https://github.com/cilium/cilium

de22bfd Prepare for release v1.7.0-rc4 Signed-off-by: Joe Stringer <joe@cilium.io> 13 February 2020, 00:21:13 UTC
24ad899 ipcache: Add probe to check for dump capability to support delete [ upstream commit 69a6fcea473487c08ccc9701c99c79ff944118d3 ] Besides the ability to delete, the ipcache garbage collector also requires the ability to dump the table. Add this to the existing probe which feeds `SupportsDelete()`.
level=debug msg="Detected IPCache delete operation support: true" subsys=map-ipcache
level=debug msg="Detected IPCache dump operation support: true" subsys=map-ipcache
Fixes: #10080 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
1742391 test/k8s: Test IPv6 ClusterIP service connectivity across nodes [ upstream commit a6c62bae969c43b87a0c160c18b4fdabdbb4a326 ] This tests the ClusterIP IPv6 reachability for the service tests across nodes. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5f23c39 test/k8s: Bump cilium/echoserver to 1.10.1 [ upstream commit aee3c0a67d1b2a708b3b399e6f9bd727784e938c ] The new tag listens on IPv4 and IPv6 connections, used in subsequent service tests for IPv6 connectivity. Since the server can observe the client addresses now in the 4-in-6 format, we make sure to compare the parsed IP addresses in the source IP test. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
731b983 test/k8s: Add tests for same-node IPv6 service connectivity [ upstream commit d1a61479eae3e1d3d83d598f3e7bfbbceaebac3b ] This adds tests for Kubernetes ClusterIP services with IPv6. It mirrors the existing IPv4 versions. Because the deployed Kubernetes is not running in IPv4/IPv6 dual-stack mode, we are using the Cilium CLI to install the service rules for the services deployed in the existing IPv4 tests. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8b7b8ba test/k8s: Bump cilium/json-mock to 1.2 [ upstream commit fefff1f01f17856fc3ee971876b3ebcdf4c60ef9 ] The new version listens to both IPv4 and IPv6 connections. This is required for the IPv6 tests added in a subsequent commit. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2e2a561 test/k8s: Add helper to get IPv6 addresses of Cilium endpoints [ upstream commit afb38e86b9092bea7e88fc163f6e9791a7ee4f80 ] This will be used to fetch the IPv6 backends for endpoints with a certain Kubernetes or Cilium label. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
677d725 test/k8s: Add helpers to create Cilium services via CLI [ upstream commit 08e4d14e4624df6ca8150e05a5c12cbb1aa939c0 ] This adds helpers to invoke `cilium service update` and `cilium service delete` via kubectl. It will be used to install IPv6 services for tests on Kubernetes deployments that do not yet have dual-stack mode enabled. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2367453 doc: Update guides to include new connectivity check [ upstream commit cf516592a7de38fc4ca172d8c256dc693e74efc4 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
76eb53d connectivity-check: Generate all-in-one connectivity-check.yaml [ upstream commit 2ac5f30bc9f1f88695da9e524289cb090ae616c3 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2f42a47 connectivity-check: Add additional test cases [ upstream commit ea35e2695040cde6349c2a501bcfcb5d26e8fded ]
* Add host to pod via clusterIP
* Add host to pod via headless service
* Add pod to pod via headless service
Also use a more optimized base image for all clients which will not run a HTTP server and thus won't listen to any ports. Doing so complicates running hostNetworking pods to simulate host traffic. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8efa088 ginkgo: Bump all timeouts [ upstream commit adfa9e7c915bbb0f18a391be59929ca9a98d2424 ] Have been hit by back to back provisioning failures due to timeouts being hit on processes that seem to have been progressing, albeit maybe slower than normal. After timeout VM provisioning is tried again, but overall we seem to be using more time due to cutting progressing processes off too eagerly. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
4da20d6 Address review comments (round 2) [ upstream commit 565dca4d9bb8e998f739cbd8adee414aea2deba0 ] Addressing Joe's review comments. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
97065f8 policy: Skip generating L3/L4 keys in some cases [ upstream commit 3dc57685e1146aed401a7a26c1bc84181d0b518d ] Skip generating L3/L4 keys if the L4-only key (for the same L4 port and protocol) has the same effect w.r.t. redirecting to the proxy or not, considering that the L3/L4 key should redirect if the L4-only key does. In summary, if we have both L3/L4 and L4-only keys:

L3/L4        L4-only      Skip generating L3/L4 key
redirect     no redirect  no  (redirection is not needed for the L4 port in general)
no redirect  no redirect  yes (same entry in both keys)
redirect     redirect     yes (same entry in both keys)
no redirect  redirect     yes (redirection is needed for the L4 port)

Signed-off-by: Jarno Rajahlame <jarno@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
48a8d15 policy: Add wildcard member to L4Filter [ upstream commit 5bfae92885ef9f2c053b8bd3d1956eaeac74c5a4 ] Keep track if the L4Filter has a wildcard (cached) selector. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5a5aca4 policy: Add on-demand wildcarding for generic L7 [ upstream commit 5c7344e1338229df7b57ba52dceffce45f3d1248 ] Generic L7 also needs to be wildcarded with an empty key-value map if an L3/L4 rule is merged with a generic L7 rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
