https://github.com/cilium/cilium

c4002d6 bpf: Implement Pod network priority levels into bandwidth manager [ tbd ] Closes: #24194 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 23 May 2023, 12:16:42 UTC
84058ec bgpv1: Fix use of k8s.LocalNodeResource and LocalCiliumNodeResource types Due to a merge race the new tests in pkg/bgpv1 broke after 69dca4b53b was merged. Fix the types in the tests. Fixes: 69dca4b53b ("k8s: Remove unnecessary boxing in Local(Cilium)NodeResource") Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 May 2023, 09:44:56 UTC
b5173f0 bpf: Cover high-scale IPcache in complexity tests This feature requires Linux 5.19 so we'll only cover it in the net-next complexity tests. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 23 May 2023, 08:24:23 UTC
4d55de8 contrib/scripts: Ignore all vendor sub-directories Make these check scripts slightly more future-proof by ignoring all sub-directories named vendor. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 23 May 2023, 08:23:50 UTC
e49b16a Update push-chart workflow concurrency group I think we're seeing unintended cancellations of this workflow because it's a workflow_run event in most cases and github.event.after might not be working as we expect. First, add the event name into the concurrency group and then use a different ref based on the event type based on the git SHA the image chart will use for the image tags. This ensures we'll get one build for each image build but if we re-run the same job with the same parameters it'll cancel any previous invocations for the same ref and event type. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 23 May 2023, 08:21:20 UTC
bfa4656 docs: Remove non-x86 restriction Remove logic from Documentation/Makefile that skips building 'update-helm-values' on non-x86 platforms. This limitation is no longer needed as we use the helm toolbox image, which is available for multiple architectures. Fixes: #20236 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 May 2023, 08:19:15 UTC
72e47b5 signal: Use signalmap for auth required Use signalmap instead of monitor events to notify userspace of missing authentication. Execute authentications concurrently and check for pending or completed authentications before starting a new one with the same key. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 May 2023, 08:09:01 UTC
25c00b0 signal: Generalize for multiple targets Move definition of the signal data to the signal handlers to limit go dependencies. Signal delivery channel is now buffered so that signal manager will not get blocked by any one of the signal handlers. Pause/Unpause is generalized so that the perf events are paused only when all the signals have been paused. Current implementation uses bit mask (64 bits) which limits the max number of signals to 64. Signal registration is to be done only from init or cell OnStart functions, so that no locking is needed for managing signal handlers. Mute/Unmute calls can happen concurrently. Manage dependencies via Hive/Cell. Add a fake signalmap so that controlplane tests may depend on it. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 May 2023, 08:09:01 UTC
baef7a7 daemon: Remove eventsmap and signalmap from map status Maximum number of entries in both eventsmap and signalmap is the number of possible CPUs, which never changes, is a low number, and is not adding any real information to the status report. Remove them to reduce direct dependencies to these maps. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 May 2023, 08:09:01 UTC
3855672 node: Add GetNodeIP() to NodeHandler Add GetNodeIP(nodeID uint16) that returns the node IP for which the given nodeID was allocated. This will be used for authentication handshake in later commits. Check for 0 (== local node) explicitly and return local node address from pkg/node in that case, as local node IPs are not in the maps. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 May 2023, 08:09:01 UTC
66de2bf garp: Introduce Gratuitous ARP Cell Gratuitous ARP is the process of broadcasting unsolicited ARP packets, usually with the goal of informing all Layer 2 devices of a new IP/MAC association on the L2 domain and forcing any switches to relearn the MAC address. Here we add the `garp` cell. While not really useful yet, the purpose is to provide a simple Hive Cell that implements the new `garp.Sender` interface, so that any other Cell may send gratuitous ARP packets. Signed-off-by: Mark Pashmfouroush <mark@isovalent.com> 23 May 2023, 08:08:22 UTC
