https://github.com/cilium/cilium

761a810 Prepare for release v1.14.13 Signed-off-by: Cilium Release Bot <noreply@cilium.io> 11 July 2024, 15:36:14 UTC
8acae59 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 09 July 2024, 15:30:26 UTC
3b0aab5 socketlb: tolerate cgroupv1 when detaching bpf programs [ upstream commit 4db2be8df0eb5ce5473ef691949c7403994c47f1 ] This fixes a regression where Cilium fails to start because it fails to detach socketlb progs from a cgroupv1. This happens because QueryPrograms will fail with EBADF on a cgroupv1. To cleanup remaining programs from socketlb, we always try to remove these programs from the root cgroup. This commit ensures we don't fail to detach socketlb programs from a cgroupv1, as we would never succeed to attach any programs here in the first place. Signed-off-by: Robin Gögge <r.goegge@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
9643967 Fix too many open Unix sockets [ upstream commit d4a4faff529e9665428bab3f227dfd052c745b7c ] Fixes: #33542 Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
b166db2 bpf: lxc: fix up reporting of drop reason in drop_for_direction() [ upstream commit 83fa353200d4576fd0fa8a706be70e0af3644f86 ] [ backporter's notes: minor conflict due to different function signature ] DROP_* reasons are negative values. Reported-by: Nikita V. Shirokov <tehnerd@tehnerd.com> Relates: https://github.com/cilium/cilium/issues/32473 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
8de785f ipsec: do not nil out EncryptInterface when using IPAM ENI [ upstream commit 9343a62c9e3b0af18ce1fc50983e598a48f20897 ] [ backporter's note: minor conflict in imported packages ] netlink.LinkList() can return a transient kernel interrupt error. This commit adds a retry when this occurs in loader.reinitializeIPSec() to prevent nilling out or misconfiguring EncryptInterface. Additionally, it will now surface an error instead of swallowing it. Signed-off-by: Jason Aliyetti <jaliyetti@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
5de49f1 Update ipsec to handle larger psk values [ upstream commit 866829248fe718776c21f59be9013c24f0f7baea ] [ backporter's note: minor conflict with unit tests ] For psk values <= 32 bytes use SHA256 to compute the node key. Otherwise use SHA512. This is needed to support GCM-256-AES since a PSK for this would require 36 bytes as per RFC 4106. Fixes: #33457 Fixes: c28e046d4c6 ("ipsec: Compute per-node-pair IPsec keys") Signed-off-by: Jason Aliyetti <jaliyetti@gmail.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
dea7511 gh: ipsec: clarify check for leaked proxy traffic during key rotation [ upstream commit fb55ad6a1bfee262b3f15d9b4319017b05e456d7 ] Add a comment to explain why we need to disable the check for proxy traffic when running the bpftrace leak detection during key rotation. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 09 July 2024, 15:21:10 UTC
81e6eb2 chore(deps): update cilium/cilium-cli action to v0.16.11 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 09 July 2024, 07:58:05 UTC
f74b346 github: fix concurrency groups for push events Due to bb6783020701, the concurrency groups aren't working properly for 'push' events. This commit fixes the concurrency group so that pushes to a branch don't stop runs from other branch pushes. Fixes: bb6783020701 (".github: fix workflows for on push") Signed-off-by: André Martins <andre@cilium.io> 09 July 2024, 02:29:20 UTC
7dbc9ed renovate: add auto-approve bot for renovate PRs [ upstream commit d65f9afb57fb176b9f073a3a6745c241c9525153 ] Enable the GitHub "auto-merge" feature in the repository settings at https://github.com/<org>/<repo>/settings. If Renovate detects this feature, it allows PRs to be auto-merged by GitHub. GitHub will auto-merge a PR if all required checks pass and CODEOWNERS have reviewed it. If these conditions are unmet, GitHub won't merge the PR. To allow Renovate to auto-approve its own PRs, configure Renovate to request a review from the bot `ciliumbot` for PRs with trusted dependencies. The `reviewers` configuration in Renovate will ensure `ciliumbot` is the sole reviewer of Renovate's PRs. Create a GitHub Action triggered by a review request event, ensuring the PR review was requested by the Renovate bot, the PR was created by Renovate, and the review request is for `ciliumbot`. Ensure `ciliumbot` belongs to some teams of the CODEOWNERS file but is not auto-assigned reviews by GitHub. This setup allows `ciliumbot` to provide the necessary approvals without manual intervention, enabling seamless integration of Renovate to auto-approve PRs. The teams that `ciliumbot` will belong to are the ones that usually are selected to review renovate PRs when a trusted dependency is updated. Signed-off-by: André Martins <andre@cilium.io> 08 July 2024, 18:12:30 UTC
8056064 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 08 July 2024, 16:12:23 UTC
a7f1f67 daemon: Allow DNS transparent mode to be turned off with encryption [ oss commit 6cb07c19ddcef5f8e8d2c24c943a6dd963b540cf ] [ Backporter's notes: Dropped change in config_test.go since TestDaemonConfig_StoreInFile is missing in v1.14 ] DNS transparent mode was introduced to make sure that DNS traffic is always encrypted if the user is running with transparent encryption. If DNS proxy transparent mode is turned off, proxied DNS traffic will be leaked. However, DNS transparent mode is suffering from various bugs, e.g. - https://github.com/cilium/cilium/issues/31535 - https://github.com/cilium/cilium/issues/31197 - https://github.com/cilium/cilium/issues/33144 While we are working on addressing these bugs, some users might be fine with proxied DNS traffic being leaked. Therefore, this commit introduces a hidden and undocumented flag which requires DNS proxy transparent mode to be enabled with IPSec. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
