https://github.com/cilium/cilium

Revision Author Date Message Commit Date
d37596c Prepare for release v1.13.0-rc3 Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 14:38:26 UTC
7f2cc7c update AUTHORS and Documentation Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 14:38:26 UTC
147c66e install/kubernetes: Re-order lines in Makefile.values This will prevent the release manager from missing any changes that need to be done in this file. Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 11:59:12 UTC
3cbfc34 option, datapath: Move AreDevicesRequired to option package This will make it easier to reuse that helper function in other places, such as the loader in this commit. Suggested-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 01 December 2022, 11:40:04 UTC
378da16 hive: Fix CodeQL lints in regex The CodeQL workflow found two issues with the affected line: - https://github.com/cilium/cilium/security/code-scanning/78 - https://github.com/cilium/cilium/security/code-scanning/79 Tested by running `cilium-agent objects` locally. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 01 December 2022, 10:26:13 UTC
0acfa24 build(deps): bump cilium/little-vm-helper Bumps [cilium/little-vm-helper](https://github.com/cilium/little-vm-helper) from 83d306aeb0b731c4d29f8762f576ff484aa7a69c to 0.0.2. This release includes the previously tagged commit. - [Release notes](https://github.com/cilium/little-vm-helper/releases) - [Commits](https://github.com/cilium/little-vm-helper/compare/83d306aeb0b731c4d29f8762f576ff484aa7a69c...76cb7b131c9fa60f697af29106b529c0a423a17e) --- updated-dependencies: - dependency-name: cilium/little-vm-helper dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 01 December 2022, 09:44:31 UTC
3a15990 pkg/clustermesh: rewrite services_test to avoid flakes This commit removes some time.Sleep due to the inability to define a lower SharedKeyDeleteDelay duration. As the SharedKeyDeleteDelay duration is now set to zero, the tests can verify the expected event right after the action is performed in the KVStore. Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 00:28:52 UTC
88cbfdb pkg/clustermesh: expose configuration field to set key deletion delay Exposing this configuration field will allow tuning these deletion delays in unit tests as otherwise, if they are not set, they will default to 30 seconds (defaults.NodeDeleteDelay). Signed-off-by: André Martins <andre@cilium.io> 01 December 2022, 00:28:52 UTC
39bb5c3 docs: describe Cilium Feature Proposals Signed-off-by: Liz Rice <liz@lizrice.com> 30 November 2022, 21:08:59 UTC
b442b00 operator: Avoid spamming logs with entire identity object Printing the entire structure of the identity in the log makes the log hard to read, so only the uid of the identity object is printed Fixes: #21900 Signed-off-by: yanru.lv <yanru.lv@daocloud.io> 30 November 2022, 20:44:29 UTC
14f688b docs: Remove Google Season of Docs Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> 30 November 2022, 19:18:58 UTC
1182ca9 bgp: BGP Control Plane modularization This work converts the BGP Control Plane controller and BGP Route Manager into hive cells, leaving as much of the existing code intact. These cells are now hooked into the agent hive directly. The daemon now takes the Controller as parameter both to preserve the behavior of setting the controller as a field value on the daemon and so the BGP controller's lifecycle events are invoked. Follow up commits can break the package up into more discrete parts to aid in testing the individual components and/or mocking them out. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 30 November 2022, 16:54:40 UTC
ffef1a8 k8s: don't consider 4xx a successful interaction While a 404 Not Found or a 409 Conflict can be considered successful interactions with the k8s API, a blanket accept for all 4xx codes is problematic. Since LastSuccessInteraction is exclusively used as an optimisation, we should err on the cautious side: accept the potential increase in heartbeats to avoid missing being unable to effectively communicate with the k8s API. As an example of how this can go wrong, in #20915 we have an issue around receiving 401 Unauthorized from the EKS control plane. At sufficient scale, we never see a need to run the heartbeat. Running the heartbeat, however, would close and reopen the connections on receiving a 401, and thus restore connectivity to the k8s API. We currently only use the LastSuccessInteraction as an optimisation to not perform unnecessary k8s API heartbeats; this "metric" (possibly a misnomer) is not used or exposed and changing its semantics is acceptable. Fixes: f2998b0cc472290ec64068ec15510608778fb431 Signed-off-by: David Bimmler <david.bimmler@isovalent.com> Co-authored-by: Sebastian Wicki <gandro@gmx.net> 30 November 2022, 14:46:05 UTC
5317243 bpf/tests: fix redundant usage of variable offset Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@industrialdiscipline.com> 30 November 2022, 14:43:35 UTC
920d898 bpf: test: add TC per-packet LB test for service without backend Packets that are addressed to a VIP without any backend should be dropped. As the VIP doesn't get translated, this currently works "by accident" if no matching allow-policy for the VIP is installed. But we actually want this to happen independently of policy, with a proper drop reason. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 November 2022, 14:42:51 UTC
c50fdb1 bpf: test: add XDP LB test for service without backend Packets that are addressed to a VIP without any backend should be dropped. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 November 2022, 14:42:51 UTC
1835011 bpf: drop SVC traffic if no backend is available Resolve an issue where an outgoing packet destined for a service will not be dropped if it does not have any backends. Currently we will not return the service if there are no backends for it, meaning we will never drop a packet in this case and instead simply route it through the kernels default routes. Fixes: #21453 Signed-off-by: Michael Aspinwall <maspinwall@google.com> [jwi: wordsmith the patch description] Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 30 November 2022, 14:42:51 UTC
9fcb306 removed lb4_services_v2 Signed-off-by: Vishal Choudhary <contactvishaltech@gmail.com> 30 November 2022, 14:37:38 UTC
787647f gateway-api/model: Refactor envoy virtual host Refactor the code to generate envoy virtual host routes from HTTPRoutes. The new code is functionally equivalent to the previous one, but relies on some helper functions to improve readability while taking into account every different scenario: - HTTPS routes - HTTP routes with Direct Response - HTTP routes with single backend - HTTP routes with multiple load-balanced backends Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 30 November 2022, 14:36:29 UTC
b8d9283 Revert "test: Remove flaking test" Reintroduce the TLS test without HTTP rules, as it turns out this test failed due to Cilium agent command line option breakage that is now fixed in master. This reverts commit a75e24b558703a4f66337ad28849c6a79240166f. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 November 2022, 14:32:45 UTC
6a01c5e docs: Make ginkgo install line more specific Specify "v1.16.5" (latest ginkgo version < 2) instead of "latest", as required. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 November 2022, 14:32:45 UTC
bbe6c85 bugtool: Add 'cilium policy get' and 'cilium endpoint list' Add output of 'cilium policy get' to bugtool to gain visibility to the state of the policy repository. This may help figure out if missing bpf policy map entries are due to translation from CNP to policy repository, or from policy repository to the bpf policy maps. Add 'cilium endpoint list' to get a concise summary of Cilium endpoints on the node, including their policy enforcement status. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 30 November 2022, 14:32:45 UTC
672859a Helm: Resources option for apiserver etcd This patch adds the option to configure the resources of the init container and the container of etcd in the apiserver pods. Signed-off-by: Sven Haardiek <sven.haardiek@uni-muenster.de> 30 November 2022, 14:31:41 UTC
6cc0244 ci: update cilium-cli to v0.12.10 for master, v1.11 and v1.12 workflows v0.12.10 release notes: https://github.com/cilium/cilium-cli/releases/tag/v0.12.10 v0.12.9 release notes: https://github.com/cilium/cilium-cli/releases/tag/v0.12.9 Signed-off-by: Tobias Klauser <tobias@cilium.io> 30 November 2022, 13:18:05 UTC
fd014b1 ci: force deploy connectivity test pods in successive GKE test steps Use `cilium connectivity test --force-deploy` instead of manually deleting the pods in a separate step. This follows the suggestion given in the respective issue [1] and is also used successfully in other workflows (and even further down in the GKE workflow). [1] https://github.com/cilium/cilium-cli/issues/156#issuecomment-820808129 Ref. https://github.com/cilium/cilium-cli/issues/156 Signed-off-by: Tobias Klauser <tobias@cilium.io> 30 November 2022, 13:18:05 UTC
b235e91 build(deps): bump cilium/little-vm-helper Bumps [cilium/little-vm-helper](https://github.com/cilium/little-vm-helper) from 9bb7d6016e00968adff49dae192a0be87d9c3aef to 83d306aeb0b731c4d29f8762f576ff484aa7a69c. - [Release notes](https://github.com/cilium/little-vm-helper/releases) - [Commits](https://github.com/cilium/little-vm-helper/compare/9bb7d6016e00968adff49dae192a0be87d9c3aef...83d306aeb0b731c4d29f8762f576ff484aa7a69c) --- updated-dependencies: - dependency-name: cilium/little-vm-helper dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 30 November 2022, 07:42:33 UTC
a564d01 Fix 'egressIP' field indentation Signed-off-by: yulng <wei.yang@daocloud.io> 30 November 2022, 00:13:00 UTC
39c3a43 add policy fuzzers Adds fuzzers that test whether cilium can crash after sanitizing a rule. To test these fuzzers locally, run go test -fuzz=FuzzTestName, for example go test -fuzz=FuzzCiliumNetworkPolicyParse Signed-off-by: AdamKorcz <adam@adalogics.com> 29 November 2022, 22:15:02 UTC
2f1ea52 Revert "bgp: BGP Control Plane modularization" This reverts commit ce075dcbe38df77ff94e3a525e0d97f322333199. Control plane tests fail reliably after this commit. Signed-off-by: Joe Stringer <joe@cilium.io> 29 November 2022, 22:06:55 UTC
d095e01 docs: update roadmap for graduation application Signed-off-by: Bill Mulligan <billmulligan516@gmail.com> Co-Authored-By: Aditi Ghag <aditi@cilium.io> 29 November 2022, 19:06:44 UTC
833320b generated eni limits for AWS Cilium does not have defined eni limits for some AWS instance types Signed-off-by: Timur Solodovnikov <tsolodov@gmail.com> 29 November 2022, 16:27:47 UTC
c8919a3 .github: pin alpine versions to 3.16 in stable branches We don't need to update alpine docker images in stable versions so we should keep with the 3.16 version. Signed-off-by: André Martins <andre@cilium.io> 29 November 2022, 16:27:24 UTC
5c3441b option: Fix Populate entries using "viper" package. option.DaemonConfig.Populate() must use the passed in '*viper.Viper' instead of 'viper' as a package. Otherwise populated values will be zeroes. This made Cilium Agent not wait for FQDN proxy results to be plumbed into the datapath before returning the DNS response, which caused test flakes due to test traffic possibly hitting the datapath or Envoy before policy had reached there. Fixes: #22346 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 29 November 2022, 16:06:08 UTC
ce075dc bgp: BGP Control Plane modularization This work converts the BGP Control Plane controller and BGP Route Manager into hive cells, leaving as much of the existing code intact. These cells are now hooked into the agent hive directly. The daemon now takes the Controller as parameter both to preserve the behavior of setting the controller as a field value on the daemon and so the BGP controller's lifecycle events are invoked. Follow up commits can break the package up into more discrete parts to aid in testing the individual components and/or mocking them out. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 November 2022, 12:26:13 UTC
0df5768 mlh: update Jenkins jobs following 1.26 support K8s 1.26 support was added in 70252f41788028bdfeeadef4b2ed5569106b42e5. We have rotated / expanded the Jenkins test jobs as follows: - Changed: Kernel 5.4 on K8s 1.24 (instead of 1.23, triggered on `/test`). - Changed: Kernel 4.19 on K8s 1.25 (instead of 1.24, triggered on `/test`). - Changed: Kernel net-next on K8s 1.26 (instead of 1.25, triggered on `/test`). - Added: Kernel 4.9 on K8s 1.24 (triggered on `/test-missed-k8s`). See the Table of Truth™️ for up to date status on all trigger phrases: https://docs.google.com/spreadsheets/d/1TThkqvVZxaqLR-Ela4ZrcJ0lrTJByCqrbdCjnI32_X0/edit#gid=0 Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 29 November 2022, 10:41:28 UTC
6b58ed5 relay: Add Go runtime metrics and process metrics Currently the agent has a GoCollector and ProcessCollector but relay does not, this updates the relay for consistency and enhanced debuggability. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 29 November 2022, 03:02:48 UTC
0a5cc70 images: update cilium-{runtime,builder} Signed-off-by: Tobias Klauser <tobias@cilium.io> 29 November 2022, 03:02:21 UTC
d5d6a6f images/runtime, go.mod, vendor: update gops to v0.3.26 Release notes: https://github.com/google/gops/releases/tag/v0.3.26 Signed-off-by: Tobias Klauser <tobias@cilium.io> 29 November 2022, 03:02:21 UTC
4d02f4a test/controlplane: add cnp nodes status updates gc test Add a controlplane unit test to verify that the stale policy enforcement updates are deleted from the Status section of CNPs and CCNPs when the related startup GC is enabled. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 29 November 2022, 03:01:49 UTC
3b551b8 operator: move API server shutdown channel to cell constructor The operator API server requires a channel parameter to be used for cancellation. This channel is currently declared as a package-level variable and thus it is initialized only once at package import time. Instead, the channel is closed in a cleanup function, every time the operator is about to stop. This behavior leads to a panic when running controlplane unit tests that need to start and stop the operator repeatedly:
panic: close of closed channel [recovered]
	panic: close of closed channel
goroutine 73 [running]:
testing.tRunner.func1.2({0x2e1e240, 0x396b1e0})
	/usr/local/go/src/testing/testing.go:1396 +0x24e
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1399 +0x39f
panic({0x2e1e240, 0x396b1e0})
	/usr/local/go/src/runtime/panic.go:884 +0x212
github.com/cilium/cilium/operator/cmd.doCleanup()
	/home/pippolo/go/src/github.com/cilium/cilium/operator/cmd/root.go:189 +0x3a
github.com/cilium/cilium/operator/cmd.registerOperatorHooks.func2({0x7fbf9059f2e0?, 0xc0018dd940})
	/home/pippolo/go/src/github.com/cilium/cilium/operator/cmd/root.go:130 +0x65
github.com/cilium/cilium/pkg/hive.Hook.Stop(...)
	/home/pippolo/go/src/github.com/cilium/cilium/pkg/hive/lifecycle.go:41
github.com/cilium/cilium/pkg/hive.(*DefaultLifecycle).Stop(0xc0005286c0, {0x39add48?, 0xc0000780a8?})
	/home/pippolo/go/src/github.com/cilium/cilium/pkg/hive/lifecycle.go:128 +0x2ba
github.com/cilium/cilium/pkg/hive.(*Hive).Stop(0xc000594380, {0x39add48, 0xc0000780a8})
	/home/pippolo/go/src/github.com/cilium/cilium/pkg/hive/hive.go:247 +0x85
github.com/cilium/cilium/test/controlplane/suite.(*operatorHandle).tearDown(0xc000841500)
	/home/pippolo/go/src/github.com/cilium/cilium/test/controlplane/suite/operator.go:19 +0x33
github.com/cilium/cilium/test/controlplane/suite.(*ControlPlaneTest).StopOperator(...)
	/home/pippolo/go/src/github.com/cilium/cilium/test/controlplane/suite/testcase.go:190
To solve the issue, the commit moves the initialization of the channel into the operator cell constructor. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 29 November 2022, 03:01:49 UTC
3c49e4a fix: correct parsing of multi-option 'key:value's for config options This fixes support for multi-option 'key:value's used for config options when only a single top-level key-value is provided, such as '--api-rate-limit endpoint-create=rate-limit:2/s,rate-burst:4'. Fixes: #22233 Fixes: 070ded019adb ("cmd: Allow more complicated patterns in map string type.") Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 29 November 2022, 03:00:45 UTC
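The flag value quoted in the commit above, `--api-rate-limit endpoint-create=rate-limit:2/s,rate-burst:4`, is awkward to parse because the comma separates both the `name:value` sub-options and, when several are given, the top-level `key=` entries. The example below is added here and is not Cilium's own parser; the grammar it assumes is that a comma-separated segment containing `=` opens a new top-level key and every other segment belongs to the key most recently opened. The single-key case the commit message says used to break is exactly the one where the loop sees `=` only once.

```go
package main

import (
	"fmt"
	"strings"
)

// parseMultiOption splits a flag value such as
//   endpoint-create=rate-limit:2/s,rate-burst:4
// or, with several top-level keys,
//   endpoint-create=rate-limit:2/s,rate-burst:4,endpoint-delete=rate-limit:1/s
// into a map of top-level key -> raw sub-option string. The grammar is an
// assumption for this example (not Cilium's): ',' separates segments at both
// levels and a segment containing '=' starts a new top-level key.
func parseMultiOption(value string) (map[string]string, error) {
	out := map[string]string{}
	current := ""
	for _, seg := range strings.Split(value, ",") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		if key, rest, ok := strings.Cut(seg, "="); ok {
			// A new top-level entry. With a single key this branch runs once
			// and every remaining segment is a continuation of it.
			if key == "" {
				return nil, fmt.Errorf("empty key in segment %q", seg)
			}
			current = key
			out[current] = rest
			continue
		}
		if current == "" {
			return nil, fmt.Errorf("sub-option %q appears before any key=value", seg)
		}
		// Continuation of the current key's sub-options.
		if out[current] == "" {
			out[current] = seg
		} else {
			out[current] += "," + seg
		}
	}
	return out, nil
}

// parseSubOptions turns "rate-limit:2/s,rate-burst:4" into name -> value.
func parseSubOptions(raw string) (map[string]string, error) {
	out := map[string]string{}
	for _, kv := range strings.Split(raw, ",") {
		name, val, ok := strings.Cut(kv, ":")
		if !ok || name == "" {
			return nil, fmt.Errorf("expected name:value, got %q", kv)
		}
		out[name] = val
	}
	return out, nil
}

func main() {
	for _, in := range []string{
		"endpoint-create=rate-limit:2/s,rate-burst:4",
		"endpoint-create=rate-limit:2/s,rate-burst:4,endpoint-delete=rate-limit:1/s",
		"rate-limit:2/s", // no top-level key: rejected
	} {
		top, err := parseMultiOption(in)
		if err != nil {
			fmt.Printf("%q -> error: %v\n", in, err)
			continue
		}
		for key, raw := range top {
			sub, err := parseSubOptions(raw)
			fmt.Printf("%q -> %s = %v (err=%v)\n", in, key, sub, err)
		}
	}
}
```

The value for each key is kept verbatim so a second pass can validate the `name:value` pairs; rejecting a leading sub-option with no key is what turns a silently wrong rate limit into a startup error.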
4b75829 helm: Configure node label in cilium/hubble relabelings by default Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 29 November 2022, 00:37:02 UTC
309103d helm: Add relabelings config to ServiceMonitors This is needed to add the node as a label to metrics, or other service discovery meta labels. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 29 November 2022, 00:37:02 UTC
c21c1ee bpf: For stateless nat both src and dst IPv6 addresses must have prefix Extend the check for both src and dst to require the prefix, and only then perform stateless NAT46x64. Reason is that when just the IPv6 dst has it, then we want to perform stateful NAT instead. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 November 2022, 23:40:35 UTC
aa7558c bpf: Also include ICMP traffic for L3-based NAT46/64 Our NAT46x64 engine can handle ICMP/ICMP6 packets for certain types like ICMP_ECHO, ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED and ICMP_PARAMETERPROB. Therefore, consider them under stateless NAT. Example with GW under XDP and tc BPF: [...] 12:13:26.269252 IP6 64:ff9b::101:102 > 64:ff9b::c0a8:20c: ICMP6, echo request, seq 1, length 64 12:13:26.269916 IP 1.1.1.2 > 192.168.2.12: ICMP echo request, id 9, seq 1, length 64 12:13:26.269950 IP 192.168.2.12 > 1.1.1.2: ICMP echo reply, id 9, seq 1, length 64 12:13:26.270582 IP6 64:ff9b::c0a8:20c > 64:ff9b::101:102: ICMP6, echo reply, seq 1, length 64 [...] Reported-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 November 2022, 23:40:35 UTC
1203d9e cilium, monitor: Add regenerated flow api code Generated code around NAT46/64 drop reason from `make generate-hubble-api`. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 November 2022, 23:40:35 UTC
51ee963 cilium, monitor: Add nat46 and nat64 drop reason Both were missing, so let's fix that. Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 November 2022, 23:40:35 UTC
e8407ba docs: clarifications about CNCF maintainer status Signed-off-by: Liz Rice <liz@lizrice.com> 28 November 2022, 23:08:11 UTC
a75e24b test: Remove flaking test Remove new part of TLS test that keeps flaking in most PRs. Will be added back when flaking is resolved. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 28 November 2022, 19:48:37 UTC
cf3cc16 fqdn: dnsproxy: fix forwarding of the original security identity for TCP In case of TCP it is not enough to do net.Dial + setsockopt(SO_MARK), as in this case the TCP SYN will have a wrong identity, e.g.: Policy verdict log: flow 0x7a95a133 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:42437 -> 10.244.1.120:53 tcp SYN Policy verdict log: flow 0x907eaa19 local EP ID 458, remote ID host, proto 6, ingress, action allow, match L3-Only, 172.19.0.2:56276 -> 10.244.1.120:53 tcp SYN Here the second message has the wrong identity (host). We still allow the traffic, as the origin is the local host and coredns is running on the same host, but this will not work for a remote host if the ingress policy doesn't allow the remote-node identity. To fix this we need to pass a Control parameter to Dial, so that setsockopt(2) is called before the connect(2). With such a change we now see the correct identity in case of TCP: Policy verdict log: flow 0xeb7902a9 local EP ID 393, remote ID 14616, proto 6, egress, action redirect, match L3-L4, 10.244.1.122:36661 -> 10.244.1.120:53 tcp SYN Policy verdict log: flow 0x4efbc5a0 local EP ID 458, remote ID 41903, proto 6, ingress, action allow, match L3-L4, 172.19.0.2:40508 -> 10.244.1.120:53 tcp SYN Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity") Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 28 November 2022, 18:10:19 UTC
8264fd4 fqdn: dnsproxy: fix forwarding of the security identity for cluster mesh The commit 44c1def67854 wrongly forwarded only lower 16 bits of the original identity. This might corrupt identities when cluster-id is not zero (as the cluster-id is encoded in bits 16..23 of the identity) and leads to policy drops due to unknown identity, e.g. xx drop (Policy denied) flow 0xd1a7add4 to endpoint 3966, file bpf_lxc.c line 2032, , identity 47657->157516: 10.2.3.223:55853 -> 10.2.3.206:53 udp (Here the security identity 47657 doesn't exist, as it should actually be equal to 0x10000|47657 = 113193.) Fix this by also storing bits 16..23 of the identity in the skb mark according to the datapath ABI, i.e., skb mark should be equal to (id << 16) | (id >> 16). Fixes: 44c1def67854 ("fqdn: dnsproxy: forward the original security identity") Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Anton Protopopov <aspsk@isovalent.com> 28 November 2022, 18:10:19 UTC
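The two dnsproxy commits above (cf3cc16 and 8264fd4) describe one mechanism with two defects: the identity is carried to the datapath in the socket mark, so it has to be encoded with all 24 bits and it has to be set before the SYN leaves. The example below is added here and is not Cilium's code. It encodes the identity exactly as the commit message states the ABI, `mark = (id << 16) | (id >> 16)`, next to the lower-16-bits-only encoding the bug produced, and builds a `net.Dialer` whose `Control` hook sets `SO_MARK` before `connect(2)`. Assumptions: the magic marker bits Cilium also places in the mark are omitted, `SO_MARK` is hard-coded to its Linux value 36, and setting it requires CAP_NET_ADMIN, so `main` does not actually dial.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// soMark is SO_MARK from <asm-generic/socket.h> (Linux only; setting it needs
// CAP_NET_ADMIN). Spelled out so the file compiles where the syscall package
// lacks the symbol.
const soMark = 36

// encodeMarkBuggy models the behaviour described for commit 44c1def67854:
// only the lower 16 bits of the identity are forwarded, so the cluster-id in
// bits 16..23 is lost and the receiver sees an identity that does not exist.
func encodeMarkBuggy(id uint32) uint32 {
	return (id & 0xFFFF) << 16
}

// encodeMark follows the datapath ABI quoted in the commit message:
// mark = (id << 16) | (id >> 16). Identity bits 0..15 land in the upper half
// of the mark, bits 16..23 in the low byte. The magic marker bits the real
// datapath also sets are left out (assumption for this example).
func encodeMark(id uint32) uint32 {
	return (id << 16) | (id >> 16)
}

// decodeMark rebuilds the identity from the two halves of the mark.
func decodeMark(mark uint32) uint32 {
	return (mark >> 16) | ((mark & 0xFF) << 16)
}

// newMarkedDialer returns a net.Dialer whose Control hook sets SO_MARK on the
// socket before connect(2) runs, so the TCP SYN already carries the mark.
// Calling setsockopt after net.Dial returns is too late for the SYN, which is
// the TCP problem cf3cc16 describes.
func newMarkedDialer(mark uint32) *net.Dialer {
	return &net.Dialer{
		Control: func(network, address string, c syscall.RawConn) error {
			var sockErr error
			if err := c.Control(func(fd uintptr) {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, soMark, int(mark))
			}); err != nil {
				return err
			}
			return sockErr
		},
	}
}

func main() {
	// Identity from the commit message: cluster-id 1, numeric identity 47657.
	id := uint32(0x10000 | 47657) // 113193
	fmt.Printf("identity %d -> buggy mark %#x decodes to %d\n",
		id, encodeMarkBuggy(id), decodeMark(encodeMarkBuggy(id)))
	fmt.Printf("identity %d -> fixed mark %#x decodes to %d\n",
		id, encodeMark(id), decodeMark(encodeMark(id)))
	// newMarkedDialer(encodeMark(id)).DialContext(ctx, "tcp", "10.244.1.120:53")
	// would send the SYN with the mark applied; not run here because it needs
	// CAP_NET_ADMIN and a reachable DNS proxy.
	_ = newMarkedDialer(encodeMark(id))
}
```

Decoding the buggy mark yields 47657, the "unknown" identity in the drop log quoted in 8264fd4, while the fixed encoding round-trips 113193. The `Control` hook is the only place where a socket option can be applied between `socket(2)` and `connect(2)` with the standard library dialer.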
b8a6791 Some tofqdn flags not being parsed Signed-off-by: Carlos Castro <carlos.castro@jumo.world> 28 November 2022, 16:23:25 UTC
bb28996 ctmap: Add missing FromL7LB flag 'FromL7LB' was not added for string conversion when it was added to the map, do it now. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 28 November 2022, 16:18:54 UTC
f59df85 ignore auto-generated pkg/k8s/client directories for PR reviews and codeownership Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 28 November 2022, 11:26:38 UTC
70252f4 Update k8s tests and libraries to v1.26.0-rc.0 Upstream changes included changing Ingress.LoadBalancerStatus from corev1.LoadBalancerStatus to networkingv1.IngressLoadBalancerStatus. This required the addition of 2 new factory funcs to convert slim.LoadBalancerIngress to networkingv1.IngressLoadBalancerIngress and another to convert LoadBalancerStatus to IngressLoadBalancerStatus in the slim client. See: https://github.com/kubernetes/kubernetes/pull/106242 Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 28 November 2022, 11:26:38 UTC
f09610e ingestion/gateway-api: Map backend weight to model This commit is to make sure the weightage value is propagated to internal model. Relates: 58c8aff11062f944e9f3a18569c647c64edd1bc9 Reported-by: Nico Vibert <nicolas.vibert@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 November 2022, 10:05:45 UTC
15baaec .clomonitor: Update CLOMonitor checks exemptions Add dangerous workflow, signed releases and token permissions checks to CLOMonitor exemptions. Signed-off-by: Sandipan Panda <samparksandipan@gmail.com> 28 November 2022, 10:05:01 UTC
93ed15d build(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.50.1 to 1.51.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.50.1...v1.51.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 28 November 2022, 10:02:07 UTC
d895d08 bpf: lb: remove direction argument in lb*_extract_key() It's always CT_EGRESS. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 28 November 2022, 10:01:36 UTC
1a2fb11 bpf: nodeport: fine-tune path for delivery to local backend When delivering a packet to its selected backend, we already have a check for whether the backend is local. Also use this path when deciding whether the packet should be passed up to the stack. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 28 November 2022, 10:01:36 UTC
79ea936 bpf: nodeport: reduce scope of macaddr variables The macaddr variables are only needed when updating the neighbour map. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 28 November 2022, 10:01:36 UTC
e20e925 datapath: remove unused ENCRYPT_NODE macro It's safe to remove this unused macro. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 28 November 2022, 09:58:33 UTC
5b573c3 Make fsnotify event more readable. Signed-off-by: yanggang <gang.yang@daocloud.io> 28 November 2022, 09:57:51 UTC
e6fb48a helm: Add secret permission for agent This commit is to make sure that cilium agent has the required secret permission if gateway api (but not Ingress) is enabled. The original commit 759f7161a925b4e837338bd5c667c1abd8e59452 added the same logic for operator, but missed out the agent part. The end-goal is to have ingress and gateway api as independent features, so that users can just enable only what they need. Without this change, gateway API will work if and only if ingressController.enabled is set and the default secret namespace is used (e.g. cilium-secrets). Relates: 759f7161a925b4e837338bd5c667c1abd8e59452 Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 November 2022, 09:55:59 UTC
c057af2 build(deps): bump golang.org/x/tools from 0.2.0 to 0.3.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 28 November 2022, 09:54:12 UTC
b9f7292 envoy: Do not set AutoSNI options Cilium filters already set SNI when available, and Envoy may crash if auto_sni option is used in this case. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
18a2b2c proxylib: Do not log raw policies Policies may contain large sets of TLS certificates, avoid polluting the logs with them. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
663f7c0 envoy: Add TLS filter chains for TCP proxy Add TLS filter chains so that TLS can be used also with TCP proxy. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
c733439 policy: Allow TLS termination and origination without L7 rules Add new L7ParserType "tls" to be used when TLS termination and/or origination is needed, and when no L7 policy is to be used. Use Envoy TCP proxy for TLS termination and/or origination in this case. artii.herokuapp.com is no more, so tests against it fail. Remove them and unquarantine the TLS test. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
86a6445 policy: Fix comments Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
ec4f132 policy: Factor out L7ParserType.Merge() Factor out the merging logic of L7ParserTypes and add a unit test. This makes adding new types with more complex merging logic easier in the future. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
d9471a0 policy: Use generated DeepEqual() in PerSelectorPolicy.Equal() Use generated DeepEqual() in PerSelectorPolicy.Equal() instead of reflection. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
ca801ee policy-api: Use Len for IsEmpty Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
c43a02d Envoy: Upgrade for SNI enforcement Update Envoy image with: - websocket filters (cilium.network.websocket.client and cilium.network.websocket.server) - use upstream destination address for egress policy enforcement only if listener is an L7 LB listener. This allows listener to tunnel pod traffic while the original destination address is used for policy enforcement rather than the tunnel destination address. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 26 November 2022, 15:03:24 UTC
c892dbb build(deps): bump github.com/hashicorp/consul/api from 1.15.3 to 1.17.0 Bumps [github.com/hashicorp/consul/api](https://github.com/hashicorp/consul) from 1.15.3 to 1.17.0. - [Release notes](https://github.com/hashicorp/consul/releases) - [Changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/consul/compare/api/v1.15.3...api/v1.17.0) --- updated-dependencies: - dependency-name: github.com/hashicorp/consul/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 26 November 2022, 01:21:15 UTC
cf6b274 build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.5 to 3.5.6 Bumps [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd) from 3.5.5 to 3.5.6. - [Release notes](https://github.com/etcd-io/etcd/releases) - [Changelog](https://github.com/etcd-io/etcd/blob/main/Dockerfile-release.amd64) - [Commits](https://github.com/etcd-io/etcd/compare/v3.5.5...v3.5.6) --- updated-dependencies: - dependency-name: go.etcd.io/etcd/client/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 26 November 2022, 01:18:40 UTC
09f72f7 resource: Fix queue entry coalescing The entries added to the resource's workqueue were added as pointers which messes up the comparisons causing coalescing to not happen. This causes TestResource_Retries to flake sometimes with: Error: Not equal: expected: 5 actual : 10 Test: TestResource_Retries Messages: expected to see 5 retries for update What happens is that the key gets requeued as &updateEntry{key}, which doesn't match with the previous one &updateEntry{key}, so it's effectively a new entry with its own rate limiting and retry count state and thus we end up seeing more retries than expected. This fixes the issue by adding the entries by value. The comparisons of syncEntry and updateEntry are now trivially correct. The deleteEntry carries the pointer to the last known state of the deleted object, but this is fine since there can only be one such object. Signed-off-by: Jussi Maki <jussi@isovalent.com> 26 November 2022, 01:17:30 UTC
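The coalescing failure described in the commit above comes down to how Go compares map keys: two struct values with equal fields are equal, two freshly allocated pointers never are. The example below is added here and is not Cilium's workqueue; it is a minimal dedup queue keyed by `any` (assumed stand-in for the real queue's dirty set), with the entry type names taken from the commit message, and it shows the same requeue loop once with pointer entries and once with value entries.

```go
package main

import "fmt"

// updateEntry and deleteEntry mirror the names in the commit message; the
// queue itself is a simplified stand-in for the real workqueue (assumption).
type updateEntry struct{ key string }

// deleteEntry keeps a pointer to the last known object state; as the commit
// notes, that is fine because only one delete can exist per key.
type deleteEntry struct {
	key  string
	last *string
}

// coalescingQueue deduplicates with a map keyed by the entry itself, like a
// workqueue's dirty set. Whether two Adds coalesce therefore depends purely
// on how the entry type compares under ==.
type coalescingQueue struct {
	dirty map[any]struct{}
	order []any
}

func newQueue() *coalescingQueue {
	return &coalescingQueue{dirty: map[any]struct{}{}}
}

// Add enqueues e unless an equal entry is already pending.
func (q *coalescingQueue) Add(e any) {
	if _, pending := q.dirty[e]; pending {
		return // coalesced with the pending entry
	}
	q.dirty[e] = struct{}{}
	q.order = append(q.order, e)
}

func (q *coalescingQueue) Len() int { return len(q.order) }

// requeueByPointer reproduces the bug: every retry adds &updateEntry{key}, a
// distinct pointer, so nothing coalesces and each retry gets its own
// rate-limit and retry-count state.
func requeueByPointer(key string, retries int) int {
	q := newQueue()
	for i := 0; i < retries; i++ {
		q.Add(&updateEntry{key: key})
	}
	return q.Len()
}

// requeueByValue is the fix: entries are added by value, equal keys compare
// equal, and all retries collapse onto the single pending entry.
func requeueByValue(key string, retries int) int {
	q := newQueue()
	for i := 0; i < retries; i++ {
		q.Add(updateEntry{key: key})
	}
	return q.Len()
}

func main() {
	fmt.Println("pointer entries pending after 5 requeues:", requeueByPointer("default/svc", 5))
	fmt.Println("value entries pending after 5 requeues:  ", requeueByValue("default/svc", 5))
}
```

A queue keyed by `any` accepts both shapes silently, which is why the bug only surfaced as a flaky retry count; making the entry type a value (or keying the dirty set by an explicit string key) removes the ambiguity.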
0d2c2a8 doc: fixed broken doc link in helm chart Signed-off-by: David Calvert <david@0xdc.me> 26 November 2022, 01:11:16 UTC
c2d6908 preflight: Fail 'validate-cnp' check for empty to/from endpoints selector Previously, 'validate-cnp' preflight check would log a verbose warning if it detected a CCNP with an empty toEndpoints/fromEndpoints selector and pass the check with the following output: time="2022-11-03T15:50:04Z" level=info msg="Validation OK!" CiliumClusterwideNetworkPolicy=test-empty-endpointselector time="2022-11-03T15:50:04Z" level=info msg="All CCNPs and CNPs valid!" This could be misleading and tempt the user to ignore the warning. The preflight check will now fail with the following output: time="2022-11-03T16:05:30Z" level=error msg="Unexpected validation error" CiliumClusterwideNetworkPolicy=test-empty-endpointselector error="use of empty toEndpoints/fromEndpoints selector" time="2022-11-03T16:05:30Z" level=error msg="Start hook failed" error="Found invalid CiliumClusterwideNetworkPolicy" function="cilium/cmd.validateCNPCmd.func1.1 (preflight_k8s_valid_cnp.go:41)" subsys=hive time="2022-11-03T16:05:30Z" level=info msg="Stop hook executed" duration="21.858µs" function="pkg/k8s/client.(*compositeClientset).onStop-fm (<autogenerated>:1)" subsys=hive time="2022-11-03T16:05:30Z" level=fatal msg="failed to start: Found invalid CiliumClusterwideNetworkPolicy" Fixes: #17471 Signed-off-by: Tim Horner <timothy.horner@isovalent.com> 26 November 2022, 00:44:07 UTC
0101700 hubble/metrics: Fix label ordering in Hubble TCP metrics The code setting the flag label value assumes that it's the first label in the slice. If context options are enabled, then it's not true, so one of the context labels incorrectly gets the flag value, and the flag label gets discarded. Fixes: d4d73681026b ("hubble/metrics: Replace panic in contextLabels with error log") Signed-off-by: Anna Kapuscinska <anna@isovalent.com> 26 November 2022, 00:42:58 UTC
faa0135 test: Move log-gatherer image to Quay Some CI jobs are failing because we are getting rate-limited on docker.io for the log-gatherer image. André copied it to Quay and we can now use that instead of docker.io. Signed-off-by: Paul Chaignon <paul@cilium.io> 26 November 2022, 00:40:40 UTC
655ed8d docs: Add LB-IPAM documentation This commit adds documentation for the LB-IPAM feature. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 26 November 2022, 00:39:59 UTC
8df3d1e operator: Add LB-IPAM This commit adds the LB-IPAM feature. LB-IPAM allows users to specify a set of pools containing one or more CIDRs. Services of type LoadBalancer will receive Ingress IPs from these pools. LB-IPAM is part of the ongoing work to add service announcements to the BGP Control Plane. However, the component is designed to be generic so it can be used by other features as well. Co-authored-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 26 November 2022, 00:39:59 UTC
c278055 k8s: Rename and reuse BGP IP Pool This commit renames the CiliumBGPLoadBalancerIPPool CRD to the CiliumLoadBalancerIPPool so it may be used for load balancers other than those that use BGP. The IP Pool will be used by the operator's LB IPAM component, and the contents of the CRD have been updated to match the new requirements. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 26 November 2022, 00:39:59 UTC
86e41f1 k8s/resource: Expose the underlying cache.Store in Store[T] To make it easier to partially transition to using Resource[T], expose the underlying cache.Store. Hopefully temporary :fingerscrossed:. Signed-off-by: Jussi Maki <jussi@isovalent.com> 26 November 2022, 00:39:59 UTC
ebb9a78 k8s/slim: Add missing fields needed by LB-IPAM This adds: - metav1.Condition, metav1.ConditionStatus - metav1.ObjectMeta.Generation - corev1.IPFamilyPolicy - corev1.IPFamilyPolicyType - corev1.LoadBalancerClass - corev1.Service.{IPFamilyPolicy, LoadBalancerClass} - corev1.ServiceStatus.Condition Signed-off-by: Jussi Maki <jussi@isovalent.com> 26 November 2022, 00:39:59 UTC
ec41c3d test: remove kube-proxy-replacement: probe from upstream tests This option was removed by 691f1c33c9ad and broke all upstream tests. This commit removes this setting as well to make the tests pass. As some tests are failing because KPR is now disabled, we need to set sessionAffinity=true to make the relevant session affinity conformance tests pass. Fixes: 691f1c33c9ad ("daemon: Remove KPR=probe") Signed-off-by: André Martins <andre@cilium.io> 25 November 2022, 21:27:59 UTC
fe39350 helm: Do not create Grafana dashboards by default The default in #21181 was true, but not everyone uses Grafana and this was already brought up in a comment in the previous PR that it can cause troubles with the cilium upgrade preflight manifest. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> 25 November 2022, 11:27:36 UTC
14babaf chore: fix typo in enableCNPWatcher comment Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
f4ff2ce operator: rate limit CNP nodes status clean up When the option `disable-cnp-status-updates` is set to true, the operator, at startup, will garbage collect all stale status nodes updates in CNPs and CCNPs. To avoid an excessive request rate to the API server, the clean up is rate limited. The request rate per second and the maximum allowed burst of requests are controlled, respectively, by the two new options `cnp-status-cleanup-qps` and `cnp-status-cleanup-burst`. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
c2c66a8 operator: add a flag to skip CNP status cleaning at startup When the option `disable-cnp-status-updates` is set to true, the operator, at startup, will garbage collect all stale status nodes updates in CNPs and CCNPs. This new option `skip-cnp-status-startup-cleaning` may be used to skip this clean up so as to speed up the operator startup. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
20bd519 operator: clear CNP status nodes if updates disabled When the option `disable-cnp-status-updates` is set to true, no policy enforcement update is tracked in CiliumNetworkPolicies. However, if the option was previously set to false, the field status.nodes still contains the last status of each node when the feature was turned off. Currently, the GC in the cilium operator removes status entries only if the relative node has been turned off. Given that these stale updates may hinder scalability for large clusters, we clean up all those entries at startup if `disable-cnp-status-updates` is set to true. Fixes #20231 Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
fdc6d39 operator: use GC controller context while patching CNPs Use the context from the GC controller to execute the update queries. Doing so, possible pending queries will be cancelled as soon as the controller context is cancelled. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
22ba23e operator: fix typos in CNP node status gc Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
1b33ead operator: preallocate cnp list backing array The number of returned CiliumClusterwideNetworkPolicies is known in advance, so the preallocation of the backing array will avoid reallocations after the append. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 25 November 2022, 11:27:22 UTC
ee428c8 workflows: aks: bump timeout to 60m Some test runs are timing out as each of the 2 connectivity test runs takes about 18/19 minutes. So bump the timeout to 1 hour. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 25 November 2022, 11:27:06 UTC
a447012 bugtool: add missing bpftool vtep map dump add missing bpftool vtep map dump in cilium bugtool Signed-off-by: Vincent Li <v.li@f5.com> 24 November 2022, 19:32:28 UTC
0ded29b daemon: Deprecate force-local-policy-eval-at-source This should never have been exposed to users in the first place. It also causes issues when set to true, as explained in the previous commit. There are other ways to control if policy enforcement happens at the source or not (enable-endpoint-routes). Signed-off-by: Paul Chaignon <paul@cilium.io> 24 November 2022, 17:07:41 UTC
3277400 options: Disable force-local-policy-eval-at-source by default The force-local-policy-eval-at-source flag was introduced in commit c525c755 ("bpf: Continue to enforce policy at source endpoint unless disabled"). It is enabled by default and causes Cilium to always enforce policies at the source when the destination is a local pod. Unfortunately, this flag is also causing issues when both endpoint routes and tunneling are enabled [1] (a configuration that was not possible at the time the flag was introduced). We have enough test coverage (L7 on multiple cloud providers) now to be able to safely disable this flag by default. We can remove it after a couple releases. 1 - https://github.com/cilium/cilium/issues/14657 Signed-off-by: Paul Chaignon <paul@cilium.io> 24 November 2022, 17:07:41 UTC
b332f4b workflows: aks: collect sysdumps for each failing test Signed-off-by: Gilberto Bertin <jibi@cilium.io> 24 November 2022, 14:32:56 UTC