dab7bd6 gha: Move to helm mode for Gateway jobs Signed-off-by: Tam Mach <tam.mach@cilium.io> 23 May 2023, 07:32:14 UTC
f748ae3 ci: fix Cilium CLI install in ConformanceKindEnvoyDaemonSet In cef9595361e970dbee47eed659bac56ea68d73cd we switched to using a cilium-cli GHA for installing the CLI, but this workflow was merged in main at a later point. We edit the workflow to be consistent with the other workflows when installing the CLI. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 23 May 2023, 07:30:39 UTC
48eeff4 k8s: Use slim_corev1.Node instead of v1.Node The LocalNode resource now uses slim_corev1.Node which avoids the unnecessary conversions to it from v1.Node. Adds ProviderID to slim_corev1.Node as it was needed by BGP. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 May 2023, 07:29:36 UTC
69dca4b k8s: Remove unnecessary boxing in Local(Cilium)NodeResource The struct wrapping and boxing of resource creates an unnecessary pointer indirection. Just newtyping Resource[T] is enough. Signed-off-by: Jussi Maki <jussi@isovalent.com> 23 May 2023, 07:29:36 UTC
693605f bgpv1: Introduction of bgp component tests Introducing bgp control plane component tests. This change introduces test harness and basic BGP tests related to podCIDR advertisements, lb service advertisements and neighbor events. The motivation for this change is to increase test coverage around boundaries of BGP subsystem and also to validate actual peering state at high level for primary BGP features. Types of test cases to add here would range from exposed BGP features like route advertisements and various neighbor configuration settings. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 23 May 2023, 07:27:37 UTC
aa8dae0 bgpv1: pass parameters to gobgp logger for reusability Pass log parameters to gobgp logger instead of hardcoding them in log methods. This is done so we can reuse the logger and pass on different log fields. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 23 May 2023, 07:27:37 UTC
a63aabc datapath/linux: make sure we have a local rule with proto kernel This reverts commit 9d6034110fc3dc01a5a0636ed6f98ad2443ef038. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
3afe3b1 datapath/linux/route: DeleteRule takes family as an argument Remove the IPv6-specific DeleteRuleIPv6() and add a family argument to DeleteRule so we can use the same function for both families. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
21ddcc1 bugtool: dump fib rule protocol This reverts commit a9cad19a2bb7351740ac1c3639feee21b1cf3503. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
6170375 datapath: remove RouteProtocolIPSec and use proto kernel This reverts commit 05593eec57257b4cb2d978c6fd74f639282ade14. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
2678be5 datapath/linux/node: use proto kernel for fib rules and routes This reverts commit 2b6d5c40b57623245bfed7b3abadb4a1a699b090. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
27e6b83 datapath/linux/routing: use proto kernel for fib routes and rules This reverts commit 9b5e74b49564e554a5e93b992bdf10b94b3d671d. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
5be9047 datapath/loader: use proto kernel for ENI fib rules and routes This reverts commit afdc51f6f48935e4133e8f3a9ab5464a9974762d. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
b415812 egressgw: use proto kernel for fib routes and rules This reverts commit 3271cb25d3171df77c3fd8831c2b05f450833b0b. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
548bee5 datapath/linux/route: use proto kernel when installing routes This reverts commit 0f3e98926d65c620ca3e830aa442821787ed7d27. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
3a0e77e datapath/linux/route: add support for rule protocol This reverts commit 5fb791d247d715d353234d3b15aef3cfebdc9b17. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
4e4e880 init.sh: take local lookup rule priority as an argument This reverts commit 9e62a84a5f2e66bcd636a4fc6fc0bd14d921aa7a. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
9b63f57 init.sh: install ip rules and routes with proto kernel This reverts commit dbce5f16e75d1a836ca34fa53b900a5adc92431a. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
1f5fd5a linux_defaults: add local lookup priority to use for fib rules This reverts commit ed5114dc125355f0b9b45e3e2635a5701bfb689f. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
