https://github.com/cilium/cilium

Revision Author Date Message Commit Date
324d212 Add state change num Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 May 2020, 20:20:32 UTC
4afb2f1 Clean up EventFilter Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 May 2020, 20:20:32 UTC
1851bfc WIP Draft for relay API Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 May 2020, 20:20:32 UTC
054dd16 matchpattern: Support matchPattern="*" to match "." DNS servers may request a list of root nameservers by forming an NS request for ".". We have received reports that when applying a visibility policy with the DNS matchPattern "*", DNS requests of this kind were being dropped in the proxy. Fix this by extending the visibility match "*" to explicitly match on either "[validdnscharacters].", or ".". If the matchPattern is more complicated than simply "*", do not match on ".". Signed-off-by: Joe Stringer <joe@cilium.io> 21 May 2020, 20:06:30 UTC
43ccfc9 ci: fix archiving artifacts in runtime jenkinsfile Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 21 May 2020, 18:10:25 UTC
5a8f408 doc: Update spelling for Netlify We need these words for Netlify build that happens outside the docker container that we use. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 May 2020, 17:37:28 UTC
13f8fca doc: Enable Netlify Deploy Preview Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 21 May 2020, 17:29:11 UTC
a89d83c test: Re-enable Services test with L7 policy Fixes: #11578 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 21 May 2020, 17:27:14 UTC
9dc4ed6 linux/routing: Clarify debug logs in test This should make it easier to know which messages to pay attention to or not. Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 17:11:56 UTC
c4f91e4 linux/routing: Centralize netns handling in test Previously, the code set the original root netns back when the entire test suite finishes. This commit changes that to switch back to the root netns when each individual test completes. This simplifies the handling of netns's with regard to their creation and corresponding destruction. Given that we now are locking the goroutine which executes the test to an OS thread, this makes the execution flow easier to follow. The flow becomes:
1) Grab Golang runtime OS thread lock
2) Save reference to original / root netns
3) Create and switch to new netns
4) Execute test
5) Cleanup resources under new netns
6) Close new netns
7) Switch back to original / root netns
8) Unlock Golang runtime OS thread lock
This is an effort to reduce the flakiness of this test suite. Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 17:11:56 UTC
fc77166 linux/routing: Lock Golang runtime OS thread This locks the runtime from switching threads (read: goroutines) when handling network namespaces. This is required as network namespaces used with the vishvananda/netns library are thread-local variables. Due to this, we must pin and disallow any other goroutine from running on the OS thread by issuing a runtime.LockOSThread. This allows us to safely invoke the OS services for getting a new netns, executing the test under that netns, and cleaning up the netns. This is an effort to reduce the flakiness of this test suite. Read here for more info:
https://pkg.go.dev/github.com/vishvananda/netns?tab=doc
https://tip.golang.org/src/runtime/proc.go?h=LockOSThread#L3762
Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 17:11:56 UTC
5821704 linux/routing: List devices when adding dummy dev This allows asserting whether the device already exists before running the tests, and asserting that the device truly was created before running the tests. This is an effort to reduce the flakiness of this test suite. Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 17:11:56 UTC
b30be85 docs: Refresh ginkgo CLI flags documentation Signed-off-by: Joe Stringer <joe@cilium.io> 21 May 2020, 15:57:27 UTC
6ed1d36 test: Support running DatapathConfiguration tests on single node Recent refactoring of the manifest deployments has broken the ability to run these tests on a single node (such as microk8s / minikube). Restore this ability by adding a new `-cilium.multinode` flag which can be disabled, and autodisabling it for these two integrations. Signed-off-by: Joe Stringer <joe@cilium.io> 21 May 2020, 15:57:02 UTC
9bad3ad test: Fix DeployRandomNamespace function comment Signed-off-by: Joe Stringer <joe@cilium.io> 21 May 2020, 15:57:02 UTC
adfaa33 test: Add manifest.GetFilename() helper This will be used to select which file to deploy in the following commit. Signed-off-by: Joe Stringer <joe@cilium.io> 21 May 2020, 15:57:02 UTC
123d03c ci: skip fqdn restart test Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 21 May 2020, 14:22:54 UTC
