bgp, operator: Implement LB IP allocation via MetalLB This commit implements LoadBalancer IP allocation via MetalLB integration for service IP announcement via BGP. This is done by monitoring all service objects via K8s watchers. Each object seen by the service watcher is pushed into a BGP Manager queue where they are processed by calling down to the MetalLB reconciliation logic. If a reconciliation fails (types.SyncStateError), then the object is re-added into the queue. Once reconciliation for an object returns types.SyncStateSuccess, then it is removed from the queue. During reconciliation, it's possible for MetalLB to return types.SyncStateReprocessAll under two circumstances: 1) A service is deleted 2) Configuration changes (1) is explained below. (2) does not apply to Cilium because our BGP configuration is static and cannot change dynamically, therefore we don't need to react to this event. The MetalLB reconciliation occurs when a service of type LoadBalancer is found. Once found, it'll allocate an LB IP for it from the configured IP pool(s), which is provided by the user. Once the IP is allocated, the Operator will update the service object accordingly. The Agents will receive this update and announce via BGP (announcement varies depending on externalTrafficPolicy=Cluster or Local). The Operator now requires the use of the cache.Store (indexer) associated with the informer (cache.Controller). Previously, we avoided the use of the indexer in favor of our own K8s service cache. However, it is not applicable for this BGP implementation because our service cache stores services in an internal representation of a service (k8s.Service). This makes it unusable because the types are obviously incompatible with MetalLB's API. In addition, we need to be able to re-list all services in the cluster. If we had to re-list all the services from the cache and convert their type, it would be a purely wasteful (useless) operation. Instead, keeping the services in their original type is a more efficient use of compute resources. The reason we need to re-list the services anyway is in the case of the LB IP pool(s) being exhausted. If the pool(s) are exhausted, then new services will sit in a pending state waiting for their LB IP to be allocated. Only when a service is deleted (reconciliation returns types.SyncStateReprocessAll) can we reassign IPs to pending services. Therefore, we must re-list all the services upon a service delete event to find which services are in need of an LB IP. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
c8571ad bgp: Add k8s package for MetalLB client This package provides common K8s client code to be used from the speaker and manager packages. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
1fa52e5 bgp: Add central logging package This package will be shared by the controller and speaker BGP packages that will be added in future commits. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
4a61e56 bgp: Add config package This package will allow both the BGP speaker and the BGP controller to use the same logic for configuration. It currently does not support loading configuration dynamically at runtime. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
dede69f vendor: Add go.universe.tf/metallb For now use fork of MetalLB until the changes have been upstreamed. This bumps the github.com/miekg/dns module because it is a transient dependency, but we have a replace directive for it anyway. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
b57be71 install: Grant cilium-operator update permission for services This is needed in order to update the status of service objects from the Operator, in order to set the LB IP allocated by MetalLB. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
b3d6568 k8s: Add endpoints getter from service cache This will be used in future commits where the mapping between services and endpoints is crucial for the BGP speaker. Specifically, whenever there are service resource updates, we need to ensure that the MetalLB controller receives the correct and most up-to-date backends for a given service. Otherwise, the BGP announcements won't work properly as the MetalLB controller won't be able to determine if the backends are healthy, and therefore might cause spurious / missed announcements for the LB IP (of the service). Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
0cbfb20 k8s: Provide slim Service -> v1 Service helpers This is needed for the BGP controller inside the Operator. The reason they're needed is because the Operator watches slim Service objects, while the BGP controller is based off MetalLB which uses the raw v1 type. Inside the handlers for BGP, a conversion is necessary before calling into MetalLB. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
5f66325 watchers: Consolidate add and update logic for endpoints Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
e65f82d k8s, k8s/slim: Add LoadBalancerIP field This field is crucial for BGP integration with MetalLB because a user can prefer an LB IP by setting this field, rather than allocating a random IP from an IP pool. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
0479133 daemon, install, operator, option: Introduce BGP flags This option is shared between the Agent and the Operator, and will be required to be passed to both. This commit also updates the Helm charts with the new flags. BGP configuration is passed via a file path, which when running with K8s will point to a mounted ConfigMap created by the user before starting Cilium. Due to the lack of upstream support for EndpointSlices in MetalLB, we must fall back to using the regular Endpoints object. See https://github.com/metallb/metallb/issues/811. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
