https://github.com/cilium/cilium

Revision Author Date Message Commit Date
3eee19a docs: Drop sphinxcontrib-openapi fork, switch back to upstream Once upon a time, Cilium docs used the openapi Sphinx add-on to generate its API reference based on the code. And things were good. One day, Dependabot raised a security alert, stating that Mistune v2.0.2 was vulnerable to catastrophic backtracking [0] - this is a regex parsing thing. Mistune was a dependency to m2r, an add-on to parse Markdown in Sphinx, which in turn was a dependency to openapi. The easy path would have been to update m2r to use the latest, fixed Mistune version; but m2r was incompatible with Mistune >= 2.0.0, and also it was no longer in development. There was a fork, m2r2, which had little activity, and would avoid the security issue by very simply pinning the Mistune version to 0.8.4 (which would either fail to build Cilium's reference correctly, or bring some incompatibilities with other dependencies, at this point the narrator does not remember for sure). There was a fork of the fork, sphinx-mdinclude. We could use that project to update openapi, except that it was not compatible with recent versions of docutils, and that this would cause openapi's test suite to fail to pass. ... So we ended up forking the openapi repository to update the dependency to sphinx-mdinclude locally, and this is what we've been using since last summer. And things were good again. But things are even better when they go upstream [citation needed]. We also filed the issue for docutils compatibility in sphinx-mdinclude [1]. It was fixed (thanks!). We submitted a PR to have openapi switch to sphinx-mdinclude [2]. It was adjusted (thanks!), merged, and a new tag was created. Now at last, we can switch back to the upstream version of openapi! [And the build system lived happily ever after.] 
[0]: https://github.com/advisories/GHSA-fw3v-x4f2-v673 [1]: https://github.com/omnilib/sphinx-mdinclude/issues/8 [2]: https://github.com/sphinx-contrib/openapi/pull/127 I did _not_ run `make -C Documentation update-requirements`, because the resulting changes seemed to break the Netlify preview [3]. I stuck to openapi and bumped sphinx-mdinclude to >= 0.5.2, as required by openapi. [3] https://app.netlify.com/sites/docs-cilium-io/deploys/63c55fcc5531c6000838b87c Signed-off-by: Quentin Monnet <quentin@isovalent.com> 17 January 2023, 09:41:25 UTC
4ec82bb gh/workflows: Add endpoint routes to ci-datapath We enable it only on two jobs, because until [1] it would disable the BPF host routing. Also, we get a fair coverage of it in the managed K8s GHA jobs. In addition, we no longer create a CI job per kernel version, as we want to test more configurations w/o running them sequentially (one of the ci-datapath goals is to run under 30min). [1]: https://github.com/cilium/cilium/pull/22006 Signed-off-by: Martynas Pumputis <m@lambda.lt> 16 January 2023, 14:29:17 UTC
b65c23e gh/workflows: Add LB mode to ci-datapath Signed-off-by: Martynas Pumputis <m@lambda.lt> 16 January 2023, 14:29:17 UTC
ff05a61 bpf: lb: fix L3 pseudo-hdr csum update for SCTP in __lb6_rev_nat() Same as in commit 9f27973a1052 ("bpf: lb: fix check for L3 pseudo-hdr csum update in lb6_xlate()"), only update the L3 pseudo-hdr component in the L4 csum when the L4 protocol requires it (ie. for TCP/UDP, but not for SCTP). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 16 January 2023, 13:00:21 UTC
34d128a pkg/metrics: include revision and arch info in cilium_version This will be helpful if users are running different revisions and/or on different platforms, e.g. how many linux/amd64 as well as linux/arm64 cilium nodes they have in the cluster(s). Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 14 January 2023, 12:36:32 UTC
9ccaaf8 envoy: Fix lock leak in config validation failure If XDS listener configuration validation failed, addListener() would not unlock the XDSServer.mutex, leading to the lock being locked forever. Fix it by using a standard defer() approach. CC: Jarno Rajahalme <jarno@isovalent.com> Fixes: 1042b81daa52 ("envoy: Add xDS resource validation") Signed-off-by: Joe Stringer <joe@cilium.io> 14 January 2023, 01:28:54 UTC
43121d9 relay: pass peer to goroutine The first instance is a cosmetic change, as there was no issue. It's still good practice to pass the var to the goroutine. The second instance fixes a race. Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 13 January 2023, 20:21:42 UTC
10738e7 bpf: lb: catch write error in lb6_xlate() Handle any error returned by ipv6_store_daddr(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 13 January 2023, 14:41:15 UTC
818a603 bpf: Relax constant check for dst_id The constant validation by __builtin_constant_p() failed for clang 14; this is mainly due to LXC_ID evaluation. The actual value of LXC_ID is written by datapath header file (written by pkg/datapath/linux/config/config.go). This commit is to drop constant check for dst_id in clang 14+, so that cilium can still be compiled with clang 14+ while still honouring the original goal in a246aa0ce4f5879219069eb6055ce022f346d280. Relates: a246aa0ce4f5879219069eb6055ce022f346d280 Relates: #22834 Signed-off-by: Tam Mach <tam.mach@cilium.io> 13 January 2023, 10:30:04 UTC
03c195e bpf: Introduce per-cluster NAT maps To distinguish two identical IP addresses that belong to different clusters, we need to extend NAT maps' keys to contain ClusterID. However, currently it is impossible to change NAT maps without breaking users' connections. Thus, we'll take a different approach that creates NAT maps per cluster. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 13 January 2023, 10:29:22 UTC
