https://github.com/cilium/cilium

Revision Author Date Message Commit Date
46ce2a6 Prepare for release v1.10.18 Signed-off-by: Joe Stringer <joe@cilium.io> 16 December 2022, 10:14:24 UTC
4db9adb fix: correct parsing of multi-option 'key:value's for config options [ upstream commit 3c49e4ac12a3f3625bbf3e6ccbef02b72d669402 ] This fixes support for multi-option 'key:value's used for config options when only a single top-level key-value is provided, such as '--api-rate-limit endpoint-create=rate-limit:2/s,rate-burst:4'. Fixes: #22233 Fixes: 070ded019adb ("cmd: Allow more complicated patterns in map string type.") Signed-off-by: Tim Horner <timothy.horner@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 15 December 2022, 22:52:34 UTC
0876732 build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/a669cc5936cc5e1b6a362ec1ff9e410dc570d190...959cbb7472c4d4ad70cdfe6f4976053fe48ab394) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 15 December 2022, 22:50:56 UTC
38718a5 .github/workflows: use right event type for auto labeler [ upstream commit baeb276a952fd5cfd4507b29a7d9f5eb2a20f3b2 ] A pull_request_target workflow generates pull_request events and not issue events. This was causing all PRs to have the label 'kind/community-contribution' added to them. Also remove the 'synchronize' event type since it's not necessary to re-run this workflow for every push the PR author does. Fixes: 473ddda1e329 (".github: add PR labeler for external contributions") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
54b76fd .github: add PR labeler for external contributions [ upstream commit 473ddda1e3297e2b3af726c245726bb28eeea559 ] Filtering PRs from external contributors will allow committers of the Cilium project to give more attention to those PRs and avoid them getting stale. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
08d9fa3 k8s: don't consider 4xx a successful interaction [ upstream commit ffef1a85efe7f472b4d8f210cfd35e292d98be4a ] While a 404 Not Found or a 409 Conflict can be considered successful interactions with the k8s API, a blanket accept for all 4xx codes is problematic. Since LastSuccessInteraction is exclusively used as an optimisation, we should err on the cautious side: accept the potential increase in heartbeats to avoid missing being unable to effectively communicate with the k8s API. As an example of how this can go wrong, in #20915 we have an issue around receiving 401 Unauthorized from the EKS control plane. At sufficient scale, we never see a need to run the heartbeat. Running the heartbeat, however, would close and reopen the connections on receiving a 401, and thus restore connectivity to the k8s API. We currently only use the LastSuccessInteraction as an optimisation to not perform unnecessary k8s API heartbeats; this "metric" (possibly a misnomer) is not used or exposed and changing its semantics is acceptable. Fixes: f2998b0cc472290ec64068ec15510608778fb431 Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Co-authored-by: Sebastian Wicki <gandro@gmx.net> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
552872f preflight: Fail 'validate-cnp' check for empty to/from endpoints selector [ upstream commit c2d690821b2ffbcdc90702e848c01244996ad9f1 ] Previously, 'validate-cnp' preflight check would log a verbose warning if it detected a CCNP with an empty toEndpoints/fromEndpoints selector and pass the check with the following output: time="2022-11-03T15:50:04Z" level=info msg="Validation OK!" CiliumClusterwideNetworkPolicy=test-empty-endpointselector time="2022-11-03T15:50:04Z" level=info msg="All CCNPs and CNPs valid!" This could be misleading and tempt the user to ignore the warning. The preflight check will now fail with the following output: time="2022-11-03T16:05:30Z" level=error msg="Unexpected validation error" CiliumClusterwideNetworkPolicy=test-empty-endpointselector error="use of empty toEndpoints/fromEndpoints selector" time="2022-11-03T16:05:30Z" level=error msg="Start hook failed" error="Found invalid CiliumClusterwideNetworkPolicy" function="cilium/cmd.validateCNPCmd.func1.1 (preflight_k8s_valid_cnp.go:41)" subsys=hive time="2022-11-03T16:05:30Z" level=info msg="Stop hook executed" duration="21.858µs" function="pkg/k8s/client.(*compositeClientset).onStop-fm (<autogenerated>:1)" subsys=hive time="2022-11-03T16:05:30Z" level=fatal msg="failed to start: Found invalid CiliumClusterwideNetworkPolicy" Fixes: #17471 Signed-off-by: Tim Horner <timothy.horner@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
ef1b44d chore: fix typo in enableCNPWatcher comment [ upstream commit 14babafa97a064d3eda4c9984c0c7f12c619a7dc ] Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
7eca854 operator: rate limit CNP nodes status clean up [ upstream commit f4ff2cece6ae5eb3b8229f88687a66575f22b684 ] When the option `disable-cnp-status-updates` is set to true, the operator, at startup, will garbage collect all stale status nodes updates in CNPs and CCNPs. To avoid an excessive requests rate to the API server, the clean up is rate limited. The requests rate per second and the maximum allowed burst of requests are controlled, respectively, by the two new options `cnp-status-cleanup-qps` and `cnp-status-cleanup-burst`. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
487a244 operator: add a flag to skip CNP status cleaning at startup [ upstream commit c2c66a8ea22206a4fe32d7dc1609e9aeb5584208 ] When the option `disable-cnp-status-updates` is set to true, the operator, at startup, will garbage collect all stale status nodes updates in CNPs and CCNPs. This new option `skip-cnp-status-startup-cleaning` may be used to skip this clean up so as to speed up the operator startup. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
ac953da operator: clear CNP status nodes if updates disabled [ upstream commit 20bd519f2761e9a0235620a534886896014a44a0 ] When the option `disable-cnp-status-updates` is set to true, no policy enforcement update is tracked in CiliumNetworkPolicies. However, if the option was previously set to false, the field status.nodes still contains the last status of each node when the feature was turned off. Currently, the GC in the cilium operator removes status entries only if the relative node has been turned off. Given that these stale updates may hinder scalability for large clusters, we clean up all those entries at startup if `disable-cnp-status-updates` is set to true. Fixes #20231 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
