https://github.com/cilium/cilium

Revision Author Date Message Commit Date
814ffce Prepare for release v1.12.0-rc2 Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 16:56:42 UTC
aad47b2 update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 16:56:42 UTC
21e6e6a hubble/relay: Make Peer Service a K8s Service Currently Hubble-Relay builds its client list by querying the Peer Service over the local Hubble Unix domain socket. This goes against best security practices (sharing files across pods) and is not allowed on platforms that strictly enforce SELinux policies (e.g. OpenShift). This PR enables, by default, the creation of a Kubernetes Service that proxies the Hubble Peer Service so that Hubble-Relay can use it to build its client list, eliminating the need for a shared Unix domain socket completely. Helm values and configurations have been added to enable the service in a cilium deployment. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 04 May 2022, 15:16:15 UTC
69726e6 tools: Add maxVersion check for dev-doctor for ginkgo This commit is to add maxVersion check for dev-doctor tool. Also configure maxVersion as 2.0.0 for ginkgo to be consistent with related docs. ``` $ make dev-doctor ... error ginkgo found /home/tammach/go/bin/ginkgo, version 2.1.3, need less than 2.0.0 ``` Signed-off-by: Tam Mach <tam.mach@isovalent.com> 04 May 2022, 14:35:49 UTC
6a329d3 docs: Add requirement for ginkgo version Recently, ginkgo v2 was released and has some breaking changes, such as the one below. Hence, we should update the development docs accordingly. By default, go install github.com/onsi/gingko/ginkgo@latest will only install the latest v1 version, which at the time of writing is v1.16.5. Thanks to @thejosephstevens for highlighting this issue in the development channel. ``` $ ginkgo -h Ginkgo Version 2.1.3 $ ginkgo --focus="Runtime" --tags=integration_tests level=info msg="environment variable \"K8S_VERSION\" was not set; setting to default value \"1.23\"" flag provided but not defined: -ginkgo.timeout Usage of /home/tammach/go/src/github.com/cilium/cilium/test/test.test ... ``` Signed-off-by: Tam Mach <tam.mach@isovalent.com> 04 May 2022, 14:35:49 UTC
f34d856 test: Revert sys-fs-bpf.mount rename Renaming `sys-fs-bpf.mount` to `cilium-sys-fs-bpf.mount` made the mount inoperable, but this surfaced only in backports. Revert the rename to fix this. Prior to the change to use docker for running Cilium in CI runtime tests, all service files (*.*) in `contrib/systemd/` were listed to form a list of services and mounts that need to be enabled and started. As part of this change an alternative `cilium.service` (`cilium.service-with-docker`) was needed. `cilium-operator.service` had to be eliminated from the runtime test setup as well, but these changes should not have any effect on uses other than CI runtime tests. As such we could not delete the old files still needed to run cilium via systemd as before, and it was no longer possible to form the list of services to be enabled and started by listing files in `contrib/systemd`. Instead, the needed files are listed from `/etc/systemd/system/` after they are copied over from `contrib/systemd/` to `/etc/systemd/system/` (with `cilium.service-with-docker` copied over as `cilium.service` and `cilium-operator.service` deleted). We needed a simple way to only list Cilium files from there; this was attempted by making sure all Cilium files have the `cilium-` prefix. The problem with this is that `sys-fs-bpf.mount` does not work when renamed as `cilium-sys-fs-bpf.mount`. As it turns out, systemd mounts encode the path in the name (`sys-fs-bpf.mount` corresponds to path `/sys/fs/bpf`, and `cilium-sys-fs-bpf.mount` would correspond to path `/cilium/sys/fs/bpf`), hence the renamed mount did not work: > Mount units must be named after the mount point directories they > control. Example: the mount point `/home/lennart` must be configured in a > unit file `home-lennart.mount`. For details about the escaping logic used > to convert a file system path to a unit name, see systemd.unit(5). Note > that mount units cannot be templated, nor is it possible to add multiple > names to a mount unit by creating additional symlinks to it. Master branch CI does not need this mount file so this was noticed only in the backports. Fixes: 19310 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 04 May 2022, 14:34:49 UTC
9fef66e bpf: fix selection of Nodeport XDP accel for IPv6 Fix a s/ENABLE_NODEPORT/ENABLE_NODEPORT_ACCELERATION typo, so that the XDP-based acceleration for IPv6 Nodeport only gets compiled when selected. This matches the IPv4 path. Only makes a difference if the XDP program gets loaded for some other feature. Right now that would only be XDP-based CIDR filtering. Fixes: 964c3fb9e609 ("bpf: initial datapath acceleration for nodeport in xdp") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 May 2022, 14:32:34 UTC
bb43425 docs: move sitemap-index.xml to static directory Since the robots.txt file is now used in the 'html_extra_path' we will move the sitemap-index.xml to the static directory. That way robots can access the sitemap-index.xml file directly. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 10:39:25 UTC
970b3da ci: Update Uninstall Command For Cilium CLI The cilium-cli must use the chart directory to properly uninstall cilium. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 03 May 2022, 23:42:21 UTC
1c72198 maglev: fix TestPermutations backend generation Before this patch, the backend generation code was buggy and would generate twice as many backends as wanted. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 03 May 2022, 15:37:08 UTC
85c2e3c build(deps): bump azure/login from 1.4.3 to 1.4.4 Bumps [azure/login](https://github.com/azure/login) from 1.4.3 to 1.4.4. - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/1f63701bf3e6892515f1b7ce2d2bf1708b46beaf...ec3c14589bd3e9312b3cc8c41e6860e258df9010) --- updated-dependencies: - dependency-name: azure/login dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 May 2022, 14:28:02 UTC