d7f58e8 Fix up ipcache access in datapath This PR replaces the ipcache_lookup[46]() with lookup_ip[46]_remote_endpoint() where the older kernel does not support it. Fixes: #11351 Signed-off-by: Swaminathan Vasudevan <svasudevan@suse.com> 21 May 2020, 09:47:05 UTC
ee55fa5 config/templates: disable cnp-status update for new installations CNP status updates don't provide any useful information and prevent Cilium from scaling for large clusters as each CNP node update will trigger a k8s event to all remaining nodes. Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
354099a config/templates: configure ipam mode if neither gke, azure nor eni are enabled This avoids a duplicated entry for the "ipam" field in case the user sets the ipam value manually and picks a GKE mode. Fixes: 787c2763c06f ("gke: Enable native-routing mode on GKE by default") Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
6060045 config/templates: allow to enable health checks with helm options Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
3604c4c agent/templates: add K8S_SERVICE_{HOST,PORT} in init container Might be useful to pass the K8S_SERVICE_HOST and K8S_SERVICE_PORT to Cilium's init container. Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
3123abd maps/policymap: only dump keys of policy map When the endpoint is synchronizing the desired policy with the enforced policy it only uses the policy map keys. This commit introduces a new function that will only dump the policy map keys, not the values. This will help to decrease the memory consumption from 32 bytes to 8 bytes per Policy entry. Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
10ef261 k8s/types: do not store full ObjectMeta for CEPs It's not required to store the full ObjectMeta of CEPs. This will help to reduce the memory consumption of CEPs since none of the ObjectMeta fields are used when processing a CEP k8s event. Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
20458c2 operator/watchers: also store ResourceVersion If the resource version is not stored, the watcher won't be able to keep up the last resource version it has seen for this object type so it will assume that any event received from kube-apiserver is an event that should be processed. Fixes: 3a1bde594b61 ("types/slim: add slim packages for k8s structures") Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
8dd41ee pkg/endpoint: optimize GetCiliumEndpointStatus To get a GetCiliumEndpointStatus the function does not need to get an endpoint model, as it is expensive in terms of CPU and memory to do so. Thus, GetCiliumEndpointStatus is now optimized to only generate the api Models for the fields that it actually needs. Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
c4138f7 install/kubernetes: set the brief header when request for /healthz Similar to what is done with cilium status --brief, we should perform the HTTP request by sending the same headers set with `cilium status --brief` to Cilium server. Fixes: d613dea5d524 ("install/kubernetes: use HTTP for agent {liveness,readiness}Probe") Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
76fb7c5 k8s/watchers: set BlockOwnerDeletion to true in CEP This field should be set to true so that k8s will block the deletion of Pod until the CEP is also removed by k8s. Fixes: 08dc8ca31968 ("pkg/endpoint: set Pod as the endpoint owner of a CiliumEndpoint") Signed-off-by: André Martins <andre@cilium.io> 21 May 2020, 09:31:35 UTC
59d1412 Makefile: Fix error when specifying RACE Fixes:
```
$ sudo -E make SKIP_VET=true SKIP_KVSTORES=true TESTPKGS=pkg/aws/eni RACE=1 unit-tests
make -C tools/maptool/
..
echo "mode: count" > coverage-all-tmp.out
echo "mode: count" > coverage.out
...
for pkg in github.com/cilium/cilium/pkg/aws/eni; do \
	go test -mod=vendor -race -ldflags "-X github.com/cilium/cilium/pkg/kvstore.consulDummyConfigFile=/tmp/cilium-consul-certs/cilium-consul.yaml -X github.com/cilium/cilium/pkg/testutils.CiliumRootDir=/home/chris/code/cilium/cilium -X github.com/cilium/cilium/pkg/datapath.DatapathSHA=1234567890abcdef7890 -X github.com/cilium/cilium/pkg/logging.DefaultLogLevelStr="error"" $pkg -test.v -timeout 360s -coverprofile=coverage.out -covermode=count -coverpkg github.com/cilium/cilium/pkg/aws/eni \
	|| exit 1; \
	tail -n +2 coverage.out >> coverage-all-tmp.out; \
done
-covermode must be "atomic", not "count", when -race is enabled
make: *** [Makefile:224: unit-tests] Error 1
```
Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 07:05:06 UTC
c6d373c Makefile: Build maptool with CGO enabled if RACE Fixes:
```
$ sudo -E make SKIP_VET=true SKIP_KVSTORES=true TESTPKGS=pkg/aws/eni RACE=1 unit-tests
dirname: missing operand
Try 'dirname --help' for more information.