79454f0 operator: use GC controller context while patching CNPs [ upstream commit fdc6d39a68f502385b7055de3e763ff416b57f48 ] Use the context from the GC controller to execute the update queries. Doing so, possible pending queries will be cancelled as soon as the controller context is cancelled. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
f56bc55 operator: fix typos in CNP node status gc [ upstream commit 22ba23e900d9181241c7e8c06123a952e3dab785 ] Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
5574ffb operator: preallocate cnp list backing array [ upstream commit 1b33eadb4990894cfe1c04f27c297c4a77c04cf7 ] The number of returned CiliumClusterwideNetworkPolicies is known in advance, so the preallocation of the backing array will avoid reallocations after the append. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
c5a33d6 docs: add instructions to build the base images from external forks [ upstream commit f3a22e809743c63dce0448195fde267c926ba19c ] When opening a PR to update the base images from external forks, the bot does not have necessary permissions to push the changes into the fork. For those cases the developer should amend the commit locally and push the changes themselves. Fixes: c5a778723a43 ("add auto-commit capability to build base images GH workflow") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
613b8c4 daemon/cmd: Fix error handling for getting proxy port [ upstream commit 366b968266dec387f009bde87ca40541726be0ac ] The error check handling should be done immediately after the GetProxyPort() call, in order to error out as soon as possible. This unchecked error can cascade to code integrations with the Agent and cause potentially difficult to track down behavior. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
d99f3e5 docs: fix deployment resource type output [ upstream commit d5ada3719579a56cd63959e06fc390f4e93742a0 ] Since k8s removed support for the extensions/v1beta1 API version after 1.16, we should update the docs to the latest and stable version. Signed-off-by: cleverhu <shouping.hu@daocloud.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 14 December 2022, 12:07:43 UTC
8bda2cd build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/d0a58c1c4d2b25278816e339b944508c875f3613...6edd4406fa81c3da01a34fa6f6343087c207a568) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:58:19 UTC
6421183 build(deps): bump helm/kind-action from 1.4.0 to 1.5.0 Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](https://github.com/helm/kind-action/compare/9e8295d178de23cbfbd8fa16cf844eec1d773a07...d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 December 2022, 21:54:56 UTC
193731b build(deps): bump github/codeql-action from 2.1.35 to 2.1.36 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.35 to 2.1.36. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b2a92eb56d8cb930006a1c6ed86b0782dd8a4297...a669cc5936cc5e1b6a362ec1ff9e410dc570d190) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 09 December 2022, 13:24:52 UTC
3e2cc03 build(deps): bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 07 December 2022, 20:49:31 UTC
abc9d1d fqdn: dnsproxy: fix forwarding of the original security identity for TCP [ upstream commit cf3cc16289b7621c7b3aff93d7d6eab94b309921 ] In case of TCP this is not enough to do net.Dial + setsockopt(SO_MARK), as in this case TCP SYN will have a wrong identity, e.g.: Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN Here the second message has wrong identity (host). We still allow the traffic, as the origin is local host and the coredns is running on the same host, but this will not work for a remote host if ingress policy doesn't allow remote-node identity. To fix this we need to pass a Control parameter to Dial, so that setsockopt(2) is called before the connect(2). With such a change we now see the correct identity in case of TCP: Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity") Signed-off-by: Anton Protopopov <aspsk@isovalent.com> Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 02 December 2022, 00:33:34 UTC
d35f4e6 fqdn: dnsproxy: fix forwarding of the security identity for cluster mesh [ upstream commit 8264fd4759612014a70fe8983d2defe0785efdae ] The commit 44c1def67854 wrongly forwarded only lower 16 bits of the original identity. This might corrupt identities when cluster-id is not zero (as the cluster-id is encoded in bits 16..23 of the identity) and leads to policy drops due to unknown identity, e.g. xx drop (Policy denied) flow 0xd1a7add4 to endpoint 3966, file bpf_lxc.c line 2032, , identity 47657->157516: 10.2.3.223:55853 -> 10.2.3.206:53 udp (Here the security identity 47657 doesn't exist, as it should actually be equal to 0x10000|47657 = 113193.) Fix this by also storing bits 16..23 of the identity in the skb mark according to the datapath ABI, i.e., skb mark should be equal to (id << 16) | (id >> 16). Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity") Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Anton Protopopov <aspsk@isovalent.com> Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 02 December 2022, 00:33:34 UTC
b0cdf01 build(deps): bump github/codeql-action from 2.1.32 to 2.1.35 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.32 to 2.1.35. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4238421316c33d73aeea2801274dd286f157c2bb...b2a92eb56d8cb930006a1c6ed86b0782dd8a4297) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 01 December 2022, 22:33:26 UTC
94698e2 build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/c4a742cab115ed795e34d4513e2cf7d472deb55f...d0a58c1c4d2b25278816e339b944508c875f3613) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 01 December 2022, 22:33:02 UTC
bd06591 images: update cilium-{runtime,builder} The image digests are not updated. This commit updates the images tags and digests to the right versions. Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 11:39:18 UTC
e5a3956 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 26 November 2022, 00:02:25 UTC
a5a5bb4 chore(deps): update base-images Signed-off-by: Renovate Bot <bot@renovateapp.com> 26 November 2022, 00:02:25 UTC
