Skip to main content

Browse the archive

https://github.com/cilium/cilium
12 July 2024, 03:14:21 UTC
sort by:
Revision Author Date Message Commit Date
d3ddb75 Daniel Borkmann 05 October 2020, 15:23:12 UTC test Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 05 October 2020, 15:23:12 UTC
c2d170a Daniel Borkmann 21 August 2020, 08:16:40 UTC bpf: use fast netns pod switch for ingress Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 02 October 2020, 15:26:39 UTC
1010757 Glib Smaga 29 September 2020, 18:05:23 UTC pkg/hubble/filters: Add HTTP method filters Signed-off-by: Glib Smaga <code@gsmaga.com> 02 October 2020, 13:49:06 UTC
cbccac4 Glib Smaga 28 September 2020, 22:47:25 UTC api/v1: Add http method filter entry Signed-off-by: Glib Smaga <code@gsmaga.com> 02 October 2020, 13:49:06 UTC
98356e2 Paul Chaignon 02 October 2020, 12:08:05 UTC docs: Document make target for operator Docker image Signed-off-by: Paul Chaignon <paul@cilium.io> 02 October 2020, 12:12:21 UTC
2779bfd Weilong Cui 24 September 2020, 04:35:24 UTC Restores ClusterIP service entry upon LRP removal. Deleting an LRP shadowing a ClusterIP service today will delete such service entry entirely, this is problematic in cases where the original service is still needed, e.g., NodeLocalDNS. This allows for restoring ClusterIP service when correspoding LRP is removed. We acquire original service info from Cilium's service cache and enforce an update event to restore the service entry. With LRP, `cilium service list`: ID Frontend Service Type Backend 1 10.91.240.10:53 LocalRedirect 1 => 10.88.1.242:53 2 10.91.241.27:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 3 10.91.240.1:443 ClusterIP 1 => 35.193.66.178:443 4 10.91.254.119:443 ClusterIP 1 => 10.88.1.127:443 After removing the LRP, `cilium service list`: ID Frontend Service Type Backend 2 10.91.241.27:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 3 10.91.240.1:443 ClusterIP 1 => 35.193.66.178:443 4 10.91.254.119:443 ClusterIP 1 => 10.88.1.127:443 5 10.91.240.10:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 Signed-off-by: Weilong Cui <cuiwl@google.com> 02 October 2020, 07:57:17 UTC
d6ad56b Paul Chaignon 01 October 2020, 13:01:29 UTC test: further increase range of accepted values for bandwidth test Our current range for the 25Mbps target is [18; 32]. We seem to always fall short of the 18 bound. Expected cases of regressions are likely to be either a lack of connectivity or a lack of rate limiting. So with a range [1; 30] we're likely to catch most regression cases without missing on cases where there's no rate limiting (which we could miss if we keep increase the whole range). Fixes: #13062 Co-authored-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Paul Chaignon <paul@cilium.io> 02 October 2020, 07:34:33 UTC
ca9992e Lehner Florian 01 October 2020, 18:08:48 UTC cleanup: remove unused code Signed-off-by: Lehner Florian <dev@der-flo.net> 01 October 2020, 19:05:50 UTC
55209b7 Paul Chaignon 01 October 2020, 15:38:12 UTC docs: Move performance guide under Operations Signed-off-by: Paul Chaignon <paul@cilium.io> 01 October 2020, 18:31:41 UTC
e4b3689 Paul Chaignon 01 October 2020, 15:15:19 UTC docs: Move scalability guide under Operations Signed-off-by: Paul Chaignon <paul@cilium.io> 01 October 2020, 18:31:41 UTC
b769c64 Paul Chaignon 01 October 2020, 14:52:46 UTC docs: operations/ dir to match displayed structure Signed-off-by: Paul Chaignon <paul@cilium.io> 01 October 2020, 18:31:41 UTC
175c7da Tobias Klauser 01 October 2020, 13:18:06 UTC datapath/connector: move CheckLink to daemon/cmd This function is only used in daemon/cmd in a single place, so move it there and unexport it. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 01 October 2020, 18:29:39 UTC
96648d0 Tobias Klauser 01 October 2020, 12:03:19 UTC datapath/connector: remove unused funcs The last remaining user of DeriveEndpointFrom was removed by commit 532ad9d44a6f ("rm pkg/workloads"). GetNetInfoFromPID and GetVethInfo were only used by DeriveEndpointFrom, so remove them as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 01 October 2020, 18:29:39 UTC
7257d4a Ilya Dmitrichenko 01 October 2020, 09:58:14 UTC install: RBAC permissions for finalizers subresources Since Cilium sets ownership references on pods, it needs permission to delete pods via finalizers and for that purpose it also needs permissions to set the finalizers on pods. This change is required for OpenShift, however it's based on the GC admission controller that was introduced in Kubernetes 1.5 (https://github.com/kubernetes/kubernetes/pull/34829). Also add explicit permissions for finalizers on all CRs, to ensure that agent and operator can set finalizers on their own resources. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> 01 October 2020, 16:42:55 UTC
b6d0054 Maciej Kwiek 30 September 2020, 09:45:13 UTC test: enable operator metrics in stresspolicy suite Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 01 October 2020, 16:20:30 UTC
657171f Daniel Borkmann 01 October 2020, 10:19:16 UTC vagrant: bump bpf-next vagrant box version Pull in latest BPF kernel features from bpf-next [0]. [0] https://lore.kernel.org/bpf/cover.1601477936.git.daniel@iogearbox.net/ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 October 2020, 12:29:36 UTC
18dc9f2 Jarno Rajahalme 30 September 2020, 12:03:45 UTC envoy: Stop using deprecated filter names Stop using deprecated Envlyo filter names in order to get rid of deprecation warning logs. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 01 October 2020, 09:27:28 UTC
28b4c96 Alexandre Perrin 29 September 2020, 14:41:23 UTC fsnotify: correctly check for event operation fsnotify Event.Op is a bit mask and testing for strict equality might not detect the event operation correctly. This patch make it so we check for fsnotify event operation consistently as documented at https://github.com/fsnotify/fsnotify. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 01 October 2020, 08:56:44 UTC