make -C tools/maptool/
make[1]: Entering directory '/home/chris/code/cilium/cilium/tools/maptool'
CGO_ENABLED=0 go build -mod=vendor -race -ldflags '-X "github.com/cilium/cilium/pkg/version.Version=1.7.90 2d4cc760b 2020-05-20T12:25:41-07:00 go version go1.14.2 linux/amd64" -s -w -X "github.com/cilium/cilium/pkg/envoy.RequiredEnvoyVersionSHA=a3385205ad620550b35d3b0b651e40898386e6e3" -X "github.com/cilium/cilium/pkg/datapath/loader.DatapathSHA=7359bebb8825a116e3b022e9a3ff35045d0709ce" ' -o maptool
go build: -race requires cgo; enable cgo by setting CGO_ENABLED=1
make[1]: *** [Makefile:14: maptool] Error 2
make[1]: Leaving directory '/home/chris/code/cilium/cilium/tools/maptool'
make: *** [Makefile:216: unit-tests] Error 2
```
Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 May 2020, 07:05:06 UTC
8b54d2f test: Add K8sServicesTest with L4-only policy Test flakes with L7 policy seem to be independent of the proxy redirection (e.g., tftp is not redirected, and still flakes). Add a new test with an L4-only policy to see if it also flakes. In local testing there are failures roughly on ~1/100 tests, when running a test in a loop:
    $ for i in {1..100}; do if kubectl exec -n kube-system log-gatherer-w4kbp \
        -- curl --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 \
        --max-time 8 http://127.0.0.1:30870 2>/dev/null >/dev/null; \
      then printf +; else printf $?; fi ; done && printf "\n"
    +++++++++++++++++++++++++28+++++++++++++++++++++++++28++++++++++++++++++++++++++++++++++++++++++++++++
Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 21 May 2020, 02:54:55 UTC
6e36360 bpf: don't answer ARP requests for endpoint IP Previously, bpf_lxc was answering to all ARP requests. This causes an issue in a scenario where a duplicate address check is being conducted inside the container by sending an ARP request for the endpoint IP for which no answer is expected. This fixes it by answering to ARP requests for all IPs except the endpoint IP. Fixes: #10574 Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com> 21 May 2020, 02:46:43 UTC
2d4cc76 test: Fix looping tests Tell the shell to exit on first error, otherwise the last curl's success will determine the whole test's success, i.e., any failing curls other than the last will be ignored. Fixes: 58be565cfc4 ("test: Unroll curl requests in K8sService suite") Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 22:44:02 UTC
f829636 cilium: Add CLI to introspect IPIdentityCache The flow of IP <-> Identity mappings into the IPIdentityCache follows the path of:
1) K8s watch / local poll / generation of the mapping
2) pkg/ipcache:IPIdentityCache
3) pkg/bpf/map userspace cache of map entries being pushed into BPF map
4) Actual BPF map
We can currently introspect some of (1) depending on the source; (3) always; and (4) depending on the kernel version in use. (2) cannot be introspected. This commit adds support for introspecting (2) to assist in troubleshooting issues related to the propagation of IP to Identity mappings. Example output:
    # cilium ip list
    IP                 IDENTITY   SOURCE
    0.0.0.0/0          2
    10.29.2.92/32      51185      k8s
    10.29.25.191/32    1
    10.29.27.15/32     4
    10.29.27.93/32     104        k8s
    10.29.74.136/32    30909      k8s
    10.29.78.12/32     16083      k8s
    10.29.89.252/32    20623      k8s
    10.29.136.128/32   3157       k8s
    10.29.177.163/32   19933      k8s
    10.29.194.215/32   22010      k8s
    10.29.209.106/32   59801      k8s
    10.29.224.16/32    589        k8s
    192.168.1.29/32    1
Signed-off-by: Joe Stringer <joe@cilium.io> 20 May 2020, 20:44:40 UTC
cfeaf6e build: Set buildkit git origin to a relative path Set the path of the git origin for the build context shallow clone to a relative path so that it also works when the build directory was created in a mounted directory (host vs. VM). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
5a02646 build: Optionally use git for all docker builds with BUILDKIT Make building with DOCKER_BUILDKIT and using a shallow git clone as the build context opt-in: the developer must define DOCKER_BUILDKIT to use these. When DOCKER_BUILDKIT is defined, the following takes place:
1. A separate docker build directory for all docker image targets is used. This makes sure the build context only contains the files in git and none of the other files that may exist in the working directory. '_build' in the repo is used as the root of the build directory by default (can be overridden by defining BUILD_DIR). A shallow bare git clone of the main repo is created in '_build/.git', which is checked out into '_build/context'. The build context is subsequently synced with git fetch to avoid overwriting all files. This makes docker build context sync much faster and allows docker to use cached build stages.
