https://github.com/cilium/cilium

Revision Author Date Message Commit Date
58b3111 bpf: still todo Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 24 August 2023, 18:50:59 UTC
5051850 bpf: Simplify srv6_refib Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 24 August 2023, 18:50:50 UTC
db64887 bpf: Add fib wrapper functions to pass params from caller Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 24 August 2023, 18:37:27 UTC
2400f64 Revert "bpf,fib: introduce fib_do_redirect function" This reverts commit 5fff05daf9f04e69c8372d9bd46ddbfc876663d6. 24 August 2023, 18:25:02 UTC
feb3fd6 Revert "bpf,fib: introduce fib_lookup_v4/6 functions" This reverts commit e275bcf57491d751babda286848c0f11a2672ee6. 24 August 2023, 18:24:44 UTC
0eec38d Revert "bpf: fib: delay smac selection until fib_do_redirect() has picked the oif" This reverts commit 7eb280114341d39a00c0b4057a2c05e02d643930. 24 August 2023, 18:24:40 UTC
6217d01 cilium, docs: Add a note about KPR and nfs dependencies Add a note under limitations to the needed kernel commit for getting nfs working, and reference to the GH issue, so that the discussion is easier to find. Once we get this into stable releases, we can update this bullet with more info. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 24 August 2023, 18:16:22 UTC
d1b8613 fix: add check if debug is enabled when adding trace levels to envoy daemonset. Signed-off-by: Kaloyan Yordanov <kaloian995@gmail.com> 24 August 2023, 17:02:22 UTC
dcef00d doc: typo of the mesh secret name Signed-off-by: weizhou.lan@daocloud.io <weizhou.lan@daocloud.io> 24 August 2023, 13:41:12 UTC
87518a3 Read FQDNRejectResponseCode from config Currently dnsProxy.dnsRejectResponseCode helm value is ignored because FQDNRejectResponseCode is not populated from viper Signed-off-by: Andrii Iuspin <yuspin@gmail.com> 24 August 2023, 08:07:28 UTC
eb1f266 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 24 August 2023, 04:44:21 UTC
97387b4 chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 Signed-off-by: renovate[bot] <bot@renovateapp.com> 24 August 2023, 04:44:21 UTC
69c3a5d ipam/test: Avoid using a shared metricsapi in unit tests Create a separate metricsapi for every test case to prevent interference between each other. Related: #26617 Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 24 August 2023, 04:41:29 UTC
5683e2a ipam: Fix race in NodeManager.Resync TestNodeManagerManyNodes had been flaky before being ported from aws/eni, and was eventually disabled in aws tests: https://github.com/cilium/cilium/issues/11560 One of the sources of this flake is the races in the values of metricsapi, e.g. `metricsapi.Nodes("total")` and `metricsapi.AllocatedIPs("available")`, which are not protected from concurrent writes in NodeManager.Resync. Allowing multiple goroutines to execute Resync simultaneously doesn't really make sense, since `Node.resyncNode` is already executed in parallel and controlled by semaphore. This patch serializes NodeManager.Resync to avoid data races on metricsAPI. Some excerpts of failed tests: --- FAIL: Test (17.29s) --- FAIL: Test/IPAMSuite (17.29s) --- FAIL: Test/IPAMSuite/TestIPAMMetadata (0.01s) testing.go:1446: race detected during execution of test --- FAIL: Test/IPAMSuite/TestNodeManagerManyNodes (3.88s) node_manager_test.go:610: ... obtained int = 850 ... expected int = 1000 --- FAIL: Test (17.74s) --- FAIL: Test/IPAMSuite (17.74s) --- FAIL: Test/IPAMSuite/TestNodeManagerManyNodes (4.36s) node_manager_test.go:606: ... obtained int = 87 ... expected int = 100 Related: #26617 Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> 24 August 2023, 04:41:29 UTC
615f5d5 Extend API/CLI to support updating policy by label This change extends the HTTP API to allow updating the agent policy repository by label. This is existing functionality that this change just exposes over the HTTP API as well. The `cilium policy import` command has been updated to make this functionality available from the CLI. Signed-off-by: Dan Everton <deverton@godaddy.com> 24 August 2023, 04:24:41 UTC
c976dd1 Update stable releases Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com> 24 August 2023, 03:56:11 UTC
6367398 gha: set kvstoremesh image when pushing the development helm chart Configure the kvstoremesh repository and tag to match the one of the other cilium components. Additionally, explicitly disable the digest, which is otherwise configured in stable branches. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 23 August 2023, 21:50:15 UTC