bb03d95 test: Fail on router IP mismatch warnings [ upstream commit ee4ea1ac21a7a24c46e499168aff1c5aa9d20322 ] We try to restore the router IP both from the filesystem (first) and from Kubernetes objects (as a fallback). If the two IP addresses don't match, we emit a warning. There is no good reason for this to happen in CI so we should fail the test if that warning ever shows up. Doing so would have prevented the flake fixed by the previous commit. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2022, 18:39:30 UTC
95191f5 pkg/nodediscovery: do not use Node annotations when mutating CiliumNode [ upstream commit 1e947e9233e981e257f72d8f54f42ac7b69680f2 ] When using CiliumNode, the agent's source of truth should be the agent itself and not k8s node annotations. Thus we will not use the annotations for the CiliumInternalIP address when generating a CiliumNode from the k8s Node resource. Signed-off-by: André Martins <andre@cilium.io> 25 November 2022, 18:39:30 UTC
93db24f pkg/k8s: do not read k8s node annotations if they are not written [ upstream commit 0696874a932a07f9a5ed2b7a5f7aeb2db0757379 ] When there is an annotation in the k8s node object, the annotation `io.cilium.network.ipv4-cilium-host` is used as the CiliumInternal IP address of the CiliumNode object in [1]. Whenever Cilium is updating any state into the CiliumNode it retrieves all IP addresses from the k8s node, including the ones from annotations, and appends the local node's IP addresses, including the newly correct internal / router IP address, in [2]. Since this is a list, the annotation's IP address is always used first and all other Cilium agents will wrongly use it for any operation. [1] https://github.com/cilium/cilium/blob/927bd8c26904ff92e42c61cec6d00ea8ac062c05/pkg/nodediscovery/nodediscovery.go#L453-L459 [2] https://github.com/cilium/cilium/blob/927bd8c26904ff92e42c61cec6d00ea8ac062c05/pkg/nodediscovery/nodediscovery.go#L474-L489 Fixes: 73d6cae2c906 ("install: default AnnotateK8sNode to false") Signed-off-by: André Martins <andre@cilium.io> 25 November 2022, 18:39:30 UTC
8440619 bpf: Remove FIB lookup for IPsec [ upstream commit 3a650c32f2c36871bce4de8f461a996da1824132 ] When we know the encryption interface, we can jump directly from bpf_host to that interface using bpf_redirect. For that to work, we however need to rewrite the MAC addresses. This is currently done in bpf_host with a FIB lookup to retrieve the MAC addresses. The performance gain we get from that redirect is however expected to be negligible because we already traversed the stack several times for IPsec and we also spent a fair amount of cycles just encrypting the payloads. This commit therefore removes the redirect and related FIB lookup. This change makes the logic for IPsec a little simpler (less error cases without the FIB lookup). It also makes the logic more consistent across setups (the FIB lookup was currently only possible on AKS & GKE). Finally, a later change to IPsec will break the FIB lookup on AKS anyway. Signed-off-by: Paul Chaignon <paul@cilium.io> 25 November 2022, 18:39:30 UTC
99c3404 operator: fix CEP GC [ upstream commit 6c98f152ad9e9d9882bc02840474dd39c04bd1e0 ] When CEP was converted to an internal CEP structure, the UID field was not copied, causing the delete requests of CEPs to have their UID precondition set as empty. When kube-apiserver received this delete request it didn't delete the CEP because an empty CEP UID didn't match an existing UID. Fixes: 6f7bf6c51f7a ("Prevent CiliumEndpoint removal by non-owning agent") Reported-by: Bruno Custódio <bruno@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 25 November 2022, 18:39:30 UTC
02d89e8 .github/workflows: install promtool from binary release [ upstream commit b5f4b7906247f4f71f12f5737fa4b4eb1bb88965 ] `go get` no longer works to install binaries with Go 1.18 and `go install` unfortunately doesn't work due to https://github.com/prometheus/prometheus/issues/8852 and related issues. Thus install promtool from the Prometheus binary release. While at it bump the version to v2.34.0. Signed-off-by: Tobias Klauser <tobias@cilium.io> 24 November 2022, 08:49:25 UTC
38df65d build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3.1.0...83fd05a356d7e2593de66fc9913b3002723633cb) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 23 November 2022, 22:54:52 UTC
8382b01 .github: fix bpf-checks on ubuntu-latest runner [ upstream commit b27208ab092b337d95b29369483474d0fd7f01a1 ] Take the same approach as in 5f7aa03fcc7b (".github: Explicitly set build-commits job runner image version"). [ backporter note: resolved minor merge conflict in build_all job ] Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 23 November 2022, 11:08:50 UTC
dc39aa2 gha: Pin ubuntu-20.04 for conformance-test-ipv6 [ upstream commit 5116f7a0bd178f7761b85341bb7334fc8b2cf902 ] This commit is to avoid ubuntu version drift for runner, till the proper version upgrade is done. Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 23 November 2022, 11:08:50 UTC
b64ed4f .github: Explicitly set build-commits job runner image version [ upstream commit 5f7aa03fcc7b91500a710da708b7273388685ec4 ] github: Install libtinfo5 for clang in build-commits CI job [ backporter note: resolved minor merge conflicts ] Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 23 November 2022, 11:08:50 UTC
e84b8d8 .github/workflows: split the image tag update in two steps [ upstream commit eafc6b189e253123040ec877df8c221b8da78a4f ] If the images are not created, because they are already available in the docker image repository, they will have an empty image digest set and the image tag replacement will wrongly use this empty digest. Fixes: c5a778723a43 ("add auto-commit capability to build base images GH workflow") Signed-off-by: André Martins <andre@cilium.io> 18 November 2022, 23:27:44 UTC
826ab55 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 18 November 2022, 23:27:44 UTC