1600545 kafka, go.mod, vendor: use github.com/cilium/kafka fork We have been using that fork since 2017. Let's replace the import path in the few instances we use github.com/optiopay/kafka to get rid of another replace in go.mod (and thus make life a tiny bit easier for downstream packages importing github.com/cilium/cilium). Suggested-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Tobias Klauser <tobias@cilium.io> 13 January 2023, 10:28:08 UTC
50ed938 Make cilium pprof listen address configurable Cilium's profiles cannot be gathered by other tools running outside the cilium pod if it's only listening on localhost. To enable continuous profiling with tools like Parca or Phlare which operate on a scrape model, we should make the pprof listen address configurable. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 13 January 2023, 10:27:37 UTC
5776a06 MAINTAINERS: Add missing link to GitHub account Fixes: 78146e5202 ("Update MAINTAINERS.md to include Tom Hadlaw") Signed-off-by: Chris Tarazi <chris@isovalent.com> 13 January 2023, 10:25:57 UTC
0f07685 build(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 Bumps [go.uber.org/multierr](https://github.com/uber-go/multierr) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/uber-go/multierr/releases) - [Changelog](https://github.com/uber-go/multierr/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/multierr/compare/v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: go.uber.org/multierr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 January 2023, 10:25:35 UTC
df1123c datapath: Get rid of NO_REDIRECT define The define was introduced by 4132b71e9abe ("bpf: Avoid redirect in bpf_netdev for NodePort") - the reason is listed in the commit msg. It's very unlikely that any user will run w/ netfilter/iptables disabled today. So we can remove the define for now, as it was always set. Signed-off-by: Martynas Pumputis <m@lambda.lt> 13 January 2023, 10:23:57 UTC
13cdd07 docs: move star wars demo to getting started Signed-off-by: Yoyo Wu <yoyo19980720@126.com> 12 January 2023, 21:43:20 UTC
b11a065 build: Generate SBOM during image release Add a Software Bill of Materials (SBOM) generated from source code and the image using the Kubernetes bom tool to the Cilium image during image build. Generating SBOM describing the source in the Cilium repository using bom takes, on average, 10 minutes. As a result, the CI build time increases by 30 minutes if we generate an SBOM describing the source for all three CI images in Image CI Build and the CI ultimately fails, throwing an error that no space is left on the runner. So, SBOM generation from source was removed from Image CI Build. In theory, if you run "bom generate" in the same environment where you are building (especially after building), all modules should be there already downloaded, and bom can reuse them. But this does not happen. One thing that bom will not do is download stuff into your go directory. If a module is missing, bom will download it to /tmp/spdx/gomod-scanner/, look at it there, and remove it. Even after performing a "go mod download" before running "bom generate", the downloaded modules are not being picked up by the go interpreter when bom runs. Fixes: #20712 Signed-off-by: Sandipan Panda <samparksandipan@gmail.com> 12 January 2023, 16:12:54 UTC
48ddc9a ci: update cilium-cli to v0.12.12 v0.12.12 release notes: https://github.com/cilium/cilium-cli/releases/tag/v0.12.12 Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 January 2023, 09:23:46 UTC
1fec8eb bpf: Add tests for extended tunnel map APIs Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 January 2023, 08:26:26 UTC
9501c3d bpf: Don't use global variable inside tunnel map APIs Tunnel map APIs (Set/Get/Delete/SilentDelete) are implemented as a method of Map (tunnel map) struct. However, they all use the global TunnelMap variable internally. Fix for readability and ease of tests. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 January 2023, 08:26:26 UTC
cda8767 bpf: Make tunnel map APIs aware of ClusterID Modify tunnel map APIs (Set/Get/Delete/SilentDelete) to be aware of the cluster-aware addressing. Currently, there's no user interface to set non-zero ClusterID. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 January 2023, 08:26:26 UTC
b4e75da clustermesh: Add some helper functions to PrefixCluster Implement required helpers to implement tunnel map with cluster-aware addressing. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 January 2023, 08:26:26 UTC
b0aa384 bpf: Extend tunnel map key with ClusterID In Cluster Mesh with overlapping PodCIDR, we have to identify remote endpoint with IP + ClusterID. Thus, we should also lookup tunnel map using IP + ClusterID. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 12 January 2023, 08:26:26 UTC
fd52b2f bpf: nodeport: skip CT lookup for non-NodePort replies in RevDNAT path Consider a pod-to-external connection that gets masqueraded in to-netdev. A reply for such a connection first gets revSNATed in tail_nodeport_nat_ingress_ipv4(), and then passes into rev_nodeport_lb4() to check whether it's actually a reply to a forwarded NodePort connection. Here the CT lookup succeeds, but then the additional checks for ct_state.node_port and ct_state.rev_nat_index fail. Therefore the reply tail-calls back into CILIUM_CALL_IPV4_FROM_NETDEV and eventually gets delivered towards the pod. On the pod's ingress path there is a second (expected) CT lookup. As the first CT lookup succeeded, we end up double-accounting the reply in __ct_lookup(). A similar scenario affects host-to-external connections. With non-DSR NodePort they are also in scope of our SNAT code (to avoid clashes with forwarded Nodeport connections), and get connection-tracked. The external-to-host reply traffic will then do a CT lookup in the revSNAT path, and the gratuitous CT lookup in the revDNAT path results in double accounting. So before calling ct_lookup4() in the RevDNAT nodeport path, first check if we will find a relevant CT entry. As ct_has_nodeport_egress_entry4() expects a full 5-tuple, add a new LB-specific helper that extracts the tuple. Make the helper generic enough (ie. handle ICMP) so that we can re-use it for the SVC lookup path in the future. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 January 2023, 08:26:07 UTC