49919da bpf,tests: Change makefile cache to rebuild on header changes During BPF test development, it is common to make changes in dependencies of the test C file and then re-test. However, because we don't explicitly list header files and don't use them in the traditional way of only containing forward declarations and using other C files for the contents, the makefile doesn't understand it needs to rebuild. This commit makes clang emit a dependency file for each C file, this dependency file is then fed into `make` so it is aware of all files that contribute to the test C file, this makes it so any changes to any dependent file including .h files will invalidate the `make` cache. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 23 August 2023, 21:21:18 UTC
2cdeb6a ci: update docs-builder Signed-off-by: Cilium Imagebot <noreply@cilium.io> 23 August 2023, 20:01:01 UTC
ae5b99d build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.2 to 6.3.3. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](https://github.com/tornadoweb/tornado/compare/v6.2.0...v6.3.3) --- updated-dependencies: - dependency-name: tornado dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 23 August 2023, 20:01:01 UTC
6ef4736 chore(deps): update dependency cilium/cilium-cli to v0.15.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 23 August 2023, 19:47:11 UTC
9389b2c ci-ipsec-upgrade: Skip upon test/Documentation changes Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 23 August 2023, 19:10:08 UTC
e5d5afe Add a bpf auth flush command This command in cilium-agent allows the user to flush the auth map. This can be used to force re-auths between all entities for debugging purposes. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> 23 August 2023, 18:59:54 UTC
48023b9 Add conn-disrupt-test action for reuse This commit makes conn-disrupt-test a github action, so upgrade test and IPsec key rotation test don't have to copy and paste everywhere. The idea is to allow caller workflow to specify the commands to execute, then this action will follow the steps: 1. Run "cilium-cli connectivity test --conn-disrupt-test-setup"; 2. Run whatever caller workflow passes: could be upgrade operation or IPsec key rotation; 3. Run "cilium-cli connectivity test --include-conn-disrupt-test"; Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 23 August 2023, 18:43:45 UTC
0d10aca cilium, iptables: Extend to cover default route in enable-masquerade-to-route-source Extend the enable-masquerade-to-route-source option to cover also SNAT targets for the default route on a given interface. The example from commit e731cbe27ef2 ("cilium, iptables: Support option to masquerade source IP from routing layer") now extends to inserting a default route (***): [...] [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -m set --match-set cilium_node_set_v4 dst -m comment --comment "exclude traffic to cluster nodes from masquerade" -j ACCEPT [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -d 1.1.1.1/32 -m comment --comment "cilium snat non-cluster via source route" -j SNAT --to-source 192.168.2.99 [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -d 192.168.2.13/32 -o enp5s0 -m comment --comment "cilium snat non-cluster via source route" -j SNAT --to-source 192.168.2.99 [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -o enp5s0 -m comment --comment "cilium snat non-cluster via source route" -j SNAT --to-source 192.168.2.12 (***) [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 ! -d 10.244.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE [...] This needs to be done in a second pass as otherwise iptables' linear processing would not be able to process the more specific rules. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 23 August 2023, 18:43:14 UTC
23d2dc5 contrib: fix bump-readme script bump-readme script failed when there were two matches for version in README.rst. take only the first match. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 23 August 2023, 18:37:46 UTC
f08e6f8 statedb: Disable StateDB metrics by default The StateDB metrics have the potential to be high cardinality. Most of the metrics were implemented to monitor the performance StateDB which is more of a developer concern than an operator concern. By disabling them by default, we keep the amount of metrics lean for normal users but allow developers or advanced users to enable them if they need to. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 23 August 2023, 16:15:53 UTC
b22bc6d envoy: log access log server listening start This commit introduces a log message once the Envoy access log server starts to listen for incoming connections. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 August 2023, 13:01:53 UTC
04b07fd envoy: introduce dependency xDS server -> accesslog server In addition to introducing the LocalEndpointStore to get rid of the direct dependency between accesslog and xDS server, the dependency from the xDS server to the accesslog server gets introduced. This dependency only serves the purpose of enforcing the accesslog server being initialized first before the xDS server is started up. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 August 2023, 13:01:53 UTC
