https://github.com/cilium/cilium

Revision Author Date Message Commit Date
975b667 Prepare for release v1.9.1 Signed-off-by: André Martins <andre@cilium.io> 04 December 2020, 17:29:53 UTC
58b8a89 test: Minimal test for the host firewall in IPv4-only mode [ upstream commit 44c122d930bafffd95805c3b91a3831ceecf9bfd ] This test is meant to catch complexity regressions such as fixed in the previous commit. It runs only on GKE for now and will be extended in follow-up PRs. Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
48e3058 bpf: Fix the IS_BPF_HOST definition [ upstream commit c83978cdc2a2695e91e58c4e9db082fa1b43f18c ] Because we use IS_BPF_HOST with the is_defined macro in tail call invocations, we not only need that macro to be defined, but also to have value 1. See the is_defined definition [1] for details. 1 - https://github.com/cilium/cilium/blob/641c0f9b3072a014c9541ecaa4e00a2b24c98d97/bpf/lib/config.h#L8-L14 Fixes: bf635d8 ("bpf: Fix program size issue with hostfw + ipv4-only") Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
ba98bb4 helm: Add extraConfig in configmap template [ upstream commit e3f96e3328757f5af394a7e09a2781ce5a1554be ] This allows users to provide additional fields in the configmap without having them explicitly listed in the template. For example, you can do:

    % cat my-config.yaml
    extraConfig:
      my-config-a: "1234"
      my-config-b: |-
        test 1
        test 2
        test 3
    % helm install ./cilium -n kube-system -f ./my-config.yaml

to add my-config-a and my-config-b to cilium-config. This could be useful in case the template is missing some fields. Ref: https://github.com/cilium/cilium/pull/13317 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
bfe3124 metricsmap: fix Prometheus exporter [ upstream commit d5d34ab6b9cd4a07ccf8486013beed51f397879d ] Fix the Prometheus exporter as it was not aggregating correctly the multiple entries that make up a value. This commit changes the logic from:

    func updatePrometheusMetrics(value) {
        updateMetric(value.Packets)
        updateMetric(value.Bytes)
    }

    func SyncMetrics() {
        for _, value := range values {
            updatePrometheusMetrics(value)
        }
    }

to:

    func updatePrometheusMetrics(values) {
        for _, value := range values {
            packets += value.Packets
            bytes += value.Bytes
        }
        updateMetrics(packets)
        updateMetrics(bytes)
    }

    func SyncMetrics() {
        updatePrometheusMetrics(values)
    }

What updateMetric does is:
* diff the packets/bytes value it receives with the one stored in Prometheus
* increment the Prometheus counter by the delta it just calculated