8ccc3bb linux_defaults: add default rt protocol to use for fib rules and routes This reverts commit 368ec8e6b8c6e44538ecd306ae81ec37e18a85ec. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
2a26618 datapath/linux/route: fix CI expectations for rule string format This reverts commit 53fef5426fa21df0f3982831f8ab6bb44d4d6466. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
b330d4d vendor: update vishvananda/netlink/ Update vishvananda/netlink/ so we can make use of fib rule RTA_PROTOCOL attribute. Signed-off-by: Nikolay Aleksandrov <nikolay@isovalent.com> 23 May 2023, 07:13:54 UTC
ab1c66c fix the comments about Delete The endpoint's IP is not released in the function Delete; it is released in the function EndpointDeleted. These comments will confuse the code reader. Signed-off-by: pengbinbin1 <pengbiny@163.com> 23 May 2023, 07:13:54 UTC
f5db9ca MAINTAINERS: add Dylan Reimerink to the list of maintainers Voting results: YES: 32 (70%) NO: 0 (0%) ABSTAIN: 14 (30%) With the Company Block Vote Limit applied: YES: (30 / (30/6)) + 2 = 8 votes NO: 0 votes Signed-off-by: Timo Beckers <timo@isovalent.com> 23 May 2023, 02:01:08 UTC
2f9c40c bpf: test: add IPv6 DSR tests Copy & adjust the IPv4 tests for DSR processing in a LB / backend node. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 20:47:37 UTC
1f6f0a5 bpf: test: clean up IPv4 DSR backend test We don't need to register a service at the backend node. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 20:47:37 UTC
ba91f98 bpf: test: add support for building IPv6 NEXTHDR_DEST extension This will be used for testing IPv6 DSR. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 20:47:37 UTC
a176aea bpf: dsr: use struct ipv6_opt_hdr in dsr_opt_v6 Clarify the semantics of the nexthdr / len fields in the struct. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 20:47:37 UTC
4203a95 bpf: lb: use l3_off when walking IPv6 headers in lb6_extract_tuple() We take a l3_off as parameter, pass that on to the helper that walks the IPv6 header + extensions. This makes no difference today (as all callers pass ETH_HLEN). But it is needed by an integration test in a subsequent patch. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 20:47:37 UTC
9a30035 hive,docs: Improved the pkg/hive/job documentation PR #24558 got merged before the docs feedback was in, this PR applies the suggested improvements to the Hive docs related to jobs. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 22 May 2023, 16:26:54 UTC
13aff18 test: Populate world CIDR map in high-scale ipcache test Now that the datapath encapsulation and decapsulation are implemented, the end-to-end test will fail. To decide whether we should encapsulate or not, we lookup the world CIDR map. If no match is found, we encapsulate. That means that we will currently always encapsulate (even when e.g. resolving a domain name from 8.8.8.8) because the world CIDR map is not currently populated. The world CIDR map will be populated once the patchset introducing the new CRD is merged. Until then, we can add a catch-all 0.0.0.0/0 entry to not encapsulate anything. This commit can be reverted once the CiliumWorldCIDRSet CRD is merged. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
87855a9 bpf: Set outer source IP to pod IP We can use the recent extension of the bpf_skb_set_tunnel_key BPF helper to set the outer source IP of encapsulated packets. When the high-scale IPcache mode is enabled, we want to set that outer source IP to the source pod IP address. We don't set the outer source IP from XDP as this is only relevant for traffic from pods. For older kernels, we need to pass a smaller bpf_tunnel_key struct to the helper because they don't support the larger struct with the source IP. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 15:38:42 UTC
295ae43 probe, daemon: Probe for the ability to set outer source IP This commit defines a new kernel probe to check that the bpf_skb_set_tunnel_key BPF helper can be used to set the outer source IP address. This new probe is then used to fatal if it isn't supported and high-scale IPcache mode is enabled. IPcache mode will require this kernel feature (see subsequent commit). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