4e3c339 Documentation: accept ORG and REPO [ oss commit 1267ff92b0831aa24b1286afcf800b996eb537e6 ] By default, the check-crd-compat-table script will get the remote from cilium/cilium. This script won't work if there isn't a remote under these names. As a workaround, and to avoid many refactoring, the script will detect if ORG and / or REPO environment variables are set and use those as inputs to get the remote name. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
c5ec43f gh/workflows: Skip no-frag in IPsec for some key rotation [ oss commit 5c09c9227500518fbc9395e3fff4b26f1332db37 ] https://github.com/cilium/cilium/issues/29480 Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
70edde4 gh/workflows: Bump Cilium CLI to v0.16.11 [ oss commit 09ba861cb38e0d9d36ff2c254b181d70f1322e95 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
d0b1da1 pkg/service: Remove stale TODO [ oss commit ec881da9d20b9a5593b6b5c5f5c08bc9615d51a0 ] LRP documentation describes the behavior [1] with existing connections, so this code comment is incorrect. Furthermore, commit ea9ace6337 introduced changes to terminate connections to deleted LRP backends. [1] https://docs.cilium.io/en/stable/network/kubernetes/local-redirect-policy/#limitations Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
b3dd23e docs: Fix typo in LRP guide [ oss commit 4f08910533715c5053f1c1862211a02f17d25fe8 ] Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
d393dfa policy: Fix parsing of CIDR labels [ oss commit 66059986095fa157432ec4a1c34417f1921480bb ] [ Backporter's notes: changed the test code to use LocalIdentityFlag instead of IdentityScopeLocal. ] labels.maskedIPToLabel() replaces colons in an IPv6 CIDR with dashes due to label name character set limitations. We need to reverse this transformation when parsing a CIDR label to a prefix. Allow for 0 prefix length CIDR to be properly parsed as well. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
ade0d16 install/kubernetes: update nodeinit image to latest version [ oss commit ea393843824ef59c1767bb2605206af17e5bd595 ] [ Backporter's notes: trivial conflicts due to different pullPolicy, solved keeping "IfNotPresent". ] Renovate does not pick up new version as tag is in sha format rather than regular semver. Related: #32181 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
0b2b561 docs: Improve note on kube-apiserver entity limitations [ oss commit 3a669e931e894c7c7c54d894daaa17bcb243ffe1 ] Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 08 July 2024, 08:42:40 UTC
9045be3 Makefile.values: re-add etcd back This was accidentally removed by d7d2e9dc1936 Fixes: d7d2e9dc1936 ("renovate: add all dependencies of Makefile.values") Signed-off-by: André Martins <andre@cilium.io> 04 July 2024, 11:54:52 UTC
91fa36e images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 03 July 2024, 18:32:03 UTC
3c5cfcc chore(deps): update go to v1.21.12 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 03 July 2024, 18:32:03 UTC
4896ea6 envoy: Bump golang version to v1.22.5 Relates: https://github.com/cilium/proxy/pull/827 Signed-off-by: Tam Mach <tam.mach@cilium.io> 03 July 2024, 18:27:16 UTC
4273b81 renovate: remove concurrency group from renovate's Base Image Release Build [ oss commit 1a33ff0d12653cabc27b95066bba64bf33121e44 ] The "Base Image Release Build - Renovate" workflow doesn't need a concurrency group as it will use the concurrency group of the workflow that it uses, the "./.github/workflows/build-images-base.yaml". Using the concurrency groups on both workflows will result in the following error: Canceling since a deadlock for concurrency group 'Base Image Release Build - Renovate-refs/heads/renovate/main-all-dependencies' was detected between 'top level workflow' and 'build-base-images-from-renovate' Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> 03 July 2024, 12:23:52 UTC
d7d2e9d renovate: add all dependencies of Makefile.values [ oss commit 99846fd67db870f4d6ff2ae0e9f73df43e2a4e7b ] Now we can let renovate update the dependencies of all images from Makefile.values. Signed-off-by: André Martins <andre@cilium.io> 03 July 2024, 12:23:52 UTC
c7e088a envoy: Avoid short circuit BE filtering [ upstream commit 2123732670cc43989fb895df0f7d81c44f96b5f7 ] The same service can be used with multiple port types (e.g. number and name), so we should continue matching port values for both. Signed-off-by: Tam Mach <tam.mach@cilium.io> 03 July 2024, 09:49:57 UTC
b131ca8 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 01 July 2024, 13:16:49 UTC
acc436f envoy: Update envoy 1.28.x to v1.28.5 This is mainly to pick up the below CVE fix from the upstream. Related CVE: https://github.com/envoyproxy/envoy/security/advisories/GHSA-fp35-g349-h66f Relates: https://github.com/cilium/proxy/pull/819 Relates: https://github.com/envoyproxy/envoy/releases/tag/v1.28.5 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 July 2024, 12:10:52 UTC
366a6c2 build-images-base: push to branch if pull request ref doesn't exist [ upstream commit 56494b13a40a768f8069ce85bec404351deaf3bd ] With the introduction of workflow_call by f054f94b24b9, pushing changes to the branch was not possible when the event was type "workflow_call" as the github.event.pull_request.head.ref does not exist. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