Since the logic in updateMetric is not linear, it will work correctly only if the packets/bytes counter it receives is the sum of all the per-CPU values for a given key (rather than what we are doing now, which is calling updateMetric() on every single per-CPU value for a given key). Fixes: a59105352 ("pkg/maps/metricsmap: userspace aggregation of BPF_PER_CPU_HASH_MAP metrics map.") Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
ce45d5e metricsmap: simplify logic to iterate map in SyncMetricsMap [ upstream commit 3580c5fbd658ed836bb47a6ee972787e05a9d1af ] Simplify the logic used to iterate the metrics map by replacing it with a call to Metrics.DumpWithCallback(). Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
9b405ac docs: Document kernel requirement for BPF host routing [ upstream commit 130da11437d701ecfa2fde68121e7d671e3a35c7 ] Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
189b6de daemon: Log info if we fallback from BPF to legacy host routing [ upstream commit ddcb414ace9e2954b96b0b75ebfdf5c5d15b1cf6 ] BPF host routing is the new default in Cilium, but we may need to fall back to legacy host routing in a number of cases (e.g., if in tunneling mode, if BPF NodePort is disabled, if using per-endpoint routes, etc.). This commit logs (as level=info) the exact reason why we fell back to legacy host routing to help users act appropriately if they want BPF host routing. Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
da2b7e2 node: Fix ineffectual assignment [ upstream commit 354d42bfa2eedce150c22820fdc366e1f3b948f9 ] /home/travis/gopath/src/github.com/cilium/cilium/pkg/datapath/linux/node_linux_test.go:1096:14: ineffectual assignment to err Reported-by: André Martins <andre@cilium.io> Fix: b78b3b7f25 ("node: Refcount neighbour entries") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
a1f8d62 vendor: update etcd to 3.4.14 [ upstream commit 7b0037c31f8b57940f395c765306db158b15cd1a ] This version fixes etcd error "auth token invalid after watch reconnects" https://github.com/etcd-io/etcd/issues/11954. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
16b29b3 .travis: Run race detection builds on master commits only [ upstream commit 6d0a4319718c10fb0671e312cc05277e51247e20 ] We had to temporarily subscribe to Travis CI because we consumed our 10000 free credits. Our current plan however only allows for two concurrent builds. With four builds per commit, we are constantly running behind, with Travis CI builds now taking longer to be scheduled than it takes our Jenkins tests to finish. Long gone are the days when we considered Travis CI a viable smoke test... This commit attempts to alleviate the issue by running our race detection builds only on master commits. Signed-off-by: Paul Chaignon <paul@cilium.io> 04 December 2020, 14:42:17 UTC
9f5eefb bpf: Fix program size issue with hostfw + ipv4-only [ upstream commit bf635d8e731ed0f33cac1db61a70d6f46dc3a8f3 ] Running Cilium in IPv4-only mode with the host firewall and our kube-proxy replacement enabled causes program to-netdev from bpf_host to have an excessive size (>4096 instructions):

    level=warning msg="Prog section 'to-netdev' rejected: Argument list too long (7)!" subsys=datapath-loader
    level=warning msg=" - Type: 3" subsys=datapath-loader
    level=warning msg=" - Attach Type: 0" subsys=datapath-loader
    level=warning msg=" - Instructions: 4179 (83 over limit)" subsys=datapath-loader
    level=warning msg=" - License: GPL" subsys=datapath-loader