b71cf0d Joe Stringer 30 September 2020, 22:13:35 UTC contrib: Improve start-release.sh script Due to an extra `v` in the branch name, this script would fail with: $ ~/git/cilium/contrib/release/start-release.sh v1.6.12 128 fatal: 'origin/vv1.6' is not a commit and a branch 'pr/prepare-v1.6.12' cannot be created from it Signal ERR caught! Traceback (line function script): 62 main /home/joe/git/cilium/contrib/release/start-release.sh Fix it. While we're at it, update the instructions at the end for next steps, since there's also now a `submit-backport.sh` script to send the PR from the CLI. Signed-off-by: Joe Stringer <joe@cilium.io> 01 October 2020, 08:11:45 UTC
57d3473 Gilberto Bertin 30 September 2020, 13:52:57 UTC bugtool: get bpffs mountpoint from /proc/self/mounts Rather then hardcoding the /sys/fs/bpf value in bugtool, use the `mountinfo` package (which exposes the information in /proc/self/mounts) to determine the correct mountpoint for the BPF filesystem. Fixes: #13218 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 01 October 2020, 07:50:19 UTC
c0236a4 Joe Stringer 01 October 2020, 04:51:06 UTC README: Fix the versions listing An improperly formatted table cause the versions listing to disappear. Fix it up. Fixes: 3bb016ffd4f5 ("Update stable releases") Signed-off-by: Joe Stringer <joe@cilium.io> 01 October 2020, 07:07:53 UTC
b9e44f3 Daniel Borkmann 29 September 2020, 09:42:39 UTC bpf: optimize datapath through host netns Optimize the direct routing host data path via redirect_neigh() helper based on our recent kernel work [0]. As outlined at Plumbers [1] (the first out of the two new helpers), the current routing scheme is suboptimal in that we push skbs up the host stack. This has a huge cost in itself and additionally it also orphans the skb from the socket so that TCP stack does not get right backpressure signal for TSO. With the redirect_neigh() helper we can perform the forwarding in tc layer _only_ while we let kernel handle neighboring subsystem in reply path. This also means we bypass things like netfilter in host netns thus if masquerading is enabled it must be done via BPF. This preserves also skb->sk all the way till qdisc layer which also helps BPF bandwidth manager for FQ. Used agent config on apoc/tank with bpf-next tree each: ./daemon/cilium-agent --identity-allocation-mode=crd --enable-ipv6=true --enable-ipv4=true \ --disable-envoy-version-check=true --tunnel=disabled --k8s-kubeconfig-path=$HOME/.kube/config \ --kube-proxy-replacement=strict --enable-l7-proxy=false --auto-direct-node-routes=true \ --native-routing-cidr=10.217.0.0/16 --enable-bandwidth-manager=true --enable-bpf-masquerade=true Benchmark via direct routing, pod to pod, over wire gives a nice stable improvement that way: * Before: root@apoc:~# kubectl exec -it netperf-5fdd54b4cc-bcqzg -- netperf -H 10.217.1.93 -t TCP_STREAM MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.93 (10.217.) port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 131072 16384 16384 10.00 9460.80 * After: root@apoc:~# kubectl exec -it netperf-5fdd54b4cc-bcqzg -- netperf -H 10.217.1.93 -t TCP_STREAM MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.93 (10.217.) port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 131072 16384 16384 10.00 15769.68 This is automatically enabled by having --enable-host-legacy-routing=false as default. If the underlying kernel does not support the new BPF helper, then the agent falls back to --enable-host-legacy-routing=true automatically. Similarly, if a user needs backwards compat --enable-host-legacy-routing=true can be set to opt-out from it. [0] https://lore.kernel.org/bpf/cover.1601477936.git.daniel@iogearbox.net [1] https://linuxplumbersconf.org/event/7/contributions/674/attachments/568/1002/plumbers_2020_cilium_load_balancer.pdf Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 October 2020, 05:31:32 UTC
692c348 Daniel Borkmann 29 September 2020, 08:43:51 UTC bpf: update/sync helper list Pull in latest BPF uapi helpers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 October 2020, 05:31:32 UTC
3bb016f Joe Stringer 01 October 2020, 02:42:54 UTC Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> 01 October 2020, 04:47:33 UTC
062c942 jedsalazar 11 September 2020, 14:47:24 UTC improve policy get Signed-off-by: Jed Salazar jed@isovalent.com 30 September 2020, 23:58:47 UTC
1ed8c87 jedsalazar 10 September 2020, 21:57:16 UTC fixes markdown in hostnet policy troubleshooting Signed-off-by: Jed Salazar jed@isovalent.com 30 September 2020, 23:58:47 UTC
3179a47 Thomas Graf 30 September 2020, 14:07:38 UTC datapath: Support enable-endpoint-routes with encapsulation It is reasonable to support encapsulation with enable-endpoint-routes. The existing code derived a new datapath mode when enable-endpoint-routes was enabled, which automatically disabled encapsulation. Signed-off-by: Thomas Graf <thomas@cilium.io> 30 September 2020, 23:53:11 UTC
1f32562 Timo Beckers 30 September 2020, 10:02:37 UTC logfields: remove unused BuildDuration and EndpointRegenerationTime constants As discussed in https://github.com/cilium/cilium/pull/13323, these are unused, we don't explicitly guarantee API compatibility for them, and are not passed to the caller across package boundaries. The goal is to move some packages out of pkg/ to improve clarity around which packages we provide API stability for. Signed-off-by: Timo Beckers <timo@isovalent.com> 30 September 2020, 22:58:54 UTC
6f8de5a Timo Beckers 30 September 2020, 09:31:13 UTC docs: document policy/endpoint regen metric rename for 1.9 Signed-off-by: Timo Beckers <timo@isovalent.com> 30 September 2020, 22:58:54 UTC
c52ae28 Timo Beckers 29 September 2020, 09:28:07 UTC endpoint: rename policy/endpoint regeneration 'buildDuration' to 'total' The endpoint/policy regeneration time's ambiguous "buildDuration" metric is now called "total", since it spans the full regeneration duration. Before: ``` cilium_endpoint_regeneration_time_stats_seconds scope="buildDuration" status="success" 2.429326 cilium_policy_regeneration_time_stats_seconds scope="buildDuration" status="success" 0.000917 ``` After: ``` cilium_endpoint_regeneration_time_stats_seconds scope="total" status="success" 2.243356 cilium_policy_regeneration_time_stats_seconds scope="total" status="success" 0.000104 ``` Fixes: #13222 Signed-off-by: Timo Beckers <timo@isovalent.com> 30 September 2020, 22:58:54 UTC