b475f9e bpf: Look up L4 before L3 and redirect to proxy if either L4 result redirects [ upstream commit d3edaec1978939dd57314d6e637bbda186ba110a ] Always look up both L3/L4 and L4-only to find out if either of them redirects to proxy. This allows elimination of additionally generated policy map entries that would otherwise be needed to ensure L4-only policy redirects to the proxy in the presence of L3/L4 policies that do not redirect. This implementation is somewhat constrained by the bpf verifier not being able to handle two policy lookup results at the same time. This is why the packet is accounted towards both rules if it matches both an L3/L4 rule that does not redirect and an L4-only rule. This double-accounting could be eliminated by repeating the first policy map lookup, but that would add otherwise unnecessary overhead. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
5140097 Address review comments (round 1) [ upstream commit 872b3b53988d4b0c2aa35c3f8325a13fbf895efd ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
cbe3bd7 Apply all full-path-dependence rules at the same time. [ upstream commit 9c61db741d70e8ab870a27b4b9a9c31a1fd525a7 ] Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
97f9887 policy: Give priority for L7 redirect entries [ upstream commit 015d90ce1066c5843c65cc86928fb8516ffa3725 ] Two selectors can select the same security identity, and the policy can specify L7-rules for one of them, but not the other. While L7 enforcement would make this policy inconsistent, such a policy is valid for L7 visibility. To ensure consistent behavior give priority to redirect in the case the same map key has both a redirect and non-redirect. The implementation requires updates on a given security ID to happen atomically. To achieve this ConsumeMapChanges() is moved to the endpoint policy, which can lock the selectorcache to guarantee that concurrent updates on any new security ID have completed. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
63927d6 test: Add test with multiple ingress rules on the same port [ upstream commit c8c311840a249117291a1f9c7ba8bd0765e84d2b ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
7e529fc policy: Rename PerEpData to PerSelectorPolicy [ upstream commit 3c4095f3c5dcd7eb9cd241d9b8d010ed7e83dd4e ] This data has never been per Endpoint, renaming should clarify this. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
2144150 policy: Remove AllowsAllAtL3() and HasL3DependentL7Rules() [ upstream commit 88a73248a6dba5328189fb96240e17589518c00f ] These are no longer needed so remove them. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
ff76dd2 test: Make FQDN runtime tests more robust. [ upstream commit 00f151ff66e5cbf90a1fbfd8cfd2352ac783ab4e ] Allow docker network "world" to exist in advance. This is helpful when focus-testing different tests on the same VM. Do not expect FQDN selectors to have selected any IDs right after the policy is first imported. It is common to have no IDs when the policy is first imported, but no IPs have yet been resolved via the DNS proxy. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
68ff5d3 policy: Change ToKeys() to ToMapState() [ upstream commit cb4c1df37ea949eb8e3fac623f032e1934bd4be6 ] Rename ToKeys() to ToMapState() and return a map instead of just the keys. A map value with 0 port number means no redirection, while a map value with any other port number signifies proxy redirection. The port value returned (for entries that need proxy redirection) will be replaced by the actual proxy listening port numbers by the caller of ToMapState(). This allows different bpf policy map entries derived from the same L4 filter to redirect to the proxy or not. To help separate these two cases we have to remove the mass wildcarding of policy rules by removing the calls to wildcardL3L4Rule() and wildcardL3L4Rules(). These changes revealed a policy evaluation bug in cilium-envoy. Use a new Envoy image to address this. Note that this bug does not trigger with the previous "mass wildcarding" behavior of cilium-agent. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
36fb5da policy: Always pass CachedSelectors as the implementation type. [ upstream commit d84ee5215c7a695a8c23bcfa41098d8860de58e5 ] The CachedSelector interface values passed from the selector cache are used as map keys in the policy implementation. To properly function as map keys, they must always be passed as the pointer to the implementation of the same type. 'notifyUsers' was implemented by the "base class" (selectorManager), so when it passed a pointer to itself as a CachedSelector, the type inside the interface pointed to the selectorManager type, not the original fqdnSelector or labelIdentitySelector, causing map lookup failures. The CachedSelector passed by 'notifyUsers' was not previously used as a map key, so this error did not surface earlier. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