90c0d62 clustermesh: fix: nil pointer dereference ... while clustermesh-apiserver is starting and a new CEW with identity 0 already exists in etcd In the original implementation clustermesh-apiserver and etcd are running in separate containers within one pod. So a new empty etcd is created while clustermesh-apiserver is starting. In our use case we use an existing etcd which is shared with cilium-agent. The error below has been occurring when a new CEW resource was already applied into kubernetes and cilium-agent was already started on the related external workload machine while clustermesh-apiserver was not deployed yet. $ ./clustermesh-apiserver --cluster-id=12 --cluster-name=uacl-test --k8s-kubeconfig-path ../../uacl/uacl-test.kubeconfig --kvstore-opt etcd.config=../../uacl/etcd.config level=info msg="Started gops server" address="127.0.0.1:9892" subsys=clustermesh-apiserver level=info msg="Starting clustermesh-apiserver..." cluster-id=12 cluster-name=uacl-test subsys=clustermesh-apiserver level=info msg="Establishing connection to apiserver" host="https://uacl-test-api.test:31243" subsys=k8s level=info msg="Connected to apiserver" subsys=k8s level=info msg="Waiting until all Cilium CRDs are available" subsys=k8s level=info msg="All Cilium CRDs have been found and are available" subsys=k8s level=info msg="Initializing identity allocator" subsys=identity-cache level=info msg="Creating etcd client" ConfigPath=../../uacl/etcd.config KeepAliveHeartbeat=15s KeepAliveTimeout=25s RateLimit=20 subsys=kvstore level=info msg="Started health API" subsys=clustermesh-apiserver level=info msg="Connecting to etcd server..." config=../../uacl/etcd.config endpoints="[https://uacl-test-api.test:30108]" subsys=kvstore level=info msg="Got lease ID 320f7d7b1f23bc32" subsys=kvstore level=info msg="Got lock lease ID 320f7d7b1f23bc34" subsys=kvstore level=info msg="Initial etcd session established" config=../../uacl/etcd.config endpoints="[https://uacl-test-api.test:30108]" subsys=kvstore level=info msg="Successfully verified version of etcd endpoint" config=../../uacl/etcd.config endpoints="[https://uacl-test-api.test:30108]" etcdEndpoint="https://uacl-test-api.test:30108" subsys=kvstore version=3.4.16 panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1919aa3] goroutine 213 [running]: github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).keyPath(0x0, {0x7f349c122c38, 0xc000a7e240}) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:276 +0x43 github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).syncLocalKey(0x0, {0x2204f70, 0xc000050138}, {0x22051d8, 0xc000a7e240}) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:288 +0x87 github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).UpdateKeySync(...) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:375 main.(*VMManager).OnUpdate(0xc0005f6080, {0x21e9e10, 0xc000a7e0c0}) /home/abocim/go/src/github.com/cilium/cilium/clustermesh-apiserver/vmmanager.go:183 +0x3f4 github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).onUpdate(...) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:233 github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).updateKey(0xc000128780, {0xc00025e85d, 0x15}, {0xc0000f6a00, 0xf3, 0x100}) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:414 +0x102 github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).watcher(0xc000128780, 0xc000270a20) /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:482 +0x73c created by github.com/cilium/cilium/pkg/kvstore/store.(*SharedStore).listAndStartWatcher /home/abocim/go/src/github.com/cilium/cilium/pkg/kvstore/store/store.go:447 +0x89 Signed-off-by: Adam Bocim <adam.bocim@seznam.cz> 03 May 2022, 12:41:41 UTC
6af9e7d go.mod, vendor: update cloud provider SDK Go modules Monthly update of the cloud provider SDK Go modules using contrib/scripts/go-mod-update-cloud-providers.sh Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 May 2022, 12:38:48 UTC
019edbb build(deps): bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 Bumps [github.com/go-openapi/spec](https://github.com/go-openapi/spec) from 0.20.5 to 0.20.6. - [Release notes](https://github.com/go-openapi/spec/releases) - [Commits](https://github.com/go-openapi/spec/compare/v0.20.5...v0.20.6) --- updated-dependencies: - dependency-name: github.com/go-openapi/spec dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 May 2022, 12:38:31 UTC
3a43e63 build(deps): bump github.com/shirou/gopsutil/v3 from 3.22.3 to 3.22.4 Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil) from 3.22.3 to 3.22.4. - [Release notes](https://github.com/shirou/gopsutil/releases) - [Commits](https://github.com/shirou/gopsutil/compare/v3.22.3...v3.22.4) --- updated-dependencies: - dependency-name: github.com/shirou/gopsutil/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 03 May 2022, 12:38:23 UTC
cb7a7d0 ci: set chart directory on `cilium uninstall` on AKS Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 May 2022, 12:37:59 UTC
39b36c5 ci: update master workflows to cilium-cli v0.11.4 Suggested-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 May 2022, 12:37:59 UTC
5566f66 ci: consistently use .yaml file suffix for conformance tests Rename the external workloads conformance test YAML files to match other conformance test files. Signed-off-by: Tobias Klauser <tobias@cilium.io> 03 May 2022, 12:37:59 UTC
d29221d build: Fix compilation issue for non-linux platform This commit is to make sure there is no compilation issue with windows for the netlink and netns packages. Relates to https://github.com/vishvananda/netlink/issues/146 Relates to https://github.com/vishvananda/netns/issues/23 Suggested-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Tam Mach <tam.mach@cilium.io> 02 May 2022, 15:05:16 UTC
6cdadc7 make: remove deprecated test targets The respective tests were removed by commit ef3768af8c6f ("test: Remove tests/ dir") and the targets are no longer functional: % make runtime-tests make -C tests runtime-tests make[1]: *** tests: No such file or directory. Stop. make: *** [Makefile:289: runtime-tests] Error 2 % make k8s-tests make -C tests k8s-tests make[1]: *** tests: No such file or directory. Stop. make: *** [Makefile:292: k8s-tests] Error 2 Also remove the integration of these tests from Vagrantfile via RUN_TEST_SUITE. Signed-off-by: Tobias Klauser <tobias@cilium.io> 02 May 2022, 14:41:42 UTC