641c0f9 Paul Chaignon 30 September 2020, 16:41:01 UTC maps: Use fmt.Sprint() instead of string() Otherwise, the privileged unit tests fail with: pkg/maps/eppolicymap/eppolicymap_test.go:72:32: conversion from int to string yields a string of one rune, not a string of digits (did you mean fmt.Sprint(x)?) Signed-off-by: Paul Chaignon <paul@cilium.io> 30 September 2020, 22:13:40 UTC
df8238d Paul Chaignon 30 September 2020, 07:54:01 UTC vagrant: Bump all Vagrant box versions Signed-off-by: Paul Chaignon <paul@cilium.io> 30 September 2020, 22:13:40 UTC
2371071 Kornilios Kourtis 30 September 2020, 20:51:32 UTC Documentation: performance evaluation improvements - Add multi-stream results - Add lower/higher is better labels - use (lat vs batch) and (tput vs batch) plots for TCP_RR - improve text Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 30 September 2020, 21:14:19 UTC
bfdaae9 Joe Stringer 29 September 2020, 22:38:09 UTC helm: Always respect global.identityAllocationMode This option was not being respected in the case where the user enables etcd configuration. In this case, when also configuring Cluster Mesh, it is important to manage identities via the kvstore to ensure that remote clusters have access to the identities of the local cluster. However, for users who are not using Cluster Mesh, it is reasonable to run Cilium with identities managed via CRDs, and deployments may already be deployed in this way. Failing to respect the option means that users who upgrade may observe temporary dataplane upgrade during upgrade due to the transition from CRD to kvstore for identity management. To prevent unintentional dataplane outage during upgrade from earlier releases, revert the helm changes from commit 8c9539205edc ("doc: Fix clustermesh documentation to set the correct identityMode"). The above commit already clarified the instructions for clustermesh users, which was the main goal of that commit so no other changes are necessary in this commit. Fixes: 8c9539205edc ("doc: Fix clustermesh documentation to set the correct identityMode") Reported-by: Dan Sexton <dan.b.sexton@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> 30 September 2020, 20:08:14 UTC
285c4e3 Robin Hahling 30 September 2020, 11:52:09 UTC doc: add instructions to configure Hubble in ClusterMesh Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 30 September 2020, 19:02:37 UTC
94a7a89 Robin Hahling 30 September 2020, 11:50:14 UTC doc: add a new Observability subsection in the Concepts section This new section provides information about Hubble, its components and the different modes that can be enabled. It will also allow providing instructions to configure Hubble for specific use-cases. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 30 September 2020, 19:02:37 UTC
54f2824 Timo Beckers 30 September 2020, 11:52:57 UTC docs: mention install/upgrade.rst in contrib guide Signed-off-by: Timo Beckers <timo@isovalent.com> 30 September 2020, 12:25:24 UTC
5c6c4a6 John Fastabend 21 September 2020, 01:57:18 UTC cilium: xfrm tests can work with bpf_host loaded now Add test for case with enncryption done in bpf_host. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 29 September 2020, 23:45:25 UTC
5b83cc1 John Fastabend 22 September 2020, 03:21:21 UTC Revert "daemon: Fatal if IPSec and devices are used together" This reverts commit 8cbd3096a829940035eea95e1e6b10980b07e46e. Now that devices and encryption can coexist we can drop this patch. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 29 September 2020, 23:45:25 UTC
7ba0e83 John Fastabend 17 September 2020, 00:39:02 UTC cilium: from-netdev and from-network BPF programs conflicting hooks Currently, enabling IPsec and a feature that uses a from-netdev program type may conflict when both attempt to load on the network facing device. If this happens then init.sh will load the ipsec program from-network and then after that the golang bpf loader will replace it with the from-netdev program. Which could be OK if the from-netdev program handled IPsec decryption correctly. Unfortunately, it doesn't and what we get is dropped ESP (IPsec encryption protocol) packets and broken connections. To fix teach from-netdev how to handle ingress IPsec decryption. And while doing this cleanup the encryption code blocks so encryption/decryption logic is split into from_host and from_network parts. This way encrypt piece is used in from_host and decrypt is used in from_network case. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 29 September 2020, 23:45:25 UTC
9ed106a John Fastabend 21 September 2020, 13:32:36 UTC cilium: create lib for encryption To allow both bpf_network and bpf_host to use the same code add a encrypt.h file to put common routines. Signed-off-by: John Fastabend <john.fastabend@gmail.com> 29 September 2020, 23:45:25 UTC
0b8148b Sebastian Wicki 29 September 2020, 09:03:49 UTC hubble: Support `--since` requests in combination with follow-mode Previously, the observer implementation assumed time range filters on the request are not compatible with follow-mode. This however is no longer the case, we can now apply the since filter when rewinding the ring buffer. This means that if the user specifies a `since` timestamp, we first dump all flows newer than `since` before we enter follow-mode. Fixes: cilium/hubble#363 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 29 September 2020, 22:20:34 UTC
3cf224e Jarno Rajahalme 29 September 2020, 12:45:54 UTC Envoy: Update to release 1.14.5 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 September 2020, 21:58:36 UTC
bb832bf Maciej Kwiek 29 September 2020, 11:24:02 UTC test: restart pods on GKE Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 29 September 2020, 18:11:29 UTC
3c77388 Maciej Kwiek 29 September 2020, 10:01:32 UTC use correct test image in nightlies Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 29 September 2020, 18:11:29 UTC