e555f7a envoy: introduce LocalEndPointStore Currently, the envoy accesslog server depends on the xDS server to get information about local endpoints. This leads to the xDS server being initialized and started before the accesslog server. Therefore, the accesslog server might not be ready when Envoy is receiving the xDS resources and starts to initialize Cilium components in envoy. This results in silent errors. This commit introduces the LocalEndPointStore which contains this information and is shared between the two components. The direct dependency between the accesslog server and xDS server can be replaced - and the components start initializing at the same time. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 23 August 2023, 13:01:53 UTC
3f23ba7 helm: Add validation rule for Envoy L7 Load Balancer This is to ensure that proxy must be enabled if Envoy L7 Load balancer feature is enabled. Signed-off-by: Tam Mach <tam.mach@cilium.io> 23 August 2023, 12:45:48 UTC
fe37586 proxy: Ignore visibility annotation if proxy is disabled This is to avoid the below error if proxy is disabled as part of installation, but the visibility annotation is added to pods later. ``` 2023-08-11T12:42:41.390575371Z goroutine 1522 [running]: 2023-08-11T12:42:41.390581994Z github.com/cilium/cilium/pkg/proxy.(*Proxy).CreateOrUpdateRedirect(0x0, {0x3ae74b8, 0xc000650280}, {0x3aeb440?, 0xc0016e4560?}, {0xc0010ba1b0, 0x12}, {0x3afd260, 0xc000982000}, 0xc001c9c980) 2023-08-11T12:42:41.390589198Z github.com/cilium/cilium/pkg/proxy/proxy.go:459 +0xb7 2023-08-11T12:42:41.390596081Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addVisibilityRedirects(0xc000982000, 0x1, 0xc001874ba0?, 0xc001c9c980?) 2023-08-11T12:42:41.390602613Z github.com/cilium/cilium/pkg/endpoint/bpf.go:343 +0x443 2023-08-11T12:42:41.390614345Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).addNewRedirects(0xc000982000, 0xc001874870?) 2023-08-11T12:42:41.390651325Z github.com/cilium/cilium/pkg/endpoint/bpf.go:424 +0x3c5 2023-08-11T12:42:41.390658068Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc000982000, 0xc000e31800, 0x0) 2023-08-11T12:42:41.390663999Z github.com/cilium/cilium/pkg/endpoint/bpf.go:802 +0x4fe 2023-08-11T12:42:41.390669690Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc000982000, 0xc000e31800) 2023-08-11T12:42:41.390675451Z github.com/cilium/cilium/pkg/endpoint/bpf.go:542 +0x1a5 2023-08-11T12:42:41.390681112Z github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc000982000, 0xc000e31800) 2023-08-11T12:42:41.390686893Z github.com/cilium/cilium/pkg/endpoint/policy.go:467 +0x9c6 2023-08-11T12:42:41.390692564Z github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc000131b50, 0x0?) 2023-08-11T12:42:41.390698385Z github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325 2023-08-11T12:42:41.390704045Z github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1() 2023-08-11T12:42:41.390709716Z github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x142 ``` Fixes: #27594 Signed-off-by: Tam Mach <tam.mach@cilium.io> 23 August 2023, 12:45:48 UTC
f6eb7aa k8s: Replace generate-internal-groups.sh script This commit is to change to kube_codegen.sh as per the suggestion in the output. ``` $ make generate-k8s-api ... WARNING: generate-internal-groups.sh is deprecated. WARNING: Please use k8s.io/code-generator/kube_codegen.sh instead. .. ``` Relates: https://github.com/kubernetes/code-generator/commit/13056260ff7da3927a710f720f22440f65b4bf8a Signed-off-by: Tam Mach <tam.mach@cilium.io> 23 August 2023, 11:33:27 UTC
21964b6 docs: Update the mutual authentication key format The commit 31592e7ce066 ("auth: optimize log output for pending auth") adds new field 'key' to beautify the log message. So update the authentication key format according to the real log message captured: 2023-08-23T10:22:04.308373113+08:00 level=debug msg="Policy is requiring authentication" key="localIdentity=13137, remoteIdentity=43715, remoteNodeID=54264, authType=spire" subsys=auth 2023-08-23T10:22:04.313513823+08:00 level=debug msg="Validating Server SNI" SNI ID=43715 subsys=auth 2023-08-23T10:22:04.313513823+08:00 level=debug msg="Validated certificate" subsys=auth uri-san="[spiffe://spiffe.cilium/identity/43715]" 2023-08-23T10:22:04.314043168+08:00 level=debug msg="Successfully authenticated" key="localIdentity=13137, remoteIdentity=43715, remoteNodeID=54264, authType=spire" remote_node_ip=10.10.10.1 subsys=auth Signed-off-by: Haiyue Wang <haiyue.wang@intel.com> 23 August 2023, 06:57:04 UTC
e183014 typo in the debug document Signed-off-by: weizhou.lan@daocloud.io <weizhou.lan@daocloud.io> 23 August 2023, 06:18:07 UTC