781b82c cni: Revert "cni: Use correct route MTU for various cloud cidrs" [ upstream commit a31dcbd5d90d6c2507d09e78ae72d1de0b60427d ] The PR #32244, that was merged with commit 29a340e, was intended to fix IP fragmentation with WireGuard deployments, causing poor network throughput and increased network latency. Unfortunately, after this PR was merged, users began reporting issues with Cilium modifying the MTU of the default interface of the node. This commit reverts the blamed commit in an attempt to fix said issues. The surfaced side-effect is tracked in issue #33303. Fixes: #33258 Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
26e72dd build-images-base: cancel github runs based on branch name [ upstream commit de873916584ce98164a869a6a2db714d9fbcaffb ] With the introduction of workflow_call by f054f94b24b9, the concurrency group started to cancel jobs based on the workflow name alone, which caused workflow runs created by this workflow to be canceled even if they were opened from different branches. Fixes: f054f94b24b9 (".github: add workflow for renovate to build base images") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
a703b28 examples: Fix subject selector in ingress policy [ upstream commit d97069c74c96b272fa6b4b7ea09af584d60515ca ] This policy example selected *all* Endpoints rather than just the Ingress Endpoint. Since the policy is intended to allow traffic to the Ingress and not other managed Endpoints, restrict the selector. CC: Tam Mach <tam.mach@cilium.io> Fixes: b68cf99c3bb5 ("ingress: Update docs with network policy example") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
dd000dd ci: update docs-builder [ upstream commit 97f4e25b9093ab19aadd2a60f4ee73c5d4e80f22 ] [ backporter's note: Take upstream image version change. ] Signed-off-by: Cilium Imagebot <noreply@cilium.io> 27 June 2024, 02:15:14 UTC
046f006 build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation [ upstream commit 0378d78af1e8c3c1498aa59b1f8181e4410bea8a ] [ backporter's note: Fix minor conflict and apply urllib change. ] Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.2.2. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.2.2) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 27 June 2024, 02:15:14 UTC
db7aa28 build-images: fetch artifacts with specific pattern [ upstream commit 112a16db227093f490ba07f557261378da331145 ] It seems that docker/build-push-action started to store artifacts on GitHub. This sort of affected the digests of the image build process as it timed out while trying to download these artifacts. To fix this issue we will only download the artifacts with the pattern "*image-digest *" which are the only artifacts relevant for the image digests. Fixes: b86d5fc1aa64 ("chore(deps): update docker/build-push-action action to v6") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
29ab63f cilium-dbg: improve troubleshoot clustermesh output for local cluster [ upstream commit c46e6be716d1c283b0fb908a2bfdd97413cfc00a ] [ backporter's note: Remove all documents that don't exist in v1.14. ] Users may additionally configure a clustermesh entry for the local cluster as well, to reuse the same configuration in all clusters, as Cilium then automatically ignores it. Let's improve the output of the cilium-dbg troubleshoot clustermesh (and kvstoremesh-dbg troubleshoot) commands in this situation, removing the usage of the term "remote", and displaying a note for the entry matching the local cluster name. The retrieval of the local cluster name is performed in a best effort fashion, and may not always work. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 June 2024, 02:15:14 UTC
756af48 cilium-dbg: minor clarifications to the clustermesh status output [ upstream commit ab579235446ad2f77146f61a85dc2c8201554122 ] [ backporter's note: Fixed some minor conflicts. failures -> reconnects. ] Add the term remote to clarify that the number of clusters reported by the cilium-dbg and kvstoremesh-dbg status commands does not include the local one, regardless of whether it is included in the clustermesh configuration or not. Similarly, let's replace the term failures with reconnections, as failures has a negative connotation, but they are actually expected to happen when the clustermesh-apiserver in the given remote cluster is restarted. Suggested-by: Bruno M. Custódio <bruno@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 June 2024, 02:15:14 UTC
a70bdac ci: use env variable to store branch name [ upstream commit 22e066d7b1825d338cf78bda7a4a5fe8c69e9235 ] Instead of using the branch name directly in the run command. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 27 June 2024, 02:15:14 UTC
623445e chore(deps): update docker.io/library/alpine docker tag to v3.18.7 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 19:13:43 UTC
36ef547 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 18:54:03 UTC
9dcd6a6 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 25 June 2024, 14:26:29 UTC
91aa2af chore(deps): update docker.io/library/golang:1.21.11 docker digest to b405b62 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 14:26:29 UTC
ee5ec91 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 25 June 2024, 09:20:43 UTC