5bbbaa2 ingress: Set max stream duration as 0 This commit is to set maxStreamOption for both http and http2 at route level, mainly for gRPC APIs. Without this setting, the below error will occur for gRPC stream requests. ``` level=debug msg="[[C3][S4568171404048735839] Resetting stream due to upstream_response_timeout. Prior headers have already been sent" subsys=envoy-http threadID=794 level=debug msg="[[C3][S4568171404048735839] doEndStream() resetting stream" subsys=envoy-http threadID=794 level=debug msg="[[C3][S4568171404048735839] stream reset" subsys=envoy-http threadID=794 ``` Signed-off-by: Tam Mach <tam.mach@isovalent.com> 02 May 2022, 14:40:53 UTC
fa94cc8 bpf: egressgw: don't redirect to tunnel dev if EP is running on gateway node When a client endpoint selected by an egress gateway policy is running on the egress gateway node itself, there's no need to redirect the endpoint traffic supposed to be forwarded to the gateway to the tunnel device: we can just let it go through bpf_lxc, as it will eventually reach the bpf_host program responsible for SNAT'ing it with the egress IP. Fixes: #15426 Signed-off-by: Gilberto Bertin <jibi@cilium.io> 02 May 2022, 14:40:20 UTC
48902c1 gha: Enable ingress controller in smoketest This commit is to enable the ingress controller as part of the smoke test. While there is no actual test with an Ingress resource right now, this still helps to catch any issue with the helm charts, and makes sure the cilium pods (e.g. operator and agent) start up successfully. Signed-off-by: Tam Mach <tam.mach@cilium.io> 02 May 2022, 14:38:47 UTC
cb7fb7b bpf: Fix compilation issue when ENABLE_L7_LB is set This commit is to fix the below compilation issue, when IPv6 only + L7 LB are enabled. ``` level=error msg="Failed to compile bpf_lxc.dbg.o: exit status 1" compiler-pid=3406 linker-pid=3407 subsys=datapath-loader level=debug msg="/var/lib/cilium/bpf/bpf_lxc.c:201:36: error: member reference type 'struct ipv6_ct_tuple' is not a pointer; did you mean to use '.'?" subsys=datapath-loader level=debug msg=" cilium_dbg3(ctx, DBG_L7_LB, tuple->daddr.p4, tuple->saddr.p4," subsys=datapath-loader level=debug msg=" ~~~~~^~" subsys=datapath-loader level=debug msg=" ." subsys=datapath-loader level=debug msg="/var/lib/cilium/bpf/bpf_lxc.c:201:53: error: member reference type 'struct ipv6_ct_tuple' is not a pointer; did you mean to use '.'?" subsys=datapath-loader level=debug msg=" cilium_dbg3(ctx, DBG_L7_LB, tuple->daddr.p4, tuple->saddr.p4," subsys=datapath-loader level=debug msg=" ~~~~~^~" subsys=datapath-loader level=debug msg=" ." subsys=datapath-loader level=debug msg="2 errors generated." subsys=datapath-loader ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 02 May 2022, 14:38:47 UTC
04e81bc helm: Correct typo for secret sync in ingress This commit is to correct a wrong attribute in the operator role, which causes a missing permission for secrets. Verification was done locally with the installation below ``` cilium install \ --chart-directory ./install/kubernetes/cilium \ --version v1.12.0-rc1 \ --kube-proxy-replacement=strict \ --agent-image "${DOCKER_DEV_ACCOUNT}/cilium:${GIT_HASH}" \ --operator-image "${DOCKER_DEV_ACCOUNT}/operator-generic:${GIT_HASH}" \ --helm-set ingressController.enabled=true ``` Relates to ca375a92e13058301a1106489c4e26866b9f8879 Signed-off-by: Tam Mach <tam.mach@cilium.io> 02 May 2022, 14:38:47 UTC
a0d3c10 Select new backend if old connection from src port to cluster IP was closed Problem: On the egress of a TCP SYN packet, Cilium looks up the conntrack table with the 5-tuple (src IP, src port, dst IP, dst port, protocol). On a lookup miss, Cilium adds a new entry to the conntrack table. When the destination is a cluster IP, Cilium additionally also randomly picks a backend for this cluster IP. The selected backend is persisted with the CT entry. The next time a new connection from the same src port is initiated, Cilium reuses the existing CT entry and thus reuses the same backend. This eliminates the possibility of rebalancing load across available backends for new connections if it's the same src port and the same cluster IP. Fix: Instead of reusing the existing entry for a cluster IP as is, do a new backend selection if the previous connection was closed for more than 30s. This doesn't add a new entry to the conntrack table; instead it performs backend selection and updates it for the existing entry. Note: While deciding when to select a new backend, we only take into consideration tx_closing because we don't see closing in the RX direction for CT_SERVICE. Additionally we also check that this packet is a SYN packet to limit the context to new connections only and give a 30s grace period for any in-flight packets related to the old connection. Testing: Manually verified 1. If the previous connection from the same src port to the cluster IP was closed, a new backend is used (unless the old backend got reselected as part of random selection). 2. If the previous connection wasn't closed, the same backend is used. Signed-off-by: Amol Ambekar <ambekara@google.com> 02 May 2022, 14:37:55 UTC
6154322 logging: do not swallow subsystem logs Commit #16861 introduced a normalization of error handling into the daemon/cmd package. By doing so we swallowed useful error logs. This commit adds the error logs back and adds a few additional fmt.Errorf wrappers where logging is not adequate. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 30 April 2022, 18:45:05 UTC
af398b4 test: Fix directory name for source archive - Define cilium_base_version as an environment variable so that there is a single place to update for each feature branch. - Set useDigest to false for all the images since the image digests in values.yaml do not match the ones for the CI images. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 30 April 2022, 00:23:22 UTC
