https://github.com/cilium/cilium

Revision Author Date Message Commit Date
08469dd cilium, docs: add gsg for bandwidth manager Add a simple GSG guide for the bandwidth manager along with a deployment example users can verify. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 16:20:14 UTC
6a629ad cilium, status: add bandwidth manager status Add status info message about bandwidth manager. Example output with agent flag --enable-bandwidth-manager=true and supported kernel: # ./cilium/cilium status [...] BandwidthManager: EDT with BPF [eno1] [...] Otherwise: # ./cilium/cilium status [...] BandwidthManager: Disabled [...] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
af8c32f cilium, api: regenerate API code after adding bandwidth manager Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
a3fd1bc cilium, api: extend openapi to dump bandwidth manager status Dump info on whether it is enabled and if so which devices are managed. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
389e0f5 cilium: mount cgroup v1/v2 into /var/run/cilium/ We also need to mount the v1's net_cls into /var/run/cilium/ so it is accessible from the Cilium container w/o remapping the host fs, the getCgroupNetMounts() will make sure to find the v1. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
a29ca8d cilium, cgroups: support per-endpoint cgroup configuration Base infra for determining classid path for Pods. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
e344e8e cilium, k8s: refactor fetching pod metadata Refactor the fetching of pod metadata so that a more generic structure is returned, which can hold more information than just the basic labels and annotations. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
5f6e300 cilium, bpf: add metric counter for EDT drop horizon Add a counter so we can inspect rate-limiting drops due to too large departure time windows. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 12:52:35 UTC
1af4ca6 cilium: add bandwidth manager Base layer which implements setup of BBR + {MQ/FQ, FQ} as well as EDT based rate-limiting in BPF. Agent code implements map setup and handling of egress bandwidth label for Pods. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 09:37:09 UTC
f6df0d9 cilium, k8s: regenerate API after adding QOSClass ... autogenerated as per cilium/pkg/k8s/slim/README.md. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 09:37:14 UTC
a70af80 cilium, k8s: add QOSClass to PodStatus We need the Pod QOS class for the cgroup path, so add to slim struct. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 13 August 2020, 09:37:09 UTC
547b598 cilium: disable timer migration Avoid spinlock contention on resetting TCP retransmit timer for large servers. Not disabling timer_migration is known to cause issues on larger servers with >= 64 CPUs. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/netdev/CANn89iKS6fas9O74U5w1wb+8DN==fXRKQ8nzq0tkT_VOXRtYBQ@mail.gmail.com 04 August 2020, 21:24:54 UTC
8198094 cilium: do not ignore JIT and unpriv sysctl errors We really do want them to succeed, so don't ignore errors here. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 August 2020, 21:24:54 UTC
8acb370 style(imports): Remove duplicate imports in same file Remove duplicate imports in same file Signed-off-by: Tam Mach <sayboras@yahoo.com> 04 August 2020, 08:08:08 UTC
62b4c29 connectivity-check: Add DNS query tool for debugging Add a new section to the connectivity checks specifically for manual debugging. These new tools will not fail by themselves so they are not appropriate for continuous integration testing. The new tool can be generated specifically via: $ cue cmd -t type=tool -t component=proxy dump Or by building the new generic connectivity-debug-tools.yaml target: $ make -C examples/kubernetes/connectivity-check connectivity-debug-tools.yaml To use the new tool, deploy it and follow the logs: $ kubectl logs -l name=query-dns-policy --timestamps -f Then take manual actions that may influence DNS proxy forwarding & observe how the output of the pod changes over time. Signed-off-by: Joe Stringer <joe@cilium.io> 04 August 2020, 08:07:12 UTC
7b0960a connectivity-check: Add tool type[=autocheck] Add a new label, "type" which will have two settings, either autocheck (ie connectivity check script that fails based on certain conditions, suitable for automated runtime usage in CI), and "tool" which requires manual deployment & observation from a human. Signed-off-by: Joe Stringer <joe@cilium.io> 04 August 2020, 08:07:12 UTC
e0b0e92 tests: Dev VM MySQL smoke test script Envoy MySQL filter only works with MySQL 5.5. To test, run at the cilium repo in Dev VM: $ make $ sudo -E make install $ sudo service cilium restart $ cd tests $ sudo -E ./sql-proxy.sh Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 04 August 2020, 02:13:22 UTC
040e88d envoy: Experimental support for MongoDB and MySQL enforcement Add Envoy filter chain configuration for MongoDB and MySQL. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 04 August 2020, 02:13:22 UTC
3020a1b envoy: Update for L7 metadata match support Introduce a generic mechanism for L7 enforcement on Envoy network filters that expose meaningful metadata. For an L7 policy to use an envoy filter, the 'l7proto' must be set to the canonical name of the Envoy network filter, e.g., "envoy.filters.network.mysql_proxy". L7 policy key/value pairs are mapped to Envoy metadata matchers as follows: - "action" key is consumed by the translation and if given with value "deny", will make the rule to drop the connection if there is a match. - Other keys are translated to metadata paths separated by slashes ('/'), values are translated to present matches if empty, otherwise the value is translated to a list match that matches if the value string is one of the values in the metadata. For example: [{ "endpointSelector": {"matchLabels":{"mysql-client":""}}, "egress": [{ "toPorts": [{ "ports": [{"port": "3306", "protocol": "TCP"}], "rules": { "l7proto": "envoy.filters.network.mysql_proxy", "l7": [{ "action": "deny", "user.mysql": "select" }] } }] }] }] This policy drops the TCP connection established to port 3306 if at any point the Envoy filter "envoy.filters.network.mysql_proxy" exposes metadata that has the string "select" in the metadata keyed by "user.mysql" ('user' table of the 'mysql' database). Policy decisions are access logged translating the filter metadata to L7 key-value pairs, where the values are JSON formatted. For example: -> Request envoy.filters.network.mysql_proxy from 734 ([container:mysql-client]) to 2341 ([container:mysql-server]), identity 18656->28273, verdict Forwarded -> Request envoy.filters.network.mysql_proxy from 734 ([container:mysql-client]) to 2341 ([container:mysql-server]), identity 18656->28273, verdict Denied user.mysql:["select"] In the first case the filter had not yet exposed any metadata, e.g., during MySQL handshake, authentication, or any operation not related to a table. The second case shows the deny verdict based on the policy above. 