d351abf operator: Move leader election vars under the correct section They were declared under the "Azure" section and this commit moves them to the general vars section. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
664d129 operator/watchers: Clarify logic inside endpoint controller init Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
5649aa5 operator/watchers: Separate out service watcher initialization The service controller inside the Operator is created inside StartSynchronizingServices(). This function is only called when the kvstore is configured and `--synchronize-k8s-services` is passed to the Operator. Besides creating a service controller, it also performs other tasks unrelated to services, which makes it unusable for reuse. This commit refactors the service synchronization in the watcher package to move the controller outside of StartSynchronizingServices(). In future commits, creating a service controller for BGP announcement of service IPs will be implemented, and thus depends on this refactor. Signed-off-by: Chris Tarazi <chris@isovalent.com> 08 April 2021, 16:10:12 UTC
d380acf bpf/Makefile: Disable custom calls on 4.19 When compiling bpf_lxc with all possible options on 4.19, we hit the maximum program size (4096) [1]. Let's disable ENABLE_CUSTOM_CALLS on that kernel to avoid this issue. Other options we could disable are ENABLE_DSR and ENABLE_EGRESS_GATEWAY, but they are likely more widespread and likely to have a stronger effect. 1 - https://github.com/cilium/cilium/issues/15539 Signed-off-by: Paul Chaignon <paul@cilium.io> 08 April 2021, 12:46:30 UTC
68ba5d4 bpf/Makefile: Disable Maglev for bpf_host and bpf_lxc There is currently a complexity issue, in both bpf_lxc and bpf_host, when enabling both Maglev and the host firewall in the datapath. We therefore need to disable Maglev for those programs when trying to maximize the program size and complexity. 1 - https://github.com/cilium/cilium/issues/14047 Signed-off-by: Paul Chaignon <paul@cilium.io> 08 April 2021, 12:46:30 UTC
0ad05db bpf/Makefile: Move global config options to MAX_BASE_OPTIONS Unless an option maximizes program size in a BPF program and minimizes it in another, there is no good reason to define global options in each MAX_*_OPTIONS. This commit instead moves all global options to MAX_BASE_OPTIONS. This commit also fixes several options that were missing for bpf_host (ENABLE_HOSTPORT, ENABLE_SRC_RANGE_CHECK, and ENABLE_IPV4_FRAGMENTS). ENABLE_EGRESS_GATEWAY is kept in each MAX_*_OPTIONS macro because it can't be enabled for bpf_xdp or we'd get the following compilation errors:
  In file included from bpf_xdp.c:38:
  /cilium/bpf/lib/nodeport.h:1108:20: error: no member named 'ifindex' in 'struct xdp_md'
          if (info && ctx->ifindex != ENCAP_IFINDEX) {
                      ~~~  ^
  /cilium/bpf/lib/nodeport.h:1108:31: error: use of undeclared identifier 'ENCAP_IFINDEX'; did you mean 'CB_IFINDEX'?
          if (info && ctx->ifindex != ENCAP_IFINDEX) {
                                      ^~~~~~~~~~~~~
                                      CB_IFINDEX
  /cilium/bpf/lib/common.h:599:2: note: 'CB_IFINDEX' declared here
          CB_IFINDEX,
          ^
  2 errors generated.
  make: *** [Makefile:188: bpf_xdp.ll] Error 1
Signed-off-by: Paul Chaignon <paul@cilium.io> 08 April 2021, 12:46:30 UTC
fd18f64 bpf/Makefile: Define missing options for verifier tests The MAX_*_OPTIONS defined in bpf/Makefile are used by the K8sVerifier test and intended to maximize program size (and hopefully, complexity). This commit adds two datapath options that were missing: - NEEDS_RELAX_VERIFIER: On older kernels, the Cilium agent defines NEEDS_RELAX_VERIFIER to compile in verifier pruning points, which have been manually added. We should do the same in our verifier tests. Note this won't be needed anymore once [1] is addressed. - ENABLE_MASQUERADE: This option controls BPF masquerading and is supported on kernels >4.19. 1 - https://github.com/cilium/cilium/issues/15498 Signed-off-by: Paul Chaignon <paul@cilium.io> 08 April 2021, 12:46:30 UTC
e83890b bpf_host: declare variables in the beginning of the block That way we can define HOST_REDIRECT_TO_INGRESS without mixing declaration and code. Updates: #15559 Signed-off-by: Joao Victorino <joao@accuknox.com> 08 April 2021, 10:52:49 UTC
353d245 add doc for AlibabaCloud ENI Signed-off-by: l1b0k <libokang.dev@gmail.com> 08 April 2021, 09:54:34 UTC
86eab65 endpoint: Delete egress rules for all routing CIDRs In ENI IPAM mode, the CNI plugin will add more than one egress rule in case there are multiple CIDRs on the VPC. When cleaning up the endpoint rules, we therefore also want to remove all of them, as the previous implementation would just give up with a warning (due to it finding more than one egress rule). We obtain the routing CIDRs from `node.GetRoutingInfo()` which is populated from the router IPAM allocation result during the Cilium agent initialization: https://github.com/cilium/cilium/blob/3be939385f28154fef564e6d625e86d1898c7043/daemon/cmd/ipam.go#L238 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 April 2021, 09:52:50 UTC
3ebb47d docs/eni: Update docs regarding primary ENI IP Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 April 2021, 09:52:50 UTC
4a914bd ipam: Configure ENI devices This code also checks the CiliumNode CRD for newly added interfaces and will assign the primary IP of the ENI to the corresponding Linux network interface. This fixes an issue where SNAT assigned the wrong IP to packets. Co-authored-by: Tom Payne <tom@isovalent.com> Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 April 2021, 09:52:50 UTC
94567e4 ipam: Pass MTU configuration to nodeStore The IPAM CRD allocator will need to maintain the routes and rules on the existing interfaces in cases new routes are added or removed. To be able to do this, it will need to know the configured MTU. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 April 2021, 09:52:50 UTC