cb6ebfb build(deps): bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.23.3 to 0.24.0. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.23.3...v0.24.0) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 29 April 2022, 21:14:30 UTC
6f9fedd operator: fix identity GC collection As the operator uses a different constructor for the GC of the allocator, this constructor was not being initialized with the min and max values of the identities that it should GC. This commit adds those options, making it possible for the Operator to GC those identities. Fixes: 0c0f96531286 ("operator: only GC identity keys of its own cluster") Signed-off-by: André Martins <andre@cilium.io> 29 April 2022, 21:03:50 UTC
fd50b8d feat(command): add OutputOptionString() Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 29 April 2022, 19:33:56 UTC
73c8603 feat(command): rename JSON functions as OutputOption Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 29 April 2022, 19:33:56 UTC
71138e5 fix(command): typo in error message Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 29 April 2022, 19:33:56 UTC
c4825ab feat(command): allow to dump as YAML Signed-off-by: Raphaël Pinson <raphael@isovalent.com> 29 April 2022, 19:33:56 UTC
c15fbde egressgw: emit a warning rather than a fatal error when L7 proxy is enabled The egress gateway feature is only partially incompatible with --enable-l7-proxy as traffic will not be forwarded to an egress gateway only if there's an L7 policy selecting the same endpoint selected by an egress gateway policy. Because of this, just logging a warning should be sufficient as in most cases both features can be enabled and used at the same time. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 29 April 2022, 19:30:04 UTC
916765b daemon: Initialize k8sCachesSynced channel before Initk8sSubsystem() InitK8sSubsystem() starts all k8s watchers concurrently, some of which do call into K8sCacheIsSynced() via ipcache/metadata.InjectLabels(), and possibly also from elsewhere. Initialize k8sCachesSynced before any watchers are started to make this access safe. This fixes data race detected by race detection builds. Fixes: #19614 Fixes: #19556 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 29 April 2022, 17:38:27 UTC
8bb6c85 build(deps): bump actions/checkout from 3.0.1 to 3.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/dcd71f646680f2efd8db4afa5ad64fdcba30e748...2541b1294d2704b0964813337f33b291d3f8596b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 29 April 2022, 15:28:42 UTC
ce9583d daemon: Change the default FQDN regex LRU to be 1024 Following the previous commit's benchmark result, let's update the LRU default size to be 1024, given that it only results in a few tens of MBs increase when the cache nears full. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 April 2022, 15:28:02 UTC
38c0036 dnsproxy: Add benchmark for large FQDN-based CNPs When comparing the efficiency of increasing the LRU size from 128 to 1024 with ~22k CNPs, we see the following results: ``` \# LRU size 128. $ go test -tags privileged_tests -v -run '^$' -bench Benchmark_perEPAllow_setPortRulesForID_large -benchmem -benchtime 1x -memprofile memprofile.out ./pkg/fqdn/dnsproxy > old.txt \# LRU size 1024. $ go test -tags privileged_tests -v -run '^$' -bench Benchmark_perEPAllow_setPortRulesForID_large -benchmem -benchtime 1x -memprofile memprofile.out ./pkg/fqdn/dnsproxy > new.txt $ benchcmp old.txt new.txt benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat benchmark old ns/op new ns/op delta Benchmark_perEPAllow_setPortRulesForID_large-8 3954101340 3010934555 -23.85% benchmark old allocs new allocs delta Benchmark_perEPAllow_setPortRulesForID_large-8 26480632 24167742 -8.73% benchmark old bytes new bytes delta Benchmark_perEPAllow_setPortRulesForID_large-8 2899811832 1824062992 -37.10% ``` Here's the raw test run with LRU size at 128: ``` Before (N=1) Alloc = 31 MiB HeapInuse = 45 MiB Sys = 1260 MiB NumGC = 15 After (N=1) Alloc = 445 MiB HeapInuse = 459 MiB Sys = 1260 MiB NumGC = 40 ``` Here's the raw test run with LRU size at 1024: ``` Before (N=1) Alloc = 31 MiB HeapInuse = 48 MiB Sys = 1177 MiB NumGC = 17 After (N=1) Alloc = 78 MiB HeapInuse = 93 MiB Sys = 1177 MiB NumGC = 53 ``` We can see that it's saving ~300MB. Furthermore, if we compare the memprofiles from the benchmark run via ``` go tool pprof -http :8080 -diff_base memprofile.out memprofile.1024.out ``` we see an ~800MB reduction in the regex compilation. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 April 2022, 15:28:02 UTC
5fa7ae2 daemon, fqdn: Add flag to control FQDN regex LRU size Advanced users can configure the LRU size for the cache holding the compiled regex expressions of FQDN match{Pattern,Name}. This is useful if users are experiencing high memory usage spikes with many FQDN policies that have repeated matchPattern or matchName across many different policies. Signed-off-by: Chris Tarazi <chris@isovalent.com> 29 April 2022, 15:28:02 UTC
769ae73 docs: set right path for robots.txt According to some examples found on Google, the path pointed to by html_extra_path should contain the direct path for the robots.txt file. Signed-off-by: André Martins <andre@cilium.io> 29 April 2022, 10:28:44 UTC
ad4a900 datapath: Allow egress GW with XDP The XDP-based NodePort acceleration currently can't be used in combination with EgressGW. The underlying reason is that bpf_xdp has no support for tunnel encapsulation, so it can't redirect the EgressGW's return traffic. The EgressGW processing is done in nodeport_lb4() and rev_nodeport_lb4() from lib/nodeport.h (tech debt). Improve this situation by skipping the tunnel-forward in rev_nodeport_lb4() when called from XDP context. Thus return traffic for the EgressGW gets reverse-SNATed inside XDP, and is then passed up to bpf_host with XFER_PKT_NO_SVC. It bypasses the NodePort processing, and enters the kernel stack where it gets forwarded to the tunnel netdev due to an IP route in the host netns stack (i.e., "pod cidr on node X via cilium_vxlan"). This lets users run with the NodePort acceleration and EgressGW enabled at the same time. Note that the approach of letting the kernel forward the traffic into the tunnel can fail (if the iptables' default policy for the FORWARD chain is DROP). Long-term we want to cleanly handle this with tunneling support inside bpf_xdp [1]. [1]: https://github.com/cilium/cilium/issues/17770 The commit message was suggested by Julian Wiedmann. Signed-off-by: Martynas Pumputis <m@lambda.lt> 29 April 2022, 07:24:34 UTC
