https://github.com/cilium/cilium

3ccf12c actions: Add check for hubble-cli.yaml Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 19 April 2021, 07:21:34 UTC
57ac3d6 helm: add install/kubernetes/hubble-cli.yaml
In order to debug Relay to Hubble connectivity issues, it is sometimes useful to have a Pod running with the Hubble CLI. Because the Relay image is based on a scratch image, kubectl exec'ing into it is not possible. While the Hubble CLI can be found in the Cilium Pods, the Relay certificate needed to establish the mTLS handshake to the Hubble server is not mounted into the Cilium Pods. This commit introduces a new hubble-cli.yaml file. When debugging Relay mTLS issues, it can be used to quickly run a hubble-cli Pod:
    kubectl create -f /path/to/hubble-cli.yaml
Since the Relay mTLS certificates are mounted into the hubble-cli Pod, one can connect to a Hubble server given its IP address:
    kubectl exec -it -n kube-system hubble-cli -- \
        hubble observe --server tls://${IP?}:4244 \
        --tls-server-name worker0.default.hubble-grpc.cilium.io \
        --tls-ca-cert-files /var/lib/hubble-relay/tls/hubble-server-ca.crt \
        --tls-client-cert-file /var/lib/hubble-relay/tls/client.crt \
        --tls-client-key-file /var/lib/hubble-relay/tls/client.key
Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 19 April 2021, 07:21:31 UTC
3b5b8dc helm: move name on top of volumes block For better readability. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 19 April 2021, 07:19:22 UTC
8722cd7 docs: update the section BPF Newsletter The original link returns 404, the correct one should be: https://cilium.io/blog/categories/eBPF . And added the updated resource link https://ebpf.io/blog Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn> 17 April 2021, 21:06:50 UTC
7ee1037 daemon/ipam: correct total IP count in `cilium status` output Ref: https://github.com/cilium/ipam/blob/master/service/ipallocator/allocator.go#L61 Currently two (the base and broadcast) IPs are excluded from IPAM when using hostscope mode (see above link), but the status output only excludes one. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 16 April 2021, 23:17:23 UTC
6149fa1 daemon: Create RuntimePath if not equal to StateDir This change fixes an issue if StateDir is specified and is different from defaults.RuntimePath which is used to store the pidfile in. When the host is rebooted /var/run is clean. In case StateDir is set to something other than "/var/run/cilium" the daemon fails to create the pidfile under "/var/run/cilium" path since that is not created: level=fatal msg="Failed to create Pidfile" error="open /var/run/cilium/cilium.pid: no such file or directory" file-path=/var/run/cilium/cilium.pid subsys=daemon Signed-off-by: Ondrej Blazek <ondra.blazkuj@gmail.com> 16 April 2021, 23:15:04 UTC
378c8a1 kvstore/etcd: fix etcd rate limit (QPS) not working
Fixes: b4e218089ebe ("Add rate limiting for etcd kvstore operations")
kvstore/etcd sets a default QPS=20 for rate limiting, but this value is accidentally overridden by 0 (rateLimitOpt.value="" -> Atoi=0, and the error is ignored), which eventually performs no rate limiting at all (0 means Inf in `time/rate` package). This patch fixes the problem, and also dumps the etcd client configuration to log, which will facilitate troubleshooting, as shown below:
```
level=info msg="Creating etcd client" ConfigPath=/var/lib/etcd-config/etcd.config KeepAliveHeartbeat=15s KeepAliveTimeout=25s RateLimit=30 subsys=kvstore
level=info msg="Creating etcd client" ConfigPath=/var/lib/cilium/clustermesh/cluster-1 KeepAliveHeartbeat=15s KeepAliveTimeout=25s RateLimit=20 subsys=kvstore
```
Example configuration:
* kvstore='etcd'
* kvstore-opt='{"etcd.config": "/var/lib/etcd-config/etcd.config", "etcd.qps": "30"}'
Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 16 April 2021, 23:02:42 UTC
6181255 test: ensure kubectl version is available for test run This change makes K8s ginkgo test suite download kubectl version compatible with current cluster version if it's not available. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 16 April 2021, 20:21:07 UTC
edbc34b workflows: fix EKS encryption testing not using aws operator image We missed this when merging #15669. Woops :D Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 16 April 2021, 18:51:51 UTC
95fe1bf docs: Update OpenShift (OKD) GSG to use OLM operator Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> 16 April 2021, 15:59:11 UTC
fb08c6c test: Format test-only's kernel_version to avoid mistakes I often try to start test-only builds with e.g.: test-only --kernel_version=4.19 --focus="..." That fails because our tests expect "419". We can extend the Python script used to parse arguments to recognize that and update kernel_version to the expected format. Signed-off-by: Paul Chaignon <paul@cilium.io> 16 April 2021, 15:58:19 UTC
52c9268 envoy: Update to release 1.17.2 Update Envoy image to release 1.17.2, including the latest security fixes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 16 April 2021, 15:45:52 UTC
7e3b405 envoy: Update to build with Envoy 1.17.1 security fixes
Envoy 1.17.1 build with Security fixes for:
* CVE-2021-28683 (CVSS score 7.5, High): Envoy through 1.17.1/1.16.2/1.15.3/1.14.6 contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
* CVE-2021-28682 (CVSS score 7.5, High): Envoy through 1.17.1/1.16.2/1.15.3/1.14.6 contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
* <CVE ID still pending> (CVSS score 7.5, High): Envoy through 1.17.1/1.16.2/1.15.3/1.14.6 contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.
Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 16 April 2021, 15:45:52 UTC
b75ed21 .github: fix kind GH action for encryption e2e tests The cilium install command is missing some arguments that would allow it to install the right Cilium image version. Fixes: f35430d6c900 ("CI 3.0: A New Hope") Signed-off-by: André Martins <andre@cilium.io> 16 April 2021, 12:44:07 UTC
c34d5e3 pkg/datapath: ignore certain error types on route delete When removing endpoint routes it is not always necessary to log errors. One example would be in case the returned error from the kernel would be "no such process". Fixes: c4581b37dc1c ("loader : Log upsert and remove route errors") Signed-off-by: André Martins <andre@cilium.io> 16 April 2021, 12:43:45 UTC
a3ad0a1 daemon: Hook up Hubble Recorder API This commit adds the required command-line arguments and setup code in the Cilium Agent to serve the Hubble Recorder API. It is only served on the Hubble Unix domain socket and needs to be explicitly enabled. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 April 2021, 08:22:28 UTC
85a70bf hubble/recorder: Add Hubble Recorder packages
This commit adds the API implementation and required plumbing for the Hubble Recorder API. It consists of three main components:
- `pkg/hubble/recorder/pcap` is a minimalistic library to write pcap files into an `io.Writer`.
- `pkg/hubble/recorder/sink` contains the recorder sinks. Whenever a new datapath recorder has been set up, the corresponding captures are pushed into the monitor perf event ring buffer. The `sink.Dispatch` type attaches to the monitor to receive and decode these kinds of events and dispatches incoming packets to registered pcap writers.
- `pkg/hubble/recorder` contains the API implementation. It is responsible for starting and stopping recordings on behalf of the client. It is responsible for allocating `ruleIDs` for the datapath filters. When a new recording is started, it calls into `pkg/recorder` to install the filters and into `pkg/hubble/recorder/sink` to set up the corresponding file sinks. Its options are defined in a separate `recorderoption` package.
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 April 2021, 08:22:28 UTC
b13318f images: Add recorder to hubble-proto Also remove the unnecessary invocation of `apk add`. The builder image already contains all necessary tools. The image version will be updated in a subsequent PR, as currently the infrastructure to push new versions of this image is not present in our GitHub Actions setup. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 April 2021, 08:22:28 UTC
9404818 api: Add Hubble Recorder API This commit adds the protobuf definition for the new Hubble Recorder API. It is intended to be used for low-level packet capture on the XDP datapath parts when Cilium is running in LB-mode. Therefore, it only supports 5-tuple filters instead of the more expressive Hubble flow metadata queries of the Hubble Observer API. To start a recording, the client has to send a `StartRecording` message via the `Record` method. To stop it, a `StopRecording` message must be sent. This means that the recording itself is bound to a client context and therefore allows the server to stop a recording if the client has disconnected. The stop message is explicit such that the client can wait for the final status report. This API has been designed to be possibly extended in the future to support other kinds of sinks. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 April 2021, 08:22:28 UTC
35d2b41 hubble/parser: Do not warn about missing identities This commit is intended to make Hubble more usable when Cilium is running in LB-only mode. Identity lookup in the Hubble parser might fail for various reasons, for example, when running in the LB-datapath mode. Since the user cannot do anything about this (and the absent data is still detectable via Hubble API), stop emitting a warning in the logs and use a debug statement instead. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 16 April 2021, 08:22:28 UTC
e3edfca cilium: gke workflow noticed we missed initial syn/ack bump sleep We missed the initial syn/ack from the pod-to-pod test, ❌ SYN-ACK and(ip(src=10.16.1.24,dst=10.16.1.186),tcp(srcPort=8080),tcpflags(syn,ack)) not found for pod cilium-test/client-6c46bff775-ls4qm however the command did succeed so it must have been there, but missed. Let's bump the sleep slightly to be sure hubble and port forwarding are running. Changed from 15 minutes to 30 mins. Also changing restart-pods to true seems to make tests stable. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 15 April 2021, 21:10:35 UTC
4925988 cilium: Add vxlan datapath encryption tests in GKE We do not have a connectivity test for encryption with tunneling; this adds one on GKE. We also bump the timer slightly to account for the extra runs. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 15 April 2021, 21:10:35 UTC
7c8e1a4 cilium: Add GKE workflow to test vxlan Add vxlan test path for `./cilium connectivity test` at the moment we do not cover this path with workflow CI. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 15 April 2021, 21:10:35 UTC
3729101 test: Bump kube-wireguarder to 0.0.4 The bumped version includes the pub key annotation change which prevents kube-wireguard from picking up a pub key from previous Wireguard test runs in DatapathConfiguration. Signed-off-by: Martynas Pumputis <m@lambda.lt> 15 April 2021, 21:05:38 UTC
7cf9e32 test: Add Wireguard pod2pod encryption tests Signed-off-by: Martynas Pumputis <m@lambda.lt> 15 April 2021, 21:05:38 UTC
793d45a ipsec: Fix routing CIDR iteration on EKS When taking a reference of the iterated value in Golang, one needs to take care to copy the value before taking a reference. In the case of EKS (where we can have multiple VPC CIDRs, c.f. #15303) this meant that only the last routing CIDR was appended to `IPv4PodSubnets`. Fixes: a42d442a096a ("cilium: auto-discovery pod subnets for ENI IPAM") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 15 April 2021, 19:13:41 UTC
4a8f407 fix chan panic Signed-off-by: jomenxiao <jomenxiao@gmail.com> 15 April 2021, 18:42:00 UTC
a0e0442 ci: fix nightly image sha `env.GITHUB_SHA` is not available for action parameters, `github.sha` should work in this context. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 15 April 2021, 17:49:34 UTC
a571fb6 docs: Add section for filtering by subnet tags in ENI mode Users frequently ask how to properly filter subnets by tag in ENI mode. This commit adds a dedicated section to the AWS ENI guide on just that. Signed-off-by: Chris Tarazi <chris@isovalent.com> 15 April 2021, 17:17:10 UTC
9ba1151 Adds ipv6 support for local-router-ip
- breaks local-router-ip into local-router-ipv4 and local-router-ipv6
- removes a problematic ipam condition check when either of the above is specified
Signed-off-by: Weilong Cui <cuiwl@google.com> 15 April 2021, 16:25:26 UTC
4b7bba2 wireguard: Populate AllowedIPs from IPCache Wireguard's Cryptokey Routing [1] requires each peer to specify the list of source or destination IP addresses expected to be sent over the tunnel. In Cilium, these IP addresses are the addresses of all pods (for pod2pod traffic) hosted by the remote node. Before this commit, Wireguard would use the remote node's pod CIDR as the list of `AllowedIPs`. This approach however falls short on managed Kubernetes installations, where Cilium allocates pod IPs via cloud provider API. We therefore need to populate the `AllowedIPs` with a complete list of pod IPs we expect to observe for a given peer. This information is available in Cilium's IPCache, which this commit now integrates into the Wireguard setup code. In order to be able to add and remove individual IPs from the `AllowedIPs` list, we need to mirror the kernel state. This is implemented by storing a `peerConfig` for each known Wireguard peer. When a peer is first discovered via node manager, we obtain the remote peer's `AllowedIPs` by querying Cilium's user-space copy of the IPCache in the agent. In addition, we also subscribe to IPCache updates in the Wireguard agent and update the `AllowedIPs` list of known peers accordingly. Ref #15462 [1] https://www.wireguard.com/#cryptokey-routing Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 15 April 2021, 13:38:54 UTC
935d816 cilium, recorder: rebuild upon wildcard mask change Add initial implementation of the recorder package's triggerDatapathRegenerate() handling. This will either disable or enable `capture_enabled` based on the current masks that the agent tracks. Also, this will generate an ordered mask list which is being pushed down to PREFIX_MASKS{4,6} for compilation. The triggerDatapathRegenerate() helper will only be called when the mask set changes but not otherwise, thus any subsequent API calls that do not need recompilation won't incur this overhead. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
a399a16 cilium, loader: add extra args for XDP compilation Extend the ReinitializeXDP() helper with an extraCArgs string slice so that callers are able to pass in extra compilation flags. Also, add a -Dcapture_enabled=0 to the initial compilation to make sure we initially disable (and thus compile out) any recorder bits from XDP given upon start there are no recorders anyway. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
402f490 cilium, loader: refactor XDP bits into separate function Given we need to recompile and reload the BPF XDP datapath for new masks, refactor and export ReinitializeXDP(), so it can be called from other packages. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
236ab01 cilium, recorder: upsert/delete recorder bpf map entries Add helpers to the recorder package which craft CaptureWcard{4,6} structs from tuples and push them down to the BPF datapath maps. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
5cf5a7a cilium, recorder: flush recorder bpf maps upon agent init We currently don't support restore functionality from Hubble API side, therefore flush the BPF maps upon agent restart instead of adding restore functionality. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
6574cd3 cilium, recorder: expose RecorderTuple and RecInfo for Hubble Given Hubble will be consuming the recorder API, expose all RecInfo and RecorderTuple fields, so they can be populated from external. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
105a2f4 cilium, recorder: add priority to mask based on ones
Extend the masks and add a priority field to the API which allows for the `cilium recorder list` cli command to sort and dump the masks in the same order as the datapath would have. Example dump:
    # ./cilium/cilium recorder list
    ID   Capture Length   Wildcard Filters
    10   <= 100           f00d::1/128:0 -> f00e::1/128:0 ANY
                          5.5.5.5/32:0 -> 3.3.3.3/32:0 ANY
    Users   Priority   Wildcard Masks
    1       256        ffffffffffffffffffffffffffffffff:0 -> ffffffffffffffffffffffffffffffff:0 0
    1       64         ffffffff:0 -> ffffffff:0 0
The order is based on the number of ones, which is necessary given we want to give longer prefixes a higher priority for the lookup.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
b442cd9 cilium, cli: add masks to cilium recorder list command Extend the `cilium recorder list` to also include all masks that the agent is tracking. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
010d182 cilium, api: hook up to recorder mask middle layer Implement the getRecorderMaskList() stub from the agent, and extend the recorder package with helpers to dump all masks and convert them to the API model. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
405f1c6 cilium, agent: add recorder mask server facing API Hook up stubs in the daemon for the auto-generated recorder mask API for the /recorder/masks path. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
42cf227 cilium, client: add recorder mask API to client package Extend the client recorder package with a GetRecorderMasks() helper to request retrieval of all masks. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
c432b6d cilium, api: add auto-generated recorder mask API for client/server Auto generated via `make generate-api` from api spec. Also, kept separate to ease review on the actual api/v1/openapi.yaml changes. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
df670f6 cilium, api: add wildcard mask status API for recorders Next up, extend the recorder API with a getter for all generated masks from the user installed tuples. This is exposed through `/recorder/masks` and helps for introspection purpose. The modelling is similar to the earlier RecorderSpec. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
20a4175 cilium, bugtool: add cilium recorder list to sysdump For ease of introspection on user issues, add `cilium recorder list` to the bug tool dump. We already have `cilium bpf recorder list` in there from BPF side, thus this complements the agent view. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
0175fdd cilium, doc: add cmdref documentation for cilium recorder Add all auto-generated cmdref doc bits. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
45977bc cilium, cli: add cilium recorder update command
Add `cilium recorder update` command to the cilium cli to create or update a single recorder based on the given id. Cilium cli usage:
    # cilium recorder update --id 2 --caplen 100 --filters="10.0.0.0/8 0 1.1.1.1/32 80 TCP, 1.1.1.1/32 80 10.0.0.0/8 0 TCP"
The above adds a recorder with id 2 and max capture length of 100 bytes which holds two wildcard filters to capture all traffic from/to subnet 10.0.0.0/8 to a service IP 1.1.1.1/32 with port 80 and protocol TCP. The main purpose here is for manual testing. Idea is similar to `cilium service`, that is, regular service management is done through K8s watchers and the cli itself provides a means for manual editing/testing. The same is with recorders where Hubble will be the main infra to manage them.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
8b947d2 cilium, cli: add cilium recorder delete command Add `cilium recorder delete` command to the cilium cli to delete a single recorder based on the given id. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
f8edcff cilium, cli: add cilium recorder get command Add `cilium recorder get` command to the cilium cli to dump a single recorder based on the given id. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
2f453fb cilium, cli: add cilium recorder list command Add a `cilium recorder list` command to dump all existing recorders from the agent. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
77ead47 cilium, cli: add cilium recorder base command Add initial `cilium recorder` cli which will be used in similar way as the `cilium service` cli, that is, for introspection and management of pcap recorder middle layer. This complements `cilium bpf recorder` in that the former is for the agent middle layer while the latter is for the actual BPF datapath map. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
b42d726 cilium, api: hook up to recorder middle layer Complete the server API and extend stubs to integrate pkg/recorder bits, so we are able to handle actual requests. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
bd8f23d cilium, recorder: add middle layer implementation
Add the core part of the recorder handling, that is, tracking of recorder entries as well as mask generation and back'n'forth conversion of the API model. We expose the following APIs from the package for external users to get, create/update, or delete a recorder:
    - func (r *Recorder) RetrieveRecorder(id ID) (*RecInfo, error)
    - func (r *Recorder) UpsertRecorder(recInfoNew *RecInfo) (bool, error)
    - func (r *Recorder) DeleteRecorder(id ID) (bool, error)
And one more API to get a list of all current recorders:
    - func (r *Recorder) RetrieveRecorderSet() []*RecInfo
A recorder object consists of a unique id, capture length and a list of corresponding filters:
    type RecInfo struct {
        id      ID
        capLen  uint16
        filters []RecorderTuple
    }
A single filter is defined as:
    type RecorderTuple struct {
        srcPrefix net.IPNet
        srcPort   uint16
        dstPrefix net.IPNet
        dstPort   uint16
        proto     u8proto.U8proto
    }
The recorder id management is delegated to caller code currently, but in future this could also be managed by the recorder package. Meaning, Hubble will have an internal id generator plus an internal mapping of id-to-pcap file. The id is not exposed to users, it is used as a means to correlate incoming recorder perf RB events which the Hubble reader will pick up and then push to the right pcap file.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
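An added illustration, not Cilium's own code, tying the `cilium recorder list` dump from the "add priority to mask based on ones" commit to the `RecorderTuple` filters defined in this one: each filter is reduced to its wildcard mask, identical masks are merged with a user count, and the masks are ordered by their number of ones so that longer prefixes are consulted first. The tuple field names follow the struct in this message; the zero-means-wildcard convention for ports and protocol, the tie-break rule and the sample filters are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"math/bits"
	"net"
	"sort"
)

// RecorderTuple is one 5-tuple wildcard filter; the field names follow the struct in the commit message.
type RecorderTuple struct {
	SrcPrefix, DstPrefix net.IPNet
	SrcPort, DstPort     uint16 // 0 means any port (assumed convention)
	Proto                uint8  // 0 means ANY, otherwise the IP protocol number
}

// WildcardMask is the shape of a filter: which bits of each field take part in the lookup.
type WildcardMask struct {
	SrcMask, DstMask net.IPMask
	SrcPort, DstPort uint16 // 0xffff when the port is fixed, 0 when wildcarded
	Proto            uint8  // 0xff when fixed, 0 when ANY
	Users            int    // how many filters share this mask
}

// fixed maps a filter field to its mask bits (assumed convention: zero means wildcard).
func fixed(v uint16) uint16 {
	if v == 0 {
		return 0
	}
	return 0xffff
}

// MaskFromTuple reduces a filter to its wildcard mask.
func MaskFromTuple(t RecorderTuple) WildcardMask {
	return WildcardMask{
		SrcMask: t.SrcPrefix.Mask, DstMask: t.DstPrefix.Mask,
		SrcPort: fixed(t.SrcPort), DstPort: fixed(t.DstPort),
		Proto:   uint8(fixed(uint16(t.Proto))), Users: 1, // 0xffff truncates to 0xff
	}
}

// Priority is the number of one bits over all mask fields; longer prefixes have more ones and go first.
func (m WildcardMask) Priority() int {
	ones := bits.OnesCount16(m.SrcPort) + bits.OnesCount16(m.DstPort) + bits.OnesCount8(m.Proto)
	for _, b := range append(append(net.IPMask{}, m.SrcMask...), m.DstMask...) {
		ones += bits.OnesCount8(b)
	}
	return ones
}

// String renders a mask as the example dump does, e.g. "ffffffff:0 -> ffffffff:0 0".
func (m WildcardMask) String() string {
	return fmt.Sprintf("%s:%x -> %s:%x %x", m.SrcMask, m.SrcPort, m.DstMask, m.DstPort, m.Proto)
}

// BuildMaskList merges identical masks (counting users) and sorts them by descending priority, ties by string.
func BuildMaskList(tuples []RecorderTuple) []WildcardMask {
	byKey := map[string]*WildcardMask{}
	for _, t := range tuples {
		m := MaskFromTuple(t)
		if seen, ok := byKey[m.String()]; ok {
			seen.Users++
		} else {
			byKey[m.String()] = &m
		}
	}
	out := make([]WildcardMask, 0, len(byKey))
	for _, m := range byKey {
		out = append(out, *m)
	}
	sort.Slice(out, func(i, j int) bool {
		pi, pj := out[i].Priority(), out[j].Priority()
		return pi > pj || (pi == pj && out[i].String() < out[j].String())
	})
	return out
}

// SampleTuples are constructed filters: the two from the dump above, a third IPv4 host-to-host
// filter sharing the second one's mask, and the TCP/80 filter from the `cilium recorder update` example.
func SampleTuples() []RecorderTuple {
	cidr := func(s string) net.IPNet {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		return *n
	}
	return []RecorderTuple{
		{SrcPrefix: cidr("f00d::1/128"), DstPrefix: cidr("f00e::1/128")},
		{SrcPrefix: cidr("5.5.5.5/32"), DstPrefix: cidr("3.3.3.3/32")},
		{SrcPrefix: cidr("10.0.0.1/32"), DstPrefix: cidr("10.0.0.2/32")},
		{SrcPrefix: cidr("10.0.0.0/8"), DstPrefix: cidr("1.1.1.1/32"), DstPort: 80, Proto: 6},
	}
}

func main() {
	for _, m := range BuildMaskList(SampleTuples()) {
		fmt.Printf("%-7d %-10d %s\n", m.Users, m.Priority(), m)
	}
}
```

Running it prints a Users/Priority/Wildcard Masks table in the same shape as the dump above, with the /128 pair at priority 256 ahead of the two priority-64 IPv4 masks.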
05f7386 cilium, agent: add recorder server facing API Hook up stubs in the daemon for the auto-generated recorder API for all /recorder/{id}/ and /recorder/ paths. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
226c3b6 cilium, recorder: add initial recorder package Trivial start of recorder package which adds a Recorder struct that the server-facing API handler will be using. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
97fb9ef cilium, client: add recorder API to client package Add an initial client recorder package which the cilium cli will be using in upcoming commits. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
f618fe1 cilium, api: add auto-generated recorder API for client/server Auto generated via `make generate-api` from api spec. Kept separate to ease review on the actual api/v1/openapi.yaml changes. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
fd92d99 cilium, api: add agent configuration API for recorders Add an agent API model to the recorder. Idea is that a recorder object is defined by a unique ID, capture length and an array of one or more wildcarded filters. The higher level entity that is configuring this API (e.g. Hubble) has awareness of the IDs and reads the perf RB where it can then output the content to different pcap files based on the ID. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 15 April 2021, 13:19:16 UTC
99f9a71 docs: Fix pip installation Some recent change in python dependencies started to pull Cython dependency which requires gcc to be compiled. Fix this by installing gcc and musl-dev. The latter is required for headers used by Cython. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 15 April 2021, 09:03:12 UTC
1393c25 cilium: enable eks workflow for encryption This enables an EKS workflow for encryption. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 14 April 2021, 23:41:18 UTC
eaa5d1d cilium: fix panic when encryptInterfaces is empty Currently, we use encryptInterfaces[0] in EKS configuration, but this may not be populated before its reference. So we get a panic. To fix this case use the encryptInterface instead. But, after this change the only remaining user of encryptInterfaces is for setting rpfilters. This can also use the config variable though and then we can revert use of encryptInterfaces completely. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Fixes: 8b434b4456452 ("cilium: encryptInterface requires multiple interfaces in multi-dev env") 14 April 2021, 23:41:18 UTC
99eff1b build(deps): bump KyleMayes/install-llvm-action from v1.2.1 to v1.2.2 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from v1.2.1 to v1.2.2. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.2.1...7673c1af8f0ae228f19f5962fc2cd6e3378305a8) Signed-off-by: dependabot[bot] <support@github.com> 14 April 2021, 13:35:07 UTC
b50c0db Update kube-router YAML to a newer release in the guide Fixes #15613 Signed-off-by: Divyansh Kamboj <divyansh.kamboj@accuknox.com> 14 April 2021, 09:00:29 UTC
36e45bf cilium: Use build-and-push-with-qemu for builder Fix images-legacy.yaml to use build-and-push-with-qemu. Fixes: 044afab2ecf30 ("ci: Set up qemu in images workflow and build cilium-test") Signed-off-by: John Fastabend <john.fastabend@gmail.com> 13 April 2021, 20:10:01 UTC
044afab ci: Set up qemu in images workflow and build cilium-test This change fixes the cilium-test image build that was reverted. The image build failed because qemu wasn't set up properly for buildx on the action host which likely resulted in mixing of x86 and arm binaries in the image. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 13 April 2021, 17:11:13 UTC
27ae873 daemon: Ignore L3 devices on unsupported kernels Skip devices which don't have an L2 addr, if the kernel doesn't have the skb_change_head helper (the case for < 5.8 kernels). Without the helper it is not possible to create the headroom for the L2 hdr. Unfortunately, "skb_adjust_room(skb, 14, BPF_ADJ_ROOM_MAC, 0)" cannot be used either, as it does not set "skb->mac_header" which causes the packet to be dropped by [1] when redirecting to another device. [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/core/filter.c?h=v5.8#n2118 Signed-off-by: Martynas Pumputis <m@lambda.lt> 13 April 2021, 16:13:09 UTC
51834ca bpf: Add ETH_HLEN=0 to stress test complexity The PR "datapath: Support NodePort BPF on L2-less devices" [1] has increased the complexity of bpf_host and bpf_lxc by introducing support for ETH_HLEN=0. Extend the base options by adding ETH_HLEN=0 to stress test the verifier complexity when running on net-next (ETH_HLEN=0 depends on the skb_change_head helper which was introduced in 5.8). [1]: https://github.com/cilium/cilium/pull/14858 Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 13 April 2021, 16:13:09 UTC
7e8ec6c helm: mark the hubble-ca-cert ConfigMap as deprecated Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
08eb1af helm,hubble: use ca.crt from the tls Secret instead of the hubble-ca-cert ConfigMap This commit makes it possible to disable the TLS certificates generation for Hubble (using --set hubble.tls.auto.enabled=false from Helm) and use cert-manager[1] to populate both hubble-server-certs and hubble-relay-client-certs. Now that the CA certificate is stored in the TLS secret as ca.crt in addition to the hubble-ca-cert ConfigMap, we can use it directly in the Helm templates for Hubble and Relay. This assumes that the same CA is used for both endpoints of the Hubble - Relay mTLS connection. Note that this was already assumed before this patch, as both Hubble and Relay would use the same hubble-ca-cert ConfigMap as CA to authenticate the other party. [1]: https://cert-manager.io/ Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
c139881 helm: add ca.crt in all the provided TLS Secrets Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
ff3d7e4 helm: fix custom TLS certificates check for Hubble Relay Before this patch, Hubble Relay TLS related Helm templates would check for either the certificate or the key to be present although both are required. This patch requires both the certificate and the key to be provided as Helm values as it is done in the hubble server and the clustermesh apiserver Helm templates. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
8292875 helm: bump certgen to v0.1.4 Bump certgen to a version that includes ca.crt into the generated TLS Secrets. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
573baf0 helm: add ca.crt in all the generated TLS Secrets Embed the CA into the TLS Secrets. We do so in order to have the Secret `data` attribute populated the same way cert-manager[1] does. [1]: https://cert-manager.io/ Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
165c047 install/kubernetes: add quick-hubble-install.yaml to the clean make target Before this patch, `make clean` would not remove quick-hubble-install.yaml that could have been generated by the experimental-install target. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 13 April 2021, 15:44:09 UTC
4b4a74b Do not increment delete error metric on delete of non-existing nat entry This fixes the spurious increments of the snat_v[46]_external delete fail metric by extending bpf.Map with SilentDelete() which allows deleting map entries that may not exist without error counter increments or deferred repeated delete via resolveErrors(). Fixes: #11485 Signed-off-by: Jussi Maki <jussi@isovalent.com> 13 April 2021, 14:41:57 UTC
969c2f7 daemon/cmd: fix Cilium version status output Similarly to other software, Cilium should print the version in a non-ambiguous format such as "v<Version>-<Commit>". Fixes: 65dd482bac77 ("Agent: Include Cilium version in output of cilium status --verbose") Signed-off-by: André Martins <andre@cilium.io> 13 April 2021, 13:41:59 UTC
b97becf workflows: add encryption for AKS testing Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 13 April 2021, 11:30:44 UTC
fa1641c build(deps): bump actions/cache from v2.1.4 to v2.1.5 Bumps [actions/cache](https://github.com/actions/cache) from v2.1.4 to v2.1.5. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v2.1.4...1a9e2138d905efd099035b49d8b7a3888c653ca8) Signed-off-by: dependabot[bot] <support@github.com> 13 April 2021, 11:29:44 UTC
6722abf CODEOWNERS: Add pkg/bgp The kubernetes and the loadbalancer teams are assigned as the BGP integration is mostly K8s code and is relevant to services which the loadbalancer team is responsible for. Updates: https://github.com/cilium/cilium/issues/15611 Signed-off-by: Chris Tarazi <chris@isovalent.com> 13 April 2021, 09:43:38 UTC
cb8b505 hubble-fgs: Add encryption to GKE tests Signed-off-by: John Fastabend <john.fastabend@gmail.com> 13 April 2021, 09:37:14 UTC
8a80550 workflows: fix wrong artifact name in Kind workflow Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 13 April 2021, 02:54:05 UTC
c0e55fd workflows: pin actions in Kind workflow Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 13 April 2021, 02:54:05 UTC
5947fb6 CODEOWNERS: Add @cilium/wireguard for pkg/wireguard Signed-off-by: Martynas Pumputis <m@lambda.lt> 13 April 2021, 02:48:56 UTC
31b44f3 docs: add to Kata GSG a note about incompatibility w/ KPR/Host Services Host-reachable services are not supported with Kata containers at this time. This is because they use socket-based load-balancing which requires hooking in the kernel at the socket level in the pods, but Kata containers are VMs with their own kernels, making it impossible. Kube-proxy replacement in strict mode implies host-reachable services, and is therefore not supported either. Update the documentation accordingly, to avoid users stumbling on it. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 12 April 2021, 21:53:30 UTC
f1209d0 test: Enable IPSec tests on 4.19 Our IPSec tests are currently never tested on newer kernels (i.e., >4.9). Even worse, our IPSec + VXLAN test never runs because that combination of options required kernels >4.19. This commit enables IPSec tests on all CI jobs running with kube-proxy installed, namely 4.9 and 4.19. This is possible thanks to [1] and the previous commit. 1 - https://github.com/cilium/cilium/pull/15543 Fixes: https://github.com/cilium/cilium/issues/14155 Signed-off-by: Paul Chaignon <paul@cilium.io> 12 April 2021, 21:52:49 UTC
ef6e543 jenkinsfile: Keep kube-proxy for 4.19 CI job Signed-off-by: Paul Chaignon <paul@cilium.io> 12 April 2021, 21:52:49 UTC
4d7fc4c test: Fix and disable IPSec + bpf_host test We currently have two IPSec tests in native routing mode, one with bpf_host loaded on the native device and one without. By default, bpf_host is loaded on native devices if the host firewall or NodePort are enabled, so the goal of the first test is to verify IPSec still works in those conditions. Similarly, in tests, we only define 'devices' if the host firewall or NodePort are enabled. Devices are therefore undefined on 4.9 by default. Therefore, on 4.9, the 'with bpf_host' variant of the IPSec test runs with devices unspecified and doesn't actually test the integration with bpf_host. This commit first fixes that by explicitly defining devices in the test. Unfortunately, the integration with bpf_host is actually broken because of https://github.com/cilium/cilium/issues/12205, so we have to disable the test until that issue is fixed. So basically, this commit is a noop: it fixes a test that wasn't testing anything new just to then disable it because the tested functionality is broken ¯\_(ツ)_/¯ Fixes: 5c6c4a6 ("cilium: xfrm tests can work with bpf_host loaded now") Signed-off-by: Paul Chaignon <paul@cilium.io> 12 April 2021, 21:52:49 UTC
09e06f8 wireguard: Disable KPR encryption After removing the Wireguard tunnel IP, traffic forwarded by NodePort BPF cannot be encrypted as it used to be. When running Wireguard with KPR, we want to encrypt the following NodePort BPF traffic: 1. A request from a client to a service handled by NodePort BPF when a remote service endpoint is selected (after SNAT and DNAT). 2. A reply from the service endpoint on the remote node to the request above. Case 1. is marked for encryption from the NodePort BPF program (once it detects that the service endpoint is remote). The encryption of case 2. is more complicated. Previously, when we had a Wireguard tunnel IP, the request was SNAT-ed to the tunnel IP. This made the reply automatically go over the Wireguard tunnel. Unfortunately, after removing the Wireguard tunnel IP, this is no longer the case. The request is SNAT-ed to a node IP, and therefore a reply (src=podIP|dst=nodeIP) is no longer encrypted, as it does not go over the Wireguard tunnel. To fix this, we could mark a packet sent from a pod for encryption if we detect that dst is REMOTE_NODE_ID. Then later on, the packet could be routed by the stack to the Wireguard tunnel device (thanks to the mark). Unfortunately, this introduces an asymmetry for non-NodePort host2pod traffic, as host2pod will go unencrypted over a native device while pod2host will go over the tunnel and will be encrypted. Because of the asymmetry, disable the KPR encryption until we can encrypt host2pod with Wireguard. In the end, the NodePort BPF encryption is the host2pod and pod2host encryption. Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 20:33:58 UTC
a976581 wireguard: Completely disable rp_filter Just having a default route is not enough to pass the rp_filter check in the loose mode. So, disable it completely. Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 20:33:58 UTC
0ecab37 wireguard: Remove operator This commit removes the Wireguard operator which previously was used to allocate a Wireguard tunnel IP. After taking a closer look into the Wireguard source code in the kernel and realising that we don't see the tunnel IP on the wire, we came to the realisation that the IP is not needed at all. For host2host encryption with Wireguard (TODO) we don't need to rely on the tunnel IP (we will be able to use the nodeIP and Wireguard's fwmark to avoid the loop). Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 20:33:58 UTC
8ae3d1d datapath/linux/probes: remove unused (*ProbeManager).GetMisc After commit 27eda2c934dd ("Remove NEEDS_RELAX_VERIFIER") the method, its corresponding member in type Features and the type Misc are no longer used in the code. Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 April 2021, 20:25:16 UTC
73b0d4a datapath/linux/arp: avoid leaking sock fd if unix.SetNonblock fails in func listen At this point, the sock fd is not yet wrapped in an *os.File, so it needs to be closed explicitly on error. Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 April 2021, 20:24:29 UTC
ddb916a modules: Add stubs for non-Linux platforms Signed-off-by: Joe Stringer <joe@cilium.io> 12 April 2021, 17:18:51 UTC
e26d502 health: Add stubs for non-Linux platforms Signed-off-by: Joe Stringer <joe@cilium.io> 12 April 2021, 17:18:51 UTC
e8ca92b cgroups: Add stubs for non-Linux platforms Signed-off-by: Joe Stringer <joe@cilium.io> 12 April 2021, 17:18:51 UTC
4e845a1 mountinfo: Add stubs for non-Linux platforms Co-authored-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 12 April 2021, 17:18:51 UTC
eaa0172 .github: change dependabot interval to daily Signed-off-by: André Martins <andre@cilium.io> 12 April 2021, 13:40:50 UTC
a7b992c datapath: Get rid of unused bpf/init.sh XDP args Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 12:58:58 UTC
09de0cc datapath: Load XDP program from Go This commit completely removes XDP handling from bpf/init.sh by moving the loading of it into the agent. The cidrmap removal is moved to the place where we delete all disabled BPF maps. Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 12:58:58 UTC
fa12269 datapath: Compile bpf_xdp.c from Go This commit moves bpf_xdp.c compilation from bpf/init.sh to Go. The same motivation as in the previous commit applies. In addition, it extends "progInfo" struct to accept extra arguments for compilation. Signed-off-by: Martynas Pumputis <m@lambda.lt> 12 April 2021, 12:58:58 UTC