958008a logging: Add more standard fields Signed-off-by: Tom Payne <tom@isovalent.com> 08 April 2021, 09:52:50 UTC
7c1bb35 aws/ec2: Exclude primary ENI IP from IPAM pool This commit removes the primary ENI IP address from the IPAM pool. The existing allocation code did already not consider it when computing the number of IPs to allocate, but it was still returned in the allocation result and therefore assigned to Cilium endpoints. A subsequent commit will assign the primary IP to the Linux network interface, to ensure SNAT works correctly for packets sent out via the ENI. Therefore, we must not allocate the primary IP to endpoints. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 08 April 2021, 09:52:50 UTC
7226197 hubble: Add a flag to write Hubble events to a rotated file Add a flag to write Hubble events from OnDecodeEvent() to a rotated file. It could be useful for troubleshooting to have access to recent events beyond what's kept in memory. Use it with caution as it can add significant overhead on busy nodes. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 08 April 2021, 09:35:28 UTC
427e7a2 build(deps): update actions/upload-artifact requirement to ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 Updates the requirements on [actions/upload-artifact](https://github.com/actions/upload-artifact) to permit the latest version. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/commits/ee69f02b3dfdecd58bb31b4d133da38ba6fe3700) Signed-off-by: dependabot[bot] <support@github.com> 08 April 2021, 01:29:56 UTC
f710b5e build(deps): bump docker/setup-buildx-action Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 154c24e1f33dbb5865a021c99f1318cfebf27b32 to 1.1.2. This release includes the previously tagged commit. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/154c24e1f33dbb5865a021c99f1318cfebf27b32...2a4b53665e15ce7d7049afb11ff1f70ff1610609) Signed-off-by: dependabot[bot] <support@github.com> 08 April 2021, 01:29:10 UTC
051032c daemon/clustermesh-apiserver: add new option --allocator-list-timeout This enables users to configure how long they would like to wait for objects to be successfully listed from the kvstore. In particular, this determines the agent restart frequency when clustermesh is enabled and the remote kvstore has connection problems: too many restarts in really large clusters put significant pressure on the k8s apiserver as well as the local and remote kvstores. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 07 April 2021, 23:57:33 UTC
f6a5724 logging: expose more syslog options Expose more syslog options via --log-opt to make syslog more configurable. Before this commit we can only log to the default facility `kern` of localhost, which may pollute the kernel log file. Also, add fatal-out logic to cilium-agent, cilium-operator and cilium-health, if an error is returned from SetupLogging. The following option keys are added:
  syslog.network
  syslog.address
  syslog.facility
  syslog.severity
  syslog.tag
ConfigMap example for the syslog driver:
  {"syslog.level":"info","syslog.facility":"local5","syslog.tag":"cilium-agent"}
Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 07 April 2021, 23:56:58 UTC
39e09f3 Update Go to 1.16.3 Signed-off-by: Tobias Klauser <tobias@cilium.io> 07 April 2021, 23:53:08 UTC
97a46e0 build(deps): bump docker/setup-qemu-action Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 6520a2d2cb6db42c90c297c8025839c98e531268 to 1.0.2. This release includes the previously tagged commit. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/6520a2d2cb6db42c90c297c8025839c98e531268...25f0500ff22e406f7191a2a8ba8cda16901ca018) Signed-off-by: dependabot[bot] <support@github.com> 07 April 2021, 23:52:39 UTC
ab755df build(deps): bump docker/build-push-action Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 9379083e426e2e84abb80c8c091f5cdeb7d3fd7a to 2.4.0. This release includes the previously tagged commit. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/9379083e426e2e84abb80c8c091f5cdeb7d3fd7a...e1b7f96249f2e4c8e4ac1519b9608c0d48944a1f) Signed-off-by: dependabot[bot] <support@github.com> 07 April 2021, 23:52:27 UTC
e27c98b build(deps): bump Sibz/github-status-action Bumps [Sibz/github-status-action](https://github.com/Sibz/github-status-action) from e92e9076ba64fe070b6f06221720fc647d82e90e to 1.1.5. This release includes the previously tagged commit. - [Release notes](https://github.com/Sibz/github-status-action/releases) - [Commits](https://github.com/Sibz/github-status-action/compare/e92e9076ba64fe070b6f06221720fc647d82e90e...67af1f4042a5a790681aad83c44008ca6cfab83d) Signed-off-by: dependabot[bot] <support@github.com> 07 April 2021, 21:48:10 UTC
7a1039f k8s: Consolidate check for EndpointSlice support When v1 support for EndpointSlice is checked, the capability for the base EndpointSlice support is also toggled, therefore we can consolidate the logic inside the support helpers. It's not possible for one variant to return true and the other false, and vice versa. Fixes: 5ee4c6f4d1 ("add support for EndpointSlice V1") Signed-off-by: Chris Tarazi <chris@isovalent.com> 07 April 2021, 18:11:10 UTC
47f6817 test: Skip GKE for NodePort + hostfw test The host policy applied would require some additional work to not brick the nodes on GKE. Signed-off-by: Paul Chaignon <paul@cilium.io> 07 April 2021, 14:12:01 UTC
84b0823 test: Disable IPv6 tests in GKE, EKS, etc. Signed-off-by: Paul Chaignon <paul@cilium.io> 07 April 2021, 14:12:01 UTC