44b86b3 Apply suggestions from code review Co-authored-by: ZSC <zacharysarah@users.noreply.github.com> Signed-off-by: AwesomePatrol <AwesomePatrol@users.noreply.github.com> 23 August 2023, 06:17:25 UTC
f33f09b Add documentation on Hubble Exporter Fixes #26970 Signed-off-by: Aleksander Mistewicz <amistewicz@google.com> 23 August 2023, 06:17:25 UTC
163e575 docs: Update references to legacy kube-proxy replacement modes The "strict" and "partial" mode for kube-proxy replacement (KPR) were deprecated in Cilium 1.14, in favour of the feature being enabled (the flag is set to "true" and all related options are turned on) or disabled (leaving users free to pick the options they want). This commit updates some references to the legacy modes, and updates the surrounding documentation accordingly. For L7 traffic management, we can narrow the minimal requirements (NodePort rather than full KPR set), and also remove the requirement on Kubernetes version 1.19+, now that 1.19 is the minimal version supported by Cilium anyway. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 23 August 2023, 06:16:48 UTC
333ab95 docs: Replace deprecated "kubeProxyReplacement=strict" with "...=true" The "strict" and "partial" mode for kube-proxy replacement (KPR) were deprecated in Cilium 1.14, in favour of the feature being enabled (the flag is set to "true" and all related options are turned on) or disabled (leaving users free to pick the options they want). This commit is a simple update for the cases where "strict" can be replaced with "true" in the documentation. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 23 August 2023, 06:16:48 UTC
d97cd7a docs: Replace mentions to KPR strict mode for per-node-config docs The "strict" and "partial" mode for kube-proxy replacement (KPR) were deprecated in Cilium 1.14, in favour of the feature being enabled (the flag is set to "true" and all related options are turned on) or disabled (leaving users free to pick the options they want). Let's update the documentation for per-node configuration accordingly and use "true" instead of "strict". Signed-off-by: Quentin Monnet <quentin@isovalent.com> 23 August 2023, 06:16:48 UTC
c0a5fbe Fix a bug where cilium host IP is not read from k8s node annotations After https://github.com/cilium/cilium/commit/0696874a932a07f9a5ed2b7a5f7aeb2db0757379 refactored the logic to read annotations and changed the default behavior, the addrs array was never assigned to newNode.IPAddresses after it was populated. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 23 August 2023, 03:46:42 UTC
2cec846 gha: Extend source directory for build runs Previously, the GHA ran only for PRs with changes in the test directory. However, this failed to catch build regressions in certain cases where PR changes affected ginkgo builds. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 23 August 2023, 03:35:08 UTC
b6bd49d pkg/cidr: Move linux specific variable references from netlink The netlink consts are linux specific, so move them accordingly. Reported-by: Tim Horner <timothy.horner@isovalent.com> Fixes: e731cbe27e "cilium, iptables: Support option to masquerade source IP from routing layer" Signed-off-by: Aditi Ghag <aditi@cilium.io> 23 August 2023, 03:35:08 UTC
c7bf490 Operator: Add missing observability for Azure API calls Currently we're not capturing response status and duration for some of the calls made to Azure. This commit calls ObserveAPICall() with status and duration for the operations missing them. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 22 August 2023, 21:06:24 UTC
edec2dc Removes Unused TransformToNode() Func Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io> 22 August 2023, 21:05:30 UTC
bc3aa26 statedb2: Add /statedb/dump REST API handler Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 20:08:47 UTC
ce81e6a CODEOWNERS: statedb to statedb2 Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 20:08:47 UTC
5de12bb statedb2: Fix metrics observing in Abort() The metrics should be observed only if it was a write transaction and it wasn't committed/aborted already. Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 20:08:47 UTC
fe0f9a2 statedb: Delete pkg/statedb and remove go-memdb dependency pkg/statedb has been replaced by pkg/statedb2. Follow-up PR will rename pkg/statedb2 to pkg/statedb. Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 20:08:47 UTC
8abf620 devices_controller: Switched devices and routes from StateDB to StateDB2 This commit switches the devices controller over from the old StateDB to the new StateDB2 implementation. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 22 August 2023, 20:08:47 UTC
a845cdf l2announcement: Switch from StateDB to StateDB2 This commit switches the l2announcer and datapath/l2responder to use StateDB2 instead of the original StateDB. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 22 August 2023, 20:08:47 UTC