147a438 policy: Unify CachedSelectors and L7RulesPerEp [ upstream commit ba98f0ea3ead15c9a0816ea65166cb741b6daa72 ] Currently all selectors used by a policy are stored in 'CachedSelectors', while a subset of them having L7 rules are present in the L7RulesPerEp. Moving to an on-demand L7 wildcarding scheme requires keeping track of selectors without L7 rules (as those need wildcarding if merged with a filter with L7 rules). Do this by placing all selectors into L7RulesPerEp, while renaming it to 'L7RulesPerSelector'. Selectors without L7 rules have a value 'nil' in this map, which now represents "L7 wildcard". Remove 'CachedSelectors' as it is now fully redundant. Proxies (DNS, Kafka, Envoy) are updated to accept 'nil' as a wildcard rule. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
d597869 daemon: Add L3-dependent L7 policy test [ upstream commit 55be11b58e72cc7745042b0cafffffe08627c49f ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
be75b4a policy: Fix test combining of L4 and L7. [ upstream commit aff13556af9aa8c62138d54dc6d2d0de91bf97b4 ] Specify slice size as 0 when making it so that it is not full of zero entries to begin with. This has no effect on test results, but fixing this reduces confusion in reading the test output. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
d8c2916 doc: Mark encryption as stable for direct-routing and ENI mode [ upstream commit 3fd7a6a25125d7d1f1c8e9025539e206f7add2e3 ] Fixes: #10123 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
263efea docs: reclarify upgrade guide for deprecated label [ upstream commit dd534bc55947d54b8071ae067238ae9cdbe1b66b ] As removing the labels is an extremely complex operation, we should warn the users that the label was removed but still give them the option to keep the label to upgrade from older versions to v1.7. During testing it was found that following the existing upgrade guide could leave 2 Cilium pods running on each node when performing a downgrade. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
32bead2 test: fix upgrade-downgrade test with helm installation [ upstream commit 25ee77eb9c3e524ff6001d79cd2b566e30d2d124 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
44e8afe fixed padding after code blocks [ upstream commit 5f62b560e64843492423be0fd297019571b7207d ] Signed-off-by: Dmitry Kharitonov <geakstr@me.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
ce63b88 docs: Mention direct routing mode requirement for DSR [ upstream commit 02aba8bff4356c664c61bb15ce1f8eeca9a67a29 ] Direct Server Return (DSR) currently requires Cilium to be deployed in direct routing mode. This patch updates the kube-proxy-free documentation to reflect this. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
8837798 doc: Document L7 limitation in azure-cni chaining mode [ upstream commit 6b9559ecf021ef2a73025243fa1833fbfdc6b1b1 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
9ddda6d Add required etcd version for external etcd guide [ upstream commit 7b03642caeb64fc00d02e0a7c2c586b0f7c6498a ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
e973565 bpf: Fix proxy redirection for egress programs [ upstream commit c58d749816d943c4f9426f67738013f4e8778463 ]
* Handling of the proxy redirection was missing entirely in the to-container section for IPv6. Add it.
* The to-container section case was assuming that any proxy redirection is indicated by ipv{46}_policy() returning a non-zero proxy port. This is no longer true since commit 830adba. Fix this by using a separate return code to indicate proxy redirection and treating the proxy port as optional.
The above deficits led to proxy redirection being ineffective when the setting EnableEndpointRoutes was set. Fixes: 830adba1c02 ("bpf: Support proxy using original source address and port.") Fixes: 25a80dfdd5e ("bpf: Add to-container section to bpf_lxc") Fixes: #10105 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
1cb5650 kubernetes: Updated connectivity check [ upstream commit 54d9254abba5b4bb76df58f7074a0aaa4895253b ] Improved connectivity check with the ability to test various connectivity and policy variations. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 12 February 2020, 11:25:28 UTC
a659819 test: Do not remove tc filter from native dev [ upstream commit 7fc73b855d9198a3cdf76232b65096c9aee45a4b ] The programs will be removed by cilium-agent during its bootstrap. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
e63ff1e bpf: Remove bpf_netdev.o from previously used devices [ upstream commit 1239278985e54d21c1ce38712e6bd811d46e1f5d ] This commit makes cilium-agent remove bpf_netdev.o from devices which are no longer supposed to have the program attached. This can happen when e.g. a user has specified a different device for NodePort via `--device` or they switched from the direct routing mode to the tunnel mode. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
81f4dd7 bpf, sock: fix post-bind-sock{4,6} not found in ELF file [ upstream commit 022673fa29dc19a42800694d1d2e8f1442df1a5e ] If kube-proxy replacement is in partial mode and only host-reachable services are enabled, the agent will bail out with the following error:
[...]
level=warning msg="+ tc exec bpf pin /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind4 obj bpf_sock.o type sock attach_type post_bind4 sec post-bind-sock4" subsys=datapath-loader
level=warning msg="Program section 'post-bind-sock4' not found in ELF file!" subsys=datapath-loader
[...]