Note that these access log messages are aggregated and are emitted only when the exposed metadata changes so that multiple operations on the same table may only emit one access log message. Note that the Envoy MySQL filter is only used for illustrative purposes here and it is trivially defeated by allowing the client and server to negotiate an SSL connection, or using a newer version of MySQL not fully supported by the Envoy filter (which has been tested only with MySQL 5.5). The purpose of this commit is to allow experimentation and development of more tailored Cilium policy support for the more mature Envoy filters. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 04 August 2020, 02:13:22 UTC
715591a test: put hubble tests on quarantine in GKE Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 03 August 2020, 18:44:26 UTC
bda4733 hubble: Add new monitor consumer implementation This adds a Hubble-specific implementation for the glue code between the monitor agent and the Hubble observer. It is similar to the existing listener implementation, but will deal with data types instead of GOB encoded binary data and keeps track of the number of events dropped if the Hubble observer is unavailable. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 03 August 2020, 17:23:23 UTC
cf7e4dc proxy: remove unused dialer and socket code This code is unused since commit 03777e0ce0f1 ("proxy: Move Kafka proxy to Envoy Go extensions"), so it can be removed as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 03 August 2020, 16:27:13 UTC
ae3917b ctmap: Add unit test for ICMP CT/NAT GC Signed-off-by: Martynas Pumputis <m@lambda.lt> 03 August 2020, 15:51:23 UTC
c633c2d datapath: Fix CT tuple ports for ICMP Echo Previously, when an ICMP EchoRequest was sent from one node A to another node B with Echo ID > NAT_MIN_EGRESS, the ICMP EchoReply sent from B -> A created a CT entry and NAT entries which could not be related by GC. E.g. node A (192.168.34.12) pings node B (192.168.34.11): ICMP IN 192.168.34.12:0 -> 192.168.34.11:38193 XLATE_DST 192.168.34.11:38193 Created=6292sec HostLocal=1 ICMP OUT 192.168.34.11:38193 -> 192.168.34.12:0 XLATE_SRC 192.168.34.11:38193 Created=6292sec HostLocal=1 ICMP OUT 192.168.34.11:0 -> 192.168.34.12:38193 expires=16783063 RxPackets=0 RxBytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxPackets=1 TxBytes=50 TxFlagsSeen=0x00 LastTxReport=16783005 Flags=0x0000 [ ] RevNAT=0 SourceSecurityID=0 IfIndex=0 This made the NAT entries to escape the CT GC meaning that the CT entry was removed, while the NAT entries were kept which made them to stay forever until a user manually ran "cilium bpf nat flush". Fix this by setting ICMP Echo ID in a port which belongs to addr of the local node, so that the CT GC could relate the NAT entries. In the previous example, the CT entry after the fix is the following: ICMP OUT 192.168.34.11:38193 -> 192.168.34.12:0 expires=16783063 RxPackets=0 RxBytes=0 RxFlagsSeen=0x00 LastRxReport=0 TxPackets=1 TxBytes=50 TxFlagsSeen=0x00 LastTxReport=16783005 Flags=0x0000 [ ] RevNAT=0 SourceSecurityID=0 IfIndex=0 The fix does not change the ID placement in a port for the case when B -> A sends ICMP EchoRequest. Signed-off-by: Martynas Pumputis <m@lambda.lt> 03 August 2020, 15:51:23 UTC
4b0460d test: Try out all GKE clusters in random order Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 03 August 2020, 15:29:12 UTC
c320d62 helm: run relay in debug mode when debug is globally enabled Along with a couple of comment fixes. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 August 2020, 15:26:11 UTC
6e6421a ci: add DeleteLong to accommodate longer resource deletion Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 03 August 2020, 15:18:20 UTC
81a8931 endpointsynchronizer: suppress context.Canceled error on CEP creation/update Fixes: 12636 Signed-off-by: Thomas Gosteli <thomas.gosteli@protonmail.ch> 03 August 2020, 15:17:09 UTC
30470c6 docs: Janitors should update backport PR labels This commit updates the documentation to clarify that members of the Janitors team should take care of updating labels when merging backport PRs. This commit also updates the example set-labels.py commands. Related: https://github.com/cilium/cilium/pull/12346#issuecomment-652574319 Reported-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Paul Chaignon <paul@cilium.io> 03 August 2020, 15:13:52 UTC
484e435 make: refactor the way -tags is given to go build/test While go build accepts several -tags, go test doesn't: go test: tags flag may be set only once This patch introduces $GO_TAGS_FLAGS to aggregate the tags and provide them as a single comma-separated list to go build/test. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 August 2020, 15:08:14 UTC
d939041 make: refactor the way "join with comma" is done Moved $(empty), $(space), and $(comma) from Makefile to Makefile.defs and added the $(join-with-comma) expression. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 August 2020, 15:08:14 UTC
0ff3454 make: uses $GO_CLEAN_FLAGS in $GO_CLEAN Before this patch, $GO_CLEAN_FLAGS was unused and $GO_CLEAN used $GO_TEST_FLAGS. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 August 2020, 15:08:14 UTC
7c6a896 use os.user instead of reading /etc/group Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 August 2020, 15:08:14 UTC
66eb29e docs: Add SmileDirectClub to Cilium users Add SmileDirectClub to the list of users in the "Who is using Cilium?" doc, along with contact info. Signed-off-by: Joey Espinosa <jlouis.espinosa@gmail.com> 03 August 2020, 09:58:15 UTC
ac9732a test/K8sServices: Fix externalTrafficPolicy=Local with kube-proxy This commit fixes the test harness for `externalTrafficPolicy=Local` in the case where we are accessing a node IP without a local backend from a node with host reachable services enabled. This is a known incompatibility between our kube-proxy replacement and upstream kube-proxy. The existing test harness assumed that we only need to handle this case if we are running without kube-proxy. This assumption however is wrong, as we are running these tests in hybrid mode, where we are running with both kube-proxy and Cilium's kube-proxy replacement. This has not been hit in our existing test suites up until recently, because we did not have a test setup with both kube-proxy and the kube-proxy replacement enabled at the same time. As GKE has been upgraded to Linux 4.19, it is now using the described setup which has caused the tests to break. The test matrix as of writing now looks as follows: | Test Suite | kube-proxy | kube-proxy replacement | | -------------------------- | ---------- | ----------------------- | | K8s-1.18-kernel-4.9 | Yes | No (Kernel 4.9.x) | | K8s-1.17-Kernel-4.19 | No | Yes (Kernel 4.19.57) | | K8s-1.12-Kernel-netnext | No | Yes (Kernel 5.8.0-rc1+) | | Cilium-PR-Ginkgo-Tests-k8s | Yes | No (Kernel 4.9.x) | | Cilium-PR-K8s-GKE | Yes | Yes (Kernel 4.19.112+) | Fixes: 67f85e3e06f4 ("tests: enable additional externalTrafficPolicy=Local tests") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 31 July 2020, 11:03:36 UTC