9febe6b dependabot: hold prometheus/client_golang until NaN values are gone Signed-off-by: Timo Beckers <timo@isovalent.com> 29 April 2022, 00:02:59 UTC
c4da7a7 Downgrade prometheus/client_golang to v1.11.1 This reverts commit d8e3f28c01f04b4c314b65e090a21c2aaf235207. --- See https://github.com/cilium/cilium/issues/19425. Extra Go metrics were added to the Prometheus client, some having NaN values, breaking json marshaling on the server side of `cilium metrics list`: msg="Cilium API handler panicked" panic_message="json: unsupported value: NaN" url=/v1/metrics/ ... Signed-off-by: Timo Beckers <timo@isovalent.com> 29 April 2022, 00:02:59 UTC
aae5416 Add ENI limits for i4i and x2i instance types Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 28 April 2022, 22:26:52 UTC
12c5927 build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/94ab11c41e45d028884a99163086648e898eed25...f211e3e9ded2d9377c8cadc4489a4e38014bc4c9) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 28 April 2022, 22:26:38 UTC
467c3f4 build(deps): bump github.com/containernetworking/cni from 1.0.1 to 1.1.0 Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](https://github.com/containernetworking/cni/compare/v1.0.1...v1.1.0) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 28 April 2022, 22:26:32 UTC
0790e07 pkg/labels: Optimize SortedList() and FormatForKVStore() FormatForKVStore() previously returned a string for no reason as every caller converted the return value to a byte slice. This allows us to eliminate string concatenation entirely and use the bytes.Buffer directly. Building on the above, given that SortedList() returns a byte slice and calls FormatForKVStore() for its output, we can optimize it with the same technique to eliminate string concatenation. Here are the benchmark comparisons: ``` $ go test -v -run '^$' -bench 'BenchmarkLabels_SortedList|BenchmarkLabel_FormatForKVStore' -benchmem ./pkg/labels > old.txt $ go test -v -run '^$' -bench 'BenchmarkLabels_SortedList|BenchmarkLabel_FormatForKVStore' -benchmem ./pkg/labels > new.txt $ benchcmp old.txt new.txt benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat benchmark old ns/op new ns/op delta BenchmarkLabels_SortedList-8 2612 1120 -57.12% BenchmarkLabel_FormatForKVStore-8 262 54.5 -79.18% benchmark old allocs new allocs delta BenchmarkLabels_SortedList-8 35 13 -62.86% BenchmarkLabel_FormatForKVStore-8 4 1 -75.00% benchmark old bytes new bytes delta BenchmarkLabels_SortedList-8 1112 664 -40.29% BenchmarkLabel_FormatForKVStore-8 96 48 -50.00% ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 28 April 2022, 22:26:05 UTC
351c5d8 pkg/labels: Add benchmark for hot labels code SortedList() and FormatForKVStore() can be very hot code in environments where there's constant policy churn, especially CIDR policies where there can be a large number of CIDR labels. This commit adds benchmarks for later commits to use as a baseline. Signed-off-by: Chris Tarazi <chris@isovalent.com> 28 April 2022, 22:26:05 UTC
1b291d5 test: Pin eksctl version The latest version of eksctl [0] uses Kubernetes 1.22 by default. This broke the CI because CustomResourceDefinition is no longer v1beta1, and aws-k8s-cni.yaml [1] uses v1beta1. [0]: https://github.com/weaveworks/eksctl/releases/tag/v0.95.0 [1]: https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.7.10/config/v1.7/aws-k8s-cni.yaml Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 28 April 2022, 21:05:21 UTC
1ff63b1 k8s-conformance: Improve skipped tests format/links The previous listing was harder to read because the individual tests weren't listed in a markdown style. Furthermore, there are additional issues to track each of the limitations which we can add to the listing to help find/resolve them in future. Improve the comments in the test script by adding bullet syntax and adding these links. Signed-off-by: Joe Stringer <joe@cilium.io> 28 April 2022, 20:32:12 UTC
e015b19 vagrant: Update the net-next VM image The new image includes a new Ubuntu 20.04.4 version, updated prepulled Docker images, and the new Go version. Signed-off-by: Paul Chaignon <paul@cilium.io> 28 April 2022, 20:31:30 UTC
2d7af3a .github: add support for cilium-cli in aws-cni conformance tests Signed-off-by: André Martins <andre@cilium.io> 28 April 2022, 20:28:55 UTC
195dc35 Add Kube-OVN to USERS Signed-off-by: Mengxin Liu <mengxin@alauda.io> 28 April 2022, 19:35:30 UTC
f834c42 ingress: Add SocketOptions configuration This commit is to add the related TCP keep-alive configuration in envoy via the SocketOptions attribute. End users can still override values with the respective annotations. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 18:18:32 UTC
7a457ec Expose hubble-ui security context in helm chart This change exposes the security context for Hubble UI pods. Backward compatibility is maintained. `enabled` is deprecated and can be deleted once the default security context object is used. The default security context object moved to values.yaml. Fixes: #18440 Signed-off-by: Hemslo Wang <hemslo.wang@gmail.com> 28 April 2022, 18:15:47 UTC
e6a66e5 hubble/filters: strict number check for full HTTP status code Before this patch, the Hubble HTTP status code filter would accept any string containing a HTTP status code. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 28 April 2022, 18:15:17 UTC
29ac66f docs: add documentation for adding CRDs into cilium This commit introduces a new documentation page for adding Kubernetes custom resource definitions for use in Cilium Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 28 April 2022, 18:14:51 UTC