Given externalIPs depends on NodePort, we can reuse $NODE_PORT in init.sh. Also fix up some small code nits in bpf_sock in bind sections. Fixes: #10120 Fixes: b25663e65d31 ("bpf: Add post_bind{4,6} programs to block NodePorts") Reported-by: Paul Chaignon <paul@isovalent.com> Reported-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
f45fff5 install/kubernetes: add option to hold cilium agent on clean [ upstream commit a86c3a1ffa81482500eec0868aa3ad089a8e9cc7 ] In the upgrade test we clean up all Cilium state to perform a clean upgrade test. Since that clean up requires that a Cilium agent is not running, we need to change the arguments of the Cilium container image to avoid running Cilium at the same time we are cleaning its state. Thus, this commit introduces a new helm option that changes the Cilium container image cmd argument to not perform any action in the node while cleaning up its state. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
88f72ce Documentation: Switch EKS documentation to default to ENI [ upstream commit 074b092685aff1797ed0224d060b6997f82aabc5 ] ENI has been rock-solid and it is time to point the default EKS documentation to use ENI mode. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
aa3bc88 daemon, probe: whether CONFIG_CGROUP_BPF is compiled in [ upstream commit abf5366a5d4418f01432563d8e402fb957cd12e7 ] Given that for new deployments we probe the kernel and selectively disable kube-proxy replacement features, we need to dig a bit deeper to check whether CONFIG_CGROUP_BPF is compiled in, as otherwise we'd try to proceed with host-reachable services and will later fail to start up in init.sh given we cannot attach:
[...]
level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 post_bind6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_post_bind6" subsys=datapath-loader
level=warning msg="Error: failed to attach program" subsys=datapath-loader
I went with improving TestDummyProg() rather than relying on a .config to determine availability of CONFIG_CGROUP_BPF since a config may not necessarily be available on the underlying system. I've explicitly used an invalid fd as target cgroup fd to probe on EBADFD code. When compiled out, we'll simply always get an EINVAL for all kernels. Fixes: #10097 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
8764e7c bpf: fix incompatible pointer type warning on mac addr [ upstream commit 211883c85c45f65d76c3e2f81c5b2d283f115278 ]
[...]
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1057:26: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader
level=warning msg=" if (eth_load_saddr(skb, &smac.addr, 0) < 0)" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/eth.h:63:63: note: passing argument to parameter 'mac' here" subsys=datapath-loader
level=warning msg="static inline int eth_load_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader
level=warning msg=" ^" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1151:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader
level=warning msg=" if (eth_store_daddr(skb, &dmac->addr, 0) < 0)" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~~" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/eth.h:78:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader
level=warning msg="static inline int eth_store_daddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader
level=warning msg=" ^" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:52:" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/nodeport.h:1153:32: warning: incompatible pointer types passing 'uint8_t (*)[6]' to parameter of type 'uint8_t *' (aka 'unsigned char *') [-Wincompatible-pointer-types]" subsys=datapath-loader
level=warning msg=" if (eth_store_saddr(skb, &mac->addr, 0) < 0)" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/eth.h:68:64: note: passing argument to parameter 'mac' here" subsys=datapath-loader
level=warning msg="static inline int eth_store_saddr(struct __sk_buff *skb, __u8 *mac, int off)" subsys=datapath-loader
level=warning msg=" ^" subsys=datapath-loader
[...]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
4f4f77a bpf, daemon: fix CT_REPORT_FLAGS truncation warning [ upstream commit 5c8537cb09aad56ad0f1774c1a6ce5e1651a2d32 ] The value really needs to be 0xff. We got that correct in the shipped bpf/node_config.h file, but not for the go generated header where it is currently ^uint16(0). Therefore fix up TCPFlags.
[...]