d2f4734 bpf: nodeport: short-cut the Ingress path if no revDNAT is needed The nodeport Ingress path for reply traffic (ie. everything that is *not* a service request) first applies RevSNAT. This targets: - BPF-masqueraded connections (IPv4 only) - EgressGW reply traffic (IPv4 only) - host-originating connections - reply traffic by remote backends We only need to continue in the RevDNAT code to handle replies by remote backends[1]. So in a pure DSR config, we can recircle straight back to the program start. [1] and to redirect EgressGW reply traffic that piggy-backs on the RevDNAT's tunnel code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 January 2023, 08:26:07 UTC
f8b7290 bpf: remove check for ENABLE_EGRESS_GATEWAY in to-netdev's SNAT path EgressGW depends on BPF-Masquerading, and without ENABLE_MASQUERADE none of the EgressGW-specific SNAT logic will even be compiled in. So this check is redundant and can go away. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 January 2023, 08:26:07 UTC
6936db5 bpf: nodeport: drop reply by local backend if revDNAT is skipped RevDNAT for replies from a local service backend is handled by tail-calling from bpf_lxc to CILIUM_CALL_IPV*_NODEPORT_REVNAT with bpf_skip_recirculation() set. If rev_nodeport_lb*() then doesn't find a matching CT entry, don't return CTX_ACT_REDIRECT to the caller. Without a CT entry we also didn't perform a FIB lookup, so `ifindex` is still 0 and the subsequent bpf_redirect() won't do any good. As bpf_lxc only performs the tail-call if ct_state->node_port is set, finding no related Nodeport CT entry is unexpected. So drop the packet. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 12 January 2023, 08:26:07 UTC
da6eb99 [cilium cmd] fix wrong notes. Signed-off-by: yanggang <gang.yang@daocloud.io> 12 January 2023, 08:25:19 UTC
1d0b4a8 images: Update Hubble CLI to v0.11.0 Updated using `images/scripts/update-hubble-version.sh`. This commit needs to be backported to Cilium v1.13 as the Hubble CLI contains the new protobuf schema for the Hubble features present in Cilium v1.13. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 12 January 2023, 08:24:54 UTC
5ee70b9 build(deps): bump go.uber.org/dig from 1.15.0 to 1.16.0 Bumps [go.uber.org/dig](https://github.com/uber-go/dig) from 1.15.0 to 1.16.0. - [Release notes](https://github.com/uber-go/dig/releases) - [Changelog](https://github.com/uber-go/dig/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/dig/compare/v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: go.uber.org/dig dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 12 January 2023, 08:24:33 UTC
7f18fdc build(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.5.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.3.0...v0.5.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 12 January 2023, 08:24:12 UTC
dbfcec3 [cilium-cmd bpf-metrics-list] return first when []*metricsRow is nil. Signed-off-by: yanggang <gang.yang@daocloud.io> 12 January 2023, 08:23:51 UTC
88d2e2b Update CODEOWNERS file for pkg/safeio Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 12 January 2023, 08:21:54 UTC
229a500 Replace all io.ReadAll Invocations io.ReadAll is a potentially dangerous method invocation in a production system. All instances of this method are replaced with safeio.ReadAllLimit. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 12 January 2023, 08:21:54 UTC
1f6edce Update customvet customvet now supports linting away io.ReadAll invocations. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 12 January 2023, 08:21:54 UTC
06b8d49 Add safeio Package to Replace ReadAll io.ReadAll is a dangerous method in a production system as it can easily create a DoS vulnerability. The safeio package creates a ReadAllLimit method that attempts to read the entirety of an io.Reader up to a limit. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 12 January 2023, 08:21:54 UTC
c55943f gha: Replace deprecated set-output commands The changes are done by below command, thanks to @tklauser in https://github.com/cilium/cilium-cli/pull/1296

```bash
sed -i \
  '/::set-output/ { s/::set-output name=//; s/::/=/; s/$/ >> $GITHUB_OUTPUT/; }' \
  .github/workflows/*.yaml
```

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 January 2023, 17:59:10 UTC
b006a84 clustermesh: Add missing brackets of etcd option When clustermesh-apiserver Pod is deployed on the IPv6 single-stack cluster, etcd fails to start up with an error like this.

```
invalid value "https://127.0.0.1:2379,https://a:1:0:3::fc75:2379" for flag -listen-client-urls: URL address does not have the form "host:port": https://a:1:0:3::fc75:2379
```

This happens because we don't put brackets around the IPv6 address. Fix Helm template to correctly handle that. Fixes: #22952 Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2023, 16:37:32 UTC
e4ca2aa ci: Disable WireGuard in ci-multicluster again Seems to be failing pretty consistently since we reenabled it in #22815. Let's disable it again and investigate. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 11 January 2023, 16:37:16 UTC
2b4a7f3 netlink.LinkByName: elegant error handling Use &netlink.LinkNotFoundError{} when handling the not-found error returned by netlink.LinkByName. Signed-off-by: tanberBro <pengfei.song@daocloud.io> 11 January 2023, 16:37:00 UTC