ff3ca77 Chris Tarazi 24 September 2020, 21:52:12 UTC operator: Move CRD registration to operator In pursuit of delegating all cluster operations to cilium-operator from the agent, this commit moves the CRD registration under the purview of cilium-operator. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 16:43:59 UTC
db9f562 Chris Tarazi 24 September 2020, 21:50:37 UTC operator: Move K8s init logic to function This commit is mostly a refactoring change to ease future commits. It also removes a duplicated `Update()` call which is already done in `Init()`. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 16:43:59 UTC
325547f Chris Tarazi 27 September 2020, 04:46:39 UTC operator: Deprecate crd-wait-timeout This commit deprecates the crd-wait-timeout option as the functionality has been removed in the previous commit. This option will be removed in 1.10. This commit also updates the cmdref accordingly. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 16:43:59 UTC
8b4b010 Chris Tarazi 25 September 2020, 17:09:31 UTC operator: Revert waiting for CRDs This commit reverts the following two commits, along with the vendored changes that are no longer needed. The rationale is that we no longer need cilium-operator to wait for CRDs as cilium-operator will now register the CRDs (in a future commit), previously done by the agent. --- Commit 5dbe4133a92644278406a47df7892f6e8e7b44c2 ("operator: Make CRD availability timeout configurable") was selectively reverted, only keeping the declarations of the crd-wait-timeout flag, so that they can be deprecated in a future commit. --- Revert "operator: Wait for CRDs before running informers" This reverts commit 8e4f348e1982a081547e90d32221aa058b6fb71c. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 16:43:59 UTC
4dd4e0c Chris Tarazi 24 September 2020, 22:32:19 UTC install: Grant operator permissions for CRD ops This commit deprecates the permissions for CRD operations and marks them for removal in v1.10 from the agent. Additionally, this commit grants them to cilium-operator. This commit is a preparatory for a future commit to move the CRD operations to the cilium-operator. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 16:43:59 UTC
ae5aa9a Chris Tarazi 28 September 2020, 22:45:14 UTC preflight: Use v1beta1 client when appropriate This commit fixes a previously missed instance of using the v1beta1 client as the default when interacting with CRD objects. Since moving to v1 CRDs as the default, we must check if the K8s apiserver understands v1 CRDs. Apiservers <= 1.15 need to use the v1beta1 client. Fixes: c2ca49c4c1 ("k8s: Support v1 & v1beta1 CRDs") Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 September 2020, 13:55:55 UTC
3bf6ae5 Robin Hahling 25 September 2020, 12:16:06 UTC doc: document how to use custom TLS certificates for Hubble In addition, remove beta warning now that mTLS is supported by Hubble and enabled by default. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 29 September 2020, 07:59:13 UTC
6950573 Robin Hahling 25 September 2020, 12:29:28 UTC CODEOWNERS: add hubble team for hubble doc Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 29 September 2020, 07:59:13 UTC
9afc0b1 Deepesh Pathak 28 September 2020, 13:37:19 UTC test: use net.JoinHostPort to construct address in tests * This commit fixes an issue in the tests where we were not parsing the IPv6 addresses correctly in tests. The previous implementation joined the string for host and port using ":" delimiter which does not give correct results for IPv6 addresses. Replace these to use net.JoinHostPort for constructing addresses. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 September 2020, 07:36:25 UTC
1b02ca7 Deepesh Pathak 24 September 2020, 10:03:42 UTC test: enable k8s ipv6 dual stack in kubeadm v1beta2 config Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 29 September 2020, 07:36:25 UTC
deffa27 Paul Chaignon 29 September 2020, 06:35:01 UTC docs: Clarify session affinity support on <5.7 Because network namespace cookies are only available in v5.7+, on older kernels, all pods on a given node will be serviced by the same backend for a given service, for east-west traffic. Fixes: 864f2f9 ("docs: Update list of optional kernel requirements") Reported-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> 29 September 2020, 07:33:30 UTC
156a111 Tobias Klauser 28 September 2020, 10:01:37 UTC cilium: print names for reserved identities in `cilium ip list` Currently, the identities in the output of `cilium ip list` are always in numeric format: $ cilium ip list IP IDENTITY SOURCE 0.0.0.0/0 2 10.0.0.39/32 1 10.0.0.78/32 4 10.0.0.109/32 61205 k8s 10.0.0.179/32 39864 k8s 10.0.2.15/32 1 10.192.1.86/32 4 10.192.1.110/32 4 10.192.1.144/32 7749 k8s 10.192.1.169/32 4 172.28.128.6/32 1 192.168.9.1/32 1 192.168.36.1/32 7749 k8s 192.168.36.11/32 1 192.168.37.11/32 1 f00d::a0f:0:0:76d5/128 7749 k8s f00d::a0f:0:0:79ba/128 4 f00d::a0f:0:0:9fb8/128 4 f00d::a0f:0:0:f4ec/128 4 fc00::10ca:1/128 7749 k8s Make it easier to immediately recognize reserved identities by their name (without having to remember them) by changing the output to print the name by default: $ cilium ip list IP IDENTITY SOURCE 0.0.0.0/0 world 10.0.0.39/32 host 10.0.0.78/32 health 10.0.0.109/32 61205 k8s 10.0.0.179/32 39864 k8s 10.0.2.15/32 host 10.192.1.86/32 health 10.192.1.110/32 health 10.192.1.144/32 7749 k8s 10.192.1.169/32 health 172.28.128.6/32 host 192.168.9.1/32 host 192.168.36.1/32 7749 k8s 192.168.36.11/32 host 192.168.37.11/32 host f00d::a0f:0:0:76d5/128 7749 k8s f00d::a0f:0:0:79ba/128 health f00d::a0f:0:0:9fb8/128 health f00d::a0f:0:0:f4ec/128 health fc00::10ca:1/128 7749 k8s This behavior can be disabled (i.e. the identities are all printed in numeric format) by specifying the `-n` flag. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 28 September 2020, 20:07:56 UTC
348ef4e Maciej Kwiek 28 September 2020, 11:42:37 UTC ci: Run policy stress tests on a nightly basis Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 28 September 2020, 19:02:06 UTC