level=warning msg="+ clang -O2 -g -target bpf -emit-llvm -Wno-address-of-packed-member -Wno-unknown-warning-option -I. -I/run/cilium/state/globals -I/var/lib/cilium/bpf -I/var/lib/cilium/bpf/include -D__NR_CPUS__=2 -DENABLE_ARP_RESPONDER -DHANDLE_NS -DSECLABEL=2 -DLB_L3 -DLB_L4 -DBPF_PKT_DIR=0 '-DNODE_MAC={.addr={0x42,0x09,0x4d,0x59,0x33,0xe9}}' -DCALLS_MAP=cilium_calls_netdev_2 -c /var/lib/cilium/bpf/bpf_netdev.c -o -" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:178:8: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader
level=warning msg=" CT_REPORT_FLAGS);" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader
level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader
level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader
level=warning msg=" ^~~~~~" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/bpf_netdev.c:50:" subsys=datapath-loader
level=warning msg="In file included from /var/lib/cilium/bpf/lib/nat.h:32:" subsys=datapath-loader
level=warning msg="/var/lib/cilium/bpf/lib/conntrack.h:296:22: warning: implicit conversion from 'int' to 'uint8_t' (aka 'unsigned char') changes value from 65535 to 255 [-Wconstant-conversion]" subsys=datapath-loader
level=warning msg=" seen_flags, CT_REPORT_FLAGS);" subsys=datapath-loader
level=warning msg=" ^~~~~~~~~~~~~~~" subsys=datapath-loader
level=warning msg="/run/cilium/state/globals/node_config.h:28:25: note: expanded from macro 'CT_REPORT_FLAGS'" subsys=datapath-loader
level=warning msg="#define CT_REPORT_FLAGS 0xffff" subsys=datapath-loader
level=warning msg=" ^~~~~~" subsys=datapath-loader
[...]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
bfe0676 Fix path to print-node-ip script in jenkinsfile [ upstream commit 20f7a79b53ad16b467b41e9e0a3c8f86d72e64d3 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
a1dfaf9 test: Refactor deleteCiliumDS() usage [ upstream commit 2a8cbab0e6a9e8847abf15fc81643ee3383ffee0 ]
- Move the function to helpers/kubectl.go.
- Make sure that the function is called in AfterAll() of each suite.
- Remove redundant deleteCiliumDS() calls.
Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
f58408a test: Remove cilium DS before installing a new one [ upstream commit 39b243aea095807f60fb51a1e109a9c6e84dad65 ] Previously, when installing Cilium via "ciliumInstallHelm()", changes to ConfigMap were not applied if Cilium DaemonSet had already been installed. An example of such occurrence in test logs:
time="2020-02-01T21:01:58Z" level=debug msg="running command: kubectl apply --force=true -f cilium-15ef6310fc44caf0.yaml -n kube-system"
cmd: "kubectl apply --force=true -f cilium-15ef6310fc44caf0.yaml -n kube-system" exitCode: 0 duration: 118.450977ms stdout:
configmap/cilium-config configured
serviceaccount/cilium unchanged
serviceaccount/cilium-operator unchanged
clusterrole.rbac.authorization.k8s.io/cilium unchanged
clusterrole.rbac.authorization.k8s.io/cilium-operator unchanged
clusterrolebinding.rbac.authorization.k8s.io/cilium unchanged
clusterrolebinding.rbac.authorization.k8s.io/cilium-operator unchanged
daemonset.apps/cilium unchanged
deployment.apps/cilium-operator configured
The missing removal of the Cilium DS was causing some flakes, e.g. when the test suite k8sT/external_ips.go was run before k8sT/Services.go. The former in some test cases was using `--device=enp0s9` instead of `--device=enp0s8`, and k8sT/Services.go required the latter device setting. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
e65fbb3 ServiceMonitor should default to release namespace [ upstream commit 629db726d96d8dddc5206b021170510d8ab0fc6d ] Signed-off-by: Dan Sexton <dan.b.sexton@gmail.com> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
a639ad4 ipcache: Fix ipcache pod IP update [ upstream commit 3526d4efb0138e60774eeb333c42ab50f703deea ] If an IP was reused by another pod, then a bug in the pod/namespace comparison logic would prevent the ipcache being updated for the pod. Fix it. Reported-at: https://lgtm.com/projects/g/cilium/cilium/alerts Fixes: 348051e7aaaf ("ipcache: Associate IPs with K8s namespace and pod name") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
776e60a client: Print detailed redirect info in status [ upstream commit cad36abc7e67c704936186b275525527d05207e9 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
773900f proxy: Populate proxy redirects in status model [ upstream commit 2ec34864cd0a47e41e987cf6d7d68e8b48b1167a ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
4dcf521 api: Extend proxy redirect status [ upstream commit b2271f74c0fafdd0bbef2cdf95a1ca69d4b0b1bc ] Extend the proxy redirect status to include more useful debugging information including a detailed breakdown of each redirect. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
3a9f97b docs: add setup validation howto to kube-proxy-free guide [ upstream commit 1130d454a35e62774ad43ddbbf182dd657700ae5 ] Also moved all the configuration which goes beyond regular quick-start into 'Advanced Configuration' section for now to make this more clear to readers. We can still discuss whether we would want to have this sit in a completely new page or not. Also, add a 'Validate the Setup' step. Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
93e91d5 docs: Update docs to reflect kubeProxyReplacement status change [ upstream commit d9f01ca13a6d3432ee59e9e29b01d4b9f0107936 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
b2f1ffe daemon, cli: Extend kubeProxyReplacement status [ upstream commit 18bd0eb0371ed0fc8772cf6c79c4c58de1d673b7 ]
- Add NodePort mode and port range.