56ec514 test: Replace RunsWithKubeProxy by RunsWithKubeProxyReplacement This change is to allow for a CI pipeline where kube-proxy is installed, but our kube-proxy replacement is used by default. Such a pipeline will allow us to run tests that depend on kube-proxy on newer kernels. It will also enable better testing of the kube-proxy-replacement=probe setting. For this to be possible, we need to uncouple RunsWithoutKubeProxy (whether we run with our kube-proxy replacement) from RunsWithKubeProxy (whether kube-proxy is enabled). Thus, RunsWithKubeProxyReplacement now encodes whether we run with our kube-proxy replacement (we currently run it everywhere it's supported). This change has the side effect of enabling more tests in GKE. We do run our kube-proxy replacement in GKE (via kubeProxyReplacement=probe), so tests that have this as a requirement should run on GKE. Signed-off-by: Paul Chaignon <paul@cilium.io> 07 April 2021, 14:12:01 UTC
9bc95c8 daemon: Remove --help flags grouping This commit reverts the --help flags grouping introduced by [1]. The motivation for removing the grouping is the following: - Some flags should be in multiple groups to help users to navigate through the flags (e.g. "IPMasqAgentConfigPath"). - Some grouping doesn't make much sense (e.g. "IP flags" - each flag should belong to a different group instead). - We tend to forget to add new flags. Therefore considering above, the alphabetical order yields better UX. [1]: https://github.com/cilium/cilium/pull/10795 Signed-off-by: Martynas Pumputis <m@lambda.lt> 07 April 2021, 14:09:32 UTC
fe14fc9 docs: Hide "Edit on GitHub" buttons Following the instructions here, remove the buttons to edit on github, since this is confusing for contributors: it opens PRs against branches where we don't accept contributions, bypasses the standard instructions like requiring signoffs, etc. https://github.com/readthedocs/readthedocs.org/blob/master/docs/guides/remove-edit-buttons.rst Signed-off-by: Joe Stringer <joe@cilium.io> 07 April 2021, 12:09:37 UTC
fbf3d38 ci: add AKS workflow This workflow has been migrated from https://github.com/cilium/cilium-cli/ as part of the CI 3.0 initiative, and adapted based on the previous migration made for GKE. See https://github.com/cilium/cilium/pull/15416 and https://github.com/cilium/cilium/pull/15482 for more details on the structure and adaptations made. Triggers: - `aks.yaml` is triggered automatically when a comment starting with `ci-aks` is made on a PR. In this case, a GitHub status check is manually registered for the PR SHA commit, and will show up in the PR status checks with a link to the workflow run. - `aks.yaml` is also triggered automatically on merge to `master`. In this case a GitHub status check is already automatically registered by the `push` event, so we skip manual status check registering. - A commented `pull_request` trigger is available for workflow developers: it may be uncommented and used in test PRs for testing the workflow using the `ci-run/gke` label (requires write privileges as it will only work for PRs from branches in the Cilium repo, not from forks). Of course it should be left commented for the real PR. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 07 April 2021, 11:07:18 UTC
4887d60 ci: add EKS workflow This workflow has been migrated from `cilium-cli` as part of the CI 3.0 initiative, and adapted based on the previous migration made for GKE. See https://github.com/cilium/cilium/pull/15416 and https://github.com/cilium/cilium/pull/15482 for more details on the structure and adaptations made. Triggers: - `eks.yaml` is triggered automatically when a comment starting with `ci-eks` is made on a PR. In this case, a GitHub status check is manually registered for the PR SHA commit, and will show up in the PR status checks with a link to the workflow run. - `eks.yaml` is also triggered automatically on merge to `master`. In this case a GitHub status check is already automatically registered by the `push` event, so we skip manual status check registering. - A commented `pull_request` trigger is available for workflow developers: it may be uncommented and used in test PRs for testing the workflow using the `ci-run/gke` label (requires write privileges as it will only work for PRs from branches in the Cilium repo, not from forks). Of course it should be left commented for the real PR. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 07 April 2021, 11:07:00 UTC
e3cc8d3 build(deps): bump actions/download-artifact Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4a7a711286f30c025902c28b541c10e147a9b843 to 2.0.9. This release includes the previously tagged commit. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/4a7a711286f30c025902c28b541c10e147a9b843...158ca71f7c614ae705e79f25522ef4658df18253) Signed-off-by: dependabot[bot] <support@github.com> 07 April 2021, 10:49:43 UTC
d164e55 ci: fix/update GKE workflow Actions: - Pin actions using SHA. - Switch to PR comment triggering based on a trigger phrase (see below). - Split post-test steps in order to make sure cleanup is always run, even if information gathering fails. - Fix cluster names using `run_number`, which would conflict with other PRs. - Remove unused checkout action. Triggers: - `gke.yaml` is triggered automatically when a comment starting with `ci-gke` is made on a PR. In this case, a GitHub status check is manually registered for the PR SHA commit, and will show up in the PR status checks with a link to the workflow run. - `gke.yaml` is also triggered automatically on merge to `master`. In this case a GitHub status check is already automatically registered by the `push` event, so we skip manual status check registering. - A commented `pull_request` trigger is available for workflow developers: it may be uncommented and used in test PRs for testing the workflow using the `ci-run/gke` label (requires write privileges as it will only work for PRs from branches in the Cilium repo, not from forks). Of course it should be left commented for the real PR. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 07 April 2021, 08:43:43 UTC