8ea31e0 bpf: Decapsulate traffic encapsulated with pod IPs When the high-scale ipcache is enabled, we will receive traffic encapsulated with the pod IP addresses on the native device. Since the destination IP is not assigned to the host (but to a container), the Linux stack won't demultiplex it to the overlay device (e.g., cilium_vxlan). Instead, the packets will follow their normal way to the container, via cilium_host if endpoint routes are disabled. We want to decapsulate the packets before they reach the lxc devices. We could decapsulate in bpf_lxc, but then the packet paths would be asymmetric. This commit adds support for decapsulation in cilium_host. Note that this will only work when endpoint routes are disabled. Therefore, in bpf_host, we filter all incoming VXLAN traffic based on the UDP port and remove the first IP, UDP, VXLAN, and Ethernet headers. We also parse the source security identity from the VXLAN header. We then redirect the packet to its expected path, via cilium_vxlan, with the security identity in skb->cb. In bpf_overlay, we need a special case for the high-scale ipcache, to retrieve the security identity from skb->cb instead of getting it from the tunnel metadata as usual (since the packet is already decapsulated at this point). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
281d131 bpf, option: Encapsulate traffic with pod IPs In case the high-scale ipcache mode is enabled, we want to encapsulate pod-to-pod traffic with the pod IP address. The goal of this encapsulation is simply to carry the security identity for the source. Previous commits introduced a new CRD and its corresponding map. They tell us which IP addresses belong to entities outside of the cluster, or at least entities to which we shouldn't encapsulate traffic when in high-scale IPcache mode. This commit makes use of the new map. We perform an LPM lookup into the map to know if we should encapsulate traffic or not. We also need to take this into account when computing the MTU. Thus, the TunnelExists() function is updated to return true when the high-scale ipcache mode is enabled. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 22 May 2023, 15:38:42 UTC
63f0b86 bpf: Cover ENABLE_HIGH_SCALE_IPCACHE in compile tests Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
3d0b0f6 loader, daemon: Create tunneling device for high-scale ipcache Similarly to the egress gateway feature, the high-scale ipcache mode requires the tunneling device even if we're running with native routing. This is because we use that device to send pod-to-pod traffic encapsulated with the pod IPs (just to carry the identity). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
b1c6905 bpf, maps: Create world CIDR map This commit adds a new LPM map for world CIDRs. Only IPv4 is supported for now. The map will be populated via a new CRD in a separate patchset. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 15:38:42 UTC
7e65ca1 docs: add clustermesh-apiserver metrics Extend the "Monitoring & Metrics" documentation page to include information about the metrics exposed by the clustermesh-apiserver. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 May 2023, 11:25:50 UTC
7d5e217 metrics: rephrase description of kvstore_events_queue_seconds metric Rephrase the description of the `kvstore_events_queue_seconds` metrics for improved clarity. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 May 2023, 11:25:50 UTC
1757c8d clustermesh-apiserver: extend helm chart to expose metrics This commit extends the helm chart to allow configuring the exposition of Prometheus metrics for the clustermesh-apiserver component (including both the apiserver and the etcd containers). Specifically, it adds the corresponding configuration knobs and introduces a dedicated service and servicemonitor (disabled by default). Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 May 2023, 11:25:50 UTC
88c6557 clustermesh-apiserver: add metrics server cell This commit extends the clustermesh-apiserver with a new cell in charge of exposing Prometheus metrics (disabled by default). It currently exposes basic go-related metrics and kvstore-related metrics. Additional metrics will be introduced in subsequent commits. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 May 2023, 11:25:50 UTC
c1e2848 metrics: make the metrics namespace configurable Currently, the metrics namespace is hard-coded to the `cilium` value. This commit changes it to be a variable (assigned by default the same value) to allow changing it when metrics are exposed by a different component (e.g., clustermesh-apiserver). Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 May 2023, 11:25:50 UTC
