https://github.com/cilium/cilium

Revision Author Date Message Commit Date
54cf381 Prepare for release v1.8.3 Signed-off-by: André Martins <andre@cilium.io> 04 September 2020, 12:30:57 UTC
48507a8 connectivity-check: Use unprivileged ports [ upstream commit aacc6e76915b74a9380fbc02c89c8fc8d97ef7f5 ] Use of port 80 causes unnecessary requirements for k8s environments to allow pods to bind to privileged ports. Switch to port 8080 instead. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
cad3a9c ci(smoketest): Add the step to check for drift for connectivity manifests [ upstream commit 16e8c78e035879072f052bc1a7efc05b97255750 ] There was one drift related to pod-to-b-multi-node-nodeport in the connectivity-check-internal.yaml file. In order to pass GA, hostService should be enabled; hence, I just changed the param kubeProxyReplacement to strict. Relates #12714 Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
87b3d9c refactor(connectivity): Update filtering logic and default value for traffic label. [ upstream commit 16d8034fbd508b780184121cd95c9bd01b3f7ddd ] This PR is related to comment[0]. Having default value for traffic as 'any' is sometimes ambiguous in k8s spec, the changes are to make default value as internal. Some related cases (such as 1.1.1.1 or www.google.com) are explicitly specified as `external`. [0]: https://github.com/cilium/cilium/pull/12671#discussion_r465920110 Relates #12671 Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
4eccafe test(conformance): Enable smoke test in ipv6 cluster [ upstream commit 00c3e004cbaa80a2158ef7221352a08c701608d8 ] To enable conformance test for ipv6-only cluster. Due to the lack of ipv6 support in github actions, two related tests (1.1.1.1 and www.google.com FQDN) are skipped now. Add auto-generate script for connectivity-check-internal.yaml Update generation Makefile target for connectivity check - Use ">>" instead of ">" to avoid the header getting overridden - Add $(ALL_TARGET) into .PHONY list - Use $@ annotation instead of repeated variable to avoid potential mistake Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
929762d connectivity-check: re-introduce port-to-b NodePort checks [ upstream commit 5d3babd4de5302795c25a7a99ded5ce9d7155f01 ] Commit 8a03d54da11a ("Extend connectivity-check for HTTP policy validation via CUE (#12599)") introduced the usage of the CUE language to make the management of the connectivity checks easier and more consistent. But two deployments, "pod-to-b-intra-node-nodeport" and "pod-to-b-multi-node-nodeport", have accidentally been left out of the process. This commit reintroduces them. Only the cue file was hand-edited, the changes in the yaml files were generated by running "make". Fixes: 8a03d54da11a ("Extend connectivity-check for HTTP policy validation via CUE (#12599)") Fixes: #12599 Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
9139849 connectivity-check: Add DNS query tool for debugging [ upstream commit 62b4c2964aa1b1e1ea390ff1b230b72a831b50ee ] Add a new section to the connectivity checks specifically for manual debugging. These new tools will not fail by themselves so they are not appropriate for continuous integration testing. The new tool can be generated specifically via: $ cue cmd -t type=tool -t component=proxy dump Or by building the new generic connectivity-debug-tools.yaml target: $ make -C examples/kubernetes/connectivity-check connectivity-debug-tools.yaml To use the new tool, deploy it and follow the logs: $ kubectl logs -l name=query-dns-policy --timestamps -f Then take manual actions that may influence DNS proxy forwarding & observe how the output of the pod changes over time. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
3035609 connectivity-check: Add tool type[=autocheck] [ upstream commit 7b0960ad316cf60a4dc5000690dc59812b8806df ] Add a new label, "type" which will have two settings, either autocheck (ie connectivity check script that fails based on certain conditions, suitable for automated runtime usage in CI), and "tool" which requires manual deployment & observation from a human. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
c0d2509 Extend connectivity-check for HTTP policy validation via CUE (#12599) [ upstream commit 8a03d54da11a1c15302f4f90de8bf1e539252784 ] * connectivity-check: Add 'make clean' support Factor out the targets for all YAMLs so it can be reused by a new phony target, 'clean'. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Introduce cuelang framework CUE (https://cuelang.org/) is a data constraint language defined as a superset of JSON which aims to "simplify tasks involving defining and using data". In context of the connectivity check YAMLs, CUE is useful to allow us to "evaporate" the boilerplate necessary to define Kubernetes YAMLs for Deployments, Services and CiliumNetworkPolicies and allow developers to specify various permutations for connectivity checks concisely. Why should we use it? * It's more concise: One template definition, multiple reuse. This is useful for introducing new connectivity checks as upcoming commits will demonstrate as the developer doesn't need to perform the tedious and error-prone process of copying and modifying the YAMLs to implement various permutations of a check. Furthermore this helps reviewers as they will not have to read through swathes of YAMLs but can instead focus on the diffs in the templating that are introduced and compare to existing data definitions. * Consolidate constant declaration. When a core change needs to be made to something like the readinessProbe for probes that expect a success or failure, we can update one definition in the main CUE file and all YAMLs will subsequently be generated with this change in mind. During the process of preparing these changes, I noticed inconsistencies between various existing YAMLs which appear to just be unintentional, where some YAMLs were improved with better timeout behaviour or error rendering, but other YAMLs were left out. * The data is more structured. 
Upcoming commits will introduce simple CLI tools that allow matching on different classes of connectivity checks to generate the corresponding YAMLs. Previously we have depended upon file naming schemes and Makefile globbing magic to implement this which quickly reaches a limit in which checks should be selected for a specific check. What are the dangers? * It's relatively immature. At current version v0.2.2 it is subject to language changes. Upcoming commits will pin the CLI tool usage to a docker container derived from this version to ensure compatibility. * One more language in the tree to understand, review and interact with. Mitigating circumstances: This language comes out of the Golang community and as such brings some commonalities; furthermore it is beginning to be used in other Kubernetes projects, so there is some broader community alignment. * Its power allows you to hide as much or as little complexity as you want. It's tricky to strike a fine balance between explicitly declaring (and duplicating) relevant fields in the local file vs. hiding convenient templating language in common files. For examples, see defaults.cue which automatically derives connectivity check destinations based on object name declarations matching regexes of "pod-to-X", and applies affinity/anti-affinity via matches on "intra-host" or "multi-host". * All declarations are additive, ie there is no ordering based upon the layout in code; instead, data dependencies are determined using the declarations, and all data is arranged into a lattice to determine the evaluation ordering[0]. This can be counter-intuitive to reason about for the uninitiated. The general approach used in this commit was to `cue import` various existing YAML files to generate JSON equivalents, then iteratively combining & consolidating existing definitions using the language constructs provided by CUE. 
CUE also provides mechanisms to generate schemas and autogenerate the structures used here directly from API definitions (eg from k8s source or Cilium tree), however this area was not explored in this PR yet. While this doesn't take advantage of one major aspect of the language, upcoming commits will demonstrate the way that these changes were validated without the use of standardized schemas from the underlying Kubernetes resource definitions. (TL;DR: `kubectl diff ...` with kubectl validation on a live cluster). This was sufficient to extend the connectivity checks and does not preclude future explanation of the use of schemas for these definitions. This commit introduces usage of CUE in a relatively minimal way into the tree which was useful for my goals of extending the connectivity checks. If we find that it is useful and powerful, we may consider whether to extend its usage to other areas of the code (such as for test manifest generation). [0] https://cuelang.org/docs/concepts/logic/#the-value-lattice Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add cue CLI tools Add some basic tooling around connectivity-check YAML generation: $ cue cmd help List connectivity-check resources specified in this directory Usage: cue [-t component=<component>] [-t name=<name>] [-t topology=<topology>] <command> Available Commands: dump Generate connectivity-check YAMLs from the cuelang scripts ls List connectivity-check resources specified in this directory List available connectivity-check components: $ cue cmd ls KIND COMPONENT TOPOLOGY NAME Service network-check any echo-a Service services-check any echo-b Service services-check any echo-b-headless Service services-check any echo-b-host-headless Deployment network-check any echo-a Deployment services-check any echo-b Deployment services-check any echo-b-host Deployment network-check any pod-to-a Deployment network-check any pod-to-external-1111 Deployment policy-check any pod-to-a-allowed-cnp Deployment 
policy-check any pod-to-a-denied-cnp Deployment policy-check any pod-to-external-fqdn-allow-google-cnp Deployment services-check multi-node pod-to-b-multi-node-clusterip Deployment services-check multi-node pod-to-b-multi-node-headless Deployment services-check intra-node pod-to-b-intra-node-clusterip Deployment services-check intra-node pod-to-b-intra-node-headless Deployment services-check multi-node host-to-b-multi-node-clusterip Deployment services-check multi-node host-to-b-multi-node-headless CiliumNetworkPolicy policy-check any pod-to-a-allowed-cnp CiliumNetworkPolicy policy-check any pod-to-a-denied-cnp CiliumNetworkPolicy policy-check any pod-to-external-fqdn-allow-google-cnp These can be filtered by component, topology or name. For example: $ cue cmd -t component=network ls KIND COMPONENT TOPOLOGY NAME Service network-check any echo-a Deployment network-check any echo-a Deployment network-check any pod-to-a Deployment network-check any pod-to-external-1111 Finally, to gather the (filtered) YAMLs for the specified resources: $ cue cmd dump | head -n 20 metadata: name: echo-a labels: name: echo-a topology: any component: network-check spec: ports: - port: 80 selector: name: echo-a type: ClusterIP apiVersion: v1 kind: Service --- ... Or with an upcoming commit you can just use the Makefile, which now depends on the cuelang/cue:v0.2.2 Docker image: $ make connectivity-check.yaml Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Support generating YAMLs via cue Replace the existing YAML generation from individual YAML declarations for each service with generating YAMLs from the CUE definitions. Three new targets will assist in validating the migration from the existing definitions over to CUE: * make generate_all * For each object declared in CUE, generate a file corresponding to that definition. For most of the existing YAMLs, this will overwrite the copy of the YAML in the tree. 
This can allow manual inspection of individual YAMLs, though the 'inspect' approach is broadly more useful for evaluating the overall diff. * make deploy * Deploy the hostport connectivity checks YAML into an existing cluster. * make inspect * Generate the YAML file for all connectivity checks, then use kubectl to diff these newly generated definitions against the running cluster (assuming it was deployed via make deploy). This commit is purely the makefile changes for easier review & inspection. Upcoming commits will use these targets to demonstrate that there is no meaningful change in the generated YAMLs for existing YAMLs in the tree. In particular, `make inspect` can be used in an iterative manner by initially deploying the current version of the YAMLs from the tree, then making changes to the CUE files and inspecting each time a change is made. When the diff in the cluster represents the changes that the developer intends to make, the developer can commit the changes to the CUE files and re-generate the tree versions of the YAMLs. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Replace YAMLs with cue-generated YAMLs Prior commits introduced CUE definitions that are equivalent to these YAML files, so we can now: * Remove the individual declarations which were previously source-of-truth for the connectivity checks * Update the overall connectivity-check YAMLs to reflect the minor changes that the CUE definitions represent. To validate this, heavy use of `make inspect` was used. As described in the prior commit message where this was introduced, this allows diffing the latest CUE-based YAML definitions against a running copy of the YAMLs in a cluster. There are few meaningful changes in this commit which are hard to assess directly from the git diff, but are easier using `make inspect`: * All containers are converted to use readinessProbe and not livenessProbe. * All readiness probes now specify --connect-timeout of 5s. 
* Readiness probes access `/public` or `/private` per the underlying container HTTP server paths rather than just accessing `/`. * DNS allow policies are converted to consistently allow both TCP and UDP-based DNS. * Container names are derived from pod names. * The new YAMLs declare additional labels for all resources, such as 'component' and 'topology'. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Introduce proxy checks These new checks configure various L7 proxy paths to validate connectivity via L7 proxies, in the following dimensions: - Apply policy on egress; ingress; or both (proxy-to-proxy) - Intra-node / Multi-node - Allow / Deny Note that proxy-to-proxy always configures egress allow policy to ensure that the traffic goes via the proxy and in the drop case the requests are only rejected at the destination. This is because applying egress deny at the source would prevent proxy-to-proxy connectivity, meaning the test would be equivalent to the egress-only reject policy case. This way, we ensure that the path via the egress proxy to the destination is tested in the reject case. These are implemented partially through a new 'echo-c' pod which always has ingress policy applied to allow GET requests to '/public'. Depending on whether ingress policy is needed to check the particular permutation the new checks may connect to 'echo-a' or 'echo-c'. These are implemented by adding pods for each permutation of policy apply point and topology; then by adding allow / deny containers within that pod to test the allow/deny cases. The 'connectivity-check-proxy.yaml' includes all of the above. Finally, the omissions: This commit does not attempt to address variations in datapath configuration. This includes IPv4 vs. IPv6; tunnel/direct-routing; endpoint config; kube proxy/free; encryption. These are left up to the cluster operator configuring Cilium in specific modes and subsequently deploying these YAMLs. 
Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Minor naming fixups Make some of these resource names a bit more consistent. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add quarantine label to metadata This new label will be used during YAML generation to ensure that resources which we are still working on fixes for are kept in a separate category apart from the regular connectivity checks, to allow us to check them in & distribute them without causing CI to instantly fail. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Add hostport + proxy checks Introduces checks for egress proxy policy when accessing a hostport on a remote node. These are added as part of the component=hostport-check to ensure they are not pulled in when running connectivity checks in environments without hostport support. Additionally, these new tests are quarantined for now as they are known to fail in some environments. Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Expand readme for latest checks Signed-off-by: Joe Stringer <joe@cilium.io> * connectivity-check: Re-add liveness probes It appears that some of these checks require liveness probes rather than readiness probes to pass on the github actions smoke-test, so ensure all containers are checked with both. Signed-off-by: Joe Stringer <joe@cilium.io> * smoke-test: Improve state gathering upon failure Commit bb91571ea497 ("smoke-test: Print pod/deploy state on failure") attempted to improve the information available during a failure from the smoke-tests, but only added it to the quick-install test and not the conformance test. Add the same output also to the conformance test so we can more easily debug failures there. Signed-off-by: Joe Stringer <joe@cilium.io> * smoke-test: Disable bpf masquerading In the smoke test, we are relying on kube-proxy for service connectivity so it doesn't make sense to enable BPF masquerading. 
In fact, this causes issues for connectivity from a node to a pod on a remote node via ClusterIP (see related issue). For the moment, disable BPF masquerading while we figure out the longer-term solution to that issue. Related: #12699 Signed-off-by: Joe Stringer <joe@cilium.io> * docs: Update connectivity-check examples Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
e0609b0 chore(docker): Bump json-mock version to 1.2 for dual stack [ upstream commit d3b3ce8ca73faebf60da3ed0b4b7c6a911b606d5 ] Bump json-mock version to 1.2 for dual stack Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 04 September 2020, 02:44:36 UTC
4a8487d Update kops installation documentation [ upstream commit 06dbc52d6edb6a0d2f24b150e96c513f5815ae0e ] Removes references to things like CoreOS and old etcd versions. Also added some further reading links for those who want to configure cilium on kops further. Signed-off-by: Ole Markus With <o.with@sportradar.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
0bf6bb1 test: Fix GuestBook test [ upstream commit 8aba1c195ec96f8696ef354c65874be8e6b7d088 ] ae9e4be updated the GuestBook images and labels, but failed to make the same label update in the test itself. Thus, since then, we have not been running any connectivity check in the GuestBook test. That went unnoticed because we didn't check that the set of pods returned (from which we run connectivity checks) was not empty. This commit fixes it by: 1. Updating the label in the test itself to app=guestbook. 2. Adding a check that the set of pods selected isn't empty. However, the nc utility we were using to check connectivity from the frontend pods to the Redis backend isn't available in the new images. Therefore, we also need to: 3. Use curl instead inside the frontend pods to check that the PHP frontend works as expected and is able to contact the Redis backend. That's it? No. Turns out some of the pod labels and names have also been hardcoded in the Docker images and have been updated (mostly to use more neutral terms). 4. Update the YAML file to better match [1]. We however can't update the 'redis-master' name because our v6 frontend image has it hardcoded. The v5 frontend image at [1] has 'redis-leader' as the name, but somehow not the v6. We want to use the v6 image because it is a lot bigger (cf. dffb450fe7). 5. And finally, Bob's our uncle! 1 - https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook Fixes: #12994 Fixes: ae9e4be ("test: replace guestbook test docker image") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
0ec5539 doc: fix the installation validation on AKS [ upstream commit 86b5d54112b7d22f798e089397e78b85e734e4ce ] Before this patch, the installation validation for Installation on Azure AKS would try to find cilium in the kube-system namespace when it was installed in the cilium namespace. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
f7b2a29 doc: fix the cilium namespace for AKS and Azure cni chaining [ upstream commit 0d9788d843714e63933df22535ab3284f235143f ] Before this patch, documentation for both AKS and Azure CNI chaining were setting CILIUM_NAMESPACE=kube-system although cilium is installed in the cilium namespace. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
16c092f pkg/kvstore: set endpoint shuffle in etcd client connectivity [ upstream commit 642a2e1f516bb2ba423cde4c083668c89b757533 ] The endpoint shuffle was happening before loading the etcd configuration. To have the endpoints shuffled we should do it after loading the configuration from disk. Fixes: b95650b30b46 ("etcd: Shuffle list of etcd endpoints") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
09c3add daemon: Disable BPF-masq if host-svc is disabled in tunnel mode [ upstream commit 50e59c309e6d86adad84dc175678a91dce6def03 ] Currently, when running with --enable-bpf-masquerade=true, --tunnel!=disabled and --enable-host-reachable-services=false, accessing a remote backend from a host netns via ClusterIP is broken. This is because the DNAT is performed by an iptables rule installed by kube-proxy, which means that src IP addr is selected before the DNAT. So, the kernel picks the src IP addr of the iface with an IP default route, then does the DNAT, and finally sends the packet over the native device to the remote node. Everything is fine until a reply to the request is about to be sent by the remote backend. On the remote node, the reply (dst=the client node IP) gets masqueraded by the BPF-masq feature, because we masquerade pod -> remote host IP in the tunnel mode (see comment in the "snat_v4_needed()" for the reason), and currently we don't consult the CT map to see whether a packet is a reply. When the host-svc feature is enabled, the socket dst addr is rewritten before a related skb is even crafted. This makes the routing lookup be performed with dst IP addr of the remote backend IP addr. So, in the tunnel mode the kernel will pick cilium_host's IP addr as the src IP addr, and the packet will be sent over the tunnel (and a reply). Therefore, the troublesome masquerading is avoided. Disable the BPF-masq feature if the conditions are not met until we add a lookup in CT map (https://github.com/cilium/cilium/issues/12544). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
71ecad7 docs: Mention L7 limitation in Calico chaining GSG [ upstream commit 40a30cfc928833d5227f7c2097503999ce58b612 ] Several users have reported issues with L7 policies when running Cilium in chaining configuration on top of Calico. The long-term solution to this issue is well known (BPF TPROXY), but we should add a note to the documentation in the meantime to warn users. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
089a1a0 iptables, loader: add rules to ensure symmetric routing for AWS ENI traffic [ upstream commit c7f9997d7001c8561583d374dcbd4d973bad6fac ] Multi-node NodePort traffic with AWS ENI needs a set of specific rules that are usually set by the AWS DaemonSet: # sysctl -w net.ipv4.conf.eth0.rp_filter=2 # iptables -t mangle -A PREROUTING -i eth0 -m comment --comment "AWS, primary ENI" -m addrtype --dst-type LOCAL --limit-iface-in -j CONNMARK --set-xmark 0x80/0x80 # iptables -t mangle -A PREROUTING -i eni+ -m comment --comment "AWS, primary ENI" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80 # ip rule add fwmark 0x80/0x80 lookup main These rules mark packets coming from another node through eth0, and restore the mark on the return path to force a lookup into the main routing table. Without them, the "ip rules" set by the cilium-cni plugin tell the host to lookup into the table related to the VPC for which the CIDR used by the endpoint has been configured. We want to reproduce equivalent rules to ensure correct routing, or multi-node NodePort traffic will not be routed correctly. This could be observed with the pod-to-b-multi-node-nodeport pod from connectivity check never getting ready. This commit makes the loader and iptables module create the relevant rules when ENI is in use. 
The rules are nearly identical to those from the aws daemonset (different comments, different interface prefix for conntrack return path, explicit preference for ip rule): # sysctl -w net.ipv4.conf.<egressMasqueradeInterfaces>.rp_filter=2 # iptables -t mangle -A PREROUTING -i <egressMasqueradeInterfaces> -m comment --comment "cilium: primary ENI" -m addrtype --dst-type LOCAL --limit-iface-in -j CONNMARK --set-xmark 0x80/0x80 # iptables -t mangle -A PREROUTING -i lxc+ -m comment --comment "cilium: primary ENI" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80 # ip rule add fwmark 0x80/0x80 lookup main pref 109 Fixes: #12098 Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
556379b daemon: properly maintain node lists on updates [ upstream commit 5550c0f3f2206d05f3ef3af569ab756cbba94fae ] NodeAdd and NodeUpdate update the node state for clients so that they can return the changes when a client requests them. If a node was added and then updated, its old and new version would be on the added list and its old on the removed list. Instead, we can just update the node on the added list. Note that the setNodes() function on pkg/health/server/prober.go first deletes the removed nodes and then adds the new ones, which means that the old version of the node would be added and remain as stale on the health server. This was found during investigation of issues with inconsistent health reports when nodes are added/removed from the cluster (e.g., #11532), and it seems to fix inconsistencies observed in a small-scale test I did to reproduce the issue. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
ec31831 docs: limit copybutton to content area only [ upstream commit 6711a0ce13cceb217df187c492f11e7879cb3a09 ] Fixes copy button to not conflict with the search Signed-off-by: Sergey Generalov <sergey@genbit.ru> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
bfa4661 Upgrade Cilium docs theme version [ upstream commit eeec4d0e00549a886511069ebf6784042d93550c ] Signed-off-by: Nicolas Jacques <neela@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
a88ffcd docs: update kubeproxy-free gsg to account for #12438 [ upstream commit 326487aa506df7b384603cd403b2b2504fec4312 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
ffa80dd vagrant: Don't use the NFS device's IP as node IP [ upstream commit 1c37921003a824568d8165de4625c4ce390df37c ] The K8s node IP is the IP address propagated to other nodes and mapped to the REMOTE_NODE_ID in the ipcache. We therefore don't want to use the IP address of the NFS interface (enp0s9) for that. When we use that IP address, any policy using the remote-node identity (or host in case the two aren't dissociated) will fail to resolve properly. In general, I don't think K8s even needs to know about the NFS interface or its IP addresses. Fixes: 0eafea4 ("examples/kubernetes-ingress: fixing scripts to run k8s 1.8.1") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 September 2020, 20:29:31 UTC
7910deb Fix expression per lint error [ upstream commit 7457ce6299dc64f4b6a810fef8c8dd9f2bc4f4fa ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
935e99c Simplify gate expression [ upstream commit ff821d2bdc79606631409379791742c04807f665 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
38b2fda nodeinit: only bypass IP-MASQ if Cilium manages masquerade [ upstream commit 58aea35c82ec04a9d637dd0f710d1f258794fb60 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
2835d5d docs: bump kernel and ena driver version, drop custom prebuilt driver in EKS XDP GSG [ upstream commit dee019147a9d0bfdb1fb4225bca34ca836d774b9 ] The kernel-ng package updated to 5.4.58-27.104.amzn2.x86_64 which includes version 2.2.10g of the ena driver. Thus we no longer require a manually built ena driver for the EKS XDP Getting Started Guide. Drop the corresponding note as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
2d47e9c docs: Disable BPF-masq in KIND GSG [ upstream commit 7403251cc119aad7438ba678166c0a2d9d1bcf12 ] Disable BPF-masq when deploying in KIND until https://github.com/cilium/cilium/issues/12699 has been fixed. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
1c09c38 test: NodePort with host policy [ upstream commit eecd5b9509888f3d6d322507ffb949b7a3c96ba5 ] This commit adds new tests, identical to NodePort tests under vxlan tunneling and direct routing, but with an ingress+egress host policy applied. The host policy only allows communications between nodes and to specific endpoints for readiness probes. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
172b4b6 test: fromCIDR+toPorts host policy [ upstream commit 74be0b2a593d506d6522474080af1ac2ee7b92ee ] This commit extends the existing fromCIDR+toPorts policy test to test the same kind of policy for the host firewall. To that end, it: 1. Enables the host firewall. The issue in comment is not relevant anymore since masquerading is disabled. 2. Introduce a helper to get the ID of the host endpoint. This helper will likely be needed for other host firewall tests as well. 3. Load a new DaemonSet to instantiate a host-networking pod on each k8s node. This pod serves as the target for host firewall connectivity tests. 4. Extend the existing test cases with CCNP tests. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
399a545 test: Enable host firewall in CI only when label is set [ upstream commit 3f8f7c3d6420cb1c03964335f43836421edc9096 ] The host firewall is only enabled in CI if label ci/host-firewall is set. The goal is to have default CI options closer to common user environments and host firewall is not enabled by default in those. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
5da8446 fix: node-init should use docker if /etc/crictl.yaml not found [ upstream commit 552c823f561149213807627cfbd724c39dbd8a10 ] This script has several tests for what the container runtime situation looks like to determine how best to restart the underlying containers (going around the kubelet) so that the new networking configuration can take effect. The first test looks to see if the crictl config file is configured to use docker, but if that file doesn't exist then it fails. I believe docker is the default if this hasn't been configured at all so if that file doesn't exist then use docker. Fixes #12850 Signed-off-by: Nathan Bird <njbird@infiniteenergy.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 02 September 2020, 07:27:02 UTC
1a69583 docs: Add ipmasq and src range BPF maps limits [ upstream commit 2a30cc13b3e7e64ab89674f7409d3e1f5ebe1684 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
016e356 docs: Add LB src range check section to kube-proxy-free gsg [ upstream commit 871080bd0ed868c4eb0d8ea93bad698cd41f0cbd ] Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
f316d0a helm: Add config.svcSourceRangeCheck [ upstream commit 3ec7b35ef98fb1a26d8d78ba276a14d08a177073 ] The config option can be used to disable the (LB) source range check feature (--enable-svc-source-range-check). Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
4c179d5 test: Add integration test for LB src range check [ upstream commit c142e5e2d0b92686950e553dca5805056fa2007f ] Currently, the test contains some sleeps for waiting until cilium-agents have updated their LB src range maps. In the future, it will be replaced by checking whether "cilium bpf source-list list" (TODO) contains relevant entries. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
2f0ed3b daemon: Rename --enable-loadbalancer-source-range-check [ upstream commit bd6600f0b4774270ab73d900ac9cd408d33c4f37 ] Rename to --enable-svc-source-range-check, as in the future we might enable (e.g. via annotations) the checks for services which type != LoadBalancer. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
ceb8b96 daemon: Enable LB src range check by default [ upstream commit ae71d89026b6872276adee618bdbaf755b4e2948 ] Disable it when running in the non-strict mode if the full LPM is missing, or fail hard if running in the strict mode. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
eb8f15f probe: Invoke HaveFullLPM checks only once [ upstream commit dd135f512be1adce0edb4d3d937170862bfb3934 ] The check is going to be used by the LB src range check, so reuse a result from a previous check if available. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
5c05e19 service: Replace UpsertServiceParams with lb.SVC [ upstream commit f903c17a325882f8b9fb84ee810549c4d886c0cd ] Both structs are identical, and the latter has been used everywhere. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
5ed92a4 datapath: Add source range check for LB services [ upstream commit 8ad79dc63d86a5ce179d57caabdd9d5bae6ab57d ] The check is performed only if the SVC_FLAG_CHECK_SRC bit is set for a given service. The check is based on a lookup of the LB{4,6}_SRC_RANGE_MAP BPF maps which are of the LPM type. If an entry is not found for a given src IP addr + rev_nat_index, then the request is dropped. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
680279e service: Add provisioning of LoadBalancerSourceRanges [ upstream commit 34fae55215c5b877e13990987d2e447044588bf6 ] The service manager gets updates from the k8s service watcher. If --enable-loadbalancer-source-range=true AND svc type = LB AND len(.spec.loadBalancerSourceRanges) != 0, it will populate the corresponding BPF maps via lbmap. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
7fb4130 lbmap: Add SourceRange maps [ upstream commit 945a852cfe62d1ea865e52c53aab3a4bee2de75a ] The maps are going to be used by the LB source range check. The check is going to be enabled for those services whose type is LoadBalancer AND .spec.loadBalancerSourceRanges is not empty. Such services have the check-source-range bit set in their service flags. This allows the datapath to avoid doing a lookup in the maps for each request sent to a service of the LoadBalancer type. The maps are of the LPM type, and a key is a tuple containing LPM prefix, SVC rev_nat_id (aka svc ID), some padding and source IPv{4,6} addr. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
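The three commits above (datapath check, service-manager provisioning, lbmap keys) together describe how the LB source range check works: only services of type LoadBalancer with a non-empty loadBalancerSourceRanges get map entries and the check-source flag bit, and the datapath then drops any request whose source address has no matching entry for that service's rev_nat_id. The following Go program is an added illustration written for this page, not Cilium's own code: it models the LPM map in memory (the real lookup is a BPF LPM trie in the kernel), borrows the concept names from the commit messages, and uses a hypothetical value for the flag bit, since the real bit assignment is defined in the datapath headers and not reproduced here.

```go
package main

import (
	"fmt"
	"net/netip"
)

// svcFlagCheckSrc models the SVC_FLAG_CHECK_SRC service flag bit.
// Hypothetical value; the real bit assignment lives in Cilium's datapath.
const svcFlagCheckSrc uint8 = 1 << 0

// service is a minimal stand-in for a k8s service as seen by the service
// manager: its rev_nat_id (service ID), its type and its
// .spec.loadBalancerSourceRanges.
type service struct {
	ID           uint16
	Type         string
	SourceRanges []string
}

// srcRangeMap is an in-memory model of LB{4,6}_SRC_RANGE_MAP. The real
// map key is (prefix length, svc ID, padding, source address) and the
// kernel does the longest-prefix match; here entries are grouped per
// service and lookup walks them to find the longest matching prefix.
type srcRangeMap struct {
	entries map[uint16][]netip.Prefix
}

func newSrcRangeMap() *srcRangeMap {
	return &srcRangeMap{entries: map[uint16][]netip.Prefix{}}
}

// provision mirrors the service manager: only LoadBalancer services with
// a non-empty loadBalancerSourceRanges get entries and the check bit.
// Every other service leaves the bit clear so the datapath skips the
// lookup entirely. A malformed CIDR is rejected rather than silently
// turning the check into allow-all.
func (m *srcRangeMap) provision(svc service) (uint8, error) {
	if svc.Type != "LoadBalancer" || len(svc.SourceRanges) == 0 {
		return 0, nil
	}
	for _, r := range svc.SourceRanges {
		p, perr := netip.ParsePrefix(r)
		if perr != nil {
			return 0, fmt.Errorf("svc %d: bad source range %q: %w", svc.ID, r, perr)
		}
		m.entries[svc.ID] = append(m.entries[svc.ID], p.Masked())
	}
	return svcFlagCheckSrc, nil
}

// lookup returns the longest prefix provisioned for svcID that contains
// src. Address families never match each other, which is what keeping
// separate LB4 and LB6 maps guarantees in the datapath.
func (m *srcRangeMap) lookup(svcID uint16, src netip.Addr) (netip.Prefix, bool) {
	best, found := netip.Prefix{}, false
	for _, p := range m.entries[svcID] {
		if p.Addr().Is4() != src.Is4() {
			continue
		}
		if p.Contains(src) && (!found || p.Bits() > best.Bits()) {
			best, found = p, true
		}
	}
	return best, found
}

// admit is the datapath decision: no lookup unless the flag bit is set,
// otherwise drop when no entry matches (svcID, src).
func (m *srcRangeMap) admit(svcID uint16, flags uint8, src netip.Addr) bool {
	if flags&svcFlagCheckSrc == 0 {
		return true
	}
	_, ok := m.lookup(svcID, src)
	return ok
}

func main() {
	m := newSrcRangeMap()
	// Constructed sample service, not taken from a real cluster.
	svc := service{ID: 7, Type: "LoadBalancer", SourceRanges: []string{"10.0.0.0/8", "192.168.1.0/24"}}
	flags, err := m.provision(svc)
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"10.1.2.3", "172.16.0.1", "2001:db8::1"} {
		src := netip.MustParseAddr(s)
		fmt.Printf("svc %d src %-12s admit=%v\n", svc.ID, s, m.admit(svc.ID, flags, src))
	}
}
```

The point a practitioner should take from the model is the fail-closed shape of the check: once the bit is set for a service, an absent entry means drop, so an IPv6 client hitting a service whose ranges are all IPv4 is denied rather than falling through.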
3a2a8cd k8s: Add and parse LoadBalancerSourceRanges field [ upstream commit 31956817bbd4e68bc2dc9dd72d949f31331eac6e ] It's going to be used by the loadBalancerSourceRanges check. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
685d5fe daemon: Add --enable-loadbalancer-source-range-check flag [ upstream commit c815406610408583a9b35fc844958d55319339c5 ] Currently, the flag is noop. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
9136198 test: Do not provision LB SVC with IP addr on GKE [ upstream commit acd8a7d8b191a702e5a3472577aaa22be82778fd ] Otherwise, GKE LB might fail to assign the IP addr to other LB svcs which results in the following failure: <*errors.errorString | 0xc0002a6410>: { s: "could not get service LoadBalancer IP addr: 30s timeout expired", } Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
906a929 test: Refactor IP{Add,Del}Route helpers [ upstream commit a7c21305076ebe9832504a3568008bee08d49529 ] - Invoke cmds for a given node instead of returning cmd itself - reduces boilerplate by quite a bit. - Changes the method name form to verb + noun. Suggested-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
11717e8 test: Make ExecInFirstPod() return a single value [ upstream commit 03ef3e4bfeed4b8b541a55b3e2fe6c2f693032c1 ] Instead of returning (*CmdRes, error) make the method return *CmdRes by setting the error in the CmdRes.err field. This makes assertions of functions which depend on the method simpler. A notable example is ExecInHostNetNS() which previously required two assertions. Finally, extend the *CmdRes success matcher by adding a check whether CmdRes.err is not nil. This will help us to catch bugs when CmdRes was considered as successful, although an error was set. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
d3b52ef test: Re-enable LoadBalancer tests [ upstream commit 08187408841a951e58fdbbcc684517e8432f00fd ] This commit re-enables LoadBalancer service tests, and switches from MetalLB to dummylb [1]. The main reason for switching is that the former was operating in L2 mode which interfered with the vbox VM bridge resulting in the test flakes. The new lb only assigns LoadBalancerIP addr to a service (specified by a user in .spec.loadBalancerIP). Therefore, making the LB IP addr reachable from other nodes is up to a user. This can be achieved by installing a route on a client node (as we do in the test). [1]: https://github.com/cilium/dummylb. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
08dcdd3 loadbalancer: Refactor flag-related methods [ upstream commit 696e3ecb742787948a5983dab81855e28daf3ec6 ] Major changes: - Remove unused multi-svc type feature - Introduce struct to represent NewSvcFlag() params. Misc: - Remove redundant logging (pkg/service is verbose enough). - Add a flag to be used by LB src range check. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
72cedb7 service: Add UpsertServiceParams struct [ upstream commit 62a4b6e07aeb5274351782e14cdfccbec126e57e ] The struct is used to pass params to (*service).UpsertService(). The main advantage of using the struct instead of listing individual params is that a new param can be added without much pain. Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
021d8f0 etcd: Make keepalive interval and timeout configurable [ upstream commit a4a1df0289a3067e3c9913c894b322b64cc3b0e1 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
3746e29 pkg/kvstore: add gRPC keep alives for etcd connectivity [ upstream commit 268f4066e4f8d245f67d3cfc305a11d76ffffb1e ] If the client does not receive a keep alive from the server, that connection should be closed so the etcd client library does proper round robin for the other available endpoints. This might be a little bit aggressive in a larger environment if all clients perform keep alive requests to the etcd servers. Some testing could be done to verify if there is a large overhead of doing these keep alive requests. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt> 26 August 2020, 19:13:37 UTC
935ce01 docs: Add summary of bird integration [ upstream commit 3fb879330ed8aabf3d56d70f8d480d20f2b25b23 ] This page previously lacked the core explanation of the roles that either Cilium or bird perform in this guide: That Cilium manages in-cluster network connectivity while bird advertises the pod ranges outside the cluster. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 24 August 2020, 09:41:54 UTC
a0701c2 datapath: Pull skb data in to-netdev path [ upstream commit 2960b5f56ad048fe04560e01349b36c2422c8afc ] It has been reported [1][2] that ICMP packets are being dropped by a receiving node due to DROP_INVALID when bpf_host was attached to the receiving iface. Further look into the issue revealed that the drops were happening because IP headers were not in the skb linear data (unsuccessful revalidate_data() caused the DROP_INVALID return). Fix this by making sure that the first invocation of revalidate_data() in the "to-netdev" path will always do skb_data_pull() before deciding that the packet is invalid. [1]: https://github.com/cilium/cilium/issues/11802 [2]: https://github.com/cilium/cilium/issues/12854 Reported-by: Andrei Kvapil <kvapss@gmail.com> Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 24 August 2020, 09:41:54 UTC
0f34a1f hubble/relay: don't attempt to connect to peer without address [ upstream commit 4ae060cf629dbe7a92c6fcdd2d310e64df274505 ] Before this patch, the pool manager would attempt to connect to a peer with a nil Address field, and crash. This patch makes the pool manager return from connect() as soon as a nil Address is detected. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 24 August 2020, 09:41:54 UTC
72bb3a2 hubble/relay: observer server handle peer without address [ upstream commit 4d8b175eecadfecaa9399006a875fd51a9024fec ] Background: the observer server doesn't use the peer Address field other than for logging. Before this patch, the observer server would segfault when one of the peers had a nil Address. This patch simply makes it log <nil> instead. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 24 August 2020, 09:41:54 UTC
078704a install/kubernetes: add permissive tolerations to cilium operator [ upstream commit 1d814f9b846a183a9e71eb8879b34bb1dca00d03 ] Since Cilium agents depend on the operator to be up and running, it is better to have some permissive tolerations in the Cilium Operator deployment spec. This will allow Cilium operator to be deployed in the cluster in similar tolerations as the Cilium agent daemonset. Regardless of node taints, the Operator pod will be scheduled, hence a permissive toleration. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> 24 August 2020, 09:41:54 UTC
b2b3d9a operator: make EC2 AWS API endpoint configurable [ upstream commit f0e584d92b4799a48b83c1d1a4758541c0033ac2 ] Add a new --ec2-api-endpoint operator option which allows specifying a custom AWS API endpoint for the EC2 service. One possible use-case for this is the usage of FIPS endpoints, see https://aws.amazon.com/compliance/fips/. For example, to use API endpoint ec2-fips.us-west-1.amazonaws.com, the AWS operator can be called using: cilium-operator-aws --ec2-api-endpoint=ec2-fips.us-west-1.amazonaws.com Fixes #12620 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 19 August 2020, 21:35:41 UTC
74b15ef docs/metrics: Correct label typo `equal` in metrics.rst [ upstream commit 85600be8c0d73ca564661979f37c37e63340cd2d ] This PR is to correct simple typo equal in metrics.rst Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 06:59:37 UTC
12d0bde docs/metrics: Correct label typo family in metrics.rst [ upstream commit 868670e18e836234cc7a09ce25fe994cb5cb8bde ] This PR is to correct simple typo in metrics.rst Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 06:59:37 UTC
3ade299 doc: Replace intro image [ upstream commit ecb3a25d7ce1ed941f0807f6885f436f8ed0398d ] This is a more up to date image which gives a better initial overview of all the functionality provided. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 06:59:37 UTC
f6859c6 Link to ebpf.io [ upstream commit 3ee7611b572b6d01ab1904ae983e78654e128b03 ] Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 18 August 2020, 06:59:37 UTC
c39ea8c operator: bind provider-specific flags [ upstream commit ca2aecede2dd15c8b4e42b8051a1c6f3209a2e49 ] Provider specific options passed as command line flags are currently ignored because the flags are not bound. Add the missing viper.BindPFlags to fix this. Fixes: #12870 Fixes: 053fc866ab53 ("operator: Build 3 new slimmer binaries") Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 August 2020, 09:47:23 UTC
4170da1 docs: fix incomplete statement ipam-crd docs [ upstream commit df367832502efffea998a9325be1d4a55cd5db1a ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 August 2020, 09:47:23 UTC
af3c456 Fix documentation on ipam-crd [ upstream commit 74dec487b750a2c0ac692a883aba00f87f74f018 ] Signed-off-by: Maximilian Mack <max@mack.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 August 2020, 09:47:23 UTC
a805512 test: Fix runtime test timeout failures [ upstream commit b404b547b994cbfe4c5e2292a32e2755fbbe4ee0 ] Since Cilium v1.8.0, there are typically two endpoints remaining after all cleanup: One for the health endpoint and one for the host. This code was assuming there should only be one, failing for 4 minutes, then giving up. This just wastes time unnecessarily. Fix it by correcting the number of endpoints expected after test run. Fixes: #12863 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 August 2020, 09:47:23 UTC
7eb6ab1 Istio: Update to release 1.5.9 [ upstream commit 8dca1c8e10138e99e664951a4d3540154bb25117 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 17 August 2020, 09:47:23 UTC
580d32e k8s: update k8s libraries to 1.18.8 Also update tests to 1.16.14, 1.17.11 and 1.18.8 Signed-off-by: André Martins <andre@cilium.io> 14 August 2020, 10:39:04 UTC
92ce952 Make comment more descriptive [ upstream commit 487313d5497ec2a4b2b0bb94aff9c80af2f81890 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 13 August 2020, 11:41:22 UTC
73c28cd Messing with ip-masq jump not necessary in AKS [ upstream commit 8fed869a7d0c0306c1ed688aa91d7e121b5f1f92 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 13 August 2020, 11:41:22 UTC
e9c7019 nodeinit: Disable ip-masq-agent jumps [ upstream commit 98886a5df413dd884ff98ae6fd9a7ada6c44a392 ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 13 August 2020, 11:41:22 UTC
d5f72e0 daemon: Add hidden --k8s-sync-timeout option [ upstream commit bd89e83a4245769dac42860cf928e2dd7c227ce1 ] This option governs how long Cilium agent will wait to synchronize local caches with global Kubernetes state before exiting. The default is 3 minutes. Don't expose it by default, this is for advanced tweaking. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 13 August 2020, 11:41:22 UTC
8720074 helm: run relay in debug mode when debug is globally enabled [ upstream commit c320d628e58894270054170daa03d60fe3c82f2c ] Along with a couple of comment fixes. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> Signed-off-by: Aditi Ghag <aditi@cilium.io> 13 August 2020, 11:41:22 UTC
538cff2 operator: Fix non-leader crashing with kvstore [ upstream commit 3d376fae42ab0fac43403dfec6f08fe7eecb3234 ] A non-leader operator will hang during its healthcheck report as it tries to check the status of the kvstore. The reason it hangs is because the leader operator is the only one that has access to the client. This hang causes an HTTP level timeout on the kubelet liveness check. The timeout then causes kubelet to roll the pod, eventually into CrashLoopBackOff. ``` Warning Unhealthy 8m17s (x19 over 17m) kubelet, ip-10-0-12-239.us-west-2.compute.internal Liveness probe failed: Get http://127.0.0.1:9234/healthz: net/http: request canceled (Client.Timeout exceeded while awaiting headers) ``` Signed-off-by: Chris Tarazi <chris@isovalent.com> 11 August 2020, 22:35:12 UTC
ddf0fcb proxy: fix test build in v1.8 branch The respective tests were removed from master in commit 03777e0ce0f1 ("proxy: Move Kafka proxy to Envoy Go extensions"). This fixes the following test build failure: ./kafka_test.go:112:2: cannot use &proxyUpdaterMock literal (type *proxyUpdaterMock) as type logger.EndpointUpdater in assignment: *proxyUpdaterMock does not implement logger.EndpointUpdater (missing GetNamedPortLocked method) ./mock_test.go:49:42: undefined: policy.NamedPortsMap FAIL github.com/cilium/cilium/pkg/proxy [build failed] Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 10 August 2020, 11:12:43 UTC
62c5165 pkg/policy: remove unused returned field [ upstream commit 491c9273c46fe8b7cc0655f5e43eb54a9234fa05 ] This field was only used in unit tests, to simplify the code we can remove its return. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
4893d90 fqdn/dnsproxy: set SO_REUSEPORT on listening socket [ upstream commit 3abd218c224ce489ea271c728ba64e967ba2e66b ] Forward port of #12728 Once we start re-using the same port for the DNS proxy across restarts (see #12794), it's useful to set the SO_REUSEPORT option on the listening port. This gives the proxy a better chance to re-bind() upon restarts. Updates #12794 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
7823c76 logging: Add rate limiting and use it for named port logging [ upstream commit a02432bc1d9c8b48fba22b49ab55fb648678596a ] Rate limit the warning messages emitted to the logs when a port name can not be (uniquely) mapped to a port number. Rate limit is set to 1 log every 10 seconds with a burst of 3. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
232a018 policy: Refactor named ports for centralized logging [ upstream commit fd0932409e57ff3753de127b46d6a9a8815461d8 ] Refactor named ports so that error logging can be done in one place. This makes adding rate limiting in a following commit easier. Remove the need for policy.NamedPortsMap interface. Add unit testing. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
b4e6ff9 ipcache: Maintain named ports on demand [ upstream commit fbd904915d53b5f1efdc47c4f4a106f12d21a07e ] Pass Endpoint (or a subset interface) to potential users of Endpoint's NamedPortsMap so that instead of preparing the map in advance it can be created on demand in case it is actually needed. NamedPortsMap is an interface that is implemented by both NamedPortMap and NamedPortMultiMap, the first of which is built from the POD spec, and the latter is a collection of named ports across all the PODs in the cluster. When a named port is used in an ingress policy, it can be translated by using the POD's own NamedPortMap. When a named port is used in an egress policy the named port can be one of any remote POD's, so the collection of all the named ports in the cluster is used as the individual destination POD is not known at policy computation time. This could be optimized to the scope of PODs sharing the same set of labels as the destination security IDs are known when policy is configured. Currently the same port name resolving to different port numbers is flagged as a runtime error and traffic to this/these ports is not allowed. To get around this the port names should be made unique so that each name maps to the same port number and protocol, or preferably the port names in the egress policies should be replaced with the desired port numbers. The maintenance of the collection of named ports across the cluster described above is started only after it is first needed for computing the bpf map entries from an egress policy that uses a port name instead of the number. This way the related overhead is avoided if named ports are never used in egress policies. The e.k8sPorts member must be accessed with the Endpoint locked. The normal policy update path already has the endpoint locked, but incremental selection updates originate from the selector cache without any Endpoint locks, and therefore we need both locked and unlocked variants of GetNamedPortsMap(). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
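The commit message above describes two resolution paths for a named port in a policy: an ingress rule resolves against the endpoint's own map built from its pod spec, while an egress rule resolves against a cluster-wide collection, and a name that maps to more than one port number for the same protocol is treated as a runtime error rather than silently picking one. The Go program below is an added illustration written for this page, not Cilium's pkg/policy code: it reuses the type names from the commit message for readability (NamedPortMap, NamedPortMultiMap, NamedPortsMap, GetNamedPort) but the shapes, error values, the resolve helper and the sample pod specs are assumptions constructed here.

```go
package main

import (
	"errors"
	"fmt"
)

// portProto is a (port number, L4 protocol) pair.
type portProto struct {
	Port  uint16
	Proto string
}

// NamedPortMap models the per-pod map: one port/proto per port name,
// built from the pod spec.
type NamedPortMap map[string]portProto

// NamedPortMultiMap models the cluster-wide collection: every distinct
// port/proto seen under a given name across all pods.
type NamedPortMultiMap map[string]map[portProto]struct{}

// NamedPortsMap abstracts the difference for policy computation.
type NamedPortsMap interface {
	GetNamedPort(name, proto string) (uint16, error)
}

var (
	errUnknownNamedPort   = errors.New("unknown named port")
	errAmbiguousNamedPort = errors.New("named port maps to more than one port number")
)

// containerPort is a minimal stand-in for a k8s ContainerPort entry.
type containerPort struct {
	Name  string
	Port  uint16
	Proto string // empty means TCP, as in the k8s API default
}

// namedPortsFromSpec builds the per-pod map; unnamed ports are skipped.
func namedPortsFromSpec(ports []containerPort) NamedPortMap {
	m := NamedPortMap{}
	for _, cp := range ports {
		if cp.Name == "" {
			continue
		}
		proto := cp.Proto
		if proto == "" {
			proto = "TCP"
		}
		m[cp.Name] = portProto{Port: cp.Port, Proto: proto}
	}
	return m
}

func (m NamedPortMap) GetNamedPort(name, proto string) (uint16, error) {
	pp, ok := m[name]
	if !ok || pp.Proto != proto {
		return 0, errUnknownNamedPort
	}
	return pp.Port, nil
}

// Add merges one pod's named ports into the cluster collection. Conflicts
// are kept, not rejected here: the warning is deferred until a policy
// actually uses the name.
func (m NamedPortMultiMap) Add(pod NamedPortMap) {
	for name, pp := range pod {
		if m[name] == nil {
			m[name] = map[portProto]struct{}{}
		}
		m[name][pp] = struct{}{}
	}
}

func (m NamedPortMultiMap) GetNamedPort(name, proto string) (uint16, error) {
	var port uint16
	n := 0
	for pp := range m[name] {
		if pp.Proto == proto {
			port, n = pp.Port, n+1
		}
	}
	switch n {
	case 0:
		return 0, errUnknownNamedPort
	case 1:
		return port, nil
	default:
		return 0, errAmbiguousNamedPort
	}
}

type direction string

const (
	ingress direction = "ingress"
	egress  direction = "egress"
)

// resolve picks the map the policy direction calls for: ingress uses the
// endpoint's own map, egress the cluster-wide collection, because the
// destination pod is not known at policy computation time.
func resolve(dir direction, local NamedPortMap, cluster NamedPortMultiMap, name, proto string) (uint16, error) {
	var m NamedPortsMap = local
	if dir == egress {
		m = cluster
	}
	port, err := m.GetNamedPort(name, proto)
	if err != nil {
		return 0, fmt.Errorf("%s policy: port %q/%s: %w", dir, name, proto, err)
	}
	return port, nil
}

func main() {
	// Constructed sample pod specs, not from a real cluster.
	podA := namedPortsFromSpec([]containerPort{{Name: "http", Port: 8080}, {Name: "metrics", Port: 9090}})
	podB := namedPortsFromSpec([]containerPort{{Name: "http", Port: 80}, {Name: "dns", Port: 53, Proto: "UDP"}})
	cluster := NamedPortMultiMap{}
	cluster.Add(podA)
	cluster.Add(podB)
	for _, c := range []struct {
		dir         direction
		name, proto string
	}{{ingress, "http", "TCP"}, {egress, "http", "TCP"}, {egress, "dns", "UDP"}} {
		port, err := resolve(c.dir, podA, cluster, c.name, c.proto)
		fmt.Printf("%-7s %s/%s -> port=%d err=%v\n", c.dir, c.name, c.proto, port, err)
	}
}
```

The ambiguous case is the one to watch in an audit: an egress rule naming "http" in this cluster allows nothing, because two pods back the name with different numbers, which is exactly why the commit message recommends unique names or numeric ports in egress policies.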
30866be pkg/endpoint: remove unused functions [ upstream commit 06261bc972fc77e6ab91fb394898df4f438210c5 ] The functions Get[Ingress|Egress]PolicyEnabledLocked are not used anywhere so we can clean them up. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
316d1b2 ipcache: Keep port name conflicts [ upstream commit ad322a1764657c89d0677208b6dfba75101b5d85 ] Do not warn of port name conflicts when ports are collected, but keep the conflicting ports. This allows (any) warnings to be postponed until the named ports are used in a policy. policy.NamedPortsMap is renamed to policy.NamedPortMap, and a new policy.NamedPortMultiMap is defined, as well as an interface policy.NamedPortsMap that abstracts the difference for callers of GetNamedPort(). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 10 August 2020, 11:12:43 UTC
d5eb285 Update Go to 1.14.7 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 07 August 2020, 16:06:59 UTC
cb0e672 docs: clarify Kubernetes compatibility with Cilium [ upstream commit 038877cc5a71cb546a27d53f97d4b4fa46f592b4 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
88e34fa docs: add current k8s network policy limitations [ upstream commit c767682be85bb96e7398aa492f538867591943b3 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
f131380 hubble/relay: implement unit tests for observer.Server.GetFlows [ upstream commit d193b1f4d1ea51473fdef9d3562fb295a7116531 ] Note that due to a bug in the `testify` library[0], comparison tests for proto generated structures are done using `go-cmp`. [0]: https://github.com/stretchr/testify/issues/930 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
6339a73 hubble/testutils: add FakeGetFlowsClient [ upstream commit 2d95de6a85c829d8507d1449a9b999be70223981 ] This implementation of the `Observer_GetFlowsClient` interface will be useful to implement tests for `pkg/hubble/relay/observer`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
19fdb4a hubble/relay: implement unit tests for observer.Server.ServerStatus [ upstream commit da166a97ac7051c4d4e10da1752e99057caabffb ] As part of writing tests, some minor adjustments had to be made in order to allow passing a custom factory to create `ObserverClient`. As this is only useful in the context of unit test, the new option to set the factory is private. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
3dab93d hubble/testutils: add FakeObserverClient [ upstream commit f8e078edfbf088a5e79cfb8ca07209751343db0b ] This fake implementation of the ObserverClient interface will be useful to implement unit tests for `pkg/hubble/relay/observer`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
d4330f8 hubble/testutils: add FakePeerListReporter [ upstream commit 2342b309773c19ffd6fc05dcae6bfb8948dcafbc ] This fake implementation of the PeerLisReporter interface will be useful to implement unit tests for `pkg/hubble/relay/observer`. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
fd13e99 hubble: move some type definitions to avoid import cycles [ upstream commit e54c0008ab40dd6c40b10e44d659774cd8f67ef5 ] As part of implementing unit tests for `pkg/hubble/relay/observer`, `FakeClientConn` is needed. Prior to this commit, the implementation was only present for testing in `pkg/hubble/relay/pool`. However, moving it to `pkg/hubble/testutils` creates import cycles within unit test files. In order to resolve them, some type definitions are moved to the existing `pkg/hubble/peer/types` package and a new `pkg/hubble/relay/pool/types` package. There are no functional changes with this commit; only the necessary changes to avoid build/test failures resulting from the aforementioned reorganization of packages and type definitions. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
19e8eb0 datapath: Rename nodeport_nat_ipv{4,6}_needed() [ upstream commit 6e1e4f01cc5d2a36feb234552a169ab237affb7b ] Rename the functions to snat_v{4,6}_needed(), as they are not only used by nodeport. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
7855409 datapath: Remove deadcode from nodeport_nat_ipv{4,6}_needed() [ upstream commit 61d333686fc377ee8e07afb71a8e46bae3663850 ] The nodeport_nat_ipv{4,6}_needed() are called only with dir=NAT_DIR_EGRESS. Therefore, the checks for dir==NAT_DIR_INGRESS are redundant. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
373f60a datapath: Use macro for SNAT max port [ upstream commit 96336336892256a14c35601bda874dd85133ac9a ] Instead of using 65535, use NODEPORT_PORT_MAX_NAT (=65535) macro to specify the highest value of the SNAT port range. Otherwise, if we change NODEPORT_PORT_MAX_NAT, then the ranges for SNAT and rev-SNAT will get out of sync. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
c4b54c3 bpf: Check whether map key and val sizes match [ upstream commit f02c5eda554738760e16b92e72579ed80db53ad6 ] When creating a BPF map representation in Go, we pass pointers to structs which implement bpf.MapKey and bpf.MapValue respectively. In addition, we pass sizes of those structs. This commit adds a runtime check whether the sizes match. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
d97bdd1 lbmap: Fix Affinity6Map key size and name [ upstream commit 725877b9f9d895dab5021876ea6c85994d052a7b ] Previously, the affinity map for IPv6 was using the corresponding IPv4 map's name and key size. Luckily, the LB6_AFFINITY_MAP name didn't match the name of Affinity6Map, so the former map was not re-created each time cilium-agent was restarted. Therefore, there was no user impact. Fixes: 5ca1f7d7c6 ("bpf: Add session affinity maps") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
044ce87 etcd: Fix firstSession error handling [ upstream commit 40026dbb211a43061ac8bbd9d534a3a1fa1e562f ] The commit bf8e4327448 ("etcd: Ensure that firstSession is closed") incorrectly assumed that only a single reader exists for firstSession. This is not the case and the error returned via the channel will only be read by one of the readers, the other readers will assume success and continue in their code logic even though the etcd client is being shut down. Fixes: bf8e4327448 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
4357272 doc: update #ebpf Slack channel name [ upstream commit 0547ea4b5c86e81bf8967ed21dd87b0007fd3d67 ] The Slack channel dedicated to discussions on eBPF and datapath has been renamed from #bpf to #eBPF (on 2020-08-03). Report this change to Cilium's documentation, and also turn "BPF" into "eBPF" on the updated page. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC
513e77e Makes ExecInPods not wait for pod ready during log gathering upon test failure. [ upstream commit 7986df9d25ad345be97e71a5af3e3720367c9533 ] Signed-off-by: Weilong Cui <cuiwl@google.com> Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> 07 August 2020, 11:00:10 UTC