0cbb393 add auto-commit capability to build base images GH workflow [ upstream commit c5a778723a4394df4926ba37a64334d025f72ed5 ] This commit adds the ability to have automatic commits being pushed for the base images github workflow. This simplifies the build process of the base images as it will no longer require developers to wait and re-push changes. Summary of the changes: - Re-write documentation with the new process - Moved scripts to update tags in the git tree to the respective directories of the images. This is to prevent accidental or malicious changes by third-parties in the script files that could compromise the build process. If the files are modified, it will require an approval from the cilium/build team before the GH action is executed. - Changed CODEOWNERS file to request for a review from the cilium/github-sec team as the scripts are directly used in the GH workflow. - For future reference, this GH auto-committer workflow is using a token created by the machine-learning-apps/actions-app-token GH action and that GH action is using the auto-committer app [1] created exclusively for this purpose. [1] https://github.com/organizations/cilium/settings/apps/auto-committer/permissions Signed-off-by: André Martins <andre@cilium.io> 18 November 2022, 23:27:44 UTC
f4d5195 .github/workflows: remove parallelization in image base builds [ upstream commit 2046ce1788cdf799a242a0c0a6e2f45dfb60507c ] Since the builder image depends on the runtime image we should remove the parallelization of those builds and make them sequential instead. Signed-off-by: André Martins <andre@cilium.io> 18 November 2022, 23:27:44 UTC
47b17ec install: Update image digests for v1.10.17 Generated from https://github.com/cilium/cilium/actions/runs/3490980871. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 17 November 2022, 22:47:06 UTC
856d1a7 images: update cilium-{runtime,builder} Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 16 November 2022, 05:13:46 UTC
e3bbd8b Prepare for release v1.10.17 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 15 November 2022, 16:43:35 UTC
798dab7 docs: Reword note in Azure CNI chaining documentation [ upstream commit b3cd077f711de5d33d0320cd67e1f9487478a383 ] Clarify that Azure CNI chaining is different than Azure CNI Powered by Cilium. Signed-off-by: Will Daly <widaly@microsoft.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 15 November 2022, 04:11:58 UTC
d3dfcc2 Add a section with distro-specific considerations [ upstream commit e121b5d89a65aacc24f01b154afd7c2944557d5b ] Over time we've been accumulating some knowledge about particular Linux distributions and groups of distributions that has gone largely unnoted in our documentation. A good understanding and implementation of these considerations are extremely important to ensure that Cilium runs properly, so this commit attempts at adding a subsection containing this information. Signed-off-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 15 November 2022, 04:11:58 UTC
cdf3de1 docs: Remove autoDirectNodeRoutes where not needed [ upstream commit 34127e6acef82c007a3c492a180c20561d769d6d ] The KPR guide contains the autoDirectNodeRoutes option in most Helm commands, but that option isn't a requirement for KPR subfeatures and may even fail if Kubernetes nodes are not L2-connected. Signed-off-by: Paul Chaignon <paul@cilium.io> 15 November 2022, 04:11:58 UTC
369a3f6 chore(deps): update docker.io/library/alpine docker tag to v3.16.3 Signed-off-by: Renovate Bot <bot@renovateapp.com> 15 November 2022, 04:06:02 UTC
5ac8e2e chore(deps): update module go to 1.16 Signed-off-by: Renovate Bot <bot@renovateapp.com> 15 November 2022, 01:16:40 UTC
989ef6a chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 450e066 Signed-off-by: Renovate Bot <bot@renovateapp.com> 15 November 2022, 01:07:38 UTC
5272ec4 chore(deps): update docker.io/library/golang:1.16.15 docker digest to 5f6a466 Signed-off-by: Renovate Bot <bot@renovateapp.com> 15 November 2022, 00:53:59 UTC
f592e57 build(deps): bump github/codeql-action from 2.1.30 to 2.1.32 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.32. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f...4238421316c33d73aeea2801274dd286f157c2bb) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 15 November 2022, 00:12:07 UTC
7c1076f build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/07db5389c99593f11ad7b44463c2d4233066a9b1...0ad9a0988b3973e851ab0a07adf248ec2e100376) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 14 November 2022, 08:49:48 UTC
9503aa4 build(deps): bump github/codeql-action from 2.1.29 to 2.1.30 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 November 2022, 13:48:00 UTC
03cdb64 build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.28 to 2.1.29. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/cc7986c02bac29104a72998e67239bb5ee2ee110...ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 28 October 2022, 13:47:42 UTC
4c47595 EndpointManager: fix deadlock when releasing an endpoint [ upstream commit 061e55f3fe7f9e0028c7fa779997c22ce9670ae7 ] In high-churn clusters, there can be a three-party deadlock between the EndpointManager, the PolicyRepository, and a given Endpoint. One of the "links in the chain" is merely trying to get the container ID and namespace+name of an Endpoint for logging. Which we already have. So, rather than trying to lock an Endpoint to get its identifiers again, just use the copy we already have. Fixes: dae07b58 (endpointmanager: Remove goroutine for ID release) Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 26 October 2022, 16:43:31 UTC
9b8137e docs: Update k8s NetworkPolicy descriptions [ upstream commit 6fbbbb9469a86d9b5458d995b775d192cd862d8a ] Add some additional notes to highlight how Cilium's k8s NetworkPolicy support works, including: - Egress policies have not been beta for several years. - Port Ranges. [ Backport note: File Documentation/concepts/kubernetes/policy.rst has been renamed into Documentation/network/kubernetes/policy.rst in master branch. ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 26 October 2022, 16:43:31 UTC
4bc72e4 Fixed CCNP garbage collection [ upstream commit 694892c74c1e204ac63cc5e639cda35269367794 ] CCNPs are converted internally into CNPs, but metadata.name has been forgotten. Fixes #21393 [ Backport note: operator/k8s_node.go has been renamed into operator/cilium_node.go, and then into operator/cmd/cilium_node.go in master branch. ] Signed-off-by: Andrey Klimentyev <andrey.klimentyev@flant.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 26 October 2022, 16:43:31 UTC
52c84b4 build(deps): bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.5 to 1.6.0. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.5.5...v1.6.0) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 25 October 2022, 09:28:05 UTC