c83dca2 agent: stop endpoints in parallel on exit Endpoints are stopped on exit signals in an agent cleanup function. This patch does this in goroutines to speed it up, which reduces the probability of the agent exit timing out, that is, reduces the possibility of pod network disconnection caused by interrupted regeneration. Related: #15446 Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 07 April 2021, 01:03:04 UTC
4a51d48 docs: Update DNS proxy timeout value The timeout value is currently set to 10s by the constant ProxyForwardTimeout. Signed-off-by: Aditi Ghag <aditi@cilium.io> 07 April 2021, 00:41:57 UTC
f7489a4 jenkinsfiles: remove symlink for kubernetes-upstream.Jenkinsfile As files are currently stored in the `jenkinsfiles/` directory, we can safely remove this file. Signed-off-by: André Martins <andre@cilium.io> 06 April 2021, 22:16:46 UTC
6328219 remove unused jenkinsfiles These jobs are no longer used in master so we can safely remove them. Signed-off-by: André Martins <andre@cilium.io> 06 April 2021, 22:16:46 UTC
ca31483 daemon: Add hidden --cflags debug command Support compiling with dedicated compile options to assist development. Signed-off-by: Joe Stringer <joe@cilium.io> 06 April 2021, 21:54:27 UTC
9be5183 add cyclonus network policy tester Signed-off-by: Matt Fenwick <mfenwick100@gmail.com> 06 April 2021, 20:26:22 UTC
e13f6bf examples: Split host policies for dev. VMs The current extensive host policy for the development VMs (implements the most restrictive policy possible) was written to support both values of enable-remote-node-identity. When that flag is enabled, rules for the remote node are implemented with the remote-node entity; when it is disabled, the node CIDR is used. Unfortunately, when enable-remote-node-identity is given, the policy is not the most restrictive possible anymore, because we now have additional rules matching on node CIDR. To ensure we have the most restrictive policy possible, we need to split the existing host policy into two policies, for each value of the flag. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 April 2021, 20:02:38 UTC
79b5cfa Fix BPF_JMP_MAP_ID on tail call toy example. Toy example for tail call defines BPF_JMP_MAP_ID for the tail call, but uses JMP_MAP_ID at the __section_tail function. This would load the program and map but __section_tail will not be loaded to JMP_MAP because the IDs don't match. Small fix to address this and use BPF_JMP_MAP_ID everywhere. Signed-off-by: Yiannis Yiakoumis <yiannis@selfienetworks.com> 06 April 2021, 17:48:40 UTC
38ebbf8 Revert "ci: push cilium-test image to quay.io, use it in nightly" This reverts commit 18a2ff1b45ba79ee18d33c69188dfb32838da8ff. All image CI builds started failing in pull requests after we merged this pull request. Reverting while we investigate and find a fix. Reported-by: André Martins <andre@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 06 April 2021, 14:57:08 UTC
261fae4 ipam: Fix empty interface number in Azure Since commit 4d50ae70f ("cni, routing: Plumb interface number") added the interface number to the IPAM allocation result to fix a bug in ENI mode (https://github.com/cilium/cilium/issues/14336), Azure has been broken. However, we were able to avoid issues like pod connectivity because there was a separate bug with Azure that hid it, which commit ba069702c ("azure: Add the correct JSON tag to GatewayIP field in CiliumNode CRD") fixed. Once that was fixed, we began to see pods failing to be set up by the CNI (see linked issue below). The reason this didn't manifest in v1.9.5 even though the ENI fixes were backported there is that ba069702c ("azure: Add the correct JSON tag to GatewayIP field in CiliumNode CRD") is not part of any release yet. In any case, this commit will need to be backported as the latter commit (ba069702c) is now part of the v1.9 tree. Fixes: https://github.com/cilium/cilium/issues/15496 Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 April 2021, 14:45:10 UTC
57f2efc k8s: Retry CRD update upon conflict Previously, when the Operators started up and were updating the CRDs, it was a race as to who could update the CRDs first. Any Operator that wasn't first would error out and fatal (see linked issue for the msg). This commit fixes this by checking if the update operation ended in a conflict. If it did, then we retry the operation, which includes fetching the latest version from the apiserver. We can detect this error because the K8s client libraries expose a convenience function (errors.IsConflict()) to check for these kinds of errors, as they are quite common in K8s code. Fixes: https://github.com/cilium/cilium/issues/14283 Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 April 2021, 14:19:02 UTC
3366a2b policy: improve CNP initial sync Check for the existence of CNP egress rules before translating, since we only do translation for egress rules. This reduces the time cost of an add event of a CNP without egress rules and makes the cilium agent start faster in a cluster with a large number of CNPs and services. Time cost comparison in a cluster with 10k CCNPs (all without egress rules), 44k services/endpoints: Before: per CNP add event time cost 20 ~ 30 ms, overall time cost of initial CNP sync 255 s. After: per CNP add event time cost 0.5 ~ 1 ms, overall time cost of initial CNP sync 15 s. Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 06 April 2021, 14:14:49 UTC
3a2b861 build(deps): bump KyleMayes/install-llvm-action from v1.1.1 to v1.2.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from v1.1.1 to v1.2.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.1.1...4609a7b44dbb15353bdb46dafaac2914948399c9) Signed-off-by: dependabot[bot] <support@github.com> 06 April 2021, 14:00:58 UTC