bb67830 .github: fix workflows for on push Due to a bad backport from 75e043b3efa7 the workflows got badly configured which prevented their execution. This commit adds the push event on the right place. Fixes: 75e043b3efa7 ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 25 June 2024, 07:33:40 UTC
105a342 ipcache: Fix orphaned ipcache entries when mixing Upsert and Inject [ upstream commit ae3db3da36487d688eb753110a9d5de9dc9e0646 ] [ upstream commit b30a3a941c54d5f74d0d1100936a74d340553476 ] When a prefix is initially created by the synchronous Upsert() API, it is flagged as such so that InjectLabels() knows it is shared. However, this flag is not removed if the legacy caller releases all references to this prefix. Thus, the timeline 1. AllocateCIDRs("1.1.1.1/32") 2. UpsertPrefixes("1.1.1.1/32") 3. ReleaseCIDRIdentities("1.1.1.1/32") 4. RemovePrefixes("1.1.1.1/32") leaves us with the prefix still in the ipcache, but the identity fully released. This leads to traffic drops, as the identity is unknown to the policy system and thus not present in the BPF policymaps. The fix is to forcibly remove the prefix if the identity reference reaches zero and the prefix is not in the metadata layer. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 24 June 2024, 13:05:32 UTC
c892a53 .github: add workflow for renovate to build base images [ upstream commit f054f94b24b9c242611b956ba3f3698e8394c884 ] As renovate can automate a lot of our dependency updates it will also be possible for it to trigger the workflow to build base images. For this to happen we need to create a new workflow that reuses the existing workflow by using a different environment. This environment is protected to only be executed on the branches that are created by renovate. Signed-off-by: André Martins <andre@cilium.io> 24 June 2024, 10:50:03 UTC
34fd55d .github: fix cloud workflows for renovate Ensure consistency by sanitizing the 'OWNER' field in these workflows. This matches the approach used in other workflows. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 24 June 2024, 06:56:55 UTC
5714073 .github: fix workflows used by renovate With the introduction of 6f461ea592ca, some of the workflows were not prepared to handle concurrency for "push" events so we had to add the group for these types of events. Also, some of the workflows were not running the "commit-status-final" as this step was only running for events that were not of type "push". As the list of required workflows is based on the name created by this step, we also need to run this step for the "push" events. Some existing workflows already push "commit-status-final" for pushes as well so the introduction for these workflows will be consistent with existing ones. Finally, the push events should only be triggered for pushes done respective to the "main" branch, thus we will be using the prefix "renovate/main-**" instead of "renovate/**" to avoid triggering the GH main workflows from stable branches and vice-versa. Fixes: 6f461ea592ca ("run CI automatically for renovate") Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 11:07:27 UTC
75e043b run CI automatically for renovate Renovate is a trusted contributor of Cilium. We can skip the need to run the CI manually by the triager if the CI is automatically run after a push to renovate's branches. [ upstream commit 6f461ea592ca00115c82b91520d8951b2529d1eb ] Signed-off-by: André Martins <andre@cilium.io> 21 June 2024, 11:07:27 UTC
1f2b76d bpf: test: add LB test for terminating backend [ upstream commit 7ece278d42cca541b2e8e862e717f2536935af11 ] [ backporter's notes: open-code all the non-existent helpers ] Once a LB connection has been established, we expect to continue using its CT entry to obtain the backend. Even if the backend is in terminating state, and the service has lost all of its backends. Keeping this separate from the fix, in case we can't easily backport. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 June 2024, 07:27:03 UTC
5e0c414 bpf: lb: un-break terminating backends for service without backend [ upstream commit 0de6f0f230be10e084f30fb3128c215edde1611f ] [ backporter's notes: add the ->count checks in slightly different locations, as we're missing a bunch of LB cleanup PRs. ] Continue to forward traffic for established connections, even when a service loses its last active backends. This needs a small adjustment in a BPF test that was relying on this behaviour. Fixes: 183501124869 ("bpf: drop SVC traffic if no backend is available") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 21 June 2024, 07:27:03 UTC
53e0136 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 19 June 2024, 08:17:51 UTC
6c58ab5 ui: v0.13.1 release [ upstream commit f5129a22d3ddf96fb11c9a2aa5b6c62265604470 ] [ backporter's note: ran `make -C Documentation update-helm-values` ] Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 19 June 2024, 08:00:22 UTC
184607b chore(deps): update cilium/scale-tests-action digest to 511e3d9 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 18 June 2024, 07:10:58 UTC
4776872 chore(deps): update docker/build-push-action action to v6 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 19:04:07 UTC
4a75d84 chore(deps): update all github action dependencies Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 13:40:26 UTC
9087be8 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 17 June 2024, 07:32:45 UTC
4ed6c73 chore(deps): update docker.io/library/golang:1.21.11 docker digest to 2eb85b8 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 07:32:45 UTC