5b68613 Maxime VISONNEAU 25 September 2020, 14:18:57 UTC helm: configurable nodeSelector and tolerations for all charts Added configuration options nodeSelector (deployments) and tolerations (daemonsets and deployments) for all the existing charts: - agent - hubble-relay - hubble-ui - managed-etcd - nodeinit - operator - preflight On the preflight one, I also simplified the tolerations with a single 'operator: Exists'. Other than that, the behaviour with default values should remain identical. Initially, my use case was to be able to avoid having the hubble-relay pods running on tainted nodes. I went forward with updating all the charts as I felt this could probably be useful for others. Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> 28 September 2020, 15:16:22 UTC
758539b Kornilios Kourtis 17 September 2020, 10:06:49 UTC docs: add initial performance guide doc Initial guide with results and some basic tuning options for users. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 25 September 2020, 22:14:48 UTC
0090b4d Robin Hahling 25 September 2020, 11:17:25 UTC helm: remove hubble-ca-certs Kubernetes TLS secret This Kubernetes TLS secret is actually unused. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 25 September 2020, 14:09:59 UTC
b3adc4d André Martins 18 September 2020, 17:16:07 UTC k8s: delete IPs from ipcache for no running Pods In Kubernetes, a Job creates a pod which will complete with either the "Succeeded" or "Failed" PodPhase. Kubernetes will leave these Pods around until the Job is deleted by the operator. As soon the pod enters either one of the previously described PodPhases, Kubelet will send a CNI delete event to Cilium agent which will then release the allocated IP addresses of that pod, making the IP address available again. If not disabled, Cilium will create a Cilium Endpoint for each Pod in the cluster that has its network managed by Cilium. Cilium agent populates the ipcache with the information retrieved from Pods and Cilium Endpoints events, in case of duplicated information, ipcache will be stored with the state from Cilium Endpoints. In a unlikely case of Cilium agent not running and the Pod enters the "Succeeded" state, it will mean the Cilium agent will not be available to delete the Cilium Endpoint created for that Pod. To complement this fix, Cilium agents will also prune Cilium Endpoints of not running pods on start up. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 11:37:12 UTC
2988760 André Martins 18 September 2020, 16:07:58 UTC k8s/slim: add PodPhase as part of the slim structures This field is essential to understand if the pod is still running or not. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 11:37:12 UTC
f1b61a7 André Martins 18 September 2020, 15:21:31 UTC pkg/k8s: do not watch for CiliumEndpoints if disable-endpoint-crd=true To avoid wasting resources in Cilium and to avoid leftover CiliumEndpoints from populating the ipcache, we should not watch for CiliumEndpoints when disable-endpoint-crd is set to true. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 11:37:12 UTC
0fbd2b4 André Martins 22 September 2020, 16:51:44 UTC Revert "endpointsynchronizer: do not delete CEP when endpoint is deleted" This reverts commit 8068f1a91f043c26ecdc15ad78fe6878a8fc8957. This reverted commit introduces a regression where Cilium Endpoints can be left around after the Cilium Endpoint was locally deleted. Although it was a scale optimization for non existing docker images, the security aspect will overlap the scalability concern initially thought. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 11:37:12 UTC
a07c651 Chris Tarazi 23 September 2020, 23:02:42 UTC docs: Add note for users upgrading K8s Updates: https://github.com/cilium/cilium/issues/12737 Signed-off-by: Chris Tarazi <chris@isovalent.com> 25 September 2020, 09:02:36 UTC
c1814ba André Martins 06 August 2020, 11:33:37 UTC pkg/k8s: fix data race in CNP rule validation This change fixes the following data race: ``` ================== WARNING: DATA RACE Write at 0x00c001cbe910 by goroutine 304: github.com/cilium/cilium/pkg/policy/api.(*PortProtocol).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:393 +0x17a github.com/cilium/cilium/pkg/policy/api.(*PortRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:345 +0xdb github.com/cilium/cilium/pkg/policy/api.(*IngressRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:151 +0xbee github.com/cilium/cilium/pkg/policy/api.Rule.Sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:71 +0x1eb github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2.(*CiliumNetworkPolicy).Parse() /go/src/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/types.go:251 +0x663 github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).prepareUpdate() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:144 +0x8d2 github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).UpdateStatus() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:237 +0x550 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).updateCiliumNetworkPolicyV2AnnotationsOnly.func1() /go/src/github.com/cilium/cilium/pkg/k8s/watchers/cilium_network_policy.go:343 +0x7d github.com/cilium/cilium/pkg/controller.(*Controller).runController() /go/src/github.com/cilium/cilium/pkg/controller/controller.go:205 +0xc71 Previous read at 0x00c001cbe910 by goroutine 18: reflect.typedmemmove() /usr/local/go/src/runtime/mbarrier.go:177 +0x0 reflect.packEface() /usr/local/go/src/reflect/value.go:119 +0x126 reflect.valueInterface() /usr/local/go/src/reflect/value.go:1030 +0x1b9 reflect.Value.Interface() /usr/local/go/src/reflect/value.go:1000 +0x3c27 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:726 +0x3c28 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:880 +0x2709 fmt.(*pp).printArg() /usr/local/go/src/fmt/print.go:716 +0x25a fmt.(*pp).doPrintf() /usr/local/go/src/fmt/print.go:1030 +0x311 fmt.Sprintf() /usr/local/go/src/fmt/print.go:219 +0x73 github.com/cilium/cilium/pkg/policy/api.Rules.String() /go/src/github.com/cilium/cilium/pkg/policy/api/rules.go:34 +0x13c github.com/cilium/cilium/daemon/cmd.(*Daemon).policyAdd() /go/src/github.com/cilium/cilium/daemon/cmd/policy.go:265 +0x34b0 github.com/cilium/cilium/daemon/cmd.(*PolicyAddEvent).Handle() /go/src/github.com/cilium/cilium/daemon/cmd/policy.go:217 +0xc9 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).Run.func1() /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:260 +0x25d sync.(*Once).doSlow() /usr/local/go/src/sync/once.go:66 +0x103 sync.(*Once).Do() /usr/local/go/src/sync/once.go:57 +0x68 ``` Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