2. The .git directory is left out of the build context, so that any changes in there will not affect docker build stage caching. During the build context sync a file '_build/context/.git' points to '_build_.git', but that is removed before the context is handed to docker.
3. BUILD_DIR can be passed in to specify an alternate build root (replacing the default '_build'). This is beneficial in keeping the main repo directory cleaner, and also to avoid slow file I/O in a shared file system (e.g., between the host and a CI VM).
Testing this on a MacBook Pro yielded the following results:
- Clean and build cilium, cilium-docker-plugin, cilium-operator, and hubble-relay
Before these changes:
    $ time make docker-image
    8m17.558s
After:
    $ time make docker-image
    5m35.515s
    $ DOCKER_BUILDKIT=1 time make docker-image
    2m49.41s
Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
d365d35 build: Fix parallel build dependency on clean Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
c42eb9a build: Add 'veryclean' make target to gut docker Add new 'veryclean' target that cleans up the docker (desktop) instance, useful if docker's file system becomes full. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
0c80bde build: Avoid using git if not in a git repo Do not use git if not in a git repo. Only create GIT_VERSION if the existing file is already not the same. This helps docker caching. Store the list of bpf files in a temporary file BPF_SRCFILES, which is ignored by git like GIT_VERSION. This allows builds to succeed without git. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
c87770a .gitignore: Add 'test/*tmp' Add 'test/*tmp' to cover 'test/gke@tmp/' and anything like it in future. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
278f3b4 contrib: Update check scripts Add exclusion of _build to pass checks, as otherwise '_build/context/vendor/' would cause problems. Exclude also '.git' to speed them up. Unify syntax to use grep's --exclude-dir={dir1,dir2,...} syntax. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 20 May 2020, 20:33:11 UTC
4cd69dc test: Avoid deleting container-registry namespace Commit 31f3b5e5b984 ("test: Delete all non-essential namespaces before initial test") broke CI_INTEGRATION=microk8s by clobbering the namespace used for deploying the container image. Fix it by adding this namespace to the list of sacred namespaces that the CI won't touch. Signed-off-by: Joe Stringer <joe@cilium.io> 20 May 2020, 19:47:39 UTC
119f1b3 test: Disable ipv6 for microk8s integration Commit ced4ad0bcaa8 ("ipam: Add "kubernetes" IPAM mode") autoenabled --k8s-require-ipv6-pod-cidr if --enable-ipv6 is enabled, which causes Cilium to get stuck waiting for the IPv6 pod CIDR to be populated in the node. Fix it by disabling ipv6 for microk8s CI. Signed-off-by: Joe Stringer <joe@cilium.io> 20 May 2020, 19:47:39 UTC
6b90ed7 contrib/vagrant: enable hubble listener on :4244 (TCP) by default Hubble-relay needs to connect to hubble peers for multi-node support. Enabling hubble server on :4244 makes working on hubble-relay easier as one does not need to perform an extra step to reconfigure every VM on a locally deployed vagrant k8s cluster to start playing with hubble-relay. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 17:56:03 UTC
da9a724 doc: Use docker.io instead of quay.io There was some confusion among new contributors whether they should use the Cilium image from docker.io or quay.io for running integration tests locally. Technically both are fine, but changing the documentation to use the Cilium image from docker.io to signify that it is considered a bit more official. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 20 May 2020, 17:26:51 UTC
60ab759 test: Call GinkgoRecover() from testNodePort() goroutines Otherwise, in case of a failure, ginkgo will panic leaving a cryptic message, from which it's harder to determine which test case has failed. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
a0e5078 test: Skip duplicate ClusterIP tests Test ClusterIP from a pod netns and a hostnetns in testNodePort(), so that some ClusterIP test cases can be skipped. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
a8a4f46 test: Move failBind tests to separate test case It's enough to test it only once, thus the move. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
58be565 test: Unroll curl requests in K8sService suite To avoid excessive "kubectl exec", do curl requests in batches. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