8c8232f chore(deps): update quay.io/cilium/certgen docker tag to v0.1.13 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 17 June 2024, 05:21:24 UTC
e2d6955 conformance-ipsec-e2e: run leak check before/after key rotation [ upstream commit: 4e2a66d131243bad2daff58dd4e9deab87b776ec ] This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods at the end of the connectivity test, leaving some lingering packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for key rotation and the after-rotation test. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
5a77d74 ci: check-ipsec-leaks.bt can tolerate proxy traffic not found [ upstream commit: 230c200353f2c647d9b21774cf177706f919ad23 ] Add an argument to tell check-ipsec-leaks.bt whether to report errors if proxy traffic not found. Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
0bcd752 conformance-ipsec-e2e: add leaked unencrypted packets check [ upstream commit: e3fe4bc5bb8073eb7d52f95b367ce6470d5e3ade ] Extend the conformance-ipsec-e2e GHA workflow to additionally check that we don't leak any unencrypted packets during the connectivity test. This aims to complement the validation already performed as part of the connectivity tests by the Cilium CLI. Specifically, we leverage bpftrace to analyze the packets forwarded by the bridge device (used by kind), and report those that are not encrypted. We flag packets with both the source and the destination belonging to the IPv4/6 PodCIDR, and we consider the inner headers if packets are encapsulated. In this case, we additionally skip packets originating or targeting CiliumInternalIP addresses (as these are used for node-to-pod traffic when running in tunnel mode, which is not encrypted by design). Extra checks are finally added to always include packets originating from the L7 and DNS proxies, as their source IP is not that of a pod. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
4b88403 ci: Delete deprecated conn-disrupt-test action [ upstream commit: ec1b79628d0e9af6ce689505e4b1415537363481 ] Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
f277878 ci: Use conn-disrupt-test-{setup,check} for ci-ipsec-upgrade [ upstream commit: 364ff9e ] Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
ef879f5 ci: Decouple ipsec-key-rotate action from conn-disrupt-test action [ upstream commit: c430572 ] So in future we can add encryption leak detection right after key rotation to avoid certain issues. ci-ipsec-e2e and ci-eks have also been adjusted to use conn-disrupt-test-* actions before and after the ipsec-key-rotate action. Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
7882894 ci: Add conn-disrupt-test-{setup,check} actions [ upstream commit: 0f957a7a4644211202465de878dd2bd4c35463d3 ] They are to replace conn-disrupt-test action for better flexibility. Please note the new conn-disrupt-test-check doesn't run full tests by default. Signed-off-by: gray <gray.liang@isovalent.com> 14 June 2024, 08:39:05 UTC
f459f69 remove tracking of backports with MLH With the sunset of GH projects by GH [1], we will now create organization-projects to track which PR is available on which release after a CHANGELOG of a release is performed. Thus, we can also sunset this feature from MLH. [1] https://github.blog/changelog/2024-05-23-sunset-notice-projects-classic/ Signed-off-by: André Martins <andre@cilium.io> 13 June 2024, 19:39:20 UTC
6e76663 docs: ipsec: mention dependency on transparent mode for DNS proxy [ upstream commit 26325a8b9c94c731c54111e87b903c2c2f6a189f ] For connections that are established by the DNS proxy, this is required to detect the original source IP and apply IPsec policy accordingly. The agent fatals if IPsec and L7 proxy are enabled, but the DNS proxy is not set to transparent mode. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 11:54:37 UTC
7678219 helm: Decouple sysctlfix from cgroup.autoMount [ upstream commit 99f887179ba3aa0dbd52a0c4ac11623fb784ec57 ] [ backporter's notes: fixed trivial conflict in values.yaml.tmpl and dropped the values.schema.json hunk, as not relevant. ] Currently, the sysctlfix is only enabled when cgroup.autoMount is enabled which is not a directly-related feature. This dependency is introduced because the host procfs mount is only enabled when cgroup.autoMount is enabled. Due to this limitation, we recently observed the issue that disabling cgroup.autoMount in the environment that runs systemd 245+ makes a connectivity loss between nodes in tunnel mode due to the rp_filter. To fix the above issue, introduce a new configuration knob to enable/disable sysctlfix individually. It is enabled by default. Fixes: #20643 Co-authored-by: Nick Young <inocuo@gmail.com> Signed-off-by: Yutaro Hayakawa <yhayakawa3720@gmail.com> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 11:54:37 UTC
b6e7600 gha: Only retrieve IPv4 CIDR from docker network [ upstream commit b49f9128cb8916b56b5b218dabc11820df79d2b3 ] [ backporter's notes: hit conflicts due to the usage of MetalLB rather than Cilium LB. Preserved the main hunk, and adapted the debug output. ] It seems like github runner is enabled with docker dual stack, so the current docker network inspect command might return IPv6 instead of IPv6 CIDR, which breaks LB IPPool configuration. Sample output of `docker network inspect kind` command can be found as per below. This commit is to make sure that we only retrieve IPv4 CIDR in docker network inspect command. Additionally, some echo/cat statements are added to make similar issues more visible in the future.