9ef9318 build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/3cea5372237819ed00197afe530f5a7ea3e805c8...83fd05a356d7e2593de66fc9913b3002723633cb) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 October 2022, 22:55:06 UTC
e7ba9ec build(deps): bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.4 to 1.5.5. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.5.4...v1.5.5) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 October 2022, 22:43:45 UTC
7f02761 build(deps): bump github/codeql-action from 2.1.27 to 2.1.28 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.27 to 2.1.28. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/807578363a7869ca324a79039e6db9c843e0e100...cc7986c02bac29104a72998e67239bb5ee2ee110) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 October 2022, 22:02:29 UTC
b1ccb34 build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/537aa1903e5d359d0b27dbc19ddd22c5087f3fbc...07db5389c99593f11ad7b44463c2d4233066a9b1) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 21 October 2022, 20:51:27 UTC
7920635 build(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/fb598a63ae348fa914e94cd0ff38f362e927b741...9782bd6a9848b53b110e712e20e42d89988822b7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 21 October 2022, 20:51:00 UTC
afa01b8 build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/268d8c0ca0432bb2cf416faae41297df9d262d7f...c4a742cab115ed795e34d4513e2cf7d472deb55f) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 18 October 2022, 17:49:30 UTC
f2d624a build(deps): bump docker/setup-buildx-action from 2.2.0 to 2.2.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/c74574e6c82eeedc46366be1b0d287eff9085eb6...8c0edbc76e98fa90f69d9a2c020dcb50019dc325) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 18 October 2022, 17:09:14 UTC
c4b175d build(deps): bump docker/setup-buildx-action from 2.1.0 to 2.2.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/95cb08cb2672c73d4ffd2f422e6d11953d2a9c70...c74574e6c82eeedc46366be1b0d287eff9085eb6) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 18 October 2022, 00:28:55 UTC
5951ce0 install: Update image digests for v1.10.16 Generated from https://github.com/cilium/cilium/actions/runs/3265642329. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 17 October 2022, 16:38:15 UTC
38cc825 build(deps): bump actions/cache from 3.0.10 to 3.0.11 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1...9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 20:16:16 UTC
53b844c build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/dc7b9719a96d48369863986a06765841d7ea23f6...95cb08cb2672c73d4ffd2f422e6d11953d2a9c70) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 17:22:42 UTC
f71fe5d build(deps): bump docker/login-action from 2.0.0 to 2.1.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/49ed152c8eca782a232dede0303416e8f356c37b...f4ef78c080cd8ba55a85445d5b36e214a81df20a) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 17:21:59 UTC
b1d0d9e build(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.1.1 to 3.2.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/c84f38281176d4c9cdb1626ffafcd6b3911b5d94...c56af957549030174b10d6867f20e78cfd7debc5) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 17:21:37 UTC
2b89b72 build(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](https://github.com/docker/setup-qemu-action/compare/8b122486cedac8393e77aa9734c3528886e4a1a8...e81a89b1732b9c48d79cd809d8d81d79c4647a18) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 17:20:45 UTC
80f0ef2 build(deps): bump dorny/paths-filter from 2.10.2 to 2.11.1 Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 2.10.2 to 2.11.1. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](https://github.com/dorny/paths-filter/compare/b2feaf19c27470162a626bd6fa8438ae5b263721...4512585405083f25c027a35db413c2b3b9006d50) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 13 October 2022, 17:09:08 UTC
dda367e Prepare for release v1.10.16 Signed-off-by: Quentin Monnet <quentin@isovalent.com> 11 October 2022, 20:46:52 UTC
fb9bb0d images: update cilium-{runtime,builder} Signed-off-by: Quentin Monnet <quentin@isovalent.com> 11 October 2022, 12:04:17 UTC
4c12076 ipsec: Simplify UpsertIPsecEndpoint prototype [ upstream commit b1d7882b05556a7f80c39e4e046bb50246586ad3 ] The `fwd` argument of the UpsertIPsecEndpoint function is used as the matching CIDR for the destination in the FWD XFRM policy. That CIDR should always be equal to the local CIDR and we already have that as the first argument of UpsertIPsecEndpoint. Therefore, we don't need the third, `fwd`, argument. This commit removes it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 October 2022, 01:30:12 UTC
c5ef404 ipsec: Remove superfluous FWD XFRM policy [ upstream commit acd24a10e4bed9c21e025b295939dedd91bb748d ] We currently install two FWD XFRM policies: one as part of UpsertIPsecEndpoint when called for the In direction and another one as part of enableIPsec, even though that function already calls UpsertIPsecEndpoint. Only one FWD XFRM policy is needed to match all forward traffic. This commit removes one of the policies. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 October 2022, 01:30:12 UTC
bfc15b3 ipsec: Set 0/0 as source of FWD XFRM policy [ upstream commit 49ef791e3f6b04aa3873481e07038f0b9bcf39bb ] We want the FWD XFRM policy to allow all traffic through so we can simply set its source CIDR to 0.0.0.0/0. Similarly, the source IP used in the template doesn't matter so we can set it to 0.0.0.0 to clarify that to the kernel. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 October 2022, 01:30:12 UTC
6243b2c ipsec: Fix incorrect CIDR in XFRM IN policy for proxy [ upstream commit 3650e7b89d5d7ccf3822be600fdb82bd60a07469 ] When IPsec is enabled, we have one XFRM IN policy with mark 0x200 (proxy redirect) configured to allow proxy traffic through. That is needed because that traffic is redirected through the INPUT netfilter chains and the XFRM lookup as part of TPROXY. In EKS & AKS, the CIDR to match destination IP addresses of those packets is incorrect. Instead of being the CIDR(s) encompassing all pod IP addresses, it's the CIDR for the encryption interface. The IP address from the encryption interface should only be used as the outer destination IP address of IPsec encapsulation, as shown below (/16 to match packets in dst; 116.92 IP address as tmpl dst).