9ffd980 docs: Update versions used in GKE pipeline Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 31 July 2020, 11:03:36 UTC
ea53587 Vagrantfile: Add workaround for VirtualBox See code comment for more context. Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 July 2020, 07:16:21 UTC
0efe737 doc: Add workarounds section to e2e testing guide This is helpful for users who run into the occasional issues regarding VirtualBox. See below as an instance of this issue. ``` cuiwl@weil0ng:~/cilium/test$ ginkgo --focus="K8sServicesTest" --noColor (...) ==> k8s1-1.18: Cloning VM... ==> k8s1-1.18: Matching MAC address for NAT networking... ==> k8s1-1.18: Checking if box 'cilium/ubuntu-dev' version '175' is up to date... ==> k8s1-1.18: Setting the name of the VM: test_k8s1-118_1594680058871_70391 ==> k8s1-1.18: Clearing any previously set network interfaces... A host only network interface you're attempting to configure via DHCP already has a conflicting host only adapter with DHCP enabled. The DHCP on this adapter is incompatible with the DHCP settings. Two host only network interfaces are not allowed to overlap, and each host only network interface can have only one DHCP server. Please reconfigure your host only network or remove the virtual machine using the other host only network. ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 July 2020, 07:16:21 UTC
208ef7a ci: Delete cilium-node-init ds before cilium install `--validate` helm flag introduced in 82cc7c3d07 caused ci to fail in gke where we enable node init daemonset. It needs to be cleared before cilium installation. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 July 2020, 20:44:40 UTC
eb2b708 cilium/build Set GOPATH in CI VM Signed-off-by: Aditi Ghag <aditi@cilium.io> 30 July 2020, 17:21:40 UTC
d40eef1 style(errors.Is): To enforce errors.Is usage instead of comparison (#12707) This PR is not only to correct existing error comparison (e.g. e1 == e1), but also to enable linting check. Exception: - Skip the error comparison in test file - Skip io.EOF as per https://github.com/golang/go/issues/39155 Signed-off-by: Tam Mach <sayboras@yahoo.com> 30 July 2020, 16:20:36 UTC
87d68ea agent: Fix bootstrap metric for kvstore Do not account kvstore initialization as k8s bootstrap time. Signed-off-by: Thomas Graf <thomas@cilium.io> 30 July 2020, 13:57:00 UTC
c8fd3e9 k8s: Register CRDs in parallel Individual CRD registrations do not depend on each other, the registration can be done in parallel. Signed-off-by: Thomas Graf <thomas@cilium.io> 30 July 2020, 13:57:00 UTC
ba1c2fc monitor: Add consumer interface for internal subscribers This adds a new subscriber type to the monitor agent. The new type is called consumer and is very similar to how monitor listeners work, with the big exception that it does not perform any GOB encoding before sending the event to the subscriber. This interface is intended for Hubble and will eventually supersede the existing listener interface. However, for now we will support both consumers and listeners on the agent, as we want to support both monitor socket listeners as well as the Hubble observer. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 30 July 2020, 13:08:08 UTC
089a38e monitor: Extract startPerfReaderLocked method This commit contains no functional changes and is intended to improve the readability of subsequent refactoring commits. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 30 July 2020, 13:08:08 UTC
26f22c4 monitor: Rename send to sendToListeners This commit contains no functional changes and is intended to improve the readability of code changes in subsequent commits. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 30 July 2020, 13:08:08 UTC
9b44cdf monitor: Extract processPerfRecord method This commit contains no functional changes and is intended to improve the readability of subsequent commits and changes to the affected code. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 30 July 2020, 13:08:08 UTC
86476e2 k8s: update k8s to 1.19.0-rc.3 Signed-off-by: André Martins <andre@cilium.io> 30 July 2020, 08:55:28 UTC
ab6efd2 plugins/cilium-cni: add Interface Index to the CNI result This adds the corresponding Interface index to the CNI result. CNI plugins like tc-redirect-tap expect this field to be filled. Signed-off-by: Salvatore Mazzarino <dev@mazzarino.cz> 30 July 2020, 07:46:46 UTC
8a03d54 Extend connectivity-check for HTTP policy validation via CUE (#12599) * connectivity-check: Add 'make clean' support Factor out the targets for all YAMLs so it can be reused by a new phony target, 'clean'. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Introduce cuelang framework CUE (https://cuelang.org/) is a data constraint language built defined as a superset of JSON which aims to "simplify tasks involving defining and using data". In context of the connectivity check YAMLs, CUE is useful to allow us to "evaporate" the boilerplate necessary to define Kubernetes YAMLs for Deployments, Services and CiliumNetworkPolicies and allow developers to specify various permutations for connectivity checks concisely. Why should we use it? * It's more concise: One template definition, multiple reuse. This is useful for introducing new connectivity checks as upcoming commits will demonstrate as the developer doesn't need to perform the tedious and error-prone process of copying and modifying the YAMLs to implement various permutations of a check. Furthermore this helps reviewers as they will not have to read through swathes of YAMLs but can instead focus on the diffs in the templating that are introduced and compare to existing data definitions. * Consolidate constant declaration. When a core change needs to be made to something like the readinessProbe for probes that expect a success or failure, we can update one definition in the main CUE file and all YAMLs will subsequently be generated with this change in mind. During the process of preparing these changes, I noticed inconsistencies between various existing YAMLs which appear to just be unintentional, where some YAMLs were improved with better timeout behaviour or error rendering, but other YAMLs were left out. * The data is more structured. Upcoming commits will introduce simple CLI tools that allow matching on different classes of connectivity checks to generate the corresponding YAMLs. 