5c522b2 ctmap: fix-up host_local flag in the DSR NAT entry for GC test DSR NAT entries don't have the .host_local flag set, see eg. snat_v4_create_dsr(). This was presumably just copy&pasted from the other NAT entries in the file. It currently doesn't make a difference for the test, but let's still fix it. Fixes: 790465042b91 ("ctmap: add support for GC of DSR orphaned entries") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 January 2023, 16:35:44 UTC
8d675a4 per-node configs: add unit tests; cleanup logs Add lots more unit test coverage. Fix some minor nits in how logs and output are generated. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 11 January 2023, 16:35:04 UTC
0a48fa1 per-node configs: allow for null NodeSelector Mimic the way NetworkPolicyPeer works: if the selector is not supplied, it is assumed to match no nodes; if supplied empty, then matches all nodes. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 11 January 2023, 16:35:04 UTC
2a42f6e docs: add one-liner for how to run e2e tests in kind Might as well save someone else the trouble. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 11 January 2023, 16:35:04 UTC
2d2fce6 test/k8s: add integration test for per-node configs This ensures that the full plumbing is end-to-end working. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 11 January 2023, 16:35:04 UTC
20de35e bpf: Introduce per-cluster conntrack maps To distinguish two identical IP addresses that belong to different clusters, we need to extend conntrack maps' keys to contain ClusterID. However, currently it is impossible to change conntrack maps without breaking users' connections. Thus, we'll take a different approach that creates conntrack maps per cluster. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 11 January 2023, 16:34:28 UTC
9988219 bpf: nodeport: reset EDT aggregate ID for XDP-to-TC tunnel punt If a punted skb enters from-netdev on TC-Ingress with an RX queue mapping, this can collide with an aggregate in the THROTTLE_MAP when to-overlay calls edt_sched_departure(). So reset the aggregate ID before redirecting into the tunnel, same as we would do in the pure TC nodeport path. Fixes: 5af76a0b6a73 ("bpf: xdp: enable tunnel encap for EgressGW reply traffic") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 11 January 2023, 16:31:44 UTC
7b1e08b gha: Improve coverage for Ingress/GatewayAPI Ingress/GatewayAPI relies heavily on NodePort implementation, so we should have coverage for XDP in L7 Ingress. This commit is to enable XDP for one of existing Ingress GHA jobs (e.g. shared). Relates: #22985 Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 January 2023, 16:31:14 UTC
db57c1e daemon: Fix BPF host routing can't be enabled if the devices are wildcard The EnableHostLegacy check needs to be performed after the device detection is called because it relies on option.Config.GetDevices() when it checks if all given network interfaces have L2 addr. If users specify devices with the wildcard options, for example eth+, Cilium performs this check with the devices that haven't been expanded, and the check fails. This PR puts back the EnableHostLegacy check where it was before #21129. kube_proxy_replacement_test.go never reaches probeKubeProxyReplacementOptions since the tests are always performed with option.Config.DryMode = true. So this change won't affect the unit test. Fixes: #22925 Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp> 11 January 2023, 16:30:40 UTC
aad0927 daemon/cmd/endpoint: add more fields to logging when deleting endpoint. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 11 January 2023, 16:28:48 UTC
a1c33d8 pkg/watchers: prevent endpoints overwriting existing ciliumendpoints. Prevents endpointsynchronizer from taking ownership and managing ciliumendpoints, except in the case of endpoint restore where the ciliumendpoint is on the same node as the agent. This fixes bugs related to two endpointsynchronizers running for pods of the same name (i.e. as can happen in the case of Stateful sets). Fixes: #19931 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 11 January 2023, 16:28:48 UTC
f7824ba endpoint: serialize ciliumendpoint UID with header data. This change adds writing the CiliumEndpoint UID to an endpoints restore. CiliumEndpoint UID is not currently written alongside the stored restore data. This can cause problems related to ambiguous ownership of CEPs by endpoint synchronizers. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 11 January 2023, 16:28:48 UTC
b6c04ab k8s/watchers: add uid to patch request document. This is intended to prevent endpoints from overwriting ciliumendpoints that have the same name but are being managed by a new endpoint sync. This can occur because endpointsynchronizer controllers can overlap when restarting a statefulset (i.e. two CEPs will have the same namespace and name as each other). By adding an operation for patching the UID, this ensures that only endpoints with the UID of the current CEP in apiserver will be able to successfully mutate the CEP status. All other requests will be rejected due to the immutability constraint on UID. Fixes: #19931 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 11 January 2023, 16:28:48 UTC
0ac8c4c gha: Bump k8s version in kind conformance tests This commit is just to bump k8s version from 1.19 to 1.26.x in both conformance tests (i.e. ipv4 and ipv6). No point running the test on EOL k8s version (e.g. 1.19). This is suggested in Cilium slack by Timo/ Nicolas/Andre/Chance. PodSubnet CIDR is increased from /64 to /48, so that each node will be able to allocate .spec.podCIDR with /64 CIDR range. Without this change, there will be no .spec.podCIDR/podCIDRs for worker node, which will cause below issue in Cilium pod. Another change in kind-config* is to upgrade kubeadm InitConfiguration version from v1beta2 to v1beta3, which is to make sure that no taint setting is working for control-plane as expected.