e731cbe cilium, iptables: Support option to masquerade source IP from routing layer Add a new `--enable-masquerade-to-route-source` option to the agent which supports more fine-grained masquerading for advanced use cases. For example, a routing agent installs several CIDRs for a given interface and each of the CIDRs has a different source address selection criteria. Moreover, the next hops could even be part of a next hop group where the underlying next hops are reachable via different interfaces which may not be known to Cilium. Anyway, if the option is enabled, then the regular MASQUERADE target will only act as a catchall/fallback, and we install several -j SNAT --to-source rules before that based on the routing setup (destination CIDR & source IP to use), so that Pod traffic can be masqueraded differently. For the default route we keep relying on MASQUERADE target. Note that the user needs to ensure that there are no overlapping destination prefixes since iptables is only processing its rules linearly as opposed to routing layer. Example: --enable-masquerade-to-route-source=false (default): [...] [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -m set --match-set cilium_node_set_v4 dst -m comment --comment "exclude traffic to cluster nodes from masquerade" -j ACCEPT [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 ! -d 10.244.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE [...] --enable-masquerade-to-route-source=true: [...] [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -m set --match-set cilium_node_set_v4 dst -m comment --comment "exclude traffic to cluster nodes from masquerade" -j ACCEPT [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -d 1.1.1.1/32 -m comment --comment "cilium snat non-cluster via source route" -j SNAT --to-source 192.168.2.99 [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 -d 192.168.2.13/32 -o enp5s0 -m comment --comment "cilium snat non-cluster via source route" -j SNAT --to-source 192.168.2.99 [0:0] -A CILIUM_POST_nat -s 10.244.0.0/24 ! -d 10.244.0.0/16 ! -o cilium_+ -m comment --comment "cilium masquerade non-cluster" -j MASQUERADE [...] In the latter, for the destination of 1.1.1.1/32 we SNAT to 192.168.2.99 instead of 192.168.2.12 which is the interface primary address. Similar for 192.168.2.13/32 which also has the -o enp5s0 as device: # ip r [...] 1.1.1.1 nhid 40 src 192.168.2.99 nexthop via 192.168.2.1 dev enp5s0 weight 1 nexthop via 192.168.2.2 dev enp5s0 weight 1 192.168.2.13 dev enp5s0 scope link src 192.168.2.99 [...] Support has been implemented for IPv4 and IPv6 masquerading. BPF-based masquerading is out of scope for now as we first need to land fib lookup extensions into the kernel (@brb). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 22 August 2023, 19:37:00 UTC
dd10304 cilium, iptables: Convert EgressMasqueradeInterfaces to string slice Convert EgressMasqueradeInterfaces to string slice so that it can be easily iterated rather than first having to call into ... strings.Split(option.Config.EgressMasqueradeInterfaces, ",") ... to get to the array. For the existing cases this means, we need to join the array instead. Suggested-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 22 August 2023, 19:37:00 UTC
44f0b0a cilium, iptables: Do not hard-code ip6tables string Don't hardcode, but check based on prog as we do elsewhere. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 22 August 2023, 19:37:00 UTC
9c47083 renovate: ignore all gops updates Otherwise the gops version in images/runtime/build-gops.sh will still be bumped, see https://github.com/cilium/cilium/pull/27624 Fixes: 14760a1b2ffb ("vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2") Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2023, 14:46:46 UTC
917f625 fix: mtls does not work when kubelet does not listen on 0.0.0.0 Signed-off-by: weizhou.lan@daocloud.io <weizhou.lan@daocloud.io> 22 August 2023, 14:26:19 UTC
6b93a07 chore(deps): update golangci/golangci-lint docker tag to v1.54.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 22 August 2023, 14:01:49 UTC
96e8bf8 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 22 August 2023, 13:24:21 UTC
323b4cb bpf, complexity-tests: Add HAVE_FIB_IFINDEX coverage Commit d1c362e1dd68 ("bpf: Always return target ifindex in bpf_fib_lookup") which HAVE_FIB_IFINDEX reflects is part of is 5.10+ kernels. Add the define to the complexity tests for 5.10 and net-next to better reflect real world. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 22 August 2023, 12:28:02 UTC