- Reformat the host-reachable services output.
The example:
$ cilium status
KVStore:                Ok   Disabled
Kubernetes:             Ok   1.17 (v1.17.2) [linux/amd64]
Kubernetes APIs:        ["CustomResourceDefinition", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement:   Probe   [NodePort (SNAT, 30000-32767), ExternalIPs, HostReachableServices (TCP, UDP)]
Cilium:                 Ok   OK
NodeMonitor:            Disabled
Cilium health daemon:   Ok
IPAM:                   IPv4: 2/65535 allocated from 10.1.0.0/16,
Controller Status:      11/11 healthy
Proxy Status:           OK, ip 10.1.178.143, port-range 10000-20000
Cluster health:         0/1 reachable   (2020-02-07T10:01:53+01:00)
  Name                  IP          Reachable   Endpoints reachable
  ceuse (localhost)     10.5.57.1   false       false
Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Ray Bejjani <ray@isovalent.com> 11 February 2020, 15:57:55 UTC
06d55c6 cli: Remove nodePort BPF prog from netdev upon cleanup [ upstream commit 4836b2ab7639abbecb783a9be449e350c2358636 ] This commit extends "cilium cleanup" by making it remove tc filters (bpf_netdev.o) from a nodeport netdev. The iface of the netdev is obtained from /var/run/cilium/state/globals/node_config.h (NATIVE_DEV_IFINDEX) which is set by bpf/init.sh. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
f70e249 CI: PolicyTest toEntities All [ upstream commit 08927bb92f66a6aa17da4d9916747d77b8788a55 ] Queries via host were iterating through the search list. This meant that the first few attempts would always fail, and this seemed to fail outright sometimes. This change forces 3 retries on the domain without using the search list. This should mean that NXDomain should never be returned as kubernetes.default.svc.cluster.local. is always defined. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
b3b1972 docs: add description of dsr to kube-proxy free guide [ upstream commit 0c3660f859820ca9e08471a8ee2d11af32c1f6d7 ] ... and move all the NodePort related settings into its own section along with that. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
b9e7989 docs: add description of hybrid modes to kube-proxy free guide [ upstream commit 4edbcad66f7445f50cc77a31c2c11e6ff555c640 ] Elaborate on the various kubeProxyReplacement options. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
9192216 docs: add link to cilium upgrade guide for stable release section [ upstream commit cf6c890fb6f837a861552daf0694c5c38e11302e ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
4daa3b3 helm: add externalIPs configuration option to Cilium's helm chart [ upstream commit aa9f90f2d5a34de0a16ddaf7554774b28864ae3b ] Also group all kube-proxy replacement settings together. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
b8b8a4f helm, docs: fix typo in cni-chaining in values.yaml [ upstream commit 6be80f4c3b791a011bd28a17d490489e533fb8e6 ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
8d5ce3e daemon: Disable kube-proxy replacement sub-features in flags [ upstream commit a54cbecaa19b14b31c17321884dd2745221e1b63 ] This commit: - Disables option.Config.EnableExternalIP if NodePort is disabled - Disables option.EnableHostServices{TCP,UDP} if host-lb is disabled Otherwise, "cilium status" when --kube-proxy-replacement=partial will misleadingly report that ExternalIP and HostServices{TCP,UDP} are enabled even if NodePort and host-lb are disabled. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
3e6aeb6 daemon, cli: Add KubeProxyReplacement to cilium status [ upstream commit 500bad1420f286d3e6f221dea1387e891d0a3131 ] This commit adds kube-proxy-replacement configuration to "cilium status" cmd output, so that users could better detect which kube-proxy replacement features are enabled. The example of such output: $ cilium status KVStore: Ok Disabled Kubernetes: Ok 1.17 (v1.17.2) [linux/amd64] Kubernetes APIs: ["CustomResourceDefinition", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"] KubeProxyReplacement: Strict [NodePort, ExternalIPs, HostReachableServicesTCP, HostReachableServicesUDP] Cilium: Ok OK NodeMonitor: Disabled Cilium health daemon: Ok IPAM: IPv4: 4/65535 allocated from 10.1.0.0/16, Controller Status: 17/17 healthy Proxy Status: OK, ip 10.1.28.236, port-range 10000-20000 Cluster health: 0/1 reachable (2020-02-05T14:02:54+01:00) Name IP Reachable Endpoints reachable ceuse (localhost) 10.5.57.1 true false Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
14c2343 api: Add KubeProxyReplacement field to StatusResponse [ upstream commit 06add2d8ba7281aa74df838e9ed5e7b75fb15ecf ] It's going to be used when reporting kube-proxy replacement state in "cilium status" output. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
0e0cbf3 test/K8sServices: Test UDP node ports are blocked [ upstream commit 9943a660f84685147d52c1d3b4de8546b44f030c ] Extends the failBind tests to also test for UDP ports. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