```
[
    {
        "Name": "kind",
        "Id": "43e3b3267092150f5f2e6f2053157d912ad6b5a4ce20f700e1e9be547a437f75",
        "Created": "2024-06-12T14:18:17.733107881Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "fc00:f853:ccd:e793::/64"
                },
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "748d7161857ca5e610f196299828eacafcbdb069d38c00e4e6c14cdeefada9c5": {
                "Name": "chart-testing-control-plane",
                "EndpointID": "0f1a5bbeb14929200ed13cb289afd6bf5f9f455d4ed75bb3a26e167e67bf7784",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": "fc00:f853:ccd:e793::2/64"
            },
            "c2030425e24a11ea208b87c5d70e194b0f51eee133f09b67404fd2bf97410f13": {
                "Name": "chart-testing-worker",
                "EndpointID": "81489bd101e483be7270e2b5dd7e0bf3a0163b89650d7ef69cc4ce43454479e3",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": "fc00:f853:ccd:e793::3/64"
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
```
Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 13 June 2024, 07:21:09 UTC
1d0de94 Disable release SBOM asset uploads We are not using this feature, and it requires extra workflow permissions. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 12 June 2024, 08:13:30 UTC
399e6dc Generate SBOM from the correct release image Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 11 June 2024, 12:25:56 UTC
bc2e387 chore(deps): update docker/build-push-action action to v5.4.0 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 11 June 2024, 07:29:47 UTC
a29e9b7 chore(deps): update stable lvh-images Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 11 June 2024, 05:25:10 UTC
f366c12 install: Update image digests for v1.14.12 Generated from https://github.com/cilium/cilium/actions/runs/9449873804. Docker Manifests ================ cilium - docker.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c - quay.io/cilium/cilium:v1.14.12@sha256:9c9612ed763a9ff823aca5e56aff6bb1e8ca36516282ed7f5c1b8866d011752c clustermesh-apiserver - docker.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92 - quay.io/cilium/clustermesh-apiserver:v1.14.12@sha256:39e4ddad59cc3a4c05e7f44333fcbc8e1e64ee5eed8b9614916ed9673bb10a92 docker-plugin - docker.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107 - quay.io/cilium/docker-plugin:v1.14.12@sha256:7f358167a6c57fab052c524ee9b638784f90f904631423c7cf51f8fe301e1107 hubble-relay - docker.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574 - quay.io/cilium/hubble-relay:v1.14.12@sha256:63749d9af901846b8a9229e01210afce2f9b1769419deaf55571dd16b7864574 kvstoremesh - docker.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565 - quay.io/cilium/kvstoremesh:v1.14.12@sha256:c46f1939edd78d38f537e52b12ea051bafc591611b75e197bebb1e508764b565 operator-alibabacloud - docker.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c - quay.io/cilium/operator-alibabacloud:v1.14.12@sha256:e01302d3c00ce5b8e29703d4fdafefb0e9f4e65d1849a5551e0ad4d45a7af42c operator-aws - docker.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe - quay.io/cilium/operator-aws:v1.14.12@sha256:a922c610fbc6e3e8bfda1876c6b2644f605b0cdec78f49854b9ce02213dc0abe operator-azure - docker.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd - quay.io/cilium/operator-azure:v1.14.12@sha256:416a39117ab7d261aacafc6e70e58bb0979c81c3c9d5cc4769f626de3f8015dd operator-generic - docker.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6 - quay.io/cilium/operator-generic:v1.14.12@sha256:0dd45f29aadeca7b9ef9f42991130ca135e54801c65416bd727add19e4727ba6 operator - docker.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262 - quay.io/cilium/operator:v1.14.12@sha256:5e1552ebb3e95655ec301637b2a9f90669e214d0d2f4c5397e867f4ae36bf262 Signed-off-by: Quentin Monnet <qmo@qmon.net> 10 June 2024, 15:52:54 UTC
d687f8f chore(deps): update dependency cilium/cilium-cli to v0.16.10 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 10 June 2024, 14:31:05 UTC
f1de64c Prepare for release v1.14.12 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 10 June 2024, 10:37:40 UTC
5ea546a ci: l4lb: Don't hang on gathering logs forever [ upstream commit 84013315bdc3167dfb2f33d074403170c8bacebe ] It doesn't make sense to pass `--follow` when the container is still running, this will hang forever and fail to complete the remaining steps in the workflow. Remove the follow flag. Fixes: 93927457779d ("ci: l4lb: gather more infos about docker-in-docker issues") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 07 June 2024, 21:58:22 UTC
ce7d61e remove release scripts [ upstream commit df03e886bcddc4f3f94d31ad443d922b0f9fd2f5 ] [ backporter notes: trivial deletion conflict. ] These scripts will only be available under github.com/cilium/release to avoid any confusion when performing releases. Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 21:58:22 UTC
38e243b remove unused files [ upstream commit 129a20004a8ac32b055d97cef5e9c4cc64399cad ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 07 June 2024, 21:58:22 UTC
9eb25ba bugtool: Add post-processing masking function for Envoy [upstream commit 48a9976a09015a0e411997780c8b260d59593071] This commit is to explicitly mask the below fields from Envoy config dump: - api_key (used in kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning on existing Cilium protobuf was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 17:23:46 UTC
