https://github.com/cilium/cilium

Revision Author Date Message Commit Date
8788ff7 wip 03 December 2020, 13:21:15 UTC
8bf3ed8 ci: Enable NFS for Runtime tests Signed-off-by: Paul Chaignon <paul@cilium.io> 30 November 2020, 10:10:45 UTC
a77842b test: Avoid use of install with NFS Running the Runtime tests in CI with NFS enabled currently fails because 'install' reports a permission error when trying to change permissions of cilium.conf.ginkgo. This commit switches 'install' for 'chmod' which works fine. The reason for this error is that 'install' relies on the fsetxattr(2) system call to change the permissions and, as pointed by Quentin, there is no support for Extended File Attributes in NFS [1]. 'install' therefore fails whereas 'chmod', which relies on fchmodat(2) works fine. That bug wasn't found when running the Runtime test with NFS locally because, for local tests, a different implementation of RenderTemplateToFile() is used, one that does not rely on 'install'. 1 - https://tools.ietf.org/html/rfc8276 Signed-off-by: Paul Chaignon <paul@cilium.io> 30 November 2020, 10:10:45 UTC
81dc19b bpf: Don't compile unused BPF sections When we load a BPF program in the kernel, tc loads the entire object file, meaning it attempts to load each BPF program found in the object file. In some cases (e.g., ICMPv6 code in bpf_xdp.o), we include BPF program as sections in the object file even though we never tail call to them. This commit fixes it by ensuring we only compile those sections if they are needed. This also fixes a failure to load bpf_xdp on 4.19 when compiled with our MAX_LB_OPTIONS options combination: ENABLE_IPV4 ENABLE_IPV6 ENABLE_HOST_SERVICES_TCP ENABLE_HOST_SERVICES_UDP ENABLE_IPSEC. Signed-off-by: Paul Chaignon <paul@cilium.io> 30 November 2020, 10:10:23 UTC
7e8cc0e lint: Enforce unused linter This commit is to enforce unused linter to avoid similar issue in future. Signed-off-by: Tam Mach <sayboras@yahoo.com> 30 November 2020, 10:07:32 UTC
966071b cleanup/unused: Remove un-used code in codebase This commit is to remove un-used methods and params in code base. Signed-off-by: Tam Mach <sayboras@yahoo.com> 30 November 2020, 10:07:32 UTC
fc4a476 ci: change manifest path for perf test These tests failed because default manifest path was wrong. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 30 November 2020, 10:02:15 UTC
89c0f08 bpf, cilium: add IPIP for DSR under XDP in LB-only mode Add a new agent flag for the lb-only load-balancer which is able to select a DSR dispatch method (--bpf-lb-dsr-dispatch). This is used in direct routing for forwarding the original request IPIP encapsulated (v4v4 or v6v6) to the related remote service backend. This is an alternative to the IP option based dispatch which is the current default in the agent. Example invocation: # ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=true \ --datapath-mode=lb-only --bpf-lb-algorithm=maglev \ --bpf-lb-maglev-table-size=65521 --bpf-lb-mode=dsr \ --bpf-lb-acceleration=native --bpf-lb-dsr-dispatch=ipip \ --devices=enp2s0np0 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 27 November 2020, 23:43:50 UTC
1fd0457 bpf: do not create CT entry for forwarding DSR services Not needed here given the reply won't ever be seen on this node, so spare this expensive fast-path overhead (which needs to lock the map) when under DSR. We really only need to track the CT_SERVICE ones to pick an established backend. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 27 November 2020, 23:43:50 UTC
72d2848 monitor, vendor: bump github.com/cilium/ebpf to v0.3.0 Release notes: https://github.com/cilium/ebpf/releases/tag/v0.3.0 Note that this removes MapABI and ProgramABI. The former is used in pkg/monitor. Replace its single use by the respective func now available directly for ebpf.Map. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 27 November 2020, 18:10:08 UTC
fd88d18 daemon_main: fix comments error The option.Confog is replaced with option.Config. Signed-off-by: fankaixi.li <fankaixi.li@bytedance.com> 27 November 2020, 18:08:03 UTC
19a6011 test: use kubectl helper for cilium cleanup in upgrade tests Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 27 November 2020, 18:04:58 UTC
8f20d3b daemon: Postpone ipcache upserts until after policy changes have been regenerated by endpoints. Move ipcache CIDR upserts and releases to the policy reaction queue, where upserts can be executed after regenerations have been completed, i.e. after endpoint policy maps have been updated. This way IP addresses are mapped to newly allocated identities only after endpoint policy maps are ready to classify them. Correspondingly, on deletes the to-be-deleted CIDR identities are first deleted from ipcache so that when they are deleted from endpoint policy maps they are no longer used in classification. Releases of CIDR identities must still be serialized with ipcache upserts via the policy reaction queue so that they are executed in the same order w.r.t. ipcache upserts as policy deletes and adds. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 27 November 2020, 17:55:42 UTC
60bd47f fqdn: Delay ipcache upserts until policies have been updated Add a map for newly allocated identities to ipcache.AllocateCIDR functions that the caller can use to upsert the IPs to ipcache later, after affected endpoint policy maps have been updated. Use this new functionality on the DNS proxy code path, that makes sure that new policy map entries are in place before an IP received from a DNS server is placed in ipcache. This is really straightforward as the logic for waiting was already in place for delaying the forwarding of the DNS response. Policy update path is still allowing ipcache upserts at policy ingestion time rather than waiting for the policy maps to be updated. This means that new, more specific CIDRs (e.g., 10.0.0/24) in policies can still cause momentary drops on traffic currently using a less specific CIDR (e.g., 10.0/16). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 27 November 2020, 17:55:42 UTC
263421a test: quarantine flaking datapathconfig tests on 1.17 this change extends quarantine for k8s-all job to 1.17 k8s version, which will help us checking whether 1.18 job actually fails due to these flakes. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 27 November 2020, 15:41:44 UTC
885a319 daemon: Fix netns usage in kpr privileged unit tests Previously, the SetUpSuite() routine called netns.New(). It expected that the latter only creates a new netns without setting it. However, according to the docs it's not the case: package netns // import "github.com/vishvananda/netns" func New() (ns NsHandle, err error) New creates a new network namespace, sets it as current and returns a handle to it. This meant that we changed the netns before locking the OS thread which could result in other Go runtime threads running in the test netns. Fixes: b059c3185c ("daemon: Add unit tests for device detection") Signed-off-by: Martynas Pumputis <m@lambda.lt> 27 November 2020, 14:42:45 UTC
1eec075 docs: Add missing Jobs to the Jenkins Trigger Phrases table Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 27 November 2020, 14:32:07 UTC
f380dd3 test: Avoid installing Cilium for K8sBandwidth if tests are skipped The overall structure for test K8sBandwidth looks to have been extracted from K8sServices. It works fine but is more complex than necessary and leads to unintended behavior when tests are skipped. This commit simplifies the structure to have a single conditional Context (conditioned on net-next kernel) inside which the three It tests are run. Cilium was also installed with the bandwidth manager enabled *before* the conditional Context. That installation would therefore happen regardless of whether bandwidth tests should actually be skipped, sometimes even leading to flakes on 4.9 kernels [1]. Removing this initial installation of Cilium implies that the test pods are now deployed (once for all tests) before Cilium is installed. We therefore need to wait for the test pods, with a new helper waitForTestPods(), after each re-installation of Cilium. 1 - https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3740/testReport/junit/Suite-k8s-1/16/K8sBandwidthTest_Checks_Bandwidth_Rate_Limiting/ Signed-off-by: Paul Chaignon <paul@cilium.io> 27 November 2020, 14:30:51 UTC
ae069dc hubble/relay: implement observer.GetNodes rpc endpoint Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
f0a5ce9 api/observer: re-generate protobuf code + add stub The new generated code breaks implementations of observer server because they are missing the new GetNodes method. To ensure that every commit compiles on its own, add stubs to implementations of observer server. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
95ff38b api/observer: add GetNodes rpc endpoint This endpoint is intended to be implemented by Hubble Relay to provide information about nodes and their status. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
b614d18 hubble/relay: add version information to status command Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
b07b21a hubble/observer: add version information to status command Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
3f82e21 hubble: add build package to provide hubble server and relay version Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
b188534 api/observer: re-generate protobuf code Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
386964b api/observer: add version field to ServerStatusResponse Knowing about the running version is useful, notably during a cluster upgrade. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 27 November 2020, 12:44:37 UTC
d50075d Complete kube-router documentation BUG: #14152 Kube-router fetches the CIDRs from Kubernetes and thus ipam: cluster-pool configuration does not really work well. This patch clarifies this in the kube-router documentation. Signed-off-by: Manuel Buil <mbuil@suse.com> 27 November 2020, 10:16:13 UTC
1b29044 hubble/parser: Always preserve datapath numeric identity This introduces a check that we do not overwrite the numeric security identity provided by the datapath trace point. Only if the datapath did not provide an identity (i.e. in `FROM_LXC` trace points) do we want to fall back on the identity from the user-space ip cache or endpoint manager. The numeric identity from the datapath can differ from the one we obtain from user-space (e.g. the endpoint manager or the IP cache), because the identity could have changed between the time the datapath event was created and the time the event reaches the Hubble parser. To aid in troubleshooting, we want to preserve what the datapath observed when it made the policy decision. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 27 November 2020, 10:15:40 UTC
acb2daa test: Use NFS by default for test VMs The new K8sVerifier test compiles some Cilium binaries inside the VM, which can lead to 'interrupted system call' errors. Using NFS should fix it by speeding up the filesystem accesses. This commit switches the test VMs to use NFS by default, thereby enabling NFS in our CI. NFS remains disabled in the CI's Runtime tests because it leads to permission errors [1]. 1 - https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/2739/consoleFull Signed-off-by: Paul Chaignon <paul@cilium.io> 27 November 2020, 10:15:10 UTC
9dc8130 Consolidate ec2 client create call Signed-off-by: Vlad Ungureanu <vladu@palantir.com> 27 November 2020, 10:14:29 UTC
816b323 vagrant: Bump all Vagrant box versions These new images include the updated, pre-pulled Docker images: https://github.com/cilium/packer-ci-build/pull/245 Signed-off-by: Paul Chaignon <paul@cilium.io> 27 November 2020, 10:12:53 UTC
6d0a431 .travis: Run race detection builds on master commits only We had to temporarily subscribe to Travis CI because we consumed our 10000 free credits. Our current plan however only allows for two concurrent builds. With four builds per commit, we are constantly running behind, with Travis CI builds now taking longer to be scheduled than it takes our Jenkins tests to finish. Long gone are the days when we considered Travis CI a viable smoke test... This commit attempts to alleviate the issue by running our race detection builds only on master commits. Signed-off-by: Paul Chaignon <paul@cilium.io> 27 November 2020, 10:12:21 UTC
2a3e5d4 cilium: disable bind-protection in kube-proxy free probe mode The probe mode is expected to only run alongside kube-proxy as hybrid. There was confusion that the kube-proxy log was throwing (harmless) warnings to its log that it could not bind sockets to service ports in the hostns. This is due to Cilium performing bind protection right out of the bind(2) syscall with eBPF. To avoid this confusion, defer to kube-proxy to bind sockets instead. This is less efficient and consuming more resources, but if users want to avoid the overhead, they would run kube-proxy free in strict mode anyway where Cilium does the bind protection by default anyway. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 26 November 2020, 17:45:52 UTC
05ac4ac fixing 1 typo in terminology.rst Signed-off-by: Didier Durand <durand.didier@gmail.com> 26 November 2020, 14:05:20 UTC
97f3b48 monitor: merge EndpointCreateNotification and EndpointDeleteNotification The types EndpointCreateNotification and EndpointDeleteNotification contain the same fields. Thus merge them in a single type named EndpointNotification which is used by func EndpointCreateMessage and EndpointDeleteMessage. Because the type is embedded into AgentNotifyMessage the consumer can still determine whether it was a create or delete event based on AgentNotifyMessage.Type. This change will simplify parsing of endpoint create/delete notifications when exposing agent events for Hubble. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 26 November 2020, 14:04:44 UTC
e0e9415 pkg/monitor/agent: Fix cilium typos Signed-off-by: Tom Payne <tom@isovalent.com> 26 November 2020, 01:34:36 UTC
3084181 docs: Fix cilium typos Signed-off-by: Tom Payne <tom@isovalent.com> 26 November 2020, 01:34:36 UTC
e38fd96 helm: Fix description for clustermesh With the `disableEnvoyVersionCheck` option commented out and no subsequent comment for the `clustermesh` option, the autogeneration script was pulling the description for `disableEnvoyVersionCheck` in for `clustermesh`. Fix it by removing the dashes so no description is generated for this particular option. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 21:28:15 UTC
11e38d6 fix/helm: Correct nodeSelector values This commit is to use the correct nodeSelectors in etc, operator and preflight templates. Add deprecated note for .Values.nodeSelector option. Closes #14005 Signed-off-by: Tam Mach <sayboras@yahoo.com> 25 November 2020, 21:23:04 UTC
679f913 kvstore: Fix event watcher serialization When using the watcher in log messages with JSON-based logging, logrus would give up on trying to generate the log message and print this to the logs instead: Failed to obtain reader, failed to marshal fields to JSON, json: unsupported type: kvstore.EventChan Fix it by fixing the JSON serialization tags to the structure to avoid serializing fields that don't make sense to be serialized, and to export the fields that do make sense to be serialized. Manually tested by applying this diff: diff --git a/pkg/kvstore/base_test.go b/pkg/kvstore/base_test.go index e9ee7da296bf..eb5a3548039b 100644 --- a/pkg/kvstore/base_test.go +++ b/pkg/kvstore/base_test.go @@ -292,3 +292,10 @@ func (s *BaseTests) TestListAndWatch(c *C) { w.Stop() } + +func (s *BaseTests) TestFoo(c *C) { + w := ListAndWatch(context.TODO(), "testWatcher2", "foo2/", 100) + c.Assert(c, Not(IsNil)) + + log.WithField(fieldWatcher, w).Fatal("Stopped watcher") +} diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 9989e8db0280..6a651c0c87f4 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -50,7 +50,7 @@ const ( // DefaultLogFormat is the string representation of the default logrus.Formatter // we want to use (possible values: text or json) - DefaultLogFormat LogFormat = LogFormatText + DefaultLogFormat LogFormat = LogFormatJSON ) var ( Fixes: #14028 Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 18:32:28 UTC
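Review bot: In the TestFoo hunk for pkg/kvstore/base_test.go, `c.Assert(c, Not(IsNil))` asserts on the test context `c` instead of the watcher `w` returned by ListAndWatch, so the check can never fail; it should be `c.Assert(w, Not(IsNil))`. The test also ends in `log.WithField(fieldWatcher, w).Fatal(...)` and the second hunk switches DefaultLogFormat to LogFormatJSON, which fits the manual reproduction the message describes but means neither hunk should be merged as-is; a test that marshals the watcher to JSON and asserts that no error is returned would cover the regression without changing the default log format.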
7570d08 test: Quarantine flakes from k8s-all CI pipeline "Check vxlan connectivity with per-endpoint routes" and "Check iptables masquerading with random-fully" are currently failing on the kubernetes-all CI pipeline for most K8s versions. This commit quarantines those tests. The list of K8s versions to exclude was retrieved using the CI dashboard [1]. 1 - https://datastudio.google.com/s/iCx91Z2LNH8 Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2020, 16:44:14 UTC
ff897f7 ci: fix nightly image hubble-perf-test docker repo no longer exists Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 25 November 2020, 15:38:34 UTC
546b464 docs: Improve DNS port documentation Some users had expressed confusion when using non-standard ports in conjunction with DNS policy. Clarify that when there is a k8s service, the CoreDNS / kube-dns port must be the backend port. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 14:59:58 UTC
1eedfb3 Makefile: Remove microk8s prepull script The prepull script was a handy way to force microk8s to pull the new image into the container runtime, but we can also just directly pull it in from microk8s.ctr which simplifies the deployment and prevents issues where some kubernetes image pull problem prevents the image from being imported. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 14:59:27 UTC
dbc1c72 test: Disable the host firewall in Maglev tests Support for the host firewall + Maglev is currently broken due to an excessive BPF program size. This commit explicitly disables the host firewall to avoid tests failing when running with label ci/host-firewall or with env. variable HOST_FIREWALL=1. Related: https://github.com/cilium/cilium/issues/14047 Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2020, 14:59:05 UTC
759dd49 test: Disable the host firewall in endpoint routes tests The host firewall cannot work in combination with per-endpoint routes yet. When opening a PR with label ci/host-firewall, the host firewall is enabled by default in all tests. It must be explicitly disabled in tests with per-endpoint routes to avoid those tests failing. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2020, 14:59:05 UTC
baf84ad bugtool: Add lsmod Module listings can allow figuring out the availability of certain functionality like iptables or aes modules which can be useful when debugging certain types of problems. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 14:58:33 UTC
76e0cfe monitor/api: format agent start timestamp in RFC3339Nano format time.Time.String() may include a monotonic clock reading, e.g. when t is time.Now() which is e.g. the case for the agent start timestamp. The godoc for time.Time.String [1] states: If the time has a monotonic clock reading, the returned string includes a final field "m=±<value>", where value is the monotonic clock reading formatted as a decimal number of seconds. [1] https://golang.org/pkg/time/#Time.String The format including the monotonic clock reading is hard to decode because there is no predefined format string in the stdlib time package. Also, the monotonic clock reading isn't really useful for the agent start timestamp, the walltime clock should be enough. Thus, format the timestamp string in RFC3339Nano format which can easily be decoded using time.Parse(time.RFC3339Nano, t), e.g in the hubble API parser. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 25 November 2020, 14:56:45 UTC
513ae0a monitor/api: fix godoc comments Correct godoc comments for type AgentNotifyMessage and func StartMessage to state the proper name. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 25 November 2020, 14:56:45 UTC
37a41da hubble/observer/types: fix comment for AgentEvent.Message It might contain a monitorAPI.AgentNotifyMessage as emitted by the *Message constructor funcs. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 25 November 2020, 14:56:45 UTC
f35478b ci: Add quarantine capabilities to k8s-all jenkinsfile Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 25 November 2020, 13:35:07 UTC
8470528 test: Disable K8sVerifier on 4.19 and net-next CI pipelines K8sVerifier was mistakenly enabled on 4.19 and net-next in eeecf15 ("test: Collect bpf_*.o artifacts on K8sVerifier failures"). This commit reverts it. Fixes: eeecf15 ("test: Collect bpf_*.o artifacts on K8sVerifier failures") Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2020, 10:53:15 UTC
8704e85 endpoint: Update lock requirement comments Endpoint's Mutex has been renamed as 'mutex'. Update comments to reflect this and also the lock level requirement (Lock for writing, RLock for reading). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 24 November 2020, 19:30:47 UTC
baeb61f endpoint: Add DebugPolicy option Add endpoint DebugPolicy option that, if enabled, logs endpoint policy map update details to /var/run/cilium/state/endpoint-policy.log. The new DebugPolicy option is enabled if the new flag --debug-verbose=policy is set, but can be enabled also independently via: cilium endpoint config <EPID> DebugPolicy=true Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 24 November 2020, 19:30:47 UTC
a3d1f02 checkpatch: update image tag to latest Update the tag for the checkpatch image in order to benefit from the latest changes when running the GitHub actions: The latest image suppresses reports for FILE_PATH_CHANGES to avoid checkpatch to complain when files are added or moved under bpf/ directory. See discussion at https://github.com/cilium/cilium/pull/14088#issuecomment-731035505 Signed-off-by: Quentin Monnet <quentin@isovalent.com> 24 November 2020, 18:11:59 UTC
eeecf15 test: Collect bpf_*.o artifacts on K8sVerifier failures Signed-off-by: Paul Chaignon <paul@cilium.io> 24 November 2020, 18:11:20 UTC
40eba60 test: Define workdir for test-verifier pod Signed-off-by: Paul Chaignon <paul@cilium.io> 24 November 2020, 18:11:20 UTC
ab2fee8 docs: clarify janitor duties Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 24 November 2020, 18:09:37 UTC
bc48d14 bpf/lb: Skip service handling for ICMP packets In case of ICMP{,v6}, a service lookup is performed with a 0 port. No service mapping is found for that port, but it can still lead to unnecessary map lookups and code execution. To avoid that, we can instead return DROP_NO_SERVICE for ICMP{,v6} packets and skip all service handling for that return code. Signed-off-by: Paul Chaignon <paul@cilium.io> 24 November 2020, 18:09:04 UTC
625f82d helm: fix and improve `extraHostPathMounts` for agent and operator - fix reference for host-side path, use `hostPath` instead of `mountPath` - add `type` Fixes: #14132 Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> 24 November 2020, 15:19:31 UTC
6b14c73 ci: Check gke cluster state before selecting it This change adds a check that confirms that GKE cluster is in running state, which prevents build from failing when apiserver is already up, but cluster is still being provisioned. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 24 November 2020, 12:01:57 UTC
5a089ae endpoint: Fix typo in CT clean logic This is a purely cosmetic change. The IPs of the endpoint will only be scrubbed if the CT map already exists, but the variable was named 'created' which is misleading (the opposite meaning). Signed-off-by: Joe Stringer <joe@cilium.io> 23 November 2020, 21:27:43 UTC
f665152 test: Use stable tags instead of :latest We use the latest tag for several of the Docker images in tests. That has two drawbacks: (1) unless imagePullPolicy is specified, we always attempt to pull the image and (2) we will start using new latest images as soon as they are available, which can cause our tests to flake. This commit avoids such use of latest to prefer an equivalent stable tag. When a stable tag did not already exist, 1.0 was created. When a source code repository existed for the image, a 1.0 GitHub release was created. When the source code wasn't available, the 1.0 image tag is simply a copy of current latest tag. Signed-off-by: Paul Chaignon <paul@cilium.io> 23 November 2020, 12:30:20 UTC
0d578a8 docs: Clarify best methods to limit sysdump This commit clarifies the cilium-sysdump methods of limiting the size of the sysdump to ensure the user is aware of the most effective approach. Signed-off-by: Chris Tarazi <chris@isovalent.com> 23 November 2020, 09:52:31 UTC
3631267 docs: Update docs for --since arg for sysdumps Now that https://github.com/cilium/cilium-sysdump/pull/96 has been merged, we no longer have a 30m default for --since. Instead, cilium-sysdump will no longer have time-based default limits; it will default to collecting the entire history. Signed-off-by: Chris Tarazi <chris@isovalent.com> 23 November 2020, 09:52:31 UTC
0611e22 docs: Document --size-limit from cilium-sysdump Signed-off-by: Chris Tarazi <chris@isovalent.com> 23 November 2020, 09:52:31 UTC
00bc0c0 docs: Update testing docs with instruction to run specific tests Signed-off-by: Aditi Ghag <aditi@cilium.io> 23 November 2020, 09:45:52 UTC
f3eacfb .github: Add nilness to GHA checks Suggested-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Joe Stringer <joe@cilium.io> 23 November 2020, 09:18:17 UTC
2282e3f certmanager: Report errors when local read fails nilness complains that the local secret error is hidden: pkg/crypto/certificatemanager/certificate_manager.go:81:33: impossible condition: nil != nil Fix it by unhiding the outer ioErr variable. CC: Jarno Rajahalme <jarno@covalent.io> Fixes: cabf83c70b4c ("crypto: Add local GetSecrets().") Signed-off-by: Joe Stringer <joe@cilium.io> 23 November 2020, 09:18:17 UTC
2e06e25 k8s: Fix version validation function nilness reports: # github.com/cilium/cilium/pkg/k8s/version pkg/k8s/version/version.go:278:9: impossible condition: nil != nil Fix it by reusing the outer err variable. CC: Deepesh Pathak <deepshpathak@gmail.com> Fixes: fb101dfc04dd ("k8s: add coordinationv1 capability check to k8s version package") Signed-off-by: Joe Stringer <joe@cilium.io> 23 November 2020, 09:18:17 UTC
ad865cd helm: Link logo via CDN based on git branch Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
e363b4a helm: Fix documentation URL for v1.10 v1.10 will need more than the first 3 digits of the version semver, it will need the full $major.$minor. Fix this up. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
cb98323 helm: Add artifacthub CRD annotations. Artifact Hub suggests that if we add such annotations to our charts, then they will show up in the Artifact Hub UI somewhere: https://artifacthub.io/docs/topics/annotations/helm/ Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
25f45b5 helm: Remove wellKnownIdentities This option was too specific and doesn't make sense to expose as a user-visible flag in the helm charts. Remove it. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
e2b3707 helm: Remove 'kvstore' option. This was not referenced anywhere else, remove it. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
3f0b81a helm: Fix autogeneration of helm value descriptions These mostly needed '--' at the start for the helm-docs container to pick up the descriptions and render them into the README.md. While we're at it, Remove stuttering via the old go style of typing the variable at the start of the sentence, use full sentences, and remove any comments that were named exactly the same as the variable. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
476133a helm: Improve Cilium helm charts Expand the charts to include other common fields so that external systems can pull & use icons, tags, k8s version support, etc. Furthermore, flesh out the readme so it renders better. While we're at it, add an SVG without the cilium word so that it's more likely to render correctly in a square on external sites. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
b8a9c79 helm: Add LICENSE to charts This should allow external sites to better represent Cilium in artifacts generated from the Helm charts. Signed-off-by: Joe Stringer <joe@cilium.io> 21 November 2020, 01:31:56 UTC
5a12dfc ipam: Remove unnecessary deep copies As a followup from https://github.com/cilium/cilium/pull/13865, this commit removes the unnecessary deep copies and reduces the number of return values. Instead, the copies are replaced by directly dereferencing the pointers, which also takes care of reducing the number of return values as the args are updated directly. Signed-off-by: Chris Tarazi <chris@isovalent.com> 20 November 2020, 20:06:21 UTC
9d3bf0e kvstore: add tests for etcd kvstore ratelimiter Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 20 November 2020, 12:37:53 UTC
948dfcf kvstore: fix ratelimiting for DeleteIfLocked backend operation Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> 20 November 2020, 12:37:53 UTC
c0b6841 agent: Make intent of signaling channels clear and optimize memory When channels are used merely for signalling purposes, use an empty struct as the channel type since the value of the channel is never read. Also, this can help with memory optimizations since the empty struct occupies 0 bytes of storage. Signed-off-by: Aditi Ghag <aditi@cilium.io> 20 November 2020, 10:20:40 UTC
4857e44 cleanup: Removed the unused function and channel Suggested-by: Tobias Klauser <tklauser@distanz.ch> Suggested-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 20 November 2020, 10:20:40 UTC
5495005 docs: Improve visibility limitations docs Signed-off-by: Joe Stringer <joe@cilium.io> 20 November 2020, 10:12:35 UTC
040d79d CODEOWNERS: Split codeowners for the documentation With recent changes to the review process, @cilium/docs was renamed to @cilium/docs-structure to clarify that reviews from that team should focus on the documentation's structure rather than its technical content. Of course, we still need reviews for the technical content. So the next step, implemented in this commit, is to assign each of the different reviewer team their own pages in the documentation. Signed-off-by: Paul Chaignon <paul@cilium.io> 20 November 2020, 10:08:46 UTC
ddb2423 install: Disable operator HA for quick/experimental installs Users who have HA as a requirement can deploy more explicitly via helm and specify the number of replicas they require (--set operator.replicas). Set the default to 1 for the quick installs for trying Cilium out. Fixes: #14089 Signed-off-by: Joe Stringer <joe@cilium.io> 20 November 2020, 09:04:59 UTC
b052272 daemon: Disable parts of Cilium API in LB mode The reason for this commit is to avoid exposing an API for entities that do not exist in LB-only mode such as endpoints and identity. Otherwise, the logs will get polluted with useless messages such as: ``` level=info msg="Delete endpoint request" id="container-id:905e9520571d56b77fb01c8ab01f4f306092f2b6234fa8c5b7538dcfa0a03d11" subsys=daemon level=info msg="API call has been processed" error="endpoint not found" name=endpoint-delete processingDuration="12.37µs" subsys=rate totalDuration="68.216µs" uuid=34c79b54-298f-11eb-969d-0cc47a03f925 waitDurationTotal="41.669µs" level=info msg="Processing API request with rate limiter" name=endpoint-delete parallelRequests=4 subsys=rate uuid=34d60724-298f-11eb-969d-0cc47a03f925 level=info msg="API request released by rate limiter" name=endpoint-delete parallelRequests=4 subsys=rate uuid=34d60724-298f-11eb-969d-0cc47a03f925 waitDurationTotal="39.987µs" ``` Fixes: https://github.com/cilium/cilium/issues/14086 Signed-off-by: Chris Tarazi <chris@isovalent.com> 20 November 2020, 07:50:06 UTC
589bfe9 Update README with jsdelivr for Images Signed-off-by: Vigneshwaren Sunder <vickymailed@gmail.com> 20 November 2020, 00:51:24 UTC
57784e3 metrics: add cilium_datapath_nat_gc_entries Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 19 November 2020, 22:50:37 UTC
e4bf8ca metrics: replace replicated "direction" strings with LabelDirection constant Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> 19 November 2020, 22:50:37 UTC
d43d79d pkg/hubble/filters: Remove unnecessary escape Signed-off-by: Tom Payne <tom@isovalent.com> 19 November 2020, 22:49:27 UTC
bbd156a pkg/hubble/filters: Allow underscores in FQDN and node name patterns Signed-off-by: Tom Payne <tom@isovalent.com> 19 November 2020, 22:49:27 UTC
cb9f9eb pkg/hubble: Add NodeNameFilter Signed-off-by: Tom Payne <tom@isovalent.com> 19 November 2020, 22:49:27 UTC
46d979b api/v1/flow: Add node_name field to FlowFilter Signed-off-by: Tom Payne <tom@isovalent.com> 19 November 2020, 22:49:27 UTC
b32d8ff pkg/hubble/filters: Make FQDN filter patterns more robust This commit fixes the following problems in the FQDN pattern compiler: * Only a single trailing dot was stripped. It also refactors the code to make FQDN patterns useable elsewhere and compiles multiple patterns to a single regular expression. Signed-off-by: Tom Payne <tom@isovalent.com> 19 November 2020, 22:49:27 UTC
8835bfa test/Makefile: fix registryCredentials typo Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 19 November 2020, 19:23:51 UTC
c5ed9ae node: Add unit test for node arpinging The unit test checks whether permanent arp entries for a remote node are properly handled, i.e. added upon node update and removed upon node removal. Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 November 2020, 16:05:21 UTC
c6198b1 node: Clean up insertNeighbor() logging * Add missing logfields * Inline neighborLog and get rid of debug statement * Convert the code to be more idiomatic Signed-off-by: Martynas Pumputis <m@lambda.lt> 19 November 2020, 16:05:21 UTC
e3d019d test: Don't wait for network to schedule test-verifier The test-verifier pod needs to run when Cilium is uninstalled and therefore shouldn't wait for the network to be ready to be scheduled to a node. Fixes: 417cded ("test: Move RuntimeVerifier to K8sVerifier") Signed-off-by: Paul Chaignon <paul@cilium.io> 19 November 2020, 16:00:43 UTC
7b041c2 hubble/filters: filter hubble observe TCP flow packets by TCP flags Allows setting filter parameters based on TCP flags. Hubble observe allows one to filter based on several L4/L7 protocols, TCP being one. However, on applying a TCP filter the amount of output from observe is overwhelming since TCP packets are too frequent. This commit allows one to use TCP flags to filter the observed output. This patch allows one to filter TCP flow packets using TCP flags such as SYN, ACK, FIN, RST, URG, CWR, NS, ECE, PSH. ```release-note TCP flags based filter for hubble. ``` Fixes: #12827 Signed-off-by: Rahul Jadhav <nyrahul@gmail.com> 19 November 2020, 13:53:21 UTC