3b3e8d0 node: Don't encrypt traffic to CiliumInternalIP For similar reasons as in the previous commit, we don't want to encrypt traffic going from a pod to the CiliumInternalIP. This is currently the only node IP address type that is associated with an encryption key. Since we don't encrypt traffic from the hostns to remote pods anymore (see previous commit), encrypting traffic going to a CiliumInternalIP (remote node) would result in a path asymmetry: traffic going to the CiliumInternalIP would be encrypted, whereas reply traffic coming from the CiliumInternalIP wouldn't. This commit removes that case and therefore ensures we never encrypt traffic going to a node IP address. Reported-by: Gray Lian <gray.liang@isovalent.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 11:15:12 UTC
5fe2b2d bpf: Don't encrypt on path hostns -> remote pod In pod-to-pod encryption with IPsec and tunneling, Cilium currently encrypts traffic on the path hostns -> remote pod even though traffic is in plain-text on the path remote pod -> hostns. When using native routing, neither of those paths is encrypted because traffic from the hostns doesn't go through the bpf_host BPF program. Cilium's Transparent Encryption with IPsec aims at encrypting pod-to-pod traffic. It is therefore unclear why we are encrypting traffic from the hostns. The simple fact that only one direction of the connection is encrypted begs the question of its usefulness. It's possible that this traffic was encrypted by mistake: some of this logic is necessary for node-to-node encryption with IPsec (not supported anymore) and pod-to-pod encryption may have been somewhat simplified to encrypt *-to-pod traffic. Encrypting traffic from the hostns nevertheless creates several issues. First, this situation creates a path asymmetry between the forward and reply paths of hostns<>remote pod connections. Path asymmetry issues are well known to be a source of bugs, from '--ctstate INVALID -j DROP' iptables rules to NAT issues. Second, Gray recently uncovered a separate bug which, when combined with this encryption from hostns, can prevent Cilium from starting. That separate bug is still being investigated but it seems to cause the reload of bpf_host to depend on Cilium connecting to etcd in a clustermesh context. If this etcd is a remote pod, Cilium connects to it on the hostns -> remote pod path. The bpf_host program being unloaded[1], it fails. We end up in a cyclic dependency: bpf_host requires connectivity to etcd, connectivity to etcd requires bpf_host. This commit therefore removes encryption with IPsec for the path hostns -> remote pod when using tunneling (already unencrypted when using native routing). [1] More specifically, in Gray's case, the bpf_host program is already loaded, but it needs to be reloaded because the IPsec XFRM config changed. Without this reload, encryption fails. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 11:15:12 UTC
fd6fa25 bpf: Remove IPsec dead code in bpf_host TL;DR: this commit removes a bit of dead code that seems to have been intended for IPsec in native routing mode but is never actually executed. These code paths are only executed if going through cilium_host and coming from the host (see !from_host check above). For remote destinations, we only go through cilium_host if the destination is part of a remote pod CIDR and we are running in tunneling mode. In native routing mode, we go straight to the native device. Example routing table for tunneling (10.0.0.0/24 is the remote pod CIDR): 10.0.0.0/24 via 10.0.1.61 dev cilium_host src 10.0.1.61 mtu 1373 <- we follow this 10.0.1.0/24 via 10.0.1.61 dev cilium_host src 10.0.1.61 10.0.1.61 dev cilium_host scope link 192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.11 Example routing table for native routing: 10.0.0.0/24 via 192.168.56.12 dev enp0s8 <- we follow this 10.0.1.0/24 via 10.0.1.61 dev cilium_host src 10.0.1.61 10.0.1.61 dev cilium_host scope link 192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.11 Thus, this code path is only used for tunneling with IPsec. However, IPsec in tunneling mode should already be handled by the encap_and_redirect_with_nodeid call above in the same functions (see info->key argument). So why was this added? It was added in commit b76e6eb59 ("cilium: ipsec, support direct routing modes") to support "direct routing modes". I found that very suspicious because, per the above, in native routing mode, traffic from the hostns shouldn't even go through cilium_host. I thus tested it out. I've checked IPsec with native routing mode, with and without endpoint routes. I can confirm that, in all those cases, traffic from the hostns is not encrypted when going to a remote pod. Therefore, this code is dead. I'm unsure when it died. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 22 May 2023, 11:15:12 UTC