efe593b André Martins 06 August 2020, 08:56:19 UTC pkg/azure: fix data race in shared field Fixes the following race: ``` WARNING: DATA RACE Read at 0x00c0002fe870 by goroutine 460: github.com/cilium/cilium/pkg/azure/ipam.(*Node).ResyncInterfacesAndIPs() /home/travis/gopath/src/github.com/cilium/cilium/pkg/azure/ipam/node.go:162 +0x1a4 github.com/cilium/cilium/pkg/ipam.(*Node).recalculate() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node.go:357 +0x12b github.com/cilium/cilium/pkg/ipam.(*NodeManager).resyncNode() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:384 +0x92 github.com/cilium/cilium/pkg/ipam.(*NodeManager).Resync.func1() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:431 +0xa0 Previous write at 0x00c0002fe870 by goroutine 57: github.com/cilium/cilium/pkg/azure/ipam.(*InstancesManager).Resync() /home/travis/gopath/src/github.com/cilium/cilium/pkg/azure/ipam/instances.go:105 +0x8f9 github.com/cilium/cilium/pkg/ipam.(*NodeManager).instancesAPIResync() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:186 +0x8b github.com/cilium/cilium/pkg/ipam.NewNodeManager.func1() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:168 +0x8f github.com/cilium/cilium/pkg/trigger.(*Trigger).waiter() /home/travis/gopath/src/github.com/cilium/cilium/pkg/trigger/trigger.go:206 +0x5b1 ``` Fixes: 3dfd638dcf7b ("ipam: Move iterator logic into generic InstanceMap") Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
229a48d André Martins 05 June 2020, 15:37:12 UTC fqdn/dnsproxy: Close TCP and UDP server after each test To avoid concurrency issues across multiple tests we should shutdown and set up the TCP and UDP servers for each individual test. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
97d4924 André Martins 05 June 2020, 15:06:00 UTC pkg/idpool: split tests that timeout with race detector set There is a test that times out in travis when running with the race detector set, this is primarily caused by the high amount of go routines started in parallel by such test. To avoid this issue we need to split the test in 2 different files, one that has a lower maxID, and therefore lower number of go routines started, for the builds with the race detection, and another one with the same maxID for the builds without the race detection. Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
9842dd5 André Martins 04 June 2020, 11:16:46 UTC fqdn/dnsproxy: use atomic Store/Load for the rejectReply return code SetRejectReply might set a field that is read from a different go routine. To protect this field against this race condition we need to use the atomic Store/Load and split the tests. Fixes: 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
18981be André Martins 04 June 2020, 08:10:38 UTC identity/cache: close KVStore connection on tear down test Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
597528c André Martins 22 September 2020, 13:52:37 UTC travis: enable race detector in travis Signed-off-by: André Martins <andre@cilium.io> 25 September 2020, 08:44:44 UTC
5c6aad6 Chris Tarazi 23 September 2020, 22:44:08 UTC k8s: Remove CRD deleting functionality This commit removes the ability to delete CRDs from Cilium because that would delete all the CRs in the cluster. Follow-up from: https://github.com/cilium/cilium/pull/11477#discussion_r487816729 Updates: https://github.com/cilium/cilium/issues/12737 Signed-off-by: Chris Tarazi <chris@isovalent.com> 24 September 2020, 21:44:23 UTC
4ae7486 Tobias Klauser 24 September 2020, 13:49:47 UTC test, images: update helm to 3.3.4 In the provision script, also remove the downloaded tarball and unarchived directory after installation. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 24 September 2020, 21:43:23 UTC
71c5086 Deepesh Pathak 15 September 2020, 11:02:27 UTC test: add IPv6 NodePort services tests Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 24 September 2020, 21:42:56 UTC
d888057 Deepesh Pathak 14 September 2020, 07:19:10 UTC bpf: fix nodeport ipv6 service revnat handling * This commit fixes an issue in nodeport service revnat handling where the interface index was not properly restored from the Conntrack state leading to packet redirects to invalid interface. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 24 September 2020, 21:42:56 UTC
745a26b Adam Wolfe Gordon 23 September 2020, 17:38:00 UTC k8s: Consider session affinity parameters when comparing Services Previously, if the `sessionAffinity` or `sessionAffinityTimeoutSec` of a Service changed, cilium would ignore the change. This meant that even though cilium correctly handles `sessionAffinity`, changing the `sessionAffinity` of a service without any other changes did not cause cilium to change its handling. Add `sessionAffinity` and `sessionAffinityTimeoutSec` handling to the comparator for services, so that cilium will notice affinity changes. Signed-off-by: Adam Wolfe Gordon <awg@digitalocean.com> 24 September 2020, 09:33:45 UTC
4058f10 Tam Mach 23 September 2020, 22:49:04 UTC test(smoketest): Run smoketest with kube 1.19.x This commit is to upgrade the k8s version to 1.19.1 for smoketest. - Bump kind version to 0.9.0 - Bump kind-action to v1.0.0 - Add nodeversion in kind-config-*.yaml Signed-off-by: Tam Mach <sayboras@yahoo.com> 24 September 2020, 08:04:27 UTC
97362f4 Maciej Kwiek 23 September 2020, 12:08:46 UTC test: check logs of operator and hubble relay This change expands Cilium logs checking at the end of the tests to also check operator and hubble relay logs for bad log messages. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 24 September 2020, 07:58:40 UTC