```
level=debug msg="stopped waiting for caches to be synced" kubernetesResource="core/v1::Node" subsys=k8s
level=info msg="Retrieved node information from kubernetes node" nodeName=kind-worker subsys=k8s
level=warning msg="Waiting for k8s node information" error="required IPv6 PodCIDR not available" subsys=k8s
```

Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 January 2023, 16:25:52 UTC
47eae08 bpf: Return better error codes from hooked syscalls When a syscall is rejected in BPF, by default the error code returned is -EPERM. Set more appropriate codes explicitly in the remaining places. The new error codes are chosen according to the documented possible return values of connect() and bind() syscalls in their corresponding man pages. When there is no health service to connect, ECONNREFUSED is returned. When map_update_elem returns an error (should only happen if max_entries is exceeded), ENOBUFS is returned, which is the closest error from the man page that indicates some internal error of the implementation: `Insufficient resources were available to complete the call`. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 11 January 2023, 16:24:40 UTC
274614f build: Avoid re-building when building docs from the main Makefile Plain `make` builds twice as Documentation/Makefile also builds in the main directory. Avoid this by passing `SKIP_BUILD` from the main Makefile to make in Documentation. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 10 January 2023, 19:56:16 UTC
0d3a374 build(deps): bump actions/cache from 3.0.11 to 3.2.3 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.11 to 3.2.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7...58c146cc91c5b9e778e71775dfe9bf1442ad9a12) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 10 January 2023, 19:54:42 UTC
08c0e5e go.mod, vendor: bump sigs.k8s.io/controller-runtime to v0.14.1 This was bumped to an unreleased version as part of db7c577595db ("go.mod, vendor: drop client-go from replace directives") to fix a build failure when bumping to a newer client-go version and its respective transitive dependencies. Now that a new version of controller-runtime is released, bump to that version to allow dependabot to take care of future updates. Signed-off-by: Tobias Klauser <tobias@cilium.io> 10 January 2023, 19:39:13 UTC
a064973 bpf: test: fix xdp_lb4_forward_to_other_node test The test is meant to check that a TCPv4 packet addressed to FRONTEND_IP:FRONTEND_PORT gets DNATed to BACKEND_IP:BACKEND_PORT and TXed back out. But right now we actually assert that the destination port *doesn't* get DNATed, and the test still works! The reason is that the .frag_off field in the IPv4 header isn't built correctly (it has the wrong endianness), so the LB code in lb4_xlate() believes that the packet doesn't have a L4 header and consequently also doesn't apply L4 DNAT on the packet. Fix both aspects. df1bc9660746 ("bpf: ported existing unit tests to new testing framework") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 10 January 2023, 19:37:57 UTC
b3747c8 bpf: Change ipcache lookup functions to take ClusterID With Cluster Mesh with overlapping PodCIDR, remote endpoints must be identified using IP + ClusterID. Thus, ipcache lookup must be changed as well. This commit changes function signature and doesn't contain any code to use that. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 10 January 2023, 19:35:15 UTC
0c06864 bpf: Add a new field cluster_id to struct ipcache_key Consume one padding slot and encode cluster_id into struct ipcache_key. This field will be used to lookup tunnel endpoint and security identity of the remote cluster with overlapping PodCIDR. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 10 January 2023, 19:35:15 UTC
afad038 clustermesh: Introduce a new type PrefixCluster Introduce a new type PrefixCluster which holds IP prefix and ClusterID. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 10 January 2023, 19:35:15 UTC
84032bd hubble: Fix panic if IP address cannot be parsed The Hubble code internally still uses the old `net.IP` type. Because of this, when performing an IP lookup in the FQDN cache, we converted Hubble's `net.IP` to `netip.Addr` using `ippkg.MustAddrFromIP` which panics if the `net.IP` is nil. It's not yet clear why `net.IP` would be nil for L7 flows (see linked issue) - but we should avoid a panic if the IP is malformed. This commit fixes this by moving the translation from `net.IP` to `netip.Addr` to the Hubble code. This is a stopgap till we have ported the Hubble subsystem to also use `netip.Addr` internally. This commit is intentionally kept small to ease backporting. Fixes: #22949 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 January 2023, 19:34:08 UTC
a0e201b docs: Update hostfw tuto with ICMP policy rule This commit updates the host firewall getting started guide to also allow ICMP echo requests as part of the initial policy. Suggested-by: Rob Landers <landers.robert@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 10 January 2023, 19:33:42 UTC
2c9c8c1 bpf: Fix LB loopback path with ingress policy When a service backend endpoint connects to itself via its service cluster IP address, the traffic is hairpin'd using a loopback IP address. We skip policy enforcement on egress, as a pod is allowed to connect to itself, and users don't have to specify additional policies to allow the hairpin'd traffic. We have a similar expectation on the ingress side. The ingress side was broken because of a regression due to which replies were dropped on the ingress policy enforcement path. The patch that introduced the regression split per packet load-balancing logic into a separate tail call, where (limited) LB state is stored in packet context, and restored later while handling rest of the packet processing including conntrack, and policy enforcement. When a service pod connects to itself via its clusterIP, post the forward service translation, conntrack state update is done on the conntrack entry with loopback address (the restored state). As a result, when a reply is reverse SNAT'd and DNAT'd, the policy verdict for the `CT_NEW` entry is denied, and the reply packet is dropped. Prior to the regression, the original conntrack entry would have the updated state, and loopback flag set. Fix: When hairpin'd traffic is reverse translated, and sent for a local delivery in case of bpf_lxc, we should directly redirect it to the endpoint, thereby skipping the tail call with ingress policy enforcement altogether. Here is the packet flow - Request path: podA -> clusterIP --> svc xlate (dAddr=podA) --> SNAT using loopback address (saddr=loopback IP) --> conntrack entry created (loopback IP, backend IP) with loopback flag state Reply path: cluster IP -> podA --> svc rev-xlate (saddr=podA address) --> SNAT using loopback (daddr=loopback IP) --> CT_REPLY match --> local_delivery Fixes: 7575ba03cc ("datapath: Reduce from LXC complexity") Signed-off-by: Aditi Ghag <aditi@cilium.io> 10 January 2023, 19:32:13 UTC
f920eb4 fix:networking.k8s.io/v1beta1 for ingress "Ingress in the extensions/v1beta1 API version will no longer be served Migrate to use the networking.k8s.io/v1beta1 API version, available since v1.14. Existing persisted data can be retrieved/updated via the new version." https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ Signed-off-by: yulng <wei.yang@daocloud.io> 10 January 2023, 19:30:18 UTC