2c8f58a test: Parallelize testNodePort Regroup the test cases and run them in parallel. On my machine the invocation of testNodePort() went from ~2:50 min to ~1:15 min. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
151f816 test: Get node names and ip addrs only once in K8sServices They don't change during test runs. Signed-off-by: Martynas Pumputis <m@lambda.lt> 20 May 2020, 17:20:06 UTC
5aee704 test: Don't delete and redeploy Cilium at end of each test context There is no point in doing this. Each test context will deploy Cilium in BeforeAll() with the required configuration. Signed-off-by: Thomas Graf <thomas@cilium.io> 20 May 2020, 16:18:26 UTC
f2b7478 test: add basic tests for hubble-relay These tests are the same tests for L3/L4 and L7 flows that target the local hubble server but they target hubble-relay instead. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 15:37:14 UTC
610b91c test/k8sT: add assertion helpers for hubble-cli and hubble-relay Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 15:37:14 UTC
3c156a3 test: provision hubble-relay image Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 15:37:14 UTC
813f1b5 hubble: remove pkg/hubble/logger and use cilium's default logger This commit removes Hubble's custom logger and ensures that all hubble code makes use of Cilium's logger instead. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 15:11:40 UTC
93f33bd .github: check for diff in the agent and preflight clusterrole Add action to check for differences between the agent and preflight's clusterrole. Since helm does not allow referencing files outside of the chart and we need to make sure both files contain the same rules, this action will make sure both files remain equal. Signed-off-by: André Martins <andre@cilium.io> 20 May 2020, 15:11:10 UTC
5c950b1 preflight/templates: add clusterrole for pre-flight The pre-flight deployment and daemonset might have different requirements for the clusterrole deployed in the cluster. Adding a specific clusterrole for the pre-flight allows users to run it successfully. Signed-off-by: André Martins <andre@cilium.io> 20 May 2020, 15:11:10 UTC
b8aa5c7 docs: add missing --namespace in upgrade guide Fixes: f611334d4b7d ("Use helm repository in docs") Signed-off-by: André Martins <andre@cilium.io> 20 May 2020, 15:11:10 UTC
2d5333f preflight/templates: do not set 'env' if unnecessary The 'env' section can be set even if no environments are being set by the user. With this commit we only set the 'env' section if one of the environment variables is set by the user. Fixes: ff863a8f20b2 ("add validation checker for installed CNPs in preflight") Signed-off-by: André Martins <andre@cilium.io> 20 May 2020, 15:11:10 UTC
be8b943 cilium/cmd: do not fail if CCNPs are not found In a cluster being upgraded from < 1.7, it is expected that CCNPs are not available. For this reason, the CNP validation tool should not fail, as it is expected for CCNPs to not be available. Fixes: ff863a8f20b2 ("add validation checker for installed CNPs in preflight") Signed-off-by: André Martins <andre@cilium.io> 20 May 2020, 15:11:10 UTC
0997d33 helm: Ensure hubble is enabled when hubble-ui is deployed Fixes: #11518 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 May 2020, 15:08:39 UTC
e6e571c helm: Ensure hubble is enabled when hubble-relay is deployed Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 20 May 2020, 15:08:39 UTC
34b9a36 test: Cleanup default namespace before each Context() Many tests still deploy into the default namespace and sometimes leak resources. This makes it difficult to reliably re-use clusters for testing. Clean the default namespace from various deployment resources. This is specifically not using `delete all --all` so it can be used with the default namespace. It also doesn't touch services, serviceaccounts, secrets, clusterroles, ... with the assumption that these can always be safely overwritten. Signed-off-by: Thomas Graf <thomas@cilium.io> 20 May 2020, 15:01:59 UTC
157632f bpf: use per-cpu scratch space from xdp context to store meta data Moving to per-CPU scratch space instead avoids cache-misses and allows to keep the meta buffer always hot in cache. Only really adjust the pkt meta data space if we push up the stack to signal tc layer that we handled the service xlation. This improves the performance on my local testing by roughly +1.2Mpps. We don't perform an expensive clearing of the scratch space upon entering XDP as usage here is all self-contained and across tail calls we only read out what we populated beforehand. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 20 May 2020, 14:24:41 UTC