Previously we have depended upon file naming schemes and Makefile globbing magic to implement this which quickly reaches a limit in which checks should be selected for a specific check. What are the dangers? * It's relatively immature. At current version v0.2.2 it is subject to language changes. Upcoming commits will pin the CLI tool usage to a docker container derived from this version to ensure compatibility. * One more language in the tree to understand, review and interact with. Mitigating circumstances: This language comes out of the Golang community and as such brings some commonalities; furthermore it is beginning to be used in other Kubernetes projects, so there is some broader community alignment. * Its power allows you to hide as much or as little complexity as you want. It's tricky to strike a fine balance between explicitly declaring (and duplicating) relevant fields in the local file vs. hiding convenient templating language in common files. For examples, see defaults.cue which automatically derives connectivity check destinations based on object name declarations matching regexes of "pod-to-X", and applies affinity/anti-affinity via matches on "intra-host" or "multi-host". * All declarations are additive, ie there is no ordering based upon the layout in code; instead, data dependencies are determined using the declarations, and all data is arranged into a lattice to determine the evaluation ordering[0]. This can be counter-intuitive to reason about for the uninitiated. The general approach used in this commit was to `cue import` various existing YAML files to generate JSON equivalents, then iteratively combining & consolidating existing definitions using the language constructs provided by CUE. CUE also provides mechanisms to generate schemas and autogenerate the structures used here directly from API definitions (eg from k8s source or Cilium tree), however this area was not explored in this PR yet. 
While this doesn't take advantage of one major aspect of the language, upcoming commits will demonstrate the way that these changes were validated without the use of standardized schemas from the underlying Kubernetes resource definitions. (TL;DR: `kubectl diff ...` with kubectl validation on a live cluster). This was sufficient to extend the connectivity checks and does not preclude future explanation of the use of schemas for these definitions. This commit introduces usage of CUE in a relatively minimal way into the tree which was useful for my goals of extending the connectivity checks. If we find that it is useful and powerful, we may consider whether to extend its usage to other areas of the code (such as for test manifest generation). [0] https://cuelang.org/docs/concepts/logic/#the-value-lattice Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add cue CLI tools Add some basic tooling around connectivity-check YAML generation: $ cue cmd help List connectivity-check resources specified in this directory Usage: cue [-t component=<component>] [-t name=<name>] [-t topology=<topology>] <command> Available Commands: dump Generate connectivity-check YAMLs from the cuelang scripts ls List connectivity-check resources specified in this directory List available connectivity-check components: $ cue cmd ls KIND COMPONENT TOPOLOGY NAME Service network-check any echo-a Service services-check any echo-b Service services-check any echo-b-headless Service services-check any echo-b-host-headless Deployment network-check any echo-a Deployment services-check any echo-b Deployment services-check any echo-b-host Deployment network-check any pod-to-a Deployment network-check any pod-to-external-1111 Deployment policy-check any pod-to-a-allowed-cnp Deployment policy-check any pod-to-a-denied-cnp Deployment policy-check any pod-to-external-fqdn-allow-google-cnp Deployment services-check multi-node pod-to-b-multi-node-clusterip Deployment services-check multi-node 
pod-to-b-multi-node-headless Deployment services-check intra-node pod-to-b-intra-node-clusterip Deployment services-check intra-node pod-to-b-intra-node-headless Deployment services-check multi-node host-to-b-multi-node-clusterip Deployment services-check multi-node host-to-b-multi-node-headless CiliumNetworkPolicy policy-check any pod-to-a-allowed-cnp CiliumNetworkPolicy policy-check any pod-to-a-denied-cnp CiliumNetworkPolicy policy-check any pod-to-external-fqdn-allow-google-cnp These can be filtered by component, topology or name. For example: $ cue cmd -t component=network ls KIND COMPONENT TOPOLOGY NAME Service network-check any echo-a Deployment network-check any echo-a Deployment network-check any pod-to-a Deployment network-check any pod-to-external-1111 Finally, to gather the (filtered) YAMLs for the specified resources: $ cue cmd dump | head -n 20 metadata: name: echo-a labels: name: echo-a topology: any component: network-check spec: ports: - port: 80 selector: name: echo-a type: ClusterIP apiVersion: v1 kind: Service --- ... Or with an upcoming commit you can just use the Makefile, which now depends on the cuelang/cue:v0.2.2 Docker image: $ make connectivity-check.yaml Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Support generating YAMLs via cue Replace the existing YAML generation from individual YAML declarations for each service with generating YAMLs from the CUE definitions. Three new targets will assist in validating the migration from the existing definitions over to CUE: * make generate_all * For object declared in CUE, generate a file corresponding to that definition. For most of the existing YAMLs, this will overwrite the copy of the YAML in the tree. This can allow manual inspection of individual YAMLs, though the 'inspect' approach is broadly more useful for evaluating the overall diff. * make deploy * Deploy the hostport connectivity checks YAML into an existing cluster. 