bd8b4d0 cilium: Fix 16bit ifindex limitation The limitation exists mainly on old kernels where the fib lookup helper does not populate the outgoing ifindex. Only for this case we rely on the CT lookup stored ifindex which back then was added as a 16bit field due to limited padding space available. Nowadays this can be lifted after the big rework in #23884. We've seen users with high netdevice churn run into this limitation where the agent bails out. Apart from fixing the bleed, this can be further refined by not relying on the asm.FnRedirectPeer helper presence but by actually doing a runtime BPF program probe so that stable kernels can even be covered. Fixes: #16260 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 22 August 2023, 12:28:02 UTC
6f676a3 statedb2: Add metrics This commit adds metrics to statedb2, metrics mostly center around locking, contention, number of entries and duration of certain operations since these topics are the most interesting to us. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 12:25:34 UTC
ef41d11 statedb2: Simple fuzz test Add a simple fuzz test to test different random combinations of write transactions and operations. Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 12:25:34 UTC
f945558 statedb2: Add example application Add an example usage of statedb2 that showcases the pattern for implementing a resilient reconciliation loop on top of the library. Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 12:25:34 UTC
23b0492 statedb2: StateDB v2.0 with per-table locks and deletion tracking This introduces an evolution of pkg/statedb that solves the following issues: * Per-table locking instead of global writer lock for increased resiliency. * No more use of reflection in indexing. Indexes are defined in a type-safe way. * Revisions are built into the database so it does not need to be reimplemented by each table. * Deletions on a table can now be tracked and a consistent sequence of inserts and deletes can be derived from it to e.g. implement retryable reconciliation loops. It is introduced as pkg/statedb2 for easier code reviewing (no need to rewrite uses of pkg/statedb in this PR) and to allow some time for it to mature before replacing pkg/statedb. Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 12:25:34 UTC
e7b569b lock: SortableMutex for ordered locking of a mutex set SortableMutex is a mutex paired with a (globally unique) sequence number which allows sorting a set of them into a predicable order for ordered locking. This will be used in a follow-up commit to implement per-table locks for StateDB in a way that avoids deadlocks due to misordered locking sequence (A->B and B->A). Signed-off-by: Jussi Maki <jussi@isovalent.com> 22 August 2023, 12:25:34 UTC
c1edbf0 images: update cilium-{runtime,builder} Signed-off-by: André Martins <andre@cilium.io> 22 August 2023, 12:25:03 UTC
14760a1 vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 Until github.com/shoenig/go-m1cpu is added as an exception in the list of libraries that we can use, we need to downgrade this dependency down to the version that it didn't have the "github.com/shoenig/go-m1cpu" as part of it. Signed-off-by: André Martins <andre@cilium.io> 22 August 2023, 12:25:03 UTC
e6a7df4 maps: refactor per-cluster CT maps manager Let's simplify the per-cluster CT maps management logic, removing the dependency on the global variable (which does not play well with the hive framework) and splitting the creation/removal tasks from the retrieval of inner maps. While being at it, let's also slightly improve the performance around these operations by avoiding to attempt opening the inner maps when not strictly necessary, as well as keeping the list of known Cluster IDs. Additionally, let's also move the fake implementation for testing purposes to a separate package, for better separation. Finally, let's validate the ClusterID in the `bpf ct list cluster <ID>` CLI command, to properly return an error in case it is invalid. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 August 2023, 08:47:34 UTC
c926ac3 maps: retrieve per-cluster maps for GC through Hive Currently, the per-cluster maps are accessed by the GC logic through a global variable. Let's instead propagate a function to retrieve them through the Hive framework, to prepare for the subsequent removal of the global variable and better align with the overall dependency injection approach. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 August 2023, 08:47:34 UTC
b00b6f0 chore(deps): update all kind-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 22 August 2023, 08:40:31 UTC
7b6d9b7 chore(deps): update all kind-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 22 August 2023, 08:39:56 UTC
86d8999 helm: put extraConfig to the end of ConfigMap cilium-config This commit puts the extraConfig back to the end of the ConfigMap cilium-config. This way all existing properties can be overwritten. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 22 August 2023, 07:08:08 UTC