127a5d8 plugins/cilium-docker/driver: Validate endpoint IDs Signed-off-by: Tom Payne <tom@isovalent.com> 06 April 2021, 13:36:14 UTC
f5cda8b pkg/sysctl: Document exported values and reduce exports Signed-off-by: Tom Payne <tom@isovalent.com> 06 April 2021, 13:36:14 UTC
4742a65 pkg/sysctl: Sanitize parameter names This avoids a security warning raised by CodeQL. In theory, before this PR, carefully formed parameter names could read arbitrary files in the filesystem, e.g. sysctl.Read("../../etc/passwd"). In practice, this was likely unexploitable as '.'s were replaced with '/'s, making path traversal tricky. The updated code verifies that parameter names are valid. Signed-off-by: Tom Payne <tom@isovalent.com> 06 April 2021, 13:36:14 UTC
c4581b3 loader: Log upsert and remove route errors Fixes: #15282 Signed-off-by: Gaurav Genani <h3llix.pvt@gmail.com> 06 April 2021, 13:25:39 UTC
18a2ff1 ci: push cilium-test image to quay.io, use it in nightly While migrating to quay.io images we missed `cilium-test` images. This change adds this image to image build and changes nightly workflow to use this image (and also use correct cilium/*-ci images). Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 06 April 2021, 13:19:14 UTC
60bd290 test: Make Wireguard tcpdump filter more fine grained It was reported that the native Wireguard CI test failed with the tcpdump assertion. This means that the tcpdump was able to capture a packet on the private iface (used for direct routing) targeting the pod on any port. Improve the filter by adding 'port $targetPort' filter to eliminate non service traffic. Also, write tcpdump output into test-output.log, so that next time we know whether a failure was a false positive. Reported-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Martynas Pumputis <m@lambda.lt> 06 April 2021, 08:54:35 UTC
beceabb Reverts exported function names and adds comments for context. - revert `InstallEndpointNoTrackRules` to `InstallNoTrackRules` - revert `RemoveEndpointNoTrackRules` to `RemoveNoTrackRules` This would unbreak google's node-local-dns use case with Cilium. Signed-off-by: Weilong Cui <cuiwl@google.com> 06 April 2021, 08:52:15 UTC
15472a9 test: Allow hostfw tests to run on GKE Host firewall tests in tunneling mode can run on GKE. We just need to enable tunneling. Signed-off-by: Paul Chaignon <paul@cilium.io> 06 April 2021, 07:27:26 UTC
ae23400 add AlibabaCloud operator The AlibabaCloud allocator is specific to Cilium deployments running in AlibabaCloud and performs IP allocation based on the IPs of ENIs. More on ENI: https://www.alibabacloud.com/help/doc-detail/58496.htm Signed-off-by: l1b0k <libokang.dev@gmail.com> 05 April 2021, 21:11:55 UTC
c8549e7 add AlibabaCloud types Signed-off-by: l1b0k <libokang.dev@gmail.com> 05 April 2021, 21:11:55 UTC
73bd036 add AlibabaCloud sdk Signed-off-by: l1b0k <libokang.dev@gmail.com> 05 April 2021, 21:11:55 UTC
e2291d6 build(deps): bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2.5.1 to v2.5.2. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.1...5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018) Signed-off-by: dependabot[bot] <support@github.com> 05 April 2021, 20:25:17 UTC
80bbe9e test: Remove nop condition from tests "RunsWithKubeProxy || RunsWithoutKubeProxy" is of course always true. Signed-off-by: Paul Chaignon <paul@cilium.io> 03 April 2021, 13:46:03 UTC
3af28df daemon: Fatal on XDP + egress gateway That combination of options is not currently supported and results in the following datapath compilation error: In file included from bpf_xdp.c:38: /cilium/bpf/lib/nodeport.h:1108:20: error: no member named 'ifindex' in 'struct xdp_md' if (info && ctx->ifindex != ENCAP_IFINDEX) { ~~~ ^ /cilium/bpf/lib/nodeport.h:1108:31: error: use of undeclared identifier 'ENCAP_IFINDEX'; did you mean 'CB_IFINDEX'? if (info && ctx->ifindex != ENCAP_IFINDEX) { ^~~~~~~~~~~~~ CB_IFINDEX /cilium/bpf/lib/common.h:599:2: note: 'CB_IFINDEX' declared here CB_IFINDEX, ^ 2 errors generated. make: *** [Makefile:188: bpf_xdp.ll] Error 1 Signed-off-by: Paul Chaignon <paul@cilium.io> 03 April 2021, 10:41:56 UTC
99070f6 cilium: clean up bpf_network includes bpf_network is pulling in unneeded headers resulting in compile errors on older kernels. Use the linux/*.h headers for the handful of types that the program actually uses. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
0b52fd7 cilium: encryption, insert "skip" rules to avoid ipsec policy In some configurations of tunnel mode, endpoint routes, etc., an encrypted packet will be sent through the stack. If the encrypted packet does not match a fwd policy rule AND it has previously been encrypted without passing through a kernel boundary that clears the cb[] (on older kernels) or skb extension (on newer kernels) fields, the xfrm policy will miss and the packet will be dropped. This worked in the past because we mainly had older kernels where the xfrm stack used cb[] for metadata and we cleared the cb[] fields from the BPF stack. However, we do not clear skb extensions via BPF, nor do we have a BPF helper to do this yet. So in order to deal with this case we add fwd xfrm policy rules so that when the routing stack detects the skb extensions for xfrm and attempts to do a policy lookup, a policy is found and the packet is not dropped. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
11a6d4d cilium: Use correct mask on xfrm delete The mask values used to match stale entries in the XFRM state and policy no longer matched the values we use. The result is that stale entries get left in the node tables. If subsequently the cilium agent picks a new IP address, this can result in conflicts in the xfrm {state|policy} lookup. Fix to use the correct mask field. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