* make inspect * Generate the YAML file for all connectivity checks, then use kubectl to diff these newly generated definitions against the running cluster (assuming it was deployed via make deploy). This commit is purely the makefile changes for easier review & inspection. Upcoming commits will use these targets to demonstrate that there is no meaningful change in the generated YAMLs for existing YAMLs in the tree. In particular, `make inspect` can be used in an iterative manner by initially deploying the current version of the YAMLs from the tree, then making changes to the CUE files and inspecting each time a change is made. When the diff in the cluster represents the changes that the developer intends to make, the developer can commit the changes to the CUE files and re-generate the tree versions of the YAMLs. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Replace YAMLs with cue-generated YAMLs Prior commits introduced CUE definitions that are equivalent to these YAML files, so we can now: * Remove the individual declarations which were previously source-of-truth for the connectivity checks * Update the overall connectivity-check YAMLs to reflect the minor changes that the CUE definitions represent. To validate this, heavy use of `make inspect` was used. As described in the prior commit message where this was introduced, this allows diffing the latest CUE-based YAML definitions against a running copy of the YAMLs in a cluster. There are few meaningful changes in this commit which are hard to assess directly from the git diff, but are easier using `make inspect`: * All containers are converted to use readinessProbe and not livenessProbe. * All readiness probes now specify --connect-timeout of 5s. * Readiness probes access `/public` or `/private` per the underlying container HTTP server paths rather than just accessing `/`. * DNS allow policies are converted to consistently allow both TCP and UDP-based DNS. 
* Container names are derived from pod names. * The new YAMLs declare additional labels for all resources, such as 'component' and 'topology'. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Introduce proxy checks These new checks configure various L7 proxy paths to validate connectivity via L7 proxies, in the following dimensions: - Apply policy on egress; ingress; or both (proxy-to-proxy) - Intra-node / Multi-node - Allow / Deny Note that proxy-to-proxy always configures egress allow policy to ensure that the traffic goes via the proxy and in the drop case the requests are only rejected at the destination. This is because applying egress deny at the source would prevent proxy-to-proxy connectivity, meaning the test would be equivalent to the egress-only reject policy case. This way, we ensure that the path via the egress proxy to the destination is tested in the reject case. These are implemented partially through a new 'echo-c' pod which always has ingress policy applied to allow GET requests to '/public'. Depending on whether ingress policy is needed to check the particular permutation the new checks may connect to 'echo-a' or 'echo-c'. These are implemented by adding pods for each permutation of policy apply point and topology; then by adding allow / deny containers within that pod to test the allow/deny cases. The 'connectivity-check-proxy.yaml' includes all of the above. Finally, the omissions: This commit does not attempt to address variations in datapath configuration. This includes IPv4 vs. IPv6; tunnel/direct-routing; endpoint config; kube proxy/free; encryption. These are left up to the cluster operator configuring Cilium in specific modes and subsequently deploying these YAMLs. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Minor naming fixups Make some of these resource names a bit more consistent. 
Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add quarantine label to metadata This new label will be used during YAML generation to ensure that resources which we are still working on fixes for are kept in a separate category apart from the regular connectivity checks, to allow us to check them in & distribute them without causing CI to instantly fail. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add hostport + proxy checks Introduces checks for egress proxy policy when accessing a hostport on a remote node. These are added as part of the component=hostport-check to ensure they are not pulled in when running connectivity checks in environments without hostport support. Additionally, these new tests are quarantined for now as they are known to fail in some environments. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Expand readme for latest checks Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Re-add liveness probes It appears that some of these checks require liveness probes rather than readiness probes to pass on the github actions smoke-test, so ensure all containers are checked with both. Signed-off-by: Joe Stringer <joe@cilium.io> * smoke-test: Improve state gathering upon failure Commit bb91571ea497 ("smoke-test: Print pod/deploy state on failure") attempted to improve the information available during a failure from the smoke-tests, but only added it to the quick-install test and not the conformance test. Add the same output also to the conformance test so we can more easily debug failures there. Signed-off-by: Joe Stringer <joe@cilium.io> * smoke-test: Disable bpf masquerading In the smoke test, we are relying on kube-proxy for service connectivity so it doesn't make sense to enable BPF masquerading. In fact, this causes issues for connectivity from a node to a pod on a remote node via ClusterIP (see related issue). 