8abf68d feat(operator): Reuse existing port on Cilium Operator health api Enable custom TCP listener with SO_REUSEADDR and SOL_SOCKET Closes #11573 Signed-off-by: Tam Mach <sayboras@yahoo.com> 20 May 2020, 14:17:46 UTC
883b39f hubble-relay: enable gRPC reflection This feature is useful for discovering the gRPC API without referring to the .proto files. Example:
    $ grpcurl -plaintext localhost:4245 list
    grpc.health.v1.Health
    grpc.reflection.v1alpha.ServerReflection
    observer.Observer

    $ grpcurl -plaintext localhost:4245 describe observer.Observer
    observer.Observer is a service:
    service Observer {
      rpc GetFlows ( .observer.GetFlowsRequest ) returns ( stream .observer.GetFlowsResponse );
      rpc ServerStatus ( .observer.ServerStatusRequest ) returns ( .observer.ServerStatusResponse );
    }

    $ grpcurl -plaintext localhost:4245 describe observer.GetFlowsRequest
    observer.GetFlowsRequest is a message:
    message GetFlowsRequest {
      uint64 number = 1;
      bool follow = 3;
      repeated .flow.FlowFilter blacklist = 5;
      repeated .flow.FlowFilter whitelist = 6;
      .google.protobuf.Timestamp since = 7;
      .google.protobuf.Timestamp until = 8;
    }
Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 14:04:43 UTC
85c9f56 hubble: delete unused code from pkg/hubble/api/v1 This commit removes code in pkg/hubble/api/v1 that was unused. It also removes mock implementations in pkg/hubble/testutils/fake.go that were unused as well. For consistency reasons, also alias flow pb to flowpb instead of pb. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 14:02:36 UTC
55dbbcb hubble/observer: use time.Since instead of Time.Now.Sub Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 14:02:36 UTC
3f34738 hubble/k8s: remove unused ParseNamespaceNames function Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 20 May 2020, 14:02:36 UTC
859e178 test: disable MetalLB service test until there's a drop-in replacement MetalLB performs ARP announcements which confuses the vbox test env setup since it infers IP addresses of its NAT device by sniffing ARP requests. We need an open-coded dummy LB which triggers creation of LoadBalancer service. Until then, disable it since it's causing too many CI flakes due to this issue. Related: #10763 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 20 May 2020, 10:11:01 UTC
a1d54e3 bpf: Hints to verifier's state pruning Introduce pruning checkpoints to help the verifier's state pruning on older kernels. All program sections now load with less than 128k processed instructions on v4.9.212 and less than 65k on v4.14. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
489dbef bpf: Enforce host policies for IPv6 Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
88bf291 bpf: Enforce host policies for IPv4 Host policies are only enforced when --enable-host-firewall is set. Once enforced, they implement a default deny. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
f9c205d pkg/policy: Host network policies This commit adds network policies for nodes. Node (or host) network policies are loaded with a new nodeSelector field. The nodeSelector and endpointSelector fields cannot co-exist for now. Rules with a nodeSelector field apply only to the special endpoint representing the host. Network policies for the host cannot contain L7 policies yet as this isn't supported in the datapath. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
f2e7df4 bpf: localID as parameter of policy logic functions bpf_lxc programs have their localID hardcoded as SECLABEL, but that is not the case for the bpf_host program in the case of the host firewall. This commit prepares the policy_can_{egress,access_ingress} functions to take the localID as an argument. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
f74087e daemon: Introduce enable-host-firewall option BPF-based egress load balancing isn't supported from the host namespace, so the host policies will fail (due to wrong destination endpoint) if that was enabled. Most users likely use bpf_sock (newer kernels) or kube-proxy for egress load balancing so we just disable BPF-based egress load balancing with a warning if the host firewall is enabled. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 16:54:19 UTC
38abe89 doc: Add make render-docs-live-preview target
- Install dependencies inside a virtualenv using pipenv and run sphinx-autobuild for real-time preview.