3e80530 ci-l4lb-v1.1{1,2}: Remove helm charts They are no longer needed, as thanks to [1] [2] we started to run the L4LB in DinD instead of Kind. [1]: https://github.com/cilium/cilium/pull/25528 [2]: https://github.com/cilium/cilium/pull/25523 Signed-off-by: Martynas Pumputis <m@lambda.lt> 22 May 2023, 07:05:10 UTC
f66f4b1 test/fqdn: Switch from jenkins.cilium.io to cilium.io jenkins.cilium.io is down since Thursday. We can simply switch to cilium.io. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 21 May 2023, 18:15:44 UTC
4bcfebc test/fqdn: Avoid hardcoding the test FQDN Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 21 May 2023, 18:15:44 UTC
71712cf Updates endpoint pkg to use netip.Addr Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 19 May 2023, 23:17:46 UTC
db941f9 Update stable releases Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 19 May 2023, 10:15:21 UTC
4e9aff0 test: Use github.com/cilium/fake to generate data for benchmarks Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 18 May 2023, 23:11:11 UTC
275bc82 feat: Add field_mask to Experimental field in GetFlowsRequest Bug: b/254449724 Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 18 May 2023, 23:11:11 UTC
a0450d2 test: Add Benchmark test for hubble relay It starts a few hubble servers and connects a relay component to it. Then it gets all flows stored on the servers. It measures how long it takes to transmit all flows from server through relay to client. As I was unable to push new flow events while a request to relay is active, it is best to set a constant number of iterations as the test may not scale linearly. Recommended values: 655350x and 100000x Bug: b/254449724 Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 18 May 2023, 23:11:11 UTC
3c93f9d dnsproxy: fixed error handling during successful dns proxy shutdown Currently, dns server goroutine would exit with log.fatal in case of returning without an error from ActivateAndServe (in case of a properly initiated shutdown). This commit changes this behaviour to only fail fatally in case of a returned error. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:53 UTC
9865f17 dnsproxy: introduce ipfamily (v4 & v6) This commit introduces the ipfamily type with its current implementations v4 & v6. This way duplication can be avoided. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:53 UTC
11828af iptables: support switching localOnly (IP) in proxy rule redirect Currently, switching the localOnly property of a proxy rule doesn't get reflected in the iptables rules. The checks for adding iptable rules don't include the IP of a rule. Therefore, when upgrading, the old rule remains in the table. The same applies for the check whether an outdated rule should be deleted from the table. This commit fixes this, and adds support for changing the localOnly property of a proxy rule. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:53 UTC
60a6031 dnsproxy: refactor error-propagation in sessionFactory.SetSocketOptions This commit introduces proper error propagation when errors occur during sessionFactory.SetSocketOptions. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:53 UTC
5304088 dnsproxy: bind dns proxy to localhost only Currently the dns proxy is bound to all interfaces. With this commit, the dns proxy only gets bound to the localhost interfaces. Therefore, up to 4 DNS servers are created (udpv4, tcpv4, udpv6, tcpv6 - depending on the configuration) which all use the same DNS handler. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:53 UTC
e6406f9 cmd: add auth type to cilium bpf policy get/list This commit adds the recently introduced auth type to the list of attributes which get printed when listing the policies with `cilium bpf policy get/list`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:40 UTC
1dbb9f8 cmd: explicitly print Endpoint ID before policy map content Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:40 UTC
a1ee10d cmd: proper JSON/YAML output when listing all policy maps Currently, when listing all policy maps with structured output (e.g. `cilium bpf policy list -o json`), the output as a whole isn't structured as JSON, only the individual policy maps per endpoint. This prevents piping its output into other tools - e.g. jq. This commit changes this by formatting the full output as JSON/YAML with EndpointID, Path & Content.