7696c16 contrib: Fix GitHub token check to allow fine-grained tokens Classic GitHub tokens can be passed in the HTTP Authorization header in multiple ways, including as the username or as the password in Basic authentication. However, beta "Fine-grained personal access tokens" are not accepted as the username, which breaks the check in gitlib.sh. For the purpose of that check, pass the token as the password, allowing both classic and beta tokens to pass the check. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 10 January 2023, 19:29:32 UTC
4ca3856 node: Remove node deletion when stopping and wait for background workers NodeManager's Stop() was earlier only used by tests, so its behavior was to clean up datapath state by calling NodeDelete for each node. This is not the desired behavior, as we want to preserve the datapath state when shutting down in order to not disrupt connectivity. This cleanup behavior was never used in any tests, and prior to this it was only triggered by control-plane tests via a call to Daemon.Close(), so it's safe to remove this. In addition, Stop() did not wait for the backgroundSync() goroutine to exit in Stop(). Fix this by using workerpool. Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 January 2023, 19:27:42 UTC
ee006f7 hive: Drop left-over debug printf When printing the lifecycle hooks a left-over debug print appeared if a start function was not defined in a hook: "{<nil> 0x223af60} not defined". Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 January 2023, 19:27:42 UTC
4ee40a2 node: Add cell for node manager Dropped the unused selector cache and policy triggerer from node manager and moved the node handler subscription out from the manager creation. NodeDiscovery no longer needs to Close() the NodeManager as this is now done by a stop hook in NodeManager. Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 January 2023, 19:27:42 UTC
8402fd3 endpointmanager: Add endpointmanager.Cell This moves the creation of the endpoint manager from daemon.go into pkg/endpointmanager/cell.go. Signed-off-by: Jussi Maki <jussi@isovalent.com> 10 January 2023, 19:27:42 UTC
671acce ci/multicluster: Rely on CLI feature detection for L7 tests WireGuard does not work with L7 proxy. Therefore, we manually disabled the L7 tests when running WireGuard-based connectivity tests. However, since Cilium CLI v0.12, it now auto-detects the presence of L7 policy support and skips the affected tests automatically. Therefore, there is no need to exclude those tests manually anymore. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 January 2023, 19:27:11 UTC
920c8ca ci/multicluster: Re-enable WireGuard testing PR cilium/cilium#21080 fixed WireGuard connectivity issues when using kvstore mode. This likely also affected clustermesh, as WireGuard was previously flaky in the clustermesh / multicluster conformance tests workflow. This commit re-enables the WireGuard-based connectivity test. Fixes: #18699 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 10 January 2023, 19:27:11 UTC
a0a04db iptables: skip reverse IP lookup When listing a table or chain with '-L', iptables will by default try to perform a reverse IP lookup for each IP referenced in the ruleset that is being listed. This adds a useless dependency on DNS, which can lead to an increased initialization time for the agent in case the DNS server is slow to respond. As the reverse lookup is not needed, switch to the '-S' command, which does not perform any reverse lookup. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 10 January 2023, 19:26:37 UTC
479fb7d make fsnotify event more readable Signed-off-by: yulng <wei.yang@daocloud.io> 10 January 2023, 19:25:20 UTC
c2d08c6 build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.10.0 Bumps [github.com/osrg/gobgp/v3](https://github.com/osrg/gobgp) from 3.5.0 to 3.10.0. - [Release notes](https://github.com/osrg/gobgp/releases) - [Changelog](https://github.com/osrg/gobgp/blob/master/.goreleaser.yml) - [Commits](https://github.com/osrg/gobgp/compare/v3.5.0...v3.10.0) --- updated-dependencies: - dependency-name: github.com/osrg/gobgp/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 10 January 2023, 19:24:57 UTC
a0eeb41 Update Documentation/operations/upgrade.rst Co-authored-by: Quentin Monnet <qmonnet+github@qoba.lt> Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 10 January 2023, 19:24:07 UTC
fb98a03 Add upgrade note for hubble_policy_verdicts_total now listing L7 flows Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 10 January 2023, 19:24:07 UTC
9144bb7 feat(hubble): add L7 protocol to verdict metric match label Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 10 January 2023, 19:24:07 UTC
469c0a5 feat(hubble): add L7 verdicts to hubble_policy_verdicts_total metric Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 10 January 2023, 19:24:07 UTC
91d52e4 Fix crash of CES queue delay metric when CESTracker is nil Avoid operator crashing from trying to access a field of a nil CESTracker. This can happen rarely with two consecutive CEP deletions that belong to the same CES. While the first CES update is being processed, the second CEP deletion causes the CES in cache to become empty, and CES update gets enqueued anyway, before the first CES update is finished. The first CES update then deletes CES tracker as the CES has 0 CEPs in it. Finally, the second CES update runs into the error. Signed-off-by: Dorde Lapcevic <dordel@google.com> 10 January 2023, 19:23:47 UTC
d7fc290 k8s: Add node-role.kubernetes.io/control-plane taint This new node-role.kubernetes.io/control-plane taint replaced the old one, node-role.kubernetes.io/master, mainly for promoting inclusive language. From k8s 1.26+ onward, the old taint is no longer working. Related docs: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#removed Relates: #22893 Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 January 2023, 19:23:20 UTC
4b4d1eb cilium, testing: Extend NAT46x64 test suite with GW enabled We have only been testing the NAT46/NAT64 in relation to services but without the new gateway code enabled. Extend the curl tests also under --enable-nat46x64-gateway=true setting since they must continue to function there. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 January 2023, 16:45:11 UTC
2b58e0f datapath: Remove 2005 route table This commit fixes an L7 ingress policy problem when a pod is reached directly from an outside cluster client and cilium-agent is running w/o the endpoint routes mode. Let's consider the following L7 netpol: apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy metadata: name: foobar spec: description: "Allow to GET on echo from outside" endpointSelector: matchLabels: kind: echo ingress: - fromEntities: - "world" toPorts: - ports: - port: "8080" protocol: TCP rules: http: - method: "GET" path: "/$" When the netpol is applied, accessing the `echo` pod from outside the cluster fails with: xx drop (Stale or unroutable IP) flow 0xf863e34e to endpoint 0, file bpf_host.c line 665, , identity 28143->unknown: 10.0.1.49:80 -> 192.168.34.1:32884 tcp SYN, ACK The drop is triggered by https://github.com/cilium/cilium/blob/v1.12.3/bpf/bpf_host.c#L626. What happens is that the L7 proxy sends the SYN-ACK, which gets handled by `bpf_host @ cilium_host`, and then dropped.