07c857a cilium: remove rules when encryption is disabled Rules need to be correctly deleted, otherwise it's possible that if in the future the cilium agent picks up a new IP address and then re-enables encryption we may have some conflicting entries in the route table. Also, it's just cleaner to have only correct entries in the table; attempting to debug a system with multiple invalid routes is more difficult than it needs to be. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
bb086ec cilium: Revert "ipsec: Use 64bits for XFRM output sequence number" This reverts commit 4ea12ee32e48ea08de72aa36d45f8df0f5f468bf. Revert ESN support, the initial implementation is incomplete because it also needs to sync sequence numbers across restarts and node joins. For now solve this problem by making key rotation painless and simple through cilium CLI. We can add ESN back once sequence number sync operation is in place. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
2c878a5 cilium: auto-detect network interfaces for IPAMENI case We need to auto-detect network interfaces in the EKS environment that by default uses three interfaces eth0, eth1, and eth2. This patch will walk the list of all devices in the system and attach to any device that is not a veth or lo device. This patch resolves the EKS case and leaves other cases for future work. We could use similar logic with a bit more exclusion logic to handle the general routing cases as well. In the process we pull the IPAMENI IPSec configuration into Reinitialize() path so that if net devices are added/removed we will pick up those at reinit time. Later work can bring the remaining parts, but that required more refactoring than I wanted for a bugfix. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
a42d442 cilium: auto-discovery pod subnets for ENI IPAM When encryption is enabled with an IPAM using a single IP pool for the entire cluster instead of per node, we need to know those CIDRs. This is required so we can place decrypt/encrypt rules that cover the subnet. In this patch, look up the CIDRs from the routeInfo and use those. Otherwise users would need to manually modify helm charts, yamls, etc. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
8b434b4 cilium: encryptInterface requires multiple interfaces in multi-dev env When a node is using multiple nodes and traffic is being source routed, or routed some other way, across multiple netdevs we need to ensure our bpf_network programs are attached to all interfaces that can receive pod traffic. This patch adds support for users to specify multiple interfaces. In order to do this lift bpf_network (encryption program) compile and load out of init.sh and do it from go side. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 02 April 2021, 17:56:06 UTC
afad939 Multi-arch enabled strip operations The current strip operations on Cilium related binaries only work when building on x86_64, and actually the strip commands are of the same name on both the amd64 and arm64 platforms, as defined by GNU: for stripping an amd64 binary, it's x86_64-linux-gnu-strip; for stripping an arm64 binary, it's aarch64-linux-gnu-strip. The '/usr/bin/strip' is just a soft link to each on each platform. Here we just unify the 2 utilities on the different platforms (amd64, arm64), so that it can work on both amd64 and arm64 platforms. Signed-off-by: trevor tao <trevor.tao@arm.com> 02 April 2021, 14:42:12 UTC
17aa113 wireguard: Fix rp_filter setting We need it only when IPv4 is enabled. Fixes: 3bb90864fa5 ("wireguard: Add agent code") Signed-off-by: Martynas Pumputis <m@lambda.lt> 01 April 2021, 20:44:08 UTC
97c841d docs: update k3s installation instructions This commit fixes the K3s installation instructions, removing the deprecated `--no-flannel` option and removing the unrecognized flags being passed to the agent. The installation instructions will now result in a successful installation. Co-authored-by: Adrian Goins <adrian.goins@suse.com> Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 16:39:19 UTC
e2460de pkg/k8s: fix concurrent access in CNP field When doing a StatusUpdate of a particular CNP, we are performing an unnecessary sanitization of the CNP. This is unnecessary as we have already performed it when the CNP event was received and we pass the result of this sanitation down to the status updater. Removing this code fixes some concurrent access in some of the fields in the CNP. ``` WARNING: DATA RACE Write at 0x00c000d956b0 by goroutine 406: github.com/cilium/cilium/pkg/policy/api.(*PortProtocol).Sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:393 +0x187 github.com/cilium/cilium/pkg/policy/api.(*PortRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:345 +0xe9 github.com/cilium/cilium/pkg/policy/api.(*IngressRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:151 +0xc24 github.com/cilium/cilium/pkg/policy/api.Rule.Sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:71 +0x1c6 github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2.(*CiliumNetworkPolicy).Parse() /go/src/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/cnp_types.go:227 +0x6f7 github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).prepareUpdate() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:87 +0x6b github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).UpdateStatus() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:180 +0x587 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addCiliumNetworkPolicyV2.func1() /go/src/github.com/cilium/cilium/pkg/k8s/watchers/cilium_network_policy.go:215 +0x7d github.com/cilium/cilium/pkg/controller.(*Controller).runController() /go/src/github.com/cilium/cilium/pkg/controller/controller.go:208 +0xda6 Previous read at 0x00c000d956b0 by goroutine 377: reflect.Value.String() /usr/local/go/src/reflect/value.go:1876 +0x84 encoding/json.stringEncoder() /usr/local/go/src/encoding/json/encode.go:647 +0x210 [...] 