Before:
  src 0.0.0.0/0 dst 192.168.116.92/19
    dir in priority 0 ptype main
    mark 0x200/0xf00
    tmpl src 0.0.0.0 dst 192.168.116.92
      proto esp reqid 1 mode tunnel
      level use

After:
  src 0.0.0.0/0 dst 192.168.0.0/16
    dir in priority 0 ptype main
    mark 0x200/0xf00
    tmpl src 0.0.0.0 dst 192.168.116.92
      proto esp reqid 1 mode tunnel
      level use

This bug was causing packet drops when using IPsec with L7 policies (including FQDN policies). It was introduced by a9f18f36e ("datapath/linux/ipsec: Insert additional In rule when tunneling") which introduced this XFRM IN policy for proxy traffic. This new policy was copied from the XFRM IN policy used to decrypt traffic. But in the XFRM IN policy for decryption it's okay to use this /19 CIDR because it's before decryption & decapsulation so that CIDR will match the outer destination IP address (even a /32 would). That's not the case for the inner packet, after decryption. Fixes: a9f18f36e ("datapath/linux/ipsec: Insert additional In rule when tunneling") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 October 2022, 01:30:12 UTC
cddb982 ipsec: Fix slightly incorrect assumption [ upstream commit ec66f947a57eddc49fb6a447a16db22783da1fe7 ] Commit 592ff13a ("ipsec: Simplify XFRM IN policies") simplified the XFRM IN policies on the assumption that only one of a matching IN policy or IN state is needed (requirement 1 below). Things are actually a bit more complicated: we do need an XFRM IN policy matching incoming packets even if we have an XFRM IN state for that, but any XFRM policy with a template matching the XFRM state is good enough. Said another way, there are two requirements: 1. Either an XFRM IN policy or an XFRM IN state matches the incoming packet. AND 2. If an XFRM IN state matches the packet, that state must also match an existing XFRM IN policy's template. (If the first requirement isn't satisfied, we get XfrmInNoPols. If the second isn't, we get XfrmInTmplMismatch.) Despite the incorrect assumption, commit 592ff13a ("ipsec: Simplify XFRM IN policies") didn't introduce any bug. In 592ff13a, we removed one of the two XFRM policies we had because an XFRM IN state was already matching packets for the second policy. That didn't break requirement 2 because the first policy, which was not removed, has a template that matches the XFRM IN state. Even if there are currently no bugs introduced, a later change may bring a bug because of this incorrect assumption. This commit therefore partially reverts 592ff13a. We keep some of the simplification (setup doesn't depend on tunneling) and revert the rest. We will have two XFRM IN policies again. Fixes: 592ff13a ("ipsec: Simplify XFRM IN policies") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 October 2022, 01:30:12 UTC
f060ffc contrib: avoid reviews from non-collaborators [ upstream commit 5520be196693d7fce495a91fbf21e3838d5e7343 ] submit-backport tried to create a backport PR with reviews from all contributors whose fixes are being backported, including people who do not have collaborator status in the repository. GitHub only allows reviews to be assigned to collaborators, and thus rejected the review assignments. This commit changes submit-backport to filter the review assignments to only include collaborators. Fixes: #21548 Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 October 2022, 11:30:25 UTC
ae812c4 ipsec: Simplify UpsertIPsecEndpoint CIDR arguments [ upstream commit 645da8065170baf7933c18b1b565e02757416e3a ] The previous commit changed the UpsertIPsecEndpoint function as follows:

- UpsertIPsecEndpoint(local, remote, fwd *net.IPNet, ...
+ UpsertIPsecEndpoint(local, remote, fwd *net.IPNet, outerLocal, outerRemote net.IP, ...

The first two CIDR arguments, `local` and `remote`, now don't need to carry the outer IP addresses (moved to `outerLocal` and `outerRemote`). We can therefore change calls to this function so that those two first arguments carry only the CIDR (i.e., changed from e.g. 192.168.56.11/24 to 192.168.56.0/24). As a result, we also don't need to mask those two arguments when we want only the CIDR part. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 October 2022, 11:30:25 UTC
9d8ebd6 ipsec: New arguments for UpsertIPsecEndpoint [ upstream commit 91fdc20faa8496fc57b157db87aad760418329df ] This commit adds two new arguments to UpsertIPsecEndpoint to specify the outer source and destination IP address for IPsec. It doesn't include any functional changes.

- UpsertIPsecEndpoint(local, remote, fwd *net.IPNet, ...
+ UpsertIPsecEndpoint(local, remote, fwd *net.IPNet, outerLocal, outerRemote net.IP, ...