See the simplified `pwru` output (ifindex=9 is `cilium_host`): ip_local_out mark=0xa00 ifindex=0 10.0.1.49:80->192.168.34.1:32884 __ip_local_out mark=0xa00 ifindex=0 10.0.1.49:80->192.168.34.1:32884 nf_hook_slow mark=0xa00 ifindex=0 10.0.1.49:80->192.168.34.1:32884 ip_output mark=0xa00 ifindex=0 10.0.1.49:80->192.168.34.1:32884 nf_hook_slow mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 rmor_ipv4_postroute mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 ip_finish_output mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 oup_bpf_run_filter_skb mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 __ip_finish_output mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 ip_finish_output2 mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 dev_queue_xmit mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 __dev_queue_xmit mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 tcf_classify mark=0xa00 ifindex=9 10.0.1.49:80->192.168.34.1:32884 skb_ensure_writable mark=0x0 ifindex=9 10.0.1.49:80->192.168.34.1:32884 kfree_skb mark=0x0 ifindex=9 proto=8 9:80->192.168.34.1:32884 The packet is sent to the `cilium_host` because of the mark and the following IP rules / routes: $ ip rule list ... 10: from all fwmark 0xa00/0xf00 lookup 2005 $ ip route show table 2005 default via 10.0.1.116 dev cilium_host 10.0.1.116 dev cilium_host scope link One fix was to extend the troublesome check https://github.com/cilium/cilium/blob/v1.12.3/bpf/bpf_host.c#L626 by allowing proxy replies to `WORLD_ID`. However, Paul Chaignon did some archaeology, and discovered that the 2005 routing table was actually introduced because of historical reasons. The commit which introduced the 2005 is https://github.com/cilium/cilium/commit/f89a22ca779202e9180db40f389e2d677c767fab, and it says: This allows to route all packets from proxies through cilium_host regardless of their destination.
The BPF program attached to cilium_host can then perform the proxy reverse translation and route accordingly. According to Paul: Checking the code from back then we do find a reverse_proxy function in bpf_netdev.c. That function was later removed by Jarno and replaced by TPROXY use with a commit (https://github.com/cilium/cilium/commit/d65adf83f8be1d6d07f63a9b1e8a8197bfe7ae0e) that sheds some light on what's going on here. So my understanding is that, back then, we weren't using TPROXY and were modifying the 4 tuple to redirect to proxy manually. Thus, on the return traffic we needed to do the reverse operation. That was needed for all return traffic regardless of the client's origin. The rule is here to ensure that even traffic originated outside the cluster sees its return proxy traffic going through cilium_host, to pass through reverse_proxy. Based on the above, the 2005 route table is not needed. Thus, we can fix the original issue just by removing the table. Suggested-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 January 2023, 16:10:28 UTC
ad11484 bpf: Fix CB_NAT_46X64/CB_SRC_LABEL collision Remap CB_NAT_46X64 to CB_IFINDEX as it does collide in some cases with CB_SRC_LABEL inside nodeport_lb6(): [...] ctx_store_meta(ctx, CB_NAT_46X64, 0); ctx_store_meta(ctx, CB_SRC_LABEL, src_identity); ep_tail_call(ctx, CILIUM_CALL_IPV6_NODEPORT_NAT_INGRESS); return DROP_MISSED_TAIL_CALL; The issue has been observed in case of IPv4 frontend and IPv6 backend address. When the IPv6 reply from remote comes back to the gateway, then src_identity is 2 (world), and therefore CB_NAT_46X64 becomes true later on in the tail call even though it's not supposed to be. This has been observed in tc BPF while XDP BPF kept functioning given in tc BPF we extract identities in bpf_host: [...] case bpf_htons(ETH_P_IPV6): identity = resolve_srcid_ipv6(ctx, identity, from_host); ctx_store_meta(ctx, CB_SRC_LABEL, identity); [...] case bpf_htons(ETH_P_IP): identity = resolve_srcid_ipv4(ctx, identity, &ipcache_srcid, from_host); ctx_store_meta(ctx, CB_SRC_LABEL, identity); [...] The CB_IFINDEX does not collide with NAT46x64 given in case of LB it's only used in case of DSR to transfer IPv4/IPv6 service address info via tail call, whereas NAT46x64 gateway only operates in SNAT mode. Reproducer: # ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=true \ --datapath-mode=lb-only --bpf-lb-algorithm=maglev --bpf-lb-maglev-table-size=2039 \ --bpf-lb-acceleration=disabled --devices=enp5s0 --disable-envoy-version-check=true \ --enable-nat46x64-gateway=true The --enable-nat46x64-gateway must be enabled for this to trigger. # ./cilium/cilium service list ID Frontend Service Type Backend 2 2.2.2.2:80 ExternalIPs 1 => [2a03:2880:f11c:8183:face:b00c:0:25de]:80 (active) Before fix: # curl -4 --verbose http://2.2.2.2:80 * Trying 2.2.2.2:80... * TCP_NODELAY set < fail > After fix: # curl -4 --verbose http://2.2.2.2:80 * Trying 2.2.2.2:80... 