For the moment, disable BPF masquerading while we figure out the longer-term solution to that issue. Related: #12699 Signed-off-by: Joe Stringer <joe@cilium.io> * docs: Update connectivity-check examples Signed-off-by: Joe Stringer <joe@cilium.io> 29 July 2020, 22:27:57 UTC
3de518a api, cli, daemon: add BPF map sizes to cilium status When the dynamic BPF map sizing feature is used, for debugging, it would be useful to know the actual map sizes without asking users to run bpftool map show pinned ... or grepping logs of the agent. Thus, report the BPF map sizes and the dynamic size ratio in `cilium status --verbose`. Example output: $ cilium status --verbose [...] BPF Maps: dynamic sizing: on (ratio: 0.030000) Name Size Non-TCP connection tracking 217226 TCP connection tracking 434452 Endpoint policy 65535 Events 2 IP cache 512000 IP masquerading agent 16384 IPv4 fragmentation 8192 IPv4 service 65536 IPv6 service 65536 IPv4 service backend 65536 IPv6 service backend 65536 IPv4 service reverse NAT 65536 IPv6 service reverse NAT 65536 Metrics 1024 NAT 434452 Neighbor table 434452 Global policy 16384 Per endpoint policy 65536 Session affinity 65536 Signal 2 Sockmap 65535 Sock reverse NAT 217226 Tunnel 65536 [...] Fixes #12643 Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 July 2020, 11:59:13 UTC
ddd0969 maps/{eventsmap,signalmap}: pass map size as parameter to InitMap Both the events and the signal map are sized to the number of possible CPUs. Instead of twice querying the respective number, pass it as a parameter to InitMap, so the number of possible CPUs can be determined once before creating both maps. Also export the map size as MaxEntries for both maps. This will be used in a successive commit to report the map size in `cilium status --verbose`. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 July 2020, 11:59:13 UTC
84f44ff maps/ipmasq: export MaxEntries This is needed to report the ipmasq map size in `cilium status --verbose` in a successive commit. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 July 2020, 11:59:13 UTC
800e8b1 client: refactor FormatStatusResponse to take struct for additional details Adding a bool var for each additional detail to print in the status requires changing the function and all its callers and additionally makes certain invocations of the function hard to read without looking at its signature and godoc comment due to the list of bools. Refactor FormatStatusResponse to take a struct of bools with the additional details to print. This e.g. makes the invocation of a caller not interested in any details more readable as: client.FormatStatusResponse(w, sr, client.StatusNoDetails) compared to the previous version: client.FormatStatusResponse(w, sr, false, false, false, false, false) Adding a new option for additional details now only requires adding an additional bool member and its handling in FormatStatusResponse and StatusAllDetails. Only callers interested in this particular detail need to know about this flag and set it, existing callers don't need to be changed. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 July 2020, 11:59:13 UTC
0ec5463 api: remove trailing quotation mark in BPFMapEntry description Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 29 July 2020, 11:59:13 UTC
c46f716 helm: fix Hubble UI service account indent Fix indent of Hubble UI service account annotations Helm condition. Signed-off-by: Marc Stulz <m@footek.ch> 29 July 2020, 11:00:05 UTC
0cf5c0b helm: add Hubble Relay service account In setups with restricted pod security policies, it is required to have a service account to grant privileges. E.g. for hostPath volumes Signed-off-by: Marc Stulz <m@footek.ch> 29 July 2020, 11:00:05 UTC
d4ee5be helm: change API to networking.k8s.io/v1beta1 for Ingress resource for newer k8s versions Change API endpoint for newer k8s versions to nonlegacy networking.k8s.io/v1beta1, available since v1.14. Signed-off-by: Marc Stulz <m@footek.ch> 29 July 2020, 11:00:05 UTC
6dbc217 test: Kafka egress K8s test Modify existing Kafka K8s test to include an egress Kafka policy while opening up the corresponding ingress policy to verify that the enforcement is indeed done by the egress policy. Correct language in test code and remove unnecessary `fmt.Sprintf()` calls. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
945b6a1 test: Kafka egress runtime test Modify one of the existing Kafka tests to use egress enforcement and visibility on ingress at the same time. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
03777e0 proxy: Move Kafka proxy to Envoy Go extensions Move Kafka proxy from Cilium agent to Envoy Go extensions. Avoid importing the whole api to proxylib by moving kafka to its own api/kafka package. This helps reduce the proxylib binary bloat due to Kafka from 11.5MB down to 0.3MB. Move Kafka rule internals from pkg/policy/api/kafka to pkg/kafka. Add Rule type to pkg/kafka that can also be used from the proxylib kafka parser as-is. Simplify pkg/kafka logging to avoid duplicating dates, levels, etc. when the logs are piped to cilium agent. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
be1f9b7 proxylib: Add a parser interface for io.Reader parsers. Kafka request parsing uses io.Reader. Refactor the Reader code away from the Kafka parser to simplify the parser and to make other io.Reader parsers easier to integrate. Kafka replies need minimal parsing, just the first 8 bytes, after which the whole frame can be passed on. Use the parser frame length to ask for full frames before parsing requests. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
ae2b60c proxylib: Honor L3-dependency also without L7 rules. This is a proxylib fix to the same bug that was already fixed on Cilium Envoy filters by https://github.com/cilium/proxy/commit/c31482c3e49670980c05cafc914320f7949b266f. Remove the shortcut added earlier for sidecar support to check L3 dependency also when there are no L7 rules. Sidecars should still work as expected. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
bca8297 test: Validate Kafka access logging. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
09af6a6 envoy: Update API for Kafka Add access log message type for Kafka. Split multiple topics to separate access log messages on the cilium agent side for backwards compatibility. Refine the so far unused Kafka rule message. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 July 2020, 09:34:17 UTC