a112cab contrib/scripts/kind.sh: specify IPv4 prefix and range on secondary network Otherwise a default would be used. This allows to clearly distinguish it from the default primary network. Signed-off-by: Tobias Klauser <tobias@cilium.io> 21 August 2023, 21:06:21 UTC
cbfd29e contrib/scripts/kind.sh: simplify secondary network attachment Instead of relying on `docker ps` and filtering for the well-known label, use `kind get nodes` to list the nodes to attach to the secondary network. Signed-off-by: Tobias Klauser <tobias@cilium.io> 21 August 2023, 21:06:21 UTC
9e9665d chore(deps): update cilium/cilium-cli action to v0.15.6 Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 August 2023, 16:39:29 UTC
896d312 docs: Document Potential Dual-Stack Upgrade Issues for 1.15 Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Joe Stringer <joe@cilium.io> 21 August 2023, 16:37:05 UTC
603235d cgroups: Fix race to load cgroup.hostRoot option While loading, the package 'pkg/cgroups/manager' sets the global variable 'cgroupRoot' from the 'pkg/cgroups' package. This occurs before the configuration is fully loaded and the correct path is set in the 'pkg/cgroups' package. This variable is later used by the 'validateCgroupPath' function. As a result, the 'validateCgroupPath' function always works with the default value instead of the user-defined one. Signed-off-by: Andrei Kvapil <kvapss@gmail.com> 21 August 2023, 16:25:53 UTC
8b9eff9 added affinity to `cillium-preflight` daemonset Signed-off-by: ishuar <ishansharma887@gmail.com> 21 August 2023, 16:20:27 UTC
d0d3a86 cli: retrieve IPv6 NAT per-cluster maps if IPv6 is enabled Currently, the `bpf nat list cluster ID` command always returns only IPv4 maps. Let's additionally retrieve the IPv6 ones when this address family is enabled, for consistency with the NAT global maps retrieval. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 August 2023, 16:20:16 UTC
70d98f4 maps: refactor per-cluster NAT maps manager Let's simplify the per-cluster NAT maps management logic, removing the dependency on the global variable (which does not play well with the hive framework) and splitting the creation/removal tasks from the retrieval of inner maps. While being at it, let's also slightly improve the performance around these operations by avoiding to attempt opening the inner maps when not strictly necessary. Finally, let's also move the fake implementation for testing purposes to a separate package, for better separation. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 August 2023, 16:20:16 UTC
1d3a948 maps: use typed constants for IP family in NAT maps Currently, IPv4 and IPv6 NAT maps are distinguished using untyped boolean constants. Let's replace that with an ad-hoc IPFamily type, and the corresponding IPv4 and IPv6 constants, for additional clarity. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 August 2023, 16:20:16 UTC
eba103c added the securityContext in Spire server pod and container. - Updated docs (used gnu-sed in macOS for helm-values.rst) permanent fix in https://github.com/cilium/cilium/pull/27495 Signed-off-by: ishuar <ishansharma887@gmail.com> 21 August 2023, 16:19:36 UTC
9c4cd22 node: introduce configurable prefix cluster mutator Introduce the possibility of configuring a prefix cluster mutator to customize the prefixes used as key when inserting and removing tunnel map entries. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 August 2023, 14:08:13 UTC
4da2f4c clustermesh: refactor PrefixClusterFrom* helpers Currently, these helpers always take the cluster ID as last parameter. Let's drop it in favor of possible extra options, to favor extensibility and simplify the usages when it is not required. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 August 2023, 14:08:13 UTC
0f11ce8 bpf: lxc: clarify kube-proxy workaround in to-container path ipv*_policy() (the pod ingress policy code) can be called in two ways: 1. as an EP-specific tail-call via CILIUM_MAP_POLICY (here tail_ipv*_policy() calls the policy code), or 2. when cil_to_container() is attached to the veth interface (here tail_ipv*_to_endpoint() is the caller) Lift the kube-proxy workaround into the callers, so we can fine-tune its behaviour. As cil_to_container() calls bpf_clear_meta(), we can trust that CB_IFINDEX is 0 and don't need to include the call to redirect_ep() from this path. This makes it perfectly clear that the cil_to_container() path simply lets the packet pass through to the veth peer. Note: it's *very* likely that we could also remove the PACKET_HOST part, but let's not change behaviour for now. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 August 2023, 13:07:07 UTC