The section in question consists in particular of the host firewall enforcement and the NAT+service handling via nodeport_nat_fwd(). That last function is only split into several programs via tail calls when both IPv4 and IPv6 are enabled. To reduce the program size, this commit also splits nodeport_nat_fwd() into several BPF programs via tail calls when the host firewall is enabled. We also need to check for IS_BPF_HOST to only split if we're calling nodeport_nat_fwd() from bpf_host. Signed-off-by: Paul Chaignon <paul@cilium.io> 03 December 2020, 20:08:18 UTC
c2a8031 ci/helpers: Delete CRDs in CleanupCiliumComponents [ upstream commit 03dd30a2f0a3053a1fed0700440b3971200169a7 ] `CleanupCiliumComponents` is invoked before running the test suite in order to remove any traces of Cilium in the existing cluster. In addition, PR #14165 also invokes this helper for the `K8sUpdates` test, again with the goal to remove traces of the previous installation. This change here ensures that besides deleting the Cilium pods, configmaps and secrets, that we also remove the Cilium CRDs (network policies, endpoints, etc) from the cluster, in order to avoid issues where stale CRDs can interfere with the tests. One such example of interference from stale CRDs is CI flake #13833, which this change (in conjunction with PR #14165) intends to fix. By removing the CEPs after uninstalling the old version of Cilium in the `K8sUpdates` suite, we ensure that `RestartUnmanagedPodsInNamespace` (which relies on the fact that CEPs should only exist for managed pods) does indeed restart _all_ unmanaged pods (including the pods managed by a previous installation of Cilium). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
a0c8663 vendor: Fix cilium/arping goroutine leak [ upstream commit 24d44500e40af599dfc1b932be0dac1b75504889 ] This fixes a privileged runtime test failure caused by leaked goroutines on arpings with no response. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
f3a51b8 kpr: ensure DirectRoutingDevice is in devices [ upstream commit 63f19d232b090137dc17fd047b091752b0dd99ba ] As reported by #14052, there can be a panic if the configured DirectRoutingDevice is not included in devices. (InitNodePortAddrs() is called with option.Config.Devices.) The docs state that: "If the direct routing device does not exist within devices, Cilium will add the device to the latter list." So this patch adds the device to the list. Fixes #14052 Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Co-authored-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
4a85740 node: Refcount neighbour entries [ upstream commit b78b3b7f259d842a96142c7c900d4b293fc7d23b ] To avoid redundant pings and neigh entry removals when the entry is still used by other nodes (happens when two or more nodes can be accessed through the same gateway). Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
f3366a3 node: Handle case when remote node is in different L2 [ upstream commit af6ca1948d9b2d284f8b94b8a672c4133cab8f2d ] Previously, insertNeighbor() was assuming that a remote node is in the same L2 subnet, i.e. directly reachable w/o a gateway. However, this is not the case for all deployments. This commit adds a check for detecting whether the remote node is in the same L2. If it's not, then a gateway IP addr (nexthop) is going to be arpinged instead of the remote node IP addr. The missing bit in this commit is refcounting to avoid redundant arpings and neigh removals when the gateway is used to access more than one remote node. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
278f4b8 docs: Correct typo in upgrade notes [ upstream commit d390b97ba730585c285620f70d255a70e49098ce ] Relates to 5db47e3 Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
077cfa3 bpf: revert changes to metrics directions constants [ upstream commit 76c1b5a1d749b522c001c27025ec9e1c5cabd26c ] This commit partially reverts commit 38ab8f0f35ba ("bpf: add support for SERVICE metrics") by bringing the `METRIC_INGRESS` and `METRIC_EGRESS` constants back to their original values. In addition to that, it introduces the `ct_to_metrics_dir` helper which allows converting a CT direction into the corresponding metric one. This mitigates any upgrade/downgrade impact caused by having keys with 2 different formats on the metrics map. Fixes: #14175 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 03 December 2020, 20:08:18 UTC