db5027a cilium/build Add GOPATH check for generate-k8s-api The GOPATH needs to be correctly set with respect to the cilium repository location so that k8s api files are generated at the right paths. Signed-off-by: Aditi Ghag <aditi@cilium.io> 29 July 2020, 08:30:02 UTC
1797d0e contrib: Tighten search for list of PRs Previously, if "set-labels.py" was in the PR title, then the `grep` would pick up extraneous lines which throw off the parsing. See failed example below: ``` $ ./contrib/backporting/submit-backport v1.8 ... Updating labels for PRs * #12640 -- backporting: Report progress in set-labels.py (@pchaigno) 12640 12626 12632 12654 12651 12652 12659 12521 12683 Set labels for all PRs above? [y/N] y usage: set-labels.py [-h] pr_number {pending,done} [version] set-labels.py: error: argument pr_number: invalid int value: 'api' Signal ERR caught! ``` Fixes: 3c4d43af8f ("contrib: Fix submit-backport PR set-labels detection") Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 July 2020, 08:28:59 UTC
3b58cf6 contrib: Print PR number in set-labels.py Simple enough change and improves usability. Fixes: 9fdaf24555 ("backporting: Report progress in set-labels.py") Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 July 2020, 08:28:44 UTC
732188f pkg/k8s: mirror parent pod labels to cilium endpoints CiliumEndpoint object now mirrors the labels present on the Pod it is associated with. This is done to allow label based selection for cilium endpoints. ``` vagrant@k8s1:~/go/src/github.com/cilium/cilium$ kubectl get pods NAME READY STATUS RESTARTS AGE hello-kubernetes-56759c5dff-xpwdw 1/1 Running 0 3m15s vagrant@k8s1:~/go/src/github.com/cilium/cilium$ kubectl get ciliumendpoint --show-labels NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6 LABELS hello-kubernetes-56759c5dff-xpwdw 1076 36777 ready 10.16.131.194 f00d::a0f:0:0:4583 app=hello-kubernetes,pod-template-hash=56759c5dff vagrant@k8s1:~/go/src/github.com/cilium/cilium$ kubectl label pod hello-kubernetes-56759c5dff-xpwdw new=temp pod/hello-kubernetes-56759c5dff-xpwdw labeled vagrant@k8s1:~/go/src/github.com/cilium/cilium$ kubectl get ciliumendpoint --show-labels NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6 LABELS hello-kubernetes-56759c5dff-xpwdw 1076 36777 waiting-for-identity 10.16.131.194 f00d::a0f:0:0:4583 app=hello-kubernetes,new=temp,pod-template-hash=56759c5dff ``` Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:39:26 UTC
82cc7c3 test: generate cilium helm template validating against k8s cluster * Use --validate with `helm template` command to validate the generated manifest against the associated kubernetes cluster * For more information see - https://github.com/cilium/cilium/pull/12409#discussion_r453313631 Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:38:31 UTC
930bde7 install: update helm templates to add HA capabilities for operator Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:38:31 UTC
df90c99 operator: support HA mode for operator using k8s leaderelection library * Make leaderelection parameters configurable using command line flags * Update cmdref to include documentation for new flags. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:38:31 UTC
fb101df k8s: add coordinationv1 capability check to k8s version package * Introduces config option `K8sLeasesFallbackDiscoveryEnabled` to check if fallback discovery is enabled for Leases. * K8sLeasesFallbackDiscovery is enabled by default only in operator. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:38:31 UTC
66c3d9c vendor: vendor kubernetes leaderelection library Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 July 2020, 07:38:31 UTC
4ea0ea4 pkg/k8s: remove unused variable Fixes: 56a9c1fe9368 ("pkg/k8s: remove manual generated DeepCopyInto function") Signed-off-by: André Martins <andre@cilium.io> 29 July 2020, 02:04:55 UTC
0a4f34a cilium/cmd: remove deprecated rev flag used with `cilium service update` (#12692) * tests: remove deprecated 10-proxy.sh This test is no longer executed since it was disabled/deprecated in commit 599d0c6cdb9d ("tests: deprecate 10-proxy.sh"). It uses the deprecated and non-functional `cilium service update --rev` flag which will be removed in the successive commit, so remove the test script as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> * cilium/cmd: remove deprecated rev flag used with cilium service update This was deprecated for 1.7 in commit 39dea0071d53 ("cli: Warn if --rev flag is used with cilium service update") and no longer provides any functionality. Remove it for 1.9. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 July 2020, 19:47:50 UTC
56a9c1f pkg/k8s: remove manual generated DeepCopyInto function Replace the manual creation of the DeepCopyInto function with an autogenerated one. Signed-off-by: André Martins <andre@cilium.io> 28 July 2020, 18:16:11 UTC
8d56d06 .github: run Go prechecks as GitHub action Run `make precheck` as a GitHub action. This checks various formatting and package usage issues in Go code. Fixes #11730 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 July 2020, 12:00:29 UTC
bb91571 smoke-test: Print pod/deploy state on failure Signed-off-by: Joe Stringer <joe@cilium.io> 28 July 2020, 08:46:42 UTC
8401097 Use the global Azure key Just setting `nodeinit.azure` isn't enough, `global.azure.enabled` must be set to true to have Network Policies with Azure. To avoid confusion, the parameter has been removed from the `nodeinit` chart to use the global one, like the `config` and `operator` charts do. Signed-off-by: Philippe Lafoucrière <plafoucriere@gitlab.com> 28 July 2020, 08:46:17 UTC
7fc6c96 cilium/cmd: remove deprecated `bpf proxy (list|flush)` commands These were deprecated for Cilium 1.6 in #6921 and no longer provide functionality, remove them for 1.9. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 July 2020, 08:44:11 UTC
c3f9953 daemon: don't attempt to remove cilium_proxy{4,6} maps Cilium 1.6 is now the oldest supported release, so the deletion of the cilium_proxy{4,6} maps in daemon/cmd.(*Daemon).initMaps can be omitted. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 July 2020, 08:44:11 UTC
db9e637 feat(helm): Add serviceAccount field for hubble-ui This serviceAccount was deprecated in kube 1.18, however this should be added to support earlier kube version Signed-off-by: Tam Mach <sayboras@yahoo.com> 28 July 2020, 08:41:35 UTC