815be6a Quentin Monnet 10 September 2020, 15:43:14 UTC iptables: comment on xt_connmark requirement for EKS rules EKS requires some specific rules for asymmetric routing with multi-node NodePort traffic. These rules relies on the xt_connmark kernel module, which is usually loaded by iptables when necessary. The rules are installed when the selected IPAM is ENI, meaning they are installed on AWS (but not only EKS). The xt_connmark module should be loaded in a similar way, unless loading modules after boot has been disabled, in which case the setup fails and the agent crashes. Add a comment to at least help debug the issue. Longer term, we may want to add more explicit hints to the logs if too many users hit the issue, but that would require parsing iptables' output for the specific error, so let's see how it goes with a simple comment in the code for now. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 September 2020, 02:20:42 UTC
a301853 Quentin Monnet 10 September 2020, 20:37:43 UTC iptables, loader: use interface with default route for EKS rules Multi-node NodePort traffic on EKS needs specific rules regarding asymmetric routing. These rules were implemented for the eth0 interface (namely), because this is what EKS uses. With the default Amazon Linux 2 distribution. But EKS can also run with Ubuntu for example, and the name of the interface is not the same in that case. Instead of "eth0", use the interface with the dafault route. This is a quick fix, and longer term we want to add the rules to all relevant interfaces, as discussed in #12770. Fixes: #12770 Fixes: #13143 Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 September 2020, 02:20:42 UTC
09e9a46 Quentin Monnet 09 September 2020, 10:56:15 UTC iptables, loader: skip rules for EKS asymmetric routing if !IPv4 EKS needs some specific rules for asymmetric routing with multi-node NodePort traffic. These rules are implemented only for IPv4, so we can avoid installing them when IPv4 is disabled. This is what this commit does. Note that this check is, in fact, not necessary at the moment, because as the config package says: "IPv6 cannot be enabled in ENI IPAM mode". So we always run with IPv4. But let's have it for good measure, to avoid issues if IPv6 support comes in the future. For the same reason, we also do not have to implement equivalent rules for IPv6 at the moment. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 September 2020, 02:20:42 UTC
01f8dcc Quentin Monnet 09 September 2020, 09:24:34 UTC loader: move ENI rules for asymmetric routing to dedicated function EKS needs some specific rules for NodePort traffic (see PR #12770, or comments in the code, for details). The addition of part of these rules were added to the body of the Reinitialize() function in the loader. To make them easier to maintain or extend, let's move them to a dedicated function called by Reinitialize(). No functional change. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 September 2020, 02:20:42 UTC
510566a Kornilios Kourtis 16 September 2020, 10:41:54 UTC docs: backport documentation additions Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Co-authored-by: Joe Stringer <joe@cilium.io> 23 September 2020, 13:14:42 UTC
511b15d Sebastian Wicki 22 September 2020, 14:16:48 UTC hubble: Fix filter by reply reporting flows with unknown reply state This fixes a bug in the reply filter on `reply=false` would report flows for which we actually do not know if they were replies or not. Not all trace points have connection tracking state available, thus looking at the reply flag alone is not sufficent to tell if something a flow was a reply or not. Ideally, we would fix this in the parser and make the `reply` an optional boolean, so we can distinguish between a `false` value and an absent value. This however is a breaking change in the Hubble API, which we want to avoid. Therefore, this commit modifies the reply filter to only report flows here for which we know that the reply field is reliable. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 23 September 2020, 12:43:18 UTC
8e24ea3 Sebastian Wicki 22 September 2020, 14:15:12 UTC monitor: Add helper to determine if a trace point has conn state Not all trace observation points have access to the connection tracking state and populate the `Reason` field of `TraceNotify` accordingly. This commit extracts a helper function to determine which trace points currently do have access to connection tracking state. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 23 September 2020, 12:43:18 UTC
6953fe8 Alexandre Perrin 21 September 2020, 12:30:06 UTC test: ensure that hubble has tls enabled Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 23 September 2020, 10:07:07 UTC
6e1342a Alexandre Perrin 21 September 2020, 12:29:32 UTC test: enable hubble tls Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 23 September 2020, 10:07:07 UTC
aa26f0c Tobias Klauser 21 September 2020, 13:45:26 UTC envoy: don't use deprecated listener and HTTP filter names While running runtime FQDN tests, the following deprecation warnings appeared in the logs: 15:39:07 Top 3 errors/warnings: 15:39:07 [[bazel-out/k8-opt/bin/external/envoy/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.router' for 'envoy.filters.http.router'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details. 15:39:07 [[bazel-out/k8-opt/bin/external/envoy/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.listener.tls_inspector' for 'envoy.filters.listener.tls_inspector'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details. Fix them by using the canonical names as suggested in https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.14.0#deprecated Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 23 September 2020, 10:05:32 UTC
5e1595c Maciej Kwiek 22 September 2020, 17:00:48 UTC ci: fix runtime kernel version typo Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 23 September 2020, 09:20:04 UTC
6635cdf Maciej Kwiek 22 September 2020, 18:07:55 UTC build: Handle empty BASE_IMAGE in Makefile Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 23 September 2020, 09:03:26 UTC
e0a04ba Maciej Kwiek 22 September 2020, 16:28:44 UTC ci: pass race-detection env vars to vagrant boxes Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 23 September 2020, 09:03:26 UTC