ce211d0 ci: Enable NFS for Runtime tests [ upstream commit 8bf3ed83cfbbbf8c9da2d7c57c1b8debecc6b35d ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
38b6bd1 test: Avoid use of install with NFS [ upstream commit a77842b43051db38ed38fc272ea378b10680dce6 ] Running the Runtime tests in CI with NFS enabled currently fails because 'install' reports a permission error when trying to change permissions of cilium.conf.ginkgo. This commit switches 'install' for 'chmod' which works fine. The reason for this error is that 'install' relies on the fsetxattr(2) system call to change the permissions and, as pointed out by Quentin, there is no support for Extended File Attributes in NFS [1]. 'install' therefore fails whereas 'chmod', which relies on fchmodat(2), works fine. That bug wasn't found when running the Runtime test with NFS locally because, for local tests, a different implementation of RenderTemplateToFile() is used, one that does not rely on 'install'. 1 - https://tools.ietf.org/html/rfc8276 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
5ccd143 bpf: Don't compile unused BPF sections [ upstream commit 81dc19b60f1450939cb4676a7968a0e43bc02a1d ] When we load a BPF program in the kernel, tc loads the entire object file, meaning it attempts to load each BPF program found in the object file. In some cases (e.g., ICMPv6 code in bpf_xdp.o), we include BPF programs as sections in the object file even though we never tail call to them. This commit fixes it by ensuring we only compile those sections if they are needed. This also fixes a failure to load bpf_xdp on 4.19 when compiled with our MAX_LB_OPTIONS options combination: ENABLE_IPV4 ENABLE_IPV6 ENABLE_HOST_SERVICES_TCP ENABLE_HOST_SERVICES_UDP ENABLE_IPSEC. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
d0d5a71 test: use kubectl helper for cilium cleanup in upgrade tests [ upstream commit 19a60118e46ebf4721c572eec65873250efd7909 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
6deb3ab daemon: Postpone ipcache upserts until after policy changes have been regenerated by endpoints. [ upstream commit 8f20d3bfd73b603e3ff8d2c81c11d54292f60ec5 ] Move ipcache CIDR upserts and releases to the policy reaction queue, where upserts can be executed after regenerations have been completed, i.e. after endpoint policy maps have been updated. This way IP addresses are mapped to newly allocated identities only after endpoint policy maps are ready to classify them. Correspondingly, on deletes the to-be-deleted CIDR identities are first deleted from ipcache so that when they are deleted from endpoint policy maps they are no longer used in classification. Releases of CIDR identities must still be serialized with ipcache upserts via the policy reaction queue so that they are executed in the same order w.r.t. ipcache upserts as policy deletes and adds. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
01949df fqdn: Delay ipcache upserts until policies have been updated [ upstream commit 60bd47fe1b5897be76602acbe133cd28218994f5 ] Add a map for newly allocated identities to ipcache.AllocateCIDR functions that the caller can use to upsert the IPs to ipcache later, after affected endpoint policy maps have been updated. Use this new functionality on the DNS proxy code path, which makes sure that new policy map entries are in place before an IP received from a DNS server is placed in ipcache. This is really straightforward as the logic for waiting was already in place for delaying the forwarding of the DNS response. The policy update path still allows ipcache upserts at policy ingestion time rather than waiting for the policy maps to be updated. This means that new, more specific CIDRs (e.g., 10.0.0/24) in policies can still cause momentary drops on traffic currently using a less specific CIDR (e.g., 10.0/16). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
b8a1d50 daemon: Fix netns usage in kpr privileged unit tests [ upstream commit 885a319876321cb05fbe7f24fbac0394d0990f8e ] Previously, the SetUpSuite() routine called netns.New(). It expected that the latter only creates a new netns without setting it. However, according to the docs it's not the case:

    package netns // import "github.com/vishvananda/netns"

    func New() (ns NsHandle, err error)
        New creates a new network namespace, sets it as current and returns a
        handle to it.

This meant that we changed the netns before locking the OS thread which could result in other Go runtime threads running in the test netns. Fixes: b059c3185c ("daemon: Add unit tests for device detection") Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
282de5c test: Avoid installing Cilium for K8sBandwidth if tests are skipped [ upstream commit f380dd3ff740a3d169e3f24208aa34fffb7c967d ] The overall structure for test K8sBandwidth looks to have been extracted from K8sServices. It works fine but is more complex than necessary and leads to unintended behavior when tests are skipped. This commit simplifies the structure to have a single conditional Context (conditioned on net-next kernel) inside which the three It tests are run. Cilium was also installed with the bandwidth manager enabled *before* the conditional Context. That installation would therefore happen regardless of whether bandwidth tests should actually be skipped, sometimes even leading to flakes on 4.9 kernels [1]. Removing this initial installation of Cilium implies that the test pods are now deployed (once for all tests) before Cilium is installed. We therefore need to wait for the test pods, with a new helper waitForTestPods(), after each re-installation of Cilium. 1 - https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3740/testReport/junit/Suite-k8s-1/16/K8sBandwidthTest_Checks_Bandwidth_Rate_Limiting/ Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
42d4009 hubble/parser: Always preserve datapath numeric identity [ upstream commit 1b2904410a73058ee81c92c7027f65bc3a5410b2 ] This introduces a check that we do not overwrite the numeric security identity provided by the datapath trace point. Only if the datapath did not provide an identity (i.e. in `FROM_LXC` trace points) do we want to fall back on the identity from the user-space ip cache or endpoint manager. The numeric identity from the datapath can differ from the one we obtain from user-space (e.g. the endpoint manager or the IP cache), because the identity could have changed between the time the datapath event was created and the time the event reaches the Hubble parser. To aid in troubleshooting, we want to preserve what the datapath observed when it made the policy decision. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
00e45f6 test: Use NFS by default for test VMs [ upstream commit acb2daae88ca0363dd98a20ccc484f13cb4d2578 ] The new K8sVerifier test compiles some Cilium binaries inside the VM, which can lead to 'interrupted system call' errors. Using NFS should fix it by speeding up the filesystem accesses. This commit switches the test VMs to use NFS by default, thereby enabling NFS in our CI. NFS remains disabled in the CI's Runtime tests because it leads to permission errors [1]. 1 - https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/2739/consoleFull Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
e1727ae cilium: disable bind-protection in kube-proxy free probe mode [ upstream commit 2a3e5d43b6a5e450c6d6949ff057253d45c035ce ] The probe mode is expected to only run alongside kube-proxy as hybrid. There was confusion that the kube-proxy log was throwing (harmless) warnings to its log that it could not bind sockets to service ports in the hostns. This is due to Cilium performing bind protection right out of the bind(2) syscall with eBPF. To avoid this confusion, defer to kube-proxy to bind sockets instead. This is less efficient and consumes more resources, but if users want to avoid the overhead, they would run kube-proxy free in strict mode where Cilium does the bind protection by default anyway. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
45478ff helm: Fix description for clustermesh [ upstream commit e38fd961baf798ab70ea87447c9651cb022f100e ] With the `disableEnvoyVersionCheck` option commented out and no subsequent comment for the `clustermesh` option, the autogeneration script was pulling the description for `disableEnvoyVersionCheck` in for `clustermesh`. Fix it by removing the dashes so no description is generated for this particular option. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
d018dfa fix/helm: Correct nodeSelector values [ upstream commit 11e38d616725de18cdf3c0289425b7b993af4248 ] This commit is to use the correct nodeSelectors in etc, operator and preflight templates. Add deprecated note for .Values.nodeSelector option. Closes #14005 Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
693c1ca bugtool: Add lsmod [ upstream commit baf84ad0d4c9acb1a285ef69a61a4df206ded357 ] Module listings can allow figuring out the availability of certain functionality like iptables or aes modules which can be useful when debugging certain types of problems. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
5eef8aa endpoint: Update lock requirement comments [ upstream commit 8704e85e9d71d651eac1c0b7d37827c23b2525e9 ] Endpoint's Mutex has been renamed as 'mutex'. Update comments to reflect this and also the lock level requirement (Lock for writing, RLock for reading). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
d8a1614 endpoint: Add DebugPolicy option [ upstream commit baeb61facde9c05f6365c360a23cfad52d4454b8 ] Add endpoint DebugPolicy option that, if enabled, logs endpoint policy map update details to /var/run/cilium/state/endpoint-policy.log. The new DebugPolicy option is enabled if the new flag --debug-verbose=policy is set, but can also be enabled independently via: cilium endpoint config <EPID> DebugPolicy=true Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