- Update PyYAML dependency to 5.3.1. Pipenv complains about beta version dependencies by default.
- Update the Documentation page.
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 19 May 2020, 15:04:05 UTC
cc52749 doc: Update spelling_wordlist.txt Update spelling_wordlist.txt to include some words that are missing in the OS X English dictionary. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 19 May 2020, 15:04:05 UTC
8d0211c pkg/identity: Watch and update labels for the host This commit adds a k8s watcher for label updates on the host. It allows node network policies to select the nodes based on labels. For now, the same label filters are used for the nodes as for the labels. Whatever the labels it receives, because we know there can be only one host endpoint per node, the host endpoint will always retain its security ID of 1. We therefore don't need to reload the host endpoint's datapaths on label updates. Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 09:58:58 UTC
ec4b2f5 identity: Recognize host and health identities as fixed The health and host identities should be recognized as fixed because endpoints with these identities will never receive new ones. So there's no point waiting on the kvstore for these endpoints. Fixes: #11559 Fixes: a695f53 ("Endpoint for host") Reported-by: André Martins <andre@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 19 May 2020, 09:54:07 UTC
b6f4c70 fix(kvstore): Correct the error messages in kvstore get CLI The info log message `waiting for consul to elect a leader` is misleading. I moved it inside the retry-with-backoff loop. Separated two scenarios: error getting the key, and key is nil. While checking for this issue, I found out the consul version is quite old and not the same version as in packer-ci-build (e.g. 1.1.0) https://github.com/cilium/packer-ci-build/blob/master/provision/pull-images.sh#L9 Closes #11567 Signed-off-by: Tam Mach <sayboras@yahoo.com> 19 May 2020, 08:32:34 UTC
ed59264 datapath: Fix removal of bpf_netdev The name of a bpf_netdev object file which is attached to a native device has changed its name - from "bpf_netdev.o" to "bpf_netdev_${NATIVE_DEV_IFACE}.o". E.g.:
    $ sudo tc filter show dev enp0s8 ingress
    filter protocol all pref 1 bpf chain 0
    filter protocol all pref 1 bpf chain 0 handle 0x1 bpf_netdev_enp0s8.o:[from-netdev] direct-action not_in_hw id 982 tag feca2ca7f6f80c7e jited
The change of the name broke the removal of bpf_netdev from previously used native devs. Fixes: a695f532d06 ("Endpoint for host") Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
ad7475b datapath: Set ipv4-alloc-range if native-routing-cidr is not available Since we changed the SNAT logic in the previous commit, we need to set IPV4_SNAT_EXCLUSION_DST_CIDR (prev. IPV4_NATIVE_ROUTING_CIDR) in any case, otherwise traffic between pods on different nodes will be SNAT'd. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
2f0d1c3 datapath: Do not SNAT if dst id is WORLD_ID Unfortunately, we cannot SNAT a packet from a local endpoint only if dst sec id is WORLD_ID. The problem with this is that in the case of an FQDN policy, a world destination can get its own sec id, which makes a packet destined to such target to bypass the check, and bypass the SNAT. To fix this, we SNAT a packet from a local endpoint if dst is neither from native-routing-cidr nor REMOTE_HOST_ID. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
9d3ad46 test: Get rid of dedicated BPF masq test cases As BPF masq is enabled by default, we don't need dedicated deployments (and test cases) to test the feature. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
9b567af test: Set single --device in K8sUpdates test Cilium < v1.8 doesn't support multi-dev, so installing e.g. v1.7 with multiple devices (set by default in overwriteHelmOptions()) will crash cilium-agent. Therefore, in the upgrade test use a single device. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
bd487b6 test: Do not set devices in DatapathConfiguration BPF masq tests As we enabled the BPF masq by default, the correct devices (default and private) are already set by DeployCilium(). Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