224e288 bugtool: Add json masking function [upstream commit 568dbc5ad884e37614992f59ceb89ad89feb9135] This commit is to add a generic json field masking based on the field name. Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 17:23:46 UTC
1862ab4 docs: ipsec: remove limitation for native-routing with L7 egress policy [ upstream commit 5f18d88b973c20490e923c5312caf3afc516e5f2 ] This was addressed by https://github.com/cilium/cilium/pull/32683. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 07 June 2024, 10:52:52 UTC
6e88475 chore(deps): update dependency cilium/hubble to v0.13.5 Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> 07 June 2024, 09:12:14 UTC
cfdfcf8 proxy/routes: Also route egress proxy's return traffic to 2005 [ upstream commit: 1ce4c7f31844c0577fdd9bff324ba6bead422b91 ] [ backporter's note: v1.14 still uses bpf/init.sh to install routing rules, we have to re-implement the logic in bash. ] This commit installs the "0xb00/0xf00 lookup 2005" routing rule when IPsec is enabled with native routing and envoy. This is a necessary step towards fixing encryption leaks, otherwise the egress proxy's return traffic gets no chance to have the IPsec mark set. The new routing rule ensures these packets are routed to cilium_host, where we have bpf_host to handle the encryption datapath. This patch uses a different condition from requireFromProxyRoutes() to determine whether to install the new routing rule, otherwise we will see breakage on IPsec=off + envoy=on. Specifically, the new routing rule is isolated to IPsec only. Signed-off-by: gray <gray.liang@isovalent.com> 07 June 2024, 09:11:18 UTC
ef2986d iptables: Ensure iptables masquerading works for proxy traffic [ upstream commit: 3384d73c12ea8bc9e24fc4c30193f95775b23005 ] After https://github.com/cilium/proxy/pull/742, proxy traffic keeps the original pod IP as source IP for to-world packets, which must be masqueraded to the eth0 IP. There is no issue for now, but the new routing rule (0xb00 lookup 2005) to be added for https://github.com/cilium/cilium/issues/31984 will cause a side effect breaking masquerading. This patch fixes that side effect as a precaution, otherwise git-bisect breaks. The new routing rule (0xb00 lookup 2005) will cause proxy packets to go through POSTROUTING twice: the first time happens when the proxy sends packets which are routed to cilium_host, these are hitting OUTPUT + **POSTROUTING**; the second time takes place after packets ingressed from cilium_net, these skbs will traverse PREROUTING + FORWARD + **POSTROUTING**. However, due to the kernel's implementation details, an skb won't be processed by nat POSTROUTING twice: after the first POSTROUTING check, the skb's ct `(struct nf_conn*)(skb->_nfct & ~7)` has a status IPS_SRC_NAT_DONE to skip the further traversal at all. [1] To avoid being set the IPS_SRC_NAT_DONE flag, this patch adds an iptables rule `--mark 0xb00 -j CT --notrack` at OUTPUT to skip the first round of iptables ct, just for proxy traffic which is characterized by the 0xb00 mark. [1] https://elixir.bootlin.com/linux/v6.6.2/source/net/netfilter/nf_nat_core.c#L825 [1] https://elixir.bootlin.com/linux/v6.6.2/source/include/net/netfilter/nf_nat.h#L111 Signed-off-by: gray <gray.liang@isovalent.com> 07 June 2024, 09:11:18 UTC
788a1ac Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING [ upstream commit: f93a40c7283b2b60acbcbad3819dd0ea18204190 ] We have an iptables rule to set the 0x200 mark for transparent sockets: ``` *mangle -A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle -A CILIUM_PRE_mangle -m socket --transparent -m mark ! --mark 0xe00/0xf00 -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff ``` This rule is in the mangle PREROUTING chain which checks packets ingressed from a netdev. Let's then focus on the pod to world traffic when IPsec=on + proxy=on + tunnel=off. Currently, a pod-to-world packet will go through the path: 1. from_lxc@lxc: skb->mark is set to 0x200 and returned to stack 2. iptables: skb is hijacked by tproxy (due to 0x200), to be accepted by proxy 3. proxy process: the old skb is consumed by proxy, a new skb is sent to upstream (world) 4. stack routing: the new skb is routed to eth0 5. stack iptables: the new skb is traversing OUTPUT chain and POSTROUTING chain 6. to_netdev@eth0: the new skb is going to world Please note the new skb won't hit the PREROUTING chain, where there is a rule setting skb->mark=0x200. To fix https://github.com/cilium/cilium/issues/31984, we are going to change the routing for packets from the egress proxy; consequently, on step 4 above, the new skb will be routed to cilium_host instead: 4. stack routing: the new skb is routed to cilium_host 5. from_host@cilium_host: the new skb is returned to stack 6. to_host@cilium_net: the new skb is returned to stack 7. stack: PREROUTING, routing, FORWARD, POSTROUTING Look at step 7, we are hitting PREROUTING! Because of https://github.com/cilium/proxy/pull/742, this to-world skb is also linked to a transparent socket, matching the "-m socket --transparent" condition, so the packet will fortunately have the 0x200 mark. If we do nothing, this to-world skb marked with 0x200 will then hit the routing rule "from all fwmark 0x200/0xf00 lookup 2004" and be routed to local. It should have gone to the world. This patch fixes this future issue as a precaution (otherwise we'll break git-bisect). This patch provides a straightforward solution: at step 5 from_host@cilium_host, we set a special mark 0x800 (MARK_MAGIC_PROXY_TO_WORLD), then iptables can exclude this mark using "-m mark ! --mark 0x800/0xf00". Signed-off-by: gray <gray.liang@isovalent.com> 07 June 2024, 09:11:18 UTC