* TCP_NODELAY set * Connected to 2.2.2.2 (2.2.2.2) port 80 (#0) > GET / HTTP/1.1 > Host: 2.2.2.2 > User-Agent: curl/7.68.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 301 Moved Permanently < Location: https://2.2.2.2/ < Content-Type: text/plain < Server: proxygen-bolt [...] Reported-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 January 2023, 13:32:09 UTC
f9af2df bpf: Clean up CB identity/label usage CB_SRC_IDENTITY is defined as 0 in nodeport header. This is actually the same as CB_SRC_LABEL defined in common.h. Clean this up to make it more obvious. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 10 January 2023, 13:32:09 UTC
5af4a0e feat: deleted the pods that are not unmanaged by Cilium Set operator to remove the label of a pod that existed before the node taint 1. Delete the specified label pod according to the parameter --pod-restart-selector, default value is k8s-app=kube-dns 2. --pod-restart-selector="" Remove all pods Fixes: https://github.com/cilium/cilium/issues/21594 Signed-off-by: tigerK <yanru.lv@daocloud.io> 10 January 2023, 10:52:22 UTC
baf7f34 datapath: Fix L7 ingress with XDP Fredrik Björkman has reported that the BPF L7 Ingress (and thus Gateway API) does not work when Cilium's XDP is enabled. A quick glimpse into the nodeport_lb4/6 revealed that in the case of an L7 service the ctx_redirect_to_proxy_hairpin_ipv4/6() is called. The latter invokes the ctx_redirect() to the cilium_host. Unfortunately, the redirect does not work when called from the bpf_xdp, as the cilium_host doesn't have any XDP prog attached. Fix this by offloading the L7 handling to the bpf_host at the TC BPF ingress. Reported-by: Fredrik Björkman <fredrik.bjorkman1@ingka.ikea.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 10 January 2023, 08:48:59 UTC
5b9188b k8s/watchers: Adjust CNP handlers to set ProcessStartTime for PolicyAdd This commit adjusts the add and update event handlers of the CNP watchers to allow the PolicyImplementationDelay metric to track how long it takes for a CNP to be applied to an endpoint from the time the policy is first received from the API server. Before this commit, PolicyImplementationDelay tracked the time for a CNP to be applied to an endpoint from the start of the daemon's policyAdd function (see daemon/cmd/policy.go). The advantage of this change is that more insight is gained into the amount of time it takes for a CNP to be applied. The daemon's policyAdd function does not represent the full picture in applying a CNP, and can be considered fairly arbitrary from a user perspective. The downside to this change is that, since the surface this metric covers is larger, more work might need to be done while debugging to determine where delay is being introduced. Additionally, users monitoring PolicyImplementationDelay will probably notice a confusing bump in the metric after applying this commit. Also note, this change does not make PolicyImplementationDelay 100% accurate in tracking the time a policy is first received to when it is applied to an endpoint. This is because the initial start time is tracked within event handlers, rather than in the controllers' process loop (defined in pkg/k8s/informer/informer.go). Adjusting the process loop to track receive times would require changes across all watchers, with little gain, since the delay between when a policy is received to when it is sent to an event handler is largely determined by the upstream k8s client-go tools cache Controller implementation. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 09 January 2023, 18:58:17 UTC
7fd7e76 daemon/cmd: Add ProcessingStartTime to policy AddOptions This commit adds a new option in the policy AddOptions to pass a start time to be used in calculating the duration for PolicyImplementationDelay. Beforehand, the start time for this metric was set during the start of the daemon's policyAdd function, which prevents tracking policy implementation times from other points in the agent, such as when a policy is received from the API server by a watcher. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> 09 January 2023, 18:58:17 UTC
81bd556 Parse the IP address passed as CIDR notation from delegated ipam Fixes #22917 Signed-off-by: vipul-21 <vipul21sept@gmail.com> 09 January 2023, 18:04:09 UTC
e6c1c9b Docs: Fix kubernetes version which isn't emphasized The version is intended to be emphasized, but wasn't. Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 09 January 2023, 16:29:30 UTC
2633e87 remove export from shell session to avoid inconsistency. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> 09 January 2023, 16:28:53 UTC
9f27973 bpf: lb: fix check for L3 pseudo-hdr csum update in lb6_xlate() We never pass NULL for the csum_off pointer, so right now this check just always succeeds. But comparing to lb4_xlate(), we actually want to test csum_off->offset before updating the L3 pseudo-hdr csum in the L4 header. Looking at csum_l4_offset_and_flags(), this change fixes an issue for SCTP over IPv6. There we intentionally set csum->offset as 0 to opt out from the pseudo-header csum update. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 09 January 2023, 16:27:56 UTC
09f8740 pkg/maps: fix maps being initialized before config is parsed. Package-global declared maps will be initialized prior to the cilium config being parsed. Thus, in some cases map events would always be set to enabled=false. This moves access to maps via a function that forces init of the map upon first use. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 09 January 2023, 16:27:22 UTC
81dd830 pkg/maps,pkg/defaults: allow configuring map events on several maps. Several maps that had caching did not expose the option to configure bpf map events. This enables map events for those maps, and configures the default config map to include. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 09 January 2023, 16:27:22 UTC
e0eaa66 Optimize the comparison mode of bool judgment Signed-off-by: Fish-pro <zechun.chen@daocloud.io> 09 January 2023, 16:26:47 UTC
80af06e fix:'go routine' should be 'goroutine' Signed-off-by: yulng <wei.yang@daocloud.io> 07 January 2023, 00:46:36 UTC
624677e build(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/9782bd6a9848b53b110e712e20e42d89988822b7...9bc31d5ccc31df68ecc42ccf4149144866c47d8a) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 06 January 2023, 21:00:26 UTC
fda3667 docs: Document internalTrafficPolicy-related changes in the upgrade guide Pull request #21871 introduced a few minor behavioral changes and fixes. Document them in the upgrade guide for Cilium 1.13. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 06 January 2023, 21:00:08 UTC