4f5bd0e test/K8sServices: Tests for UDP connectivity [ upstream commit 59263d29c6a7fd0024b287578cb5d0531c56f77f ] Adds an additional UDP echoserver to the pods and service definitions, allowing us to check UDP connectivity alongside the existing TCP tests. The new echoserver uses the TFTP protocol to serve a status page similar to the existing HTTP server used for TCP tests. This allows us to reuse the existing test infrastructure, i.e. curl has built-in support for TFTP. The deployed cilium/echoserver-udp is using the so-called "single-port" mode of TFTP, where the server will always answer on the UDP port on which it received the request. This is required for NAT to work. Fixes: #9363 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
63e2825 test/K8sServices: Add test-k8s2 to waitPodsDs [ upstream commit 7dd756e5a0c4d7dfe0b9e177c764c7c5286d2d84 ] Previously, test-k8s2 was missing from the list of DaemonSet pods which have to be ready before the test is started. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
84f69f4 docs: rework nodeport and kube-proxy free guide [ upstream commit 8ee881587bf763583d9e45cf5aeb590e6ec1c57c ] Consolidate and rework the nodeport and kube-proxy free guides into a single one, move it out of beta and reflect recent updates. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
c4a3571 docs: remove beta from host-reachable services and improve doc [ upstream commit 714a56e67425e0e53a30737dd22648eb9b21e8ed ] For Cilium 1.7, we move host-reachable services out of the beta state therefore update the doc. Also document that libceph is a known issue with getpeername hook. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
f6c797f test: Do not skip kube-proxy free tests when running w/o third host [ upstream commit aa1a5a98c83e66b4a8a4cd5589b4c08c40ab3dff ] Instead, skip individual test cases which require the third host. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
3ac3402 test: Skip kube-proxy SVC tests when running w/o kube-proxy [ upstream commit 7ef9f87476ca49a08f76d757649187a1dfbed457 ] This commit makes the kube-proxy (NodePort) tests be skipped when running without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
dba9a02 test: Skip traffic policy test case from third host [ upstream commit 65cddbece18b6c32e0e1cf340d22ba76f054a93e ] Skip the externalTrafficPolicy=Local test case from the third (external) host when such does not exist. This will allow us to avoid skipping the whole Context() or It() if the third host does not exist. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
23d0609 ipam: Protect release from releasing alive IP [ upstream commit 4890a1552786b250111c81365198ea721169f340 ] It has been observed that kubelet calls CNI DELETE multiple times with potentially stale CNI result information. This can lead to a race condition where the initial CNI DELETE properly releases the IP in use which then gets reused by a different pod. Any subsequent CNI DELETE with the stale IP will then cause the IP of the live pod to be released. While the pod will continue to function, the next scheduled pod will attempt to use that IP and continuously fail to be scheduled due to an IP in use error. This is a regression of commit ab61853 which introduced the ability for CNI DELETE to release an IP even if the endpoint deletion fails which is required to fix the race condition when the CNI binary gets killed in between allocating an IP and creating the endpoint. Fixes: ab61853ca3 ("cni: Release IP even when endpoint deletion fails") Fixes: #10065 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
9b50f6a bpf: compile out service lookup entirely on kubeProxyReplacement=disabled [ upstream commit cb2f13534c92ab1c9f5528ed63ac9a92b189d0f9 ] Since in case of option.Config.DisableK8sServices=true we don't listen to service updates, there is also no point in doing service lookups in the fast-path. Therefore, compile the code out. Similarly, if the user opts into DisableK8sServices=true, then set kubeProxyReplacement=disabled. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
6666165 add release name to helm template calls [ upstream commit 161fcd49340561363521f71e76d4408dcae9fe5c ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
a586a8d Docs: Getting started guide for TLS-visibility [ upstream commit eb01fe70b13ddedba23402a00aee6844185d052d ] Signed-off-by: Dan Wendlandt <dan@covalent.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
6b8df3f kubernetes: Disable LocalNodeRoute while chaining [ upstream commit 403d20acf0d7d139c622524e63dbf69a9d1a6efb ] While chaining, a route covering the AllocCIDR was still being installed pointing to the cilium_host interface. Ideally the k8s node resource populates the PodCIDR information in which case this is harmless. If the PodCIDR is not known, Cilium would fall back to allocate a PodCIDR using the standard 10.x.0.0/16 template which then had the potential to conflict with a PodCIDR of another node. In case of a conflict, the rp_filter protection could cause packet loss due to conflicting routes. Related: #9794 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