1fad7b3 bgpv1: Set nexthop of locally originated routes to 0.0.0.0 (or ::) In the current implementation, the nexthop of the paths (e.g. PodCIDRs) is fixed to CiliumNode's ExternalIP. However, it is technically possible to establish a BGP peer from another IP address if users specify a neighbor which belongs to a different network. For example, when a k8s node has two IP addresses 10.0.0.1/24 and 10.0.1.1/24 assigned to different network interfaces, it is possible that the ExternalIP is 10.0.0.1 and the user makes a peering policy to establish a peer with 10.0.1.2. In that case, the nexthop should be 10.0.1.1, which is not the ExternalIP. What we should do here is basically always set the IP address used for peering as the nexthop. For locally originated routes, it always works IIUC (please see section 5.1.3 of RFC4271 for the source of truth). GoBGP has a feature that automatically implements this behavior. All we need to do is just set 0.0.0.0 (IPv4) or :: (IPv6) as the nexthop. Note that this shouldn't break any existing settings. If users are using Cilium Node's ExternalIP for peering, it sets ExternalIP as the nexthop as usual. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 28 April 2022, 18:13:42 UTC
78f1409 helm: Create cilium IngressClass Some environments might already have other ingress controllers such as nginx, so we need to create a dedicated IngressClass for Cilium; otherwise IngressClass webhook validation might fail. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 18:13:10 UTC
2c1b5e3 add roadmap section and fix governance link Signed-off-by: Bill Mulligan <bill@isovalent.com> 28 April 2022, 17:08:07 UTC
84ae8cc Add Elastic Path to USERS.md Signed-off-by: Neil Seward <neil.seward@elasticpath.com> 28 April 2022, 15:32:26 UTC
140e82a docs: fix version warning banner Currently, the version warning banner on the Cilium documentation is broken. The version warning library that checks if there is a new version released performs an HTTP request to readthedocs.org [1]. This request is not allowed due to CORS policy since the docs are available under a different domain than readthedocs.org. As a workaround we will keep a minimal version of the response that would be returned by readthedocs.org in the Cilium repository. This will work since the versionwarning_api_url points to the same domain where the docs are available: https://docs.cilium.io and readthedocs.org is configured with a redirect from "https://docs.cilium.io/version/" that points to https://docs.cilium.io/en/latest/_static/stable-version.json [1] https://readthedocs.org/api/v2/version?active=true&project__slug=cilium Signed-off-by: André Martins <andre@cilium.io> 28 April 2022, 13:48:17 UTC
af8151d docs: set the right url for API version check The right format for this field should contain the protocol and a trailing "/" to work properly. Fixes: b3b05029e4c9 ("docs: fix version warning URL to point to docs.cilium.io") Signed-off-by: André Martins <andre@cilium.io> 28 April 2022, 13:48:03 UTC
528131e ci: Update Cilium CLI to v0.11.3 Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 28 April 2022, 13:44:52 UTC
0bc13e9 .github/workflows: install the right helm chart version for stable branches In stable branches we should not use the 'master' version of the helm charts but instead we should use the same version of the base branch being tested. Signed-off-by: André Martins <andre@cilium.io> 28 April 2022, 11:31:09 UTC
4ffec23 ingress: Remove inline tls secret in CEC This commit is to remove the inline plain-text tls secret in CEC; only the secret name is specified, and this will get resolved with the help of SDS in xDS. If secrets sync is disabled, the user needs to manage them manually in the ingress-secrets-namespace flag with a naming convention of <ingress-namespace>-<secret-name> to avoid any potential conflict. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 01:07:04 UTC
ca375a9 ingress: Fan-in TLS secrets to one single namespace Cilium Operator will watch all TLS secrets across namespaces, and perform replication for those tls secrets used in IngressSpec into the provided namespace (e.g. cilium-secrets). Additionally, the operator makes sure that any Ingress operation (e.g. add, update, delete) will trigger secret sync to this namespace accordingly. As one TLS secret can be used by multiple Ingresses (e.g. wildcard secrets), cleaning up is only done if the original secret is removed. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 01:07:04 UTC
d97bd1d envoy: Add SDS implementation for xDS This commit is to add the k8s watcher for secrets (only for tls type) for a given namespace, and propagate values to envoy SDS. RBAC permissions for secret (e.g. list, get, and watch) are granted only for such namespace. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 01:07:04 UTC
8bb6f83 k8s: Add secret slim type This commit is to add a slim version of k8s secrets. Signed-off-by: Tam Mach <tam.mach@isovalent.com> 28 April 2022, 01:07:04 UTC
9014253 pkg/k8s: use subresource "nodes/status" to update node annotations We can use the "status" subresource to update node annotations, which also allows us to reduce the clusterrole's permissions of the cilium DaemonSet even further. Signed-off-by: André Martins <andre@cilium.io> 28 April 2022, 01:05:00 UTC
d469ea4 Making operator aware of pending pod backlog on nodes for IP allocations On large clusters with really low pre-allocate values, IP allocations can be very slow, especially in scenarios like replacement of a node with high pod density. This is because every time maintenance is performed on a node only the pre-allocate number of IPs are allocated in a batch, even though there might be a higher backlog of pending pods scheduled on the node. This commit adds a new indexer to the pod informer cache which allows for querying the cache by node name. This allows the operator to look at the backlog and allocate more IPs up to what's available on the interface. Max above watermark could be used to achieve a similar effect, but it can result in IP wastage. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 27 April 2022, 20:57:23 UTC
3bc8a8d build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.45.0 to 1.46.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.45.0...v1.46.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 19:49:03 UTC