Until now, those two outer IP addresses were carried as part of the first two CIDR arguments, `local` and `remote`. For example, `local` would be equal to 192.168.56.11/24 where 192.168.56.0/24 would be used to match packets in XFRM policies and 192.168.56.11 as the outer IP address in XFRM states. The outer IPs are now in separate arguments and the next commit will change the local and remote arguments to not carry the IPs. Why this change? Because in a subsequent commit, I will need the CIDR and IP arguments to diverge. For example, we will have UpsertIPsecEndpoint calls with `local=0.0.0.0/0` and `outerLocal=192.168.56.11`. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 October 2022, 11:30:25 UTC
66f06ff ipsec: Rename variables in enableIPsec [ upstream commit 3fe791905a098ca5f729933d0a5593c812dc218f ] This commit has no functional changes. It simply renames a few variables in enableIPsec to make their relationships clearer. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 October 2022, 11:30:25 UTC
fd36012 ipsec: Simplify DeleteIPsecEndpoint parameter [ upstream commit 8ae15622379b2b2614eee0864c714f46b3cf66cd ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 October 2022, 11:30:25 UTC
bec4a62 build(deps): bump github/codeql-action from 2.1.26 to 2.1.27 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.26 to 2.1.27. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e0e5ded33cabb451ae0a9768fc7b0410bad9ad44...807578363a7869ca324a79039e6db9c843e0e100) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 08 October 2022, 10:28:53 UTC
f72fa32 fqdn: dnsproxy: properly forward the original security identity [ upstream commit: afa968b111cd9701520b6ebb8f24c0bdfaa62d3d ] [ Backporter's notes: resolved conflicts in pkg/datapath/iptables/iptables.go ] The recent commit 44c1def67854 ("fqdn: dnsproxy: forward the original security identity") wrongly assumed that setting the (SecID << 16 | 0x0F00) magic mark is enough to pass the original identity from the DNS proxy to the tunnel. However, if iptables are installed, this is not the case: the socket mark will be set to 0X0C00 by an iptable rule. Add an exception to this rule to pass the identity. Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 08 October 2022, 04:27:27 UTC
dd733ee fqdn: dnsproxy: forward the original security identity (tunnel case) [ upstream commit: 44c1def67854cd1c4e575828c0824394cbeebb67 ] [ Backporter's notes: conflicts in pkg/fqdn/dnsproxy/proxy.go; besides that had to patch a function due to updated API, nothing functional ] Consider a situation in which a pod, which is also subject to an egress policy, performs a DNS request. This request is redirected to the DNS proxy, which performs address resolution. The DNS proxy runs in the host network namespace, and thus the DNS request has the host identity. In the case when the DNS server is subject to an ingress policy, this request may be denied, because the DNS server will see a request from a 'remote-node' identity. Here is an example configuration which will not let pods labeled woo=hoo access DNS servers running on a different host, while this should be allowed:

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "egress-dns"
spec:
  endpointSelector:
    matchLabels:
      woo: hoo
  egress:
  - toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: "*"
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "ingress-dns"
  namespace: kube-system
spec:
  endpointSelector:
    matchLabels:
      k8s-app: kube-dns
  ingress:
  - fromEndpoints:
    - {}
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP

Patch the DNS proxy to pass the original security identity with the DNS request using the SO_MARK socket option. Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 08 October 2022, 04:27:27 UTC
0653403 vendor: update github.com/miekg/dns to v1.1.50 [ upstream commit 8f377e819b79b2087e0ca4d7ec5ca150c511973e ] [ Backporter's notes: this is not a cherry-pick, but the same process as is described in the description below ] Update the github.com/miekg/dns repository to v1.1.50 (= rebase our fork of the miekg/dns and point to the result in the replace section of the go.mod). Update process: * replace github.com/miekg/dns => github.com/cilium/dns v1.1.51-0.20220729113855-5b94b11b46fc * go mod tidy * go mod vendor Updating the source code breaks build, so patch the pkg/fqdn/dnsproxy/udp.go correspondingly. Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 08 October 2022, 04:27:27 UTC
3ca56c4 fqdn: Upsert all identities to ipcache [ upstream commit e6ad7438357da93e5c5dbf823e71ae349adde61d ] [ Backporter's notes: Conflicts were mostly to convert the methods on (ipc *IPIdentityCache) to the global IPIdentityCache. ] Previously, the logic would only upsert identities into the IPCache if the identity was newly allocated. Logically this makes sense, as the relationship between a CIDR identity and the ipcache should be tightly coupled. However, we have observed in some user environments that ipcache entries may end up being removed from the datapath and the corresponding identity would remain allocated in userspace. As a result, the next time a DNS request arrives which intends to make use of that identity for subsequent connection attempts, it would not populate the ipcache with the identity, leading to packet loss on the connection allowed by ToFQDNs policy. In order to mitigate this issue, ensure that all identities used in DNS responses are populated into the datapath, and track a metric for any cases where this occurs for identities that we expect to already be present in the IPCache. This way, active issues should be mitigated, but we also still have a way to detect whether this mitigation is necessary and whether we need to further investigate the root cause of this issue. Signed-off-by: Joe Stringer <joe@cilium.io> 06 October 2022, 16:27:23 UTC
e9eb48c ipcache: Fix race in identity/ipcache release [ upstream commit 40e13ea2a5a944a45761fc433c4c971536957f4b ] [ Backporter's notes: Conflicts were mostly to convert the methods on (ipc *IPIdentityCache) to the global IPIdentityCache. Also included a lock leak fix (9238841856, "ipcache: Fix lock leak") not in the original commit. ] Create a critical section for identity release + removal from ipcache. Otherwise, it's possible to trigger the following race condition:

Goroutine 1                 | Goroutine 2
----------------------------+--------------------------------------
releaseCIDRIdentities()     | AllocateCIDRs()
-> Release(..., id, ...)    |
                            | -> allocate(...)
                            | -> ipc.UpsertGeneratedIdentities(...)
-> ipc.deleteLocked(...)    |