cb4df8e health: Differentiate between unknown and unreachable state Before this change, adding a new node with Cilium to the Kubernetes cluster resulted in the new node being reported as unreachable in cilium-health. That's because before Cilium gets fully provisioned, the node status is going to contain empty status (for HTTP probe). That behavior was causing `cilium status` to show that the new nodes during the provisioning are unreachable, thus false alarming Cilium users and suggesting that the provisioning of the new node failed. The same behaviour could be observed in the cilium_unreachable_nodes Prometheus metric. This change differentiates between unreachable and unhealthy status. In order to be considered as unreachable, the status has to contain an explicit error message, which is always set by the prober when it really has problems with reaching already provisioned Cilium endpoint. Otherwise its status is considered to be unknown, which usually should mean that the node is being provisioned. Fixes #11874 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 28 July 2020, 08:34:26 UTC
491c927 pkg/policy: remove unused returned field This field was only used in unit tests, to simplify the code we can remove its return. Signed-off-by: André Martins <andre@cilium.io> 28 July 2020, 08:30:22 UTC
06261bc pkg/endpoint: remove unused functions The functions Get[Ingress|Egress]PolicyEnabledLocked are not used anywhere so we can clean them up. Signed-off-by: André Martins <andre@cilium.io> 28 July 2020, 08:30:22 UTC
87fe5c0 operator: Remove deprecated option metrics-address Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
8d31ecd operator: Remove deprecated option api-server-port Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
942ab70 operator: Remove deprecated rate-limiting AWS client options This commit removes aws-client-burst and aws-client-qps. Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
5f7f786 operator: Remove eni-parallel-workers option Remove the eni-parallel-workers option, deprecated in Cilium 1.8. Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
c52db14 operator: Remove deprecated EnableXXXGC options Remove the cilium-operator options cnp-node-status-gc, ccnp-node-status-gc, and cilium-endpoint-gc, which were deprecated in Cilium 1.8 in favor of their XXXGCInterval counterparts. Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
c5de694 docs: Fix label for 1.8 Upgrade Notes Fixes: 64b32ca ("option: remove prometheus-serve-addr-deprecated") Signed-off-by: Paul Chaignon <paul@cilium.io> 27 July 2020, 18:15:20 UTC
0e0e25a hubble/relay: fix unavailable nodes count on ServerStatus The number of listed unavailable nodes is bounded. However, the count of unavailable nodes definitely should not be... Fix: cefe1458d Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 July 2020, 17:54:11 UTC
1d1427b api: re-generate protobuf code Commit `f18fcd9b` updated the following dependencies: - github.com/golang/protobuf: v1.3.2 => v1.4.2 - google.golang.org/genproto - google.golang.org/grpc: v1.26.0 => v1.27.0 However, the protobuf generated files were not re-generated which is what this commit addresses. The newly generated files should be backward compatible. However, the following warning is now emitted when generating them: WARNING: Package "github.com/golang/protobuf/protoc-gen-go/generator" is deprecated. A future release of golang/protobuf will delete this package, which has long been excluded from the compatibility promise. This is because this package was apparently never meant to be public as explained in this comment[0]. The fix for this is to migrate to `google.golang.org/protobuf/compiler/protogen` but this can't be done until a release of `grpc-go` which includes the following patch[1] is out. Update the Makefile to output a note with regard to this when generating the files. It appears that with the newly generated files, protobuf now needs to be marked as an explicit dep. Fix it by running: go mod tidy && go mod vendor && go mod verify Fix: f18fcd9b [0]: https://github.com/golang/protobuf/issues/1104#issuecomment-619420855 [1]: https://github.com/grpc/grpc-go/pull/3453 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 July 2020, 15:45:33 UTC
977e6fe api: bump required protoc version to 3.12.3 This is the newest version of protoc. It still produces the same generated Go code, so the generated files are not affected. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 July 2020, 15:45:33 UTC
3d975fe docs: fix typo Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 27 July 2020, 15:17:34 UTC
cefe145 hubble/relay: report nodes connectivity status in ServerStatus Update `ObserverServer.ServerStatus` to include information about the number of nodes to which Hubble Relay is able to connect and those that are unavailable. A short and non exhaustive list of unavailable nodes is also reported. Example output: $ grpcurl -plaintext localhost:4245 observer.Observer.ServerStatus { "numFlows": "12288", "maxFlows": "12288", "seenFlows": "45439", "uptimeNs": "1191789765429", "numConnectedNodes": 3, "numUnavailableNodes": 1, "unavailableNodes": [ "kind-worker3" ] } Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 July 2020, 13:11:58 UTC
55ae503 api/observer: add new fields to inform about nodes status Add 3 new fields to the `ServerStatusResponse` message: - num_connected_nodes - num_unavailable_nodes - unavailable_nodes The intent is to provide a better status output when running `hubble status` with Hubble Relay. These fields are optional and intended to be implemented by Hubble Relay only. As these are new fields to an existing message, the change is backward compatible. The first two fields should not need further explanation. The third one is not meant to be an exhaustive list of all unavailable nodes, as documented, as with a large enough cluster, this would clutter. However, listing some of the unavailable nodes should already provide useful information when debugging Hubble Relay issues. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 July 2020, 13:11:58 UTC
37bc7a8 Fix typo in gke cluster release script Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 27 July 2020, 12:34:19 UTC
d5a0802 test: update k8s test versions to 1.17.9 and 1.18.6 Signed-off-by: André Martins <andre@cilium.io> 27 July 2020, 11:47:39 UTC