982b2f9 build(deps): bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.4 Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.5.1 to 1.5.4. - [Release notes](https://github.com/fsnotify/fsnotify/releases) - [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md) - [Commits](https://github.com/fsnotify/fsnotify/compare/v1.5.1...v1.5.4) --- updated-dependencies: - dependency-name: github.com/fsnotify/fsnotify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 19:47:54 UTC
a2f1b6b build(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 19:47:47 UTC
954b38c build(deps): bump github/codeql-action from 2.1.8 to 2.1.9 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.8 to 2.1.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/1ed1437484560351c5be56cf73a48a279d116b78...7502d6e991ca767d2db617bfd823a1ed925a0d59) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 19:47:11 UTC
a253af4 .github/workflow: revert cilium-cli changes in stable workflows The cilium-cli changes on the old workflows seem to be broken. This commit reverts any changes done into these files to unblock the broken CI on those branches. Signed-off-by: André Martins <andre@cilium.io> 27 April 2022, 19:00:17 UTC
2e5f35b identity: Initialize local identity allocator early Move local identity allocator initialization to NewCachingIdentityAllocator() so that it is initialized when the allocator is returned to the caller. Also make the events channel and start the watcher in NewCachingIdentityAllocator(). Close() will no longer GC the local identity allocator or stop the watcher. Now that the locally allocated identities are persisted via the bpf ipcache map across restarts, recycling them at runtime via Close() would be inappropriate. This is then used in daemon bootstrap to restore locally allocated identities before new policies can be received via Cilium API or k8s API. This fixes the issue where CIDR policies were received from k8s before locally allocated (CIDR) identities were restored, causing the identities derived from the received policy to be newly allocated with different numeric identity values, ultimately causing policy drops during Cilium restart. Fixes: #19360 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 27 April 2022, 18:40:45 UTC
1db91ca docs: Update max MTU value for Nodeport XDP on AWS The documentation for setting up Nodeport XDP acceleration on AWS mentions that the MTU for the ena interface must be lowered so that XDP can work. It is indeed necessary, but the value which is provided as the maximal possible MTU is outdated and not working. After installing the latest kernel through the RPM package kernel-ng (as prescribed in the documentation), the EKS nodes currently end up with Linux 5.10: $ uname -r 5.10.106-102.504.amzn2.x86_64 If we keep on following the docs and lower the MTU to 3818, the Cilium pods fail to get ready, and tell in their logs that the XDP program cannot be set due to the MTU. This is also confirmed from the dmesg of the nodes: [ 3617.059219] ena 0000:00:05.0 eth0: Failed to set xdp program, the current MTU (3818) is larger than the maximum allowed MTU (3498) while xdp is on The value 3818 comes from the legacy definition of ENA_XDP_MAX_MTU, in drivers/net/ethernet/amazon/ena/ena_netdev.h, which used to be defined as such: #define ENA_XDP_MAX_MTU (ENA_PAGE_SIZE - ETH_HLEN - ETH_FCS_LEN - \ VLAN_HLEN - XDP_PACKET_HEADROOM) where ETH_HLEN is 14, ETH_FCS_LEN and VLAN_HLEN are both 4, and XDP_PACKET_HEADROOM is 256. But after Linux commit 08fc1cfd2d25 ("ena: Add XDP frame size to amazon NIC driver"), from Linux 5.8, the definition changed to: #define ENA_XDP_MAX_MTU (ENA_PAGE_SIZE - ETH_HLEN - ETH_FCS_LEN - \ VLAN_HLEN - XDP_PACKET_HEADROOM - \ SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) As a result, the maximum value for the MTU for kernels 5.8+ is 3498 bytes. This is indeed the maximum value that I could use when setting up XDP on an EKS cluster. Let's update the documentation accordingly. Signed-off-by: Quentin Monnet <quentin@isovalent.com> 27 April 2022, 18:17:07 UTC
4c2c244 pkg/policy/api: Optimize FQDNSelector String() Use strings.Builder instead of fmt.Sprintf() and preallocate the size of the string so that Go doesn't need to over-allocate if the string ends up longer than what the buffer growth algorithm predicts. Results: ``` $ go test -v -run '^$' -bench 'BenchmarkFQDNSelectorString' -benchmem ./pkg/policy/api > old.txt $ go test -v -run '^$' -bench 'BenchmarkFQDNSelectorString' -benchmem ./pkg/policy/api > new.txt $ benchcmp old.txt new.txt benchmark old ns/op new ns/op delta BenchmarkFQDNSelectorString-8 690 180 -73.97% benchmark old allocs new allocs delta BenchmarkFQDNSelectorString-8 9 4 -55.56% benchmark old bytes new bytes delta BenchmarkFQDNSelectorString-8 288 208 -27.78% ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 27 April 2022, 17:40:14 UTC
afa2f4c Consistent title casing Signed-off-by: Liz Rice <liz@lizrice.com> 27 April 2022, 16:29:31 UTC
a0a4f69 Once more, with feeling: another update to CODEOWNERS Signed-off-by: Liz Rice <liz@lizrice.com> 27 April 2022, 16:29:31 UTC
02ffb20 Update CODEOWNERS to match changes to Documentation files Signed-off-by: Liz Rice <liz@lizrice.com> 27 April 2022, 16:29:31 UTC
5a85235 Corrections to spellings and links Signed-off-by: Liz Rice <liz@lizrice.com> 27 April 2022, 16:29:31 UTC
1834b7b Docs: add public roadmap Helps new users understand the direction of the project, and potential contributors see where they might be able to get involved Signed-off-by: Liz Rice <liz@lizrice.com> Co-authored-by: Quentin Monnet <quentin@isovalent.com> 27 April 2022, 16:29:31 UTC
371af5a Docs: move Governance under Community Since Governance doesn't just concern code development it makes more sense for it to live in the Community section of the docs Signed-off-by: Liz Rice <liz@lizrice.com> 27 April 2022, 16:29:31 UTC