b48efeb tests: test nodeport connectivity via v4-in-v6 sockets [ upstream commit d432ea6e134b6d0259fd6ec663a79f04cfa8e03c ] Make sure these tests pass as well on v6 sockets where we end up processing v4 socket hooks. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
71047c0 policy: clean a duplicated code [ upstream commit 909021c9a9cebf96c4a94d5d6db24c3fb32b6146 ] Signed-off-by: Zhiyuan Hou <zhiyuan2048@linux.alibaba.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
961d910 doc: update instructions about restarting pods after deployment [ upstream commit 20c39223f6a070a3f428adbde81646545e040e6a ] On GKE/EKS, pods are automatically restarted when the `--set global.restartPods=true` switch is passed to `helm` when deploying Cilium. If not, pods need to be manually restarted to ensure that they are managed by Cilium. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
700f5cc docs: Remove HealthCheckNodePort limitation [ upstream commit e07e8cebab8f0c958fafed81d9a1ba5cb813fcc6 ] Support for HealthCheckNodePort in NodePort BPF was added in #9906. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
63b4d35 test: Add test for HealthCheckNodePort [ upstream commit 2134e62ff085d901ac55b9e15d4044c60ddebea2 ] This tests that the HTTP server running on HealthCheckNodePort returns the correct HTTP code. We add a new service for this, since only services with Type=LoadBalancer and externalTrafficPolicy=Local will have the HealthCheckNodePort field set. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 February 2020, 16:19:57 UTC
f0b023a Prepare for release v1.7.0-rc3 Signed-off-by: André Martins <andre@cilium.io> 04 February 2020, 18:39:29 UTC
e206b7e update github actions for the v1.7 branch Signed-off-by: André Martins <andre@cilium.io> 04 February 2020, 18:39:29 UTC
5f6b395 VERSION: set version to 1.7.0-rc3 Signed-off-by: André Martins <andre@cilium.io> 04 February 2020, 18:39:29 UTC
fd3b9ac update CODEOWNERS Signed-off-by: André Martins <andre@cilium.io> 04 February 2020, 13:54:08 UTC
bcdbd0c Add curl retry to Basic TLS Policy test Signed-off-by: Maciej Kwiek <maciej@isovalent.com> 04 February 2020, 13:30:22 UTC
a950f18 bpf: fix NAT_MIN_EGRESS to NODEPORT_PORT_MIN_NAT When a regular server process was running in the defined nodeport range, then we would wrongly NAT replies upon EGRESS due to incorrect NAT_MIN_EGRESS setting. This really needs to be NODEPORT_PORT_MIN_NAT in order for the snat_v4_can_skip() check to properly work. Future work needs a better detection wrt processes binding ports. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 February 2020, 12:47:08 UTC
3464056 bpf: clean up to use ctx_{dst,src}_port in sock progs Make it consistent such that in bind hooks we use ctx_src_port() and in connect et al we use ctx_dst_port(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 February 2020, 12:47:08 UTC
00e4474 bpf: clean up unreachable nodeport_nat_ipv{4,6}_needed return The return is unreachable, so just remove it. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 04 February 2020, 12:47:08 UTC
f1a3af7 Add restartPodsEKS Add default value and documentation Move eks restart logic to restartPods Signed-off-by: Tom Hadlaw <thomas.hadlaw@hootsuite.com> Reverted default helm chart values Signed-off-by: Tom Hadlaw <thomas.hadlaw@hootsuite.com> Generalize aws cni container regex Signed-off-by: Tom Hadlaw <thomas.hadlaw@hootsuite.com> 04 February 2020, 09:40:46 UTC
e5768c5 docs: Mention kube-proxy-replacement in upgrade docs Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC
afc0e0e test: Set kubeProxyReplacement=strict when running w/o kube-proxy To avoid cilium-agent silently not enabling all features, which we want to test when running w/o kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC
5f36674 helm: Add kubeProxyReplacement It controls the agent's --kube-proxy-replacement flag. Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC
3c33f52 daemon: Add --kube-proxy-replacement flag The flag controls what / how datapath features required for kube-proxy replacement are enabled. The possible outcomes depending on a value of the flag are the following: - "probe": auto-enable all available features for kube-proxy replacement (agent probes for features and tries to enable them without panicking if any cannot be enabled). - "strict": enable all features (panic if any cannot be enabled). - "partial": enable only features selected by a user (panic if any of the selected ones cannot be enabled). - "disabled": disable all kube-proxy replacement features (even those which the user has enabled). Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC
6ad44b5 probes: Probe for BPF helpers This commit adds GetHelpers() method which returns available helper functions for the given program type. Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC
dabea8c daemon: Move validation of svc related flags into function For the sake of readability. Signed-off-by: Martynas Pumputis <m@lambda.lt> 04 February 2020, 09:39:41 UTC