6611d2d Maciej Kwiek 22 September 2020, 19:07:06 UTC ci: lock docker build Docker build for concurrently running gke builds for same git sha running on the same node will race. This affects only gke, since all other builds don't share a node. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 23 September 2020, 09:01:57 UTC
8a1324a Aditi Ghag 12 September 2020, 01:34:52 UTC doc Add getting started guide for CiliumLocalRedirectPolicy - Add a new GSG for LRP - Add example yaml files specified as part of the verification steps given in the GSG. Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
e7bb8a7 Aditi Ghag 16 August 2020, 17:51:51 UTC k8s/cilium Event handlers and processing logic for LRPs - Define internal representation of LRP - Add event handlers for various resources (LRP CRs, pods, services) that update LRPs - Plumb datapath with policy configs TODO: Add unit tests Testing: Manually tested various cases and verified that loadbalancer service entries were getting created. - LRPs with address/service matchers - Delete service/backend pods - Update pod labels cilium service list ID Frontend Service Type Backend 1 172.20.0.20:5001 ClusterIP 1 => 10.16.189.7:5001 2 => 10.16.45.6:5001 2 172.20.0.1:443 ClusterIP 1 => 192.168.33.11:6443 3 172.20.0.194:80 LocalRedirect 1 => 10.16.86.228:80 6 172.20.0.10:53 ClusterIP 1 => 10.16.14.226:53 7 172.20.0.10:9153 ClusterIP 1 => 10.16.14.226:9153 kubectl exec nginx-client -- curl -s -I http://172.20.0.194/index.html HTTP/1.1 200 OK Server: nginx/1.19.2 Date: Fri, 21 Aug 2020 16:50:06 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Tue, 11 Aug 2020 14:50:35 GMT Connection: keep-alive ETag: "5f32b03b-264" Accept-Ranges: bytes cilium -D monitor --related-to 2280 Listening for events on 6 CPUs with 64x4096 of shared memory Press Ctrl-C to quit level=info msg="Initializing dissection cache..." subsys=monitor -> endpoint 2280 flow 0x52c1fcd0 identity 7086->59395 state new ifindex lxca7d000aa6ecc orig-ip 10.16.224.211: 10.16.224.211:34262 -> 10.16.86.228:80 tcp SYN LRP with addressMatcher - cilium service list ID Frontend Service Type Backend 1 172.20.0.20:5001 ClusterIP 1 => 10.16.189.7:5001 2 => 10.16.45.6:5001 2 172.20.0.1:443 ClusterIP 1 => 192.168.33.11:6443 3 169.254.169.254:8080 LocalRedirect 1 => 10.16.86.228:80 6 172.20.0.10:53 ClusterIP 1 => 10.16.14.226:53 7 172.20.0.10:9153 ClusterIP 1 => 10.16.14.226:9153 kubectl exec nginx-client -- curl -I http://169.254.169.254:8080/index.html HTTP/1.1 200 OK After removing backend- cilium service list ID Frontend Service Type Backend 1 172.20.0.20:5001 ClusterIP 1 => 10.16.189.7:5001 2 => 10.16.45.6:5001 2 172.20.0.1:443 ClusterIP 1 => 192.168.33.11:6443 3 169.254.169.254:8080 LocalRedirect 6 172.20.0.10:53 ClusterIP 1 => 10.16.14.226:53 7 172.20.0.10:9153 ClusterIP 1 => 10.16.14.226:9153 Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
2086746 Aditi Ghag 12 September 2020, 00:32:23 UTC pkg/k8s Add service type to Service Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
564130d Aditi Ghag 17 August 2020, 18:13:24 UTC pkg/loadbalancer Define L4Type as an alias There are currently no method receivers defined to extend this type, hence, we can convert this to an alias. This allows one to use utility functions that take string as arguments, and doesn't need type casting whenever dealing with other string types defined for L4 protocol. Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
1cc47b7 Aditi Ghag 11 August 2020, 02:04:36 UTC datapath/service: Introduce local redirect service An entry of the type "local redirect" will be created when a user installs a local redirect policy (LRP) to redirect traffic from a frontend (L3 + L4 or K8s service cluster IP + port) tuple to a backend within a node. The service thus will only have node-local backends. The lifecycle of a local redirect service will be tied to its associated LRP. When an LRP enables traffic redirection for a K8s service, it's service type will be changed to local redirect type, and the backends list will be filtered to only include node-local backends. Testing: cilium service list ID Frontend Service Type Backend 12 169.254.169.254:8080 LocalRedirect 1 => 10.16.69.61:80 sudo cilium bpf lb list SERVICE ADDRESS BACKEND ADDRESS 169.254.169.254:8080 0.0.0.0:0 (12) [LocalRedirect] 10.16.69.61:80 (12) kubectl exec nginx-client -- curl -I http://169.254.169.254:8080/index.html HTTP/1.1 200 OK cilium -D monitor --related-to 142 Listening for events on 6 CPUs with 64x4096 of shared memory Press Ctrl-C to quit level=info msg="Initializing dissection cache..." subsys=monitor <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp SYN -> endpoint 142 flow 0x682a7114 identity 10591->7086 state reply ifindex lxce3c498b8259e orig-ip 10.16.69.61: 169.254.169.254:8080 -> 10.16.224.211:52718 tcp SYN, ACK <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp ACK <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp ACK -> endpoint 142 flow 0x682a7114 identity 10591->7086 state reply ifindex lxce3c498b8259e orig-ip 10.16.69.61: 169.254.169.254:8080 -> 10.16.224.211:52718 tcp ACK -> endpoint 142 flow 0x682a7114 identity 10591->7086 state reply ifindex lxce3c498b8259e orig-ip 10.16.69.61: 169.254.169.254:8080 -> 10.16.224.211:52718 tcp ACK <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp ACK <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp ACK, FIN -> endpoint 142 flow 0x682a7114 identity 10591->7086 state reply ifindex lxce3c498b8259e orig-ip 10.16.69.61: 169.254.169.254:8080 -> 10.16.224.211:52718 tcp ACK, FIN <- endpoint 142 flow 0x480114f0 identity 7086->0 state new ifindex 0 orig-ip 0.0.0.0: 10.16.224.211:52718 -> 169.254.169.254:8080 tcp ACK Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
4ff68f1 Aditi Ghag 05 August 2020, 19:38:26 UTC k8s/api: Define and register CiliumLocalRedirectPolicy CRDs Testing: kubectl get crds | grep local ciliumclusterwidelocalredirectpolicies.cilium.io 2020-08-12T22:37:56Z ciliumlocalredirectpolicies.cilium.io 2020-08-11T22:15:50Z kubectl get ciliumlocalredirectpolicy NAME AGE test-lrp 16m Signed-off-by: Aditi Ghag <aditi@cilium.io> 22 September 2020, 23:59:00 UTC
back to top