b68fd38 build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.3 to 3.5.4 Bumps [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd) from 3.5.3 to 3.5.4. - [Release notes](https://github.com/etcd-io/etcd/releases) - [Changelog](https://github.com/etcd-io/etcd/blob/main/Dockerfile-release.amd64) - [Commits](https://github.com/etcd-io/etcd/compare/v3.5.3...v3.5.4) --- updated-dependencies: - dependency-name: go.etcd.io/etcd/client/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 05:21:25 UTC
f20ccf7 build(deps): bump nick-invision/retry from 2.6.0 to 2.7.0 Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/nick-invision/retry/releases) - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js) - [Commits](https://github.com/nick-invision/retry/compare/7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c...e88a9994b039653512d697de1bce46b00bfe11b5) --- updated-dependencies: - dependency-name: nick-invision/retry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 00:32:45 UTC
dad3511 build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.3 to 3.5.4 Bumps [go.etcd.io/etcd/client/pkg/v3](https://github.com/etcd-io/etcd) from 3.5.3 to 3.5.4. - [Release notes](https://github.com/etcd-io/etcd/releases) - [Changelog](https://github.com/etcd-io/etcd/blob/main/Dockerfile-release.amd64) - [Commits](https://github.com/etcd-io/etcd/compare/v3.5.3...v3.5.4) --- updated-dependencies: - dependency-name: go.etcd.io/etcd/client/pkg/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 27 April 2022, 00:19:41 UTC
5a4720a build(deps): bump go.etcd.io/etcd/api/v3 from 3.5.3 to 3.5.4 Bumps [go.etcd.io/etcd/api/v3](https://github.com/etcd-io/etcd) from 3.5.3 to 3.5.4. - [Release notes](https://github.com/etcd-io/etcd/releases) - [Changelog](https://github.com/etcd-io/etcd/blob/main/Dockerfile-release.amd64) - [Commits](https://github.com/etcd-io/etcd/compare/v3.5.3...v3.5.4) --- updated-dependencies: - dependency-name: go.etcd.io/etcd/api/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 26 April 2022, 23:28:04 UTC
df1eab7 .github/workflows: fix hubble-relay cilium-cli installation When using the hubble-relay installation we need to set the image SHA as part of the 'relay-image' option since this is used in the helm option 'hubble.relay.image.override' which should contain the image tag. Fixes: 27590a95dc26 (".github: enable cilium-cli helm based installation") Signed-off-by: André Martins <andre@cilium.io> 26 April 2022, 18:48:59 UTC
7d30daf add robots.txt to Cilium documentation It looks like we can't do a Page redirect from 'robots.txt' in readthedocs settings. This commit is another attempt at having a manually defined robots.txt file. Signed-off-by: André Martins <andre@cilium.io> 26 April 2022, 13:57:53 UTC
ec4a3c3 docs: add robots.txt in a static directory With a self-generated robots.txt search engines will stop indexing old versions of the Cilium documentation. A redirect was also configured in the readthedocs.org to redirect /robots.txt to _static/robots.txt. Signed-off-by: André Martins <andre@cilium.io> 26 April 2022, 13:28:34 UTC
d2b83be .github/workflows: do not use pre-defined image digests When setting a specific image tag, we should set the option image.useDigest to false; otherwise we will install Cilium with the pre-defined digests that are available on the git tree of stable branches. Those pre-defined digests point to the last stable release. Signed-off-by: André Martins <andre@cilium.io> 26 April 2022, 12:36:16 UTC
641654b .github/workflows: fix hubble installation using cilium-cli 'cilium hubble enable' needs to specify the base-version that is going to be deployed. Fixes: 27590a95dc26 (".github: enable cilium-cli helm based installation") Signed-off-by: André Martins <andre@cilium.io> 25 April 2022, 21:24:55 UTC
b61a347 daemon: Do not try to detect Dump support ipcache SupportDump() and SupportsDelete() open the map to probe for the support if the map is not already open and also schedule the bpf-map-sync-cilium_ipcache controller. If the controller is run before initMaps(), initMaps will fail as the controller will leave the map open and initMaps() assumes this not to be the case. Solve this by not trying to detect dump support, but trying to dump and seeing if it succeeds. This fixes a Cilium Agent crash on kernels that do not support ipcache dump operations and when certain Cilium features are enabled on slow machines that caused the scheduled controller to run too soon. Fixes: 19360 Fixes: 19495 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 25 April 2022, 20:14:43 UTC
6a7af5f testutils/mockmaps: Add duplicate backend calls check back Commit d7bcc0aac9 rendered the duplicate calls to add a backend check ineffective. Until we have a better mock code to differentiate between v4 and v6 backend maps, let's bring back the original check with some special checks with respect to NAT46/64 policies. Fixes: d7bcc0aac9 ("cilium, tests: Add NAT46 and NAT64 upsert test cases") Signed-off-by: Aditi Ghag <aditi@cilium.io> 25 April 2022, 16:41:40 UTC
b3b0502 docs: fix version warning URL to point to docs.cilium.io Due to some CORS policy, the requests being performed from docs.cilium.io to readthedocs.org were being denied. This was causing the warning banner to never show up in the documentation. To avoid this problem a page redirect was configured in readthedocs settings to redirect docs.cilium.io/version to readthedocs.org/api/v2/version which will hopefully fix the issue and the API endpoint was set to docs.cilium.io. Signed-off-by: André Martins <andre@cilium.io> 25 April 2022, 16:25:24 UTC
8846643 egressgw: require L7 proxy to be disabled When support for L7 policies is enabled, traffic is redirected to the proxy before the logic in bpf_lxc can inspect it to determine if it should be forwarded, resulting in no traffic being forwarded to the egress gateway node. This commit adds an additional check to make sure egressgw can't be enabled with L7 policies. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 25 April 2022, 15:05:21 UTC
d63273a cilium: remove bpf egress {get, update, delete} commands These commands were useful for debugging purposes, but now it doesn't really make sense to configure a policy manually through the CLI. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 25 April 2022, 15:05:21 UTC