55e13b4 bpf: lxc: clarify that RevNAT in from-container is only for loopback Per-packet RevDNAT for in-cluster access to services typically happens in the to-container path, as replies flow back to the client. It is applied when the CT lookup in CT_INGRESS direction returns a CT_REPLY result (ie it matches a CT_EGRESS entry) with a populated .rev_nat_index field. There is one exception though: in the loopback case, replies are already RevNATed in the from-container path, as they exit the backend. Here the CT_REPLY result is for a lookup in CT_EGRESS direction (ie it matches a CT_INGRESS entry). The only time a CT_INGRESS entry would have its .rev_nat_index field populated is when it's pre-populated by ct_create4() as part of creating a loopback CT_EGRESS entry. We can therefore remove the unused IPv6 code (there's no IPv6 loopback support). Also add a comment to the IPv4 path that explains its purpose. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 August 2023, 12:34:41 UTC
3ae5ff1 bpf: lxc: remove loopback artifacts from IPv6 path There's no IPv6 loopback support, and keeping this up-to-date with the IPv4 path is an annoyance. Let's add it back when actually needed. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 August 2023, 12:34:41 UTC
ae5e182 gateway-api: Bump version to v0.8.0-rc1 This is to regularly sync-up with upstream releases, which will make things easy for v1.0.0 later. Upstream release: https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.8.0-rc1 Signed-off-by: Tam Mach <tam.mach@cilium.io> 21 August 2023, 10:39:05 UTC
957e953 docs: Correct comment on toFQDN API definition The comment is 5 years old and no longer valid, removing and updating the CRD. Signed-off-by: Alex Waring <ajmwaring@gmail.com> 18 August 2023, 17:05:47 UTC
eda13ea contrib: Make hint command copy and paste friendly This is to make it easier for contributors to copy and paste in case of failure. Something similar was done in other scripts, like below: https://github.com/cilium/cilium/blob/cda37f604391d676e0812cda6e9510530acb976e/contrib/scripts/check-api-code-gen.sh#L46 Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 August 2023, 16:53:52 UTC
2f0657e chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 18 August 2023, 15:09:20 UTC
9b6c8cf images/builder: update cilium-builder Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 18 August 2023, 14:15:58 UTC
1793120 images/builder: bump proto plugins Release notes for protoc-gen-go: https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 18 August 2023, 14:15:58 UTC
fe79d2e images/builder: bump protoc to v24.0 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 18 August 2023, 14:15:58 UTC
5b93574 codeowners: include sig-servicemesh into cilium envoy & spire helm This commit adds the team cilium/sig-servicemesh to the list of codeowners for helm chart changes specific to the cilium-envoy & spire deployments. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 August 2023, 14:06:16 UTC
cda37f6 gateway-api: Support HTTP request mirror All validation logic in HTTPRoute is applied the same as with the normal backend, as the backend for mirror requests is consolidated and merged with other backends in the same HTTPRoute. Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 August 2023, 11:15:40 UTC
8dc1ae8 gateway-api: Enable HTTP redirect filter This commit is to enable HTTP redirect for port, schema and path. Small fix for TLS filter match on server name is done to avoid the below issue. As part of recent changes in upstream, if scheme and port are not specified, gateway listener port must be used.
```console
2023-08-16T11:28:20.797264246Z level=warning msg="NACK received for versions after 52 and up to 53; waiting for a version update before sending again" subsys=xds xdsAckedVersion=52 xdsClientNode="host~127.0.0.1~no-id~localdomain" xdsDetail="Error adding/updating listener(s) gateway-conformance-infra/cilium-gateway-same-namespace-with-https-listener/listener: error adding listener '127.0.0.1:10605': partial wildcards are not supported in \"server_names\"\n" xdsNonce=53 xdsStreamID=2 xdsTypeURL=type.googleapis.com/envoy.config.listener.v3.Listener
```
Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 August 2023, 11:15:40 UTC
3cf560f gateway-api: Add support for rewrite path filter For prefix rewrite to work, we need to change the prefix match based on regex to PathSeparatedPrefix route match, so that the prefix match is recognized correctly. Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 August 2023, 11:15:40 UTC
86bd1f8 gateway-api: Add support for rewrite host This is to add the support for extended feature HTTPRouteHostRewrite. Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 August 2023, 11:15:40 UTC
182edfe k8s/resource: replace custom atomic counter type by sync/atomic type Use the sync/atomic.Int64 type introduced in Go 1.19. Signed-off-by: Tobias Klauser <tobias@cilium.io> 18 August 2023, 08:14:31 UTC