8700843 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 06 June 2024, 08:44:38 UTC
8c724eb chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 June 2024, 08:44:38 UTC
8e2d347 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 06 June 2024, 06:57:45 UTC
5710a4f envoy: Bump envoy version to v1.28.4 This commit is to bump envoy version to v1.28.4 for below CVEs: - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv) - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4) - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26) - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299) - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc) - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m) - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c) Additionally, this build also includes a couple of Cilium fixes, more details can be found in #786. Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.28.4 Relates: https://github.com/cilium/proxy/pull/786 Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 14:49:12 UTC
ccec355 background-sync: fix bootstrap issue and edge-case with 1 node [ upstream commit 2019ebebc816a0b095b6afcdbd5e30bb081a3e64 ] During bootstrap, we don't know the number of nodes and the new implementation was essentially hot looping until nodes were fetched. Also, in the case of a cluster with a single node, the rate-limiter was not rate-limiting. Fixes #32577 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 05 June 2024, 09:44:55 UTC
e2b58a9 background-sync: spread node updates over time. [ upstream commit 3e12e02d04a33aa8ea36f463d26c2ffa3804a01a ] [ Backporter's notes: no error handling in v1.14, different m.Iter part, no health module ] Before, depending on cluster size we were triggering a node update for each node at fixed intervals depending on cluster size. This resulted in a high CPU usage spike in the agent. While the intent is to fix state that got stale and this shouldn't be the primary source of updates, it makes sense to spread these updates over time to average out CPU usage. Also, re-enable the backgroundSync test. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 05 June 2024, 09:44:55 UTC
00ada47 ipsec: cache xfrm state list [ upstream commit 3a4c57f12b61d336de26c24ac2b9b15dc4fc0368 ] [ Backporter's notes: switch default to false - so not enabled by default. Switch from testing package to checkmate in unit tests. Flags use Vp instead of vp. Minor conflicts with netlink.XfrmState* calls ] Reduces GC CPU usage and memory allocations coming from XfrmStateList. To ensure we have an up-to-date cache, wrap all XfrmState related functions inside the cache, which is invalidated whenever an XfrmState changes. This is a follow-up to #32577. While that PR averages out CPU usage over time, in a large cluster of 100+ nodes the amount of allocations coming from netlink.XfrmStateList() is high due to backgroundSync, where we usually don't change any Xfrm states. This becomes more and more expensive as the number of nodes increases. Added a CI test to make sure that we don't accidentally add calls that modify XFRMState without going through the cache. Also, added a hidden option that allows turning off caching. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 05 June 2024, 09:38:42 UTC
9e15fd5 .github/workflows: fix digests file creation [ upstream commit deee47cac2f7c56d376e1877d1fb4bd9f3c9fd84 ] With the introduction of 57db22b2029c, Syft creates the sbom files under the same directory the image digest files are created in. This resulted in the image-digest-output.txt file containing all the SBOMs unexpectedly. Thus, using find, we will make sure that only the files that start with "image-digests" are copied into the image-digest-output.txt file. Tested in https://github.com/aanm/cilium/actions/runs/9358191181 Fixes: 57db22b2029c ("Generate SBOMs using Syft instead of bom") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 05 June 2024, 09:30:33 UTC
0c47e8c Remove `hubble.ui.securityContext.enabled` from hubble-ui helm template [ upstream commit 4b81d22f4c2ba2dcad3068d25e15ef74bff8e36d ] Signed-off-by: Lukas Stehlik <stehlik.lukas@gmail.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 05 June 2024, 09:30:33 UTC
96d8b2d ci: Filter supported versions of EKS [ upstream commit 720927534b26477002d7fe320b389a19d6dd5664 ] Whenever EKS stopped supporting a particular version of EKS, we had to manually remove it from all stable branches. Now instead of that, we will dynamically check if it's supported and only then run the test. This implementation is not great, as supported versions are hard-coded in eksctl until EKS fixes it: https://github.com/aws/containers-roadmap/issues/982#issuecomment-2050635472 Because of that, we always fetch the newest eksctl version. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: viktor-kurchenko <viktor.kurchenko@isovalent.com> 05 June 2024, 09:30:33 UTC
1198e28 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 05 June 2024, 07:34:45 UTC