encoding/json.(*encodeState).marshal() /usr/local/go/src/encoding/json/encode.go:332 +0xd2 encoding/json.Marshal() /usr/local/go/src/encoding/json/encode.go:161 +0x78 github.com/cilium/cilium/pkg/policy/api.(*Rule).MarshalJSON() /go/src/github.com/cilium/cilium/pkg/policy/api/rule.go:140 +0x2e7 [...] encoding/json.Marshal() /usr/local/go/src/encoding/json/encode.go:161 +0x78 encoding/json.MarshalIndent() /usr/local/go/src/encoding/json/encode.go:176 +0x64 github.com/cilium/cilium/pkg/policy.JSONMarshalRules() /go/src/github.com/cilium/cilium/pkg/policy/repository.go:505 +0x8d github.com/cilium/cilium/daemon/cmd.(*getPolicy).Handle() /go/src/github.com/cilium/cilium/daemon/cmd/policy.go:760 +0x1d3 github.com/cilium/cilium/api/v1/server/restapi/policy.(*GetPolicy).ServeHTTP() /go/src/github.com/cilium/cilium/api/v1/server/restapi/policy/get_policy.go:60 +0x2e7 github.com/go-openapi/runtime/middleware.NewOperationExecutor.func1() /go/src/github.com/cilium/cilium/vendor/github.com/go-openapi/runtime/middleware/operation.go:28 +0xb3 net/http.HandlerFunc.ServeHTTP() /usr/local/go/src/net/http/server.go:2069 +0x51 github.com/go-openapi/runtime/middleware.NewRouter.func1() /go/src/github.com/cilium/cilium/vendor/github.com/go-openapi/runtime/middleware/router.go:78 +0x486 net/http.HandlerFunc.ServeHTTP() /usr/local/go/src/net/http/server.go:2069 +0x51 github.com/go-openapi/runtime/middleware.Redoc.func1() /go/src/github.com/cilium/cilium/vendor/github.com/go-openapi/runtime/middleware/redoc.go:72 +0x35a net/http.HandlerFunc.ServeHTTP() /usr/local/go/src/net/http/server.go:2069 +0x51 github.com/go-openapi/runtime/middleware.Spec.func1() /go/src/github.com/cilium/cilium/vendor/github.com/go-openapi/runtime/middleware/spec.go:46 +0x281 net/http.HandlerFunc.ServeHTTP() /usr/local/go/src/net/http/server.go:2069 +0x51 github.com/cilium/cilium/pkg/metrics.(*APIEventTSHelper).ServeHTTP() /go/src/github.com/cilium/cilium/pkg/metrics/middleware.go:69 +0x1ce 
github.com/cilium/cilium/pkg/api.(*APIPanicHandler).ServeHTTP() /go/src/github.com/cilium/cilium/pkg/api/apipanic.go:53 +0xe4 net/http.serverHandler.ServeHTTP() /usr/local/go/src/net/http/server.go:2887 +0xca net/http.(*conn).serve() /usr/local/go/src/net/http/server.go:1952 +0x87d ``` Fixes: 6ec0d0f8d00b ("k8s: add support for k8s 1.20 and drop support for k8s 1.12") Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 16:38:54 UTC
750895b test: update k8s tested versions Update to 1.18.17, 1.19.9 and 1.20.5 Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 16:17:04 UTC
d105c3f k8s/api: More consistent field name capitalisation When CiliumEgressNATPolicies API was introduced, the names of fields in JSON format lacked consistency with other APIs. This change makes IP and CIDR acronyms capitalised consistently Fixes: 141cd63 ("Add custom resource for egress nat gateway policy") Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> 01 April 2021, 11:33:33 UTC
569189a docs: Mention KUBEPROXY ENV var in e2e section Reported-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 01 April 2021, 11:26:50 UTC
9a3875a aws/eni/limits: lazily populate limits map The static limits map generated ~30kB on the heap at init time before, regardless of whether limits were used. Avoid this by lazily populating the map on first use. Signed-off-by: Tobias Klauser <tobias@cilium.io> 01 April 2021, 11:17:24 UTC
5ee4c6f add support for EndpointSlice V1 With this commit Cilium will have support for EndpointSlice v1 which is being enabled by default in Kubernetes Clusters running with v1.21. To have backward compatibility, Cilium will still continue to support EndpointSlice v1beta1 for clusters below v1.21. Signed-off-by: André Martins <andre@cilium.io> 01 April 2021, 02:36:43 UTC
231a217 docs: first-interface-index new ENI default Mention that new nodes will default to 0 and existing nodes will continue to use 1 (first-interface-index). Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 March 2021, 14:46:06 UTC
26aafcb ipam: Remove delay in refreshing IPAM nodes There was an artificial delay to refresh the IPAM nodes (ENI & Azure) that could cause Cilium to hang until the controller runs.[1] The NodeManager is kicked-off by the Cilium Operator by calling (*NodeManager).Start(). Inside here, said controller calls (*NodeManager).Resync() which iterates over a list of nodes that need IP addresses allocated. This eventually triggers the trigger "ipam-node-k8s-sync-x" where "x" is the node name. This triggers ipam.(*Node).syncToAPIServer() where the finalizing of the initialization of the CiliumNode resource takes place. At that point, the PreAllocate value is in-place and IP allocation can occur. The resource is updated with the value and pushed to the apiserver. The agent then picks up the change and can begin allocating IPs to pods and so on. If Cilium Operator is delayed in doing this, the agent sits in a loop, logging a msg.[1] This commit removes this potential delay that was hardcoded to one minute. [1]: ``` log.WithFields(logFields).WithField( logfields.HelpMessage, "Check if cilium-operator pod is running and does not have any warnings or error messages.", ).Info("Waiting for IPs to become available in CRD-backed allocation pool") ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 March 2021, 14:46:06 UTC
c970818 ipam, nodediscovery: Correct logic for PreAllocate This commit effectively reverts f0f948d781 ("ipam: Fix ENI IPAM on smaller instance types") as the majority of the logic it implemented is no longer needed, since the default for FirstInterfaceIndex has been changed to 0. While we're at it, correct the logic for computing the PreAllocate value which is vital for ENI (and Azure) mode. This should allow all instance types to be used with Cilium, including the smallest ones. Fixes: f0f948d781 ("ipam: Fix ENI IPAM on smaller instance types") Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 March 2021, 14:46:06 UTC
d8e41c1 defaults, eni: Change FirstInterfaceIndex to 0 The motivation to change the default is to avoid IPAM issues when Cilium is running on smaller instance types. Given that most Cilium users would be running on these instance types, the default should be in their favor. More advanced users should then edit the CiliumNode resource to set the FirstInterfaceIndex to whatever suits their needs. This commit also modifies the unit tests where appropriate to assert on the new default. A few tests were left with FirstInterfaceIndex equal to 1 for coverage. Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 March 2021, 14:46:06 UTC