bde9037 test: Disable BPF masq for K8sKubeProxyFreeMatrix Disable the BPF masq in the vxlan tests until PublicInterfaceName is decluttered. The communication between pod and remote node has to be SNAT'd in the case of vxlan, which is currently not feasible, as bpf_netdev is loaded only on PublicInterfaceName. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
c620f34 test: Enable BPF masquerading Enable BPF masquerading for the {{4.19,net-next},no-kube-proxy} CI jobs. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 May 2020, 07:27:15 UTC
13bcf96 docs: Point GKE doc to the cluster name var It's created a few lines above. Signed-off-by: Glib Smaga <code@gsmaga.com> 18 May 2020, 20:32:33 UTC
7e328b1 doc: Change machine-type for GKE guide Due to defaulting to a CPU request of 0.1 core for all pods, the number of pods on the single core machine type is limited and insufficient to run the connectivity-check deployment at times. Switch to a 4 core machine type to achieve a reliable connectivity-check result. Signed-off-by: Thomas Graf <thomas@cilium.io> 18 May 2020, 15:43:48 UTC
a2ff935 test: Remove NodeCleanMetadata This seems useless and only prolongs test duration Signed-off-by: Thomas Graf <thomas@cilium.io> 18 May 2020, 15:41:21 UTC
1d618db test: Disable Tests NodePort with L7 Policy This test has been failing in 7/10 builds in the Ginkgo-CI-Tests-4.19-Pipeline as of May 18. Signed-off-by: Thomas Graf <thomas@cilium.io> 18 May 2020, 13:34:53 UTC
3cef02f Update Go to 1.14.3 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 09:02:56 UTC
668dfca datapath/linux: drop dependency on pkg/option With all the preceding commits, pkg/datapath/linux/route is now the only package imported in the cilium-cni and cilium-docker plugins which pulls in pkg/option. This can easily be avoided by changing NodeDeviceWithDefaultRoute to not fetch the EnableIPv{4,6} options itself from pkg/option, but by taking them as arguments. Together with the preceding commits, this reduces the binary size of cilium-cni and cilium-docker by ~1 MiB each: before: -rwxr-xr-x 1 tklauser tklauser 15364096 Mai 4 16:39 plugins/cilium-cni/cilium-cni -rwxr-xr-x 1 tklauser tklauser 17399808 Mai 4 16:39 plugins/cilium-docker/cilium-docker after: -rwxr-xr-x 1 tklauser tklauser 13938688 Mai 4 17:00 plugins/cilium-cni/cilium-cni -rwxr-xr-x 1 tklauser tklauser 16523264 Mai 4 17:00 plugins/cilium-docker/cilium-docker Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 08:38:17 UTC
a340554 datapath/connector: move ipvlan operation mode options from pkg/option The OperationModeL3 and OperationModeL3S consts are only used within pkg/datapath/connector and daemon/cmd. The former is also imported e.g. in the cilium-cni and cilium-docker plugins. In order to avoid transitive dependencies on pkg/option and its imports through pkg/datapath/connector, move the option definitions there. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 08:38:17 UTC
b9ce4cb datapath: split datapath mode option values into own package These are used in several places where a full import of pkg/option (and thus all its dependencies) can be avoided because only the DatapathModeVeth and DatapathModeIpvlan constants are used. Together with the following commits, this helps to reduce the binary size of cilium-cni and cilium-docker. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 08:38:17 UTC
d335ede ipam: split IPAM mode option values into own package These are used in several places where a full import of pkg/option (and thus all its dependencies) can be avoided because only the IPAM mode constants are used. Together with the following commits, this helps to reduce the binary size of cilium-cni and cilium-docker. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 08:38:17 UTC
757493c plugins/cilium-cni: avoid parsing CNI configuration twice in cmdAdd There's already a call to types.LoadNetConf further up. This was probably added by mistake in commit ff49865d477a ("plugins/cilium-cni: disable CNI debug messages by default"). Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 May 2020, 08:38:17 UTC