f0ab101 checkpatch: update image tag to latest [ upstream commit a3d1f020fb6e3ccbc2b734e057d0d121eecf5151 ] Update the tag for the checkpatch image in order to benefit from the latest changes when running the GitHub actions: The latest image suppresses reports for FILE_PATH_CHANGES to avoid checkpatch complaining when files are added or moved under the bpf/ directory. See discussion at https://github.com/cilium/cilium/pull/14088#issuecomment-731035505 Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
cba6d38 helm: fix and improve `extraHostPathMounts` for agent and operator [ upstream commit 625f82dbd81fed35a21f18025122b283373ad80d ]
- fix reference for host-side path, use `hostPath` instead of `mountPath`
- add `type`
Fixes: #14132 Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
7458a9d Doc: Link hubble metrics to L7 visibility. [ upstream commit 53f35fbdd7dd730a496796665fd9c8730678efe2 ] Signed-off-by: Mandar U Jog <mjog@google.com> Signed-off-by: André Martins <andre@cilium.io> 02 December 2020, 10:44:31 UTC
0e923ec hubble/observer: use event timestamp when a time range is set Manually cherry-picked from #14168 When r.timeRange is set but the received event is not a v1.Flow (i.e. e.GetFlow() is nil), v1.Flow(nil).GetTime() will return nil and lead to a panic. So far, this wasn't triggered in CI because the only other option for e.Event.(type) was *flowpb.LostEvent. These are very uncommon and hard to trigger in CI, thus the failure was not observed so far. Fix this by using e.Timestamp consistently which is always set. Reference: https://github.com/cilium/cilium/pull/14168#issuecomment-734386525 Reference: https://github.com/cilium/cilium/pull/14168#issuecomment-734405743 Fixes: f40c4ce4ad65 ("hubble: Import server-side Hubble code") Signed-off-by: Tobias Klauser <tklauser@distanz.ch> 30 November 2020, 10:12:08 UTC
ddca71e docs: Clarify best methods to limit sysdump [ upstream commit 0d578a807266fc3ea9fda299fef3cb0c8fc02046 ] This commit clarifies the cilium-sysdump methods of limiting the size of the sysdump to ensure the user is aware of the most effective approach. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
4eedd5a docs: Update docs for --since arg for sysdumps [ upstream commit 363126733cce168ae85dedf8f1b1684e484ab71b ] Now that https://github.com/cilium/cilium-sysdump/pull/96 has been merged, we no longer have a 30m default for --since. Instead, cilium-sysdump will no longer have time-based default limits; it will default to collecting the entire history. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
42371b3 docs: Document --size-limit from cilium-sysdump [ upstream commit 0611e22a1c07c4bb0a2c1145ee2e0e4166aef3db ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
a0575f4 helm: Link logo via CDN based on git branch [ upstream commit ad865cd4a1a496f7584254dcfdccf36ceac2dd37 ] Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
9ce703c helm: Fix documentation URL for v1.10 [ upstream commit e363b4ab0a3ecfcfcdf2b6b0a1ce03bef134c578 ] v1.10 will need more than the first 3 digits of the version semver; it will need the full $major.$minor. Fix this up. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
750adc8 helm: Add artifacthub CRD annotations. [ upstream commit cb98323f1fece88712839e33aade05f27afd2dfd ] Artifact Hub suggests that if we add such annotations to our charts, then they will show up in the Artifact Hub UI somewhere: https://artifacthub.io/docs/topics/annotations/helm/ Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
2cce9b8 helm: Remove wellKnownIdentities [ upstream commit 25f45b5bbe6fba4165dccf3bd72492fb32cf42de ] This option was too specific and doesn't make sense to expose as a user-visible flag in the helm charts. Remove it. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
356c218 helm: Remove 'kvstore' option. [ upstream commit e2b3707c57fa247a050c102983ba6d21be6018b9 ] This was not referenced anywhere else, remove it. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
3181b28 helm: Fix autogeneration of helm value descriptions [ upstream commit 3f0b81a51a4c42fd9f007caeae8c52495b54b25d ] These mostly needed '--' at the start for the helm-docs container to pick up the descriptions and render them into the README.md. While we're at it, remove stuttering via the old go style of typing the variable at the start of the sentence, use full sentences, and remove any comments that were named exactly the same as the variable. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
d34865b helm: Improve Cilium helm charts [ upstream commit 476133ac27c65231dc5b307df26862885fccff02 ] Expand the charts to include other common fields so that external systems can pull & use icons, tags, k8s version support, etc. Furthermore, flesh out the readme so it renders better. While we're at it, add an SVG without the cilium word so that it's more likely to render correctly in a square on external sites. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
bd5ac73 helm: Add LICENSE to charts [ upstream commit b8a9c79cad7cdb9be766d78af6043b9fe43612a7 ] This should allow external sites to better represent Cilium in artifacts generated from the Helm charts. Signed-off-by: Joe Stringer <joe@cilium.io> 25 November 2020, 23:15:26 UTC
1e2798b build, ci: extend API checks to include Hubble API [ upstream commit 92ce4eecff2e4fc9ee4f4cd1b7a70d981a0ad32c ] Similar to the existing infrastructure to detect OpenAPI based changes, detect whether any of the Hubble API files need to be regenerated. This change also includes regeneration of `api