```
[
  {
    "EndpointID": "35",
    "Path": "/sys/fs/bpf/tc/globals/cilium_policy_00035",
    "Content": [
      { // map entry },
      { // map entry }
    ]
  },
  {
    "EndpointID": "38",
    "Path": "/sys/fs/bpf/tc/globals/cilium_policy_00038",
    "Content": [
      { // map entry },
      { // map entry }
    ]
  },
```
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:40 UTC
604afd0 nodehandler: register node-id restore as hive lifecycle hook This commit moves the node id restore from the daemon to the hive cell - where it's implemented as hive lifecycle hook. Otherwise, dependent components are trying to lookup node ids before the actual restoration - which results in newly allocated node ids. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 May 2023, 23:10:24 UTC
76eca78 watchers: Compare annotations before discarding CiliumNode updates. Currently we discard CiliumNode updates based on DeepEqual and labels. However, DeepEqual is set to ignore Annotations, and the wg-pub-key annotation is used to exchange rotated Wireguard keys. The wireguard tunnel is broken when any node restart happens. After restart, the restarted node's public key got refreshed but not propagated to other nodes. The issue is caused by cilium dropping CiliumNode update events when the spec, status and labels between the old and new nodes are the same. Wireguard public key updates are transmitted through annotations. Signed-off-by: Lin Dong <lindongchn@gmail.com> 18 May 2023, 21:27:57 UTC
455e0bc bpf: ct: have DISABLE_LOOPBACK_LB exclude all loopback fields from ct_state Make it easier to catch stray users of the loopback-specific fields. And improve the compile tests to actually cover this. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
e3d0230 bpf: lb: wrap IPv4 RevNAT loopback handling in DISABLE_LOOPBACK_LB The loopback handling is only relevant for usage in bpf_lxc. Don't include it from the nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
54f4276 bpf: lb: remove state->addr assignments in lb4_local() Neither of the callers cares about this field. In particular for the loopback case, lb4_ctx_restore_state() simply sets up the "new" ct_state struct with IPV4_LOOPBACK when .loopback is set. So even here it's not required to reflect the .saddr back to the caller from lb4_local(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
79c47e8 bpf: ct: remove ct_state->addr from DBG_CT_CREATED4 event This hasn't aged well, so might as well remove it to make our life easier. For nodeport connections we inherit the ct_state from the preceding call to lb4_local(), and ct_state->addr is set to the backend address. We can get the same information from the actual connection tuple (as the packet has already been service-DNATed). For service connections from bpf_lxc we typically don't restore state->addr in lb4_ctx_restore_state(), so this field will just be 0. The exception being a loopback connection, where it's hard-coded to IPV4_LOOPBACK. In either case this has long stopped being the "lb address". Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
0be7c69 bpf: ct: limit loopback case in ct_create4() to CT_EGRESS The loopback case is only relevant after a successful service lookup in bpf_lxc's from-container flow. Here the CT entry is created with CT_EGRESS scope. Make this obvious in the code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
027db52 bpf: ct: wrap IPv4 loopback handling in DISABLE_LOOPBACK_LB The relevant loopback code in lb4_local() already has this condition. So also apply it to all the CT paths that would process an entry with the .loopback flag set. This excludes the CT loopback code sections from all nodeport paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
e858c93 bpf: ct: remove loopback handling in ct_create6() There's no loopback support for IPv6, see lb6_local(). So this flag will always be 0. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
67eb0ee bpf: complexity: set DISABLE_LOOPBACK_LB for host / overlay / xdp progs Mirror how the agent compiles these programs, so that we can exclude the IPv4 loopback code from the nodeport LB paths. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 18 May 2023, 17:16:44 UTC
2c367de treewide: use /usr/bin/env bash instead of /bin/bash This commit switches most usages of "/bin/bash" to "/usr/bin/env bash". This allows conforming to the PATH env variable when invoking bash, which is especially important on distros/installs in which bash is *NOT* installed in /bin/bash (for instance in some more "exotic" distros like NixOS, or even if bash is installed in /usr/local/bin/ for whatever reason). The goal here is not to be perfectly exhaustive but to address most of the low-hanging fruit wherever this happens and, most importantly, to ease Cilium contributions for people who don't have bash installed in /bin/bash. Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 18 May 2023, 00:11:47 UTC
b2de07a bpf: Fix missing drop notifications on ct lookup failures This is largely possible because a macro-defined func is reused in several places, and send_drop_notify is assumed to be deferred up the chain - but not all parents would actually invoke it, and by definition it seems clearer/less error prone to always explicitly issue drop notification at the source, where the drop is decided. This is a smidge more verbose, but it avoids the problem of bad assumptions or hard-to-catch mistakes causing missing drop notifications. Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> 17 May 2023, 22:09:46 UTC