In this case, the expectation from Goroutine 2 is that a new identity is allocated and that identity is inserted into the ipcache, but the result is that the identity is allocated but the ipcache entry is missing. This is partly because the identity released in goroutine 1 is different from the newly allocated identity in goroutine 2, however goroutine 1 will delete the ipcache entry based on the prefix and not the identity. Therefore it's possible for goroutine 1 to delete the ipcache entry corresponding to the identity allocated in goroutine 2. Note that for balancing the upsert / release, we perhaps should cover the entire allocation + ipcache push in Upsert() with the same locking. However, on upsert there is an optional feature of the API to defer the ipcache upsert to a later point, governed by the caller. There is currently no way to extend the locking over that much longer time period, so we only cover the allocation step there. This should still be safe, as one of the following cases should occur:

Goroutine 1                 | Goroutine 2
----------------------------+--------------------------------------
Lock                        |
Release()                   |
deleteLocked()              |
Unlock                      |
                            | Lock
                            | ipc.allocate()
                            | Unlock
                            | ....
                            | (repeat below)
                            | Lock
                            | Upsert
                            | Unlock

Goroutine 1                 | Goroutine 2
----------------------------+--------------------------------------
                            | Lock
                            | ipc.allocate() (increment refcount)
                            | Unlock
Lock                        |
Release()                   |
(no deleteLocked() due      |
 to refcount from (2))      |
Unlock                      |
                            | ....
                            | (repeat below)
                            | Lock
                            | Upsert
                            | Unlock

Found by code inspection. Suggested-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 06 October 2022, 16:27:23 UTC
8637430 ipcache: Add metrics for upsert/delete/recover [ upstream commit 044cd8f23cc531d7441127a15832c39fc43d159d ] [ Backporter's notes: Minor conflict in pkg/ipcache/ipcache.go ] These errors, total metrics will help users and developers to gather understanding about ipcache operations at runtime. One specific "recover" error that will occur at runtime will be measured in an upcoming commit. This is the primary motivation for introducing these metrics. Signed-off-by: Joe Stringer <joe@cilium.io> 06 October 2022, 16:27:23 UTC
68bd301 build(deps): bump actions/checkout from 3.0.2 to 3.1.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/2541b1294d2704b0964813337f33b291d3f8596b...93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 05 October 2022, 09:48:42 UTC
7e8da0a daemon: avoid nil pointer dereference on invalid endpoint state [ upstream commit 2e36f12f7e23fea5377764c2ff9c969d8ebf34d6 ] In case the call to endpoint.NewEndpointFromChangeModel in (*Daemon).createEndpoint fails (e.g. due to invalid data in the request), the returned *endpoint.Endpoint is nil while err is non-nil. However, invalidDataError is called with ep=nil, leading to a nil pointer dereference in ep.SetState. Fixes: 0d6b7ade8d3f ("endpoint: Add Invalid state") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 04 October 2022, 10:21:36 UTC
0c1d3ca ipsec: Simplify XFRM IN policies [ upstream commit 592ff13ae8f93f18fe78180d91f5b4cb4be02562 ] **TL;DR.** We only need one of an XFRM IN policy or an XFRM IN state to match each packet. This commit removes one superfluous XFRM IN policy and enables some additional simplification as a result. What XFRM IN policy we install currently depends on whether we are running in tunneling mode and with or without endpoint routes:

In tunneling mode:
  XFRM IN policy matching on mark 0x200/0xf00 (for proxy)
  XFRM IN policy matching on mark 0xd00/0xf00 (for decrypt.)
In native routing mode with endpoint routes:
  XFRM IN policy matching on mark 0x200/0xf00 (for proxy)
In all cases, we also have:
  XFRM IN state matching on mark 0xd00/0xf00 (for decrypt.)

The two policies in tunneling mode were introduced by a9f18f36 ("datapath/linux/ipsec: Insert additional In rule when tunneling"). The additional case for endpoint routes was introduced by 3ffe49e1 ("ipsec: Fix L7 with endpoint routes"). Now, I got to wonder how 3ffe49e1 even worked as it was missing an XFRM IN policy for 0xd00 which a9f18f36 suggested was necessary. After some local testing, it turns out that the two XFRM IN policies for tunneling mode are not required. All we need is to have either (1) an XFRM IN policy or (2) an XFRM IN state matching the packets. The XFRM state is needed if we want to decrypt packets; the XFRM policy is needed to not drop packets that don't match an XFRM state. Given we always have an XFRM IN state for packets coming with the decryption mark, we don't need an XFRM IN policy for that. We only need an XFRM IN policy for packets coming with the proxy mark because we don't have a state for those, rightly so as we don't want to decrypt them. This commit therefore removes the XFRM IN policy for decryption. It also removes any dependency on particular options: we will always install the XFRM IN policy for the proxy. It doesn't hurt to have that policy even if not required (e.g., in native routing mode without endpoint routes). **How was this tested?** This change was tested with our Jenkins IPsec tests (including the quarantined one for VXLAN), as well as with GKE and EKS clusters of 3 nodes. In all cases, the connectivity tests were executed and L7 policies were thus covered. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 04 October 2022, 10:21:36 UTC
714bbd3 cmd/bpf: Log if no policy maps found [ upstream commit 41d14997a270faf9a7917e66fcda27776be2bdb8 ] Explicitly log if no policy maps are found to improve debuggability. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 04 October 2022, 10:21:36 UTC
1f795c8 Fix a typo in the comment example [ upstream commit 3e0d6796c251fb5b671f2ff87e8b9c9b62982137 ] It's `log` in the [config.go](https://github.com/cilium/cilium/blob/master/pkg/option/config.go#L988). Also fix the delimiter (the actual cli accepts the space but not a comma). Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 04 October 2022, 10:21:36 UTC
5bc3160 makefile: use versioned go container when formatting after api generate. [ upstream commit 563787ebb318d8cbd756784fbad940ff67c3f368 ] Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 04 October 2022, 10:21:36 UTC