f2a4312 nodemanager: Move to async IPCache API This commit moves the node/manager package to use the new asynchronous IPCache API. Instead of directly performing Upserts and Delete on the various node IPs (InternalIP, ExternalIP, HealthIPs etc), we now associate each node IP with the corresponding labels. The CEW identity is now also determined by the node's labels, rather than its numeric identity. This also fixes an issue where concurrent use of the synchronous and asynchronous API would lead to the encryption key for the kube-apiserver node being lost (c.f. cilium/cilium#19318). While we are at it, change the test to use netip types instead of net.IP. Co-authored-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
d5b41b5 node/manager: Refactor skip ipcache helper function This pulls out logic that is used in both NodeUpdated() and NodeDeleted() for proper code reuse. Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
b86bd4b ipcache: Export PrefixInfo Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
e6d7784 ipcache: Define new GetMetadataByPrefix This will be useful for fetching the metadata for particular entries in the ipcache. Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
a0aba36 ipcache: Rename GetIDMetadataByIP to GetMetadataLabelsByIP The new name better represents what the function is. This commit has no functional impact. Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
ba42dc5 node: Simplify IPToNetPrefix conversion Since cilium/cilium#21183 it is no longer necessary to call `To4` before invoking `IPToNetPrefix`. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 17 May 2023, 21:52:06 UTC
bdbac4b node: Extract tunnel IP and encrypt key conditions This commit does not contain any functional changes. It will be used in a subsequent commit to invoke the same logic when removing the tunnel IP and encrypt key. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 17 May 2023, 21:52:06 UTC
af26db5 ipcache: Add TunnelPeer/EncryptKey metadata types This commit adds new types for specifying encrypt key and tunnel peer as IPCache metadata in the new asynchronous API. In contrast to other metadata such as labels, the tunnel IP or encryption key cannot be merged from other sources. It is assumed that only one source provides this information. If multiple sources provide a tunnel peer or encryption key, a log warning is emitted and only one of the provided peers/keys is picked. This will allow us to move the node/manager package to use this new API in a subsequent commit, as previously the only way to associate this data with a node IP was using the old synchronous API. Co-authored-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
0b27644 ipcache: Exclude ingress reserved identity from CIDR identity Similar to the health reserved identity, the ingress identity shouldn't have CIDR labels associated with it, so exclude it from the identity resolution logic. The ingress IPs come from the CiliumNode object. Without this commit, ingress IPs will have CIDR labels and therefore a CIDR identity, instead of having the reserved ingress identity. Related: https://github.com/cilium/cilium/issues/21142 Signed-off-by: Chris Tarazi <chris@isovalent.com> 17 May 2023, 21:52:06 UTC
00429c1 bpf: Move ICMPV6_PKT_TOOBIG handling to a separate function ICMPV6_PKT_TOOBIG handling in snat_v4_rev_nat is pretty self-contained, and two indentation levels can easily be saved by moving this code into a separate function with just slight modifications. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 17 May 2023, 15:42:37 UTC
954ce4a bpf: Move ICMP_FRAG_NEEDED handling to a separate function ICMP_FRAG_NEEDED handling in snat_v4_rev_nat is pretty self-contained, and three indentation levels can easily be saved by moving this code into a separate function with just slight modifications. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 17 May 2023, 15:42:37 UTC
5ba20bd bpf: Use ct_extract_ports4 for ct_lookup4 The switch in ct_lookup4 is almost identical to ct_extract_ports4. Reuse the existing function with a slight modification. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 17 May 2023, 15:42:37 UTC
59dbe19 docs: Add upgrade docs for Gateway API Without ReferenceGrant v1beta1, we will see the error below in the operator upon startup. The existing provisioned resources will continue to work as usual, but new resources will not be handled properly.
```
2023-05-10T13:49:48.691595989Z level=error msg="Unable to start controller" controller=gateway-api error="failed to wait for referencegrant caches to sync: timed out waiting for cache to be synced" subsys=gateway-controller
```
Signed-off-by: Tam Mach <tam.mach@cilium.io> 17 May 2023, 15:41:27 UTC
1672631 docs: Update gateway-api version to v0.6.1 After PR #22680, the minimum supported Gateway API version is v0.6.x. Older versions will not work due to changes in the API version of the CRDs. Relates: #22680 Fixes: #25377 Signed-off-by: Tam Mach <tam.mach@cilium.io> 17 May 2023, 15:41:27 UTC
0cfce97 test/k8s: add host firewall workaround for svc host policy test. Change 439a0a0 introduced a workaround for a common flake we've been seeing relating to issue #15455. Any test enabling hostfw/host-policy may suffer from the same issue. Addresses: #25411 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 17 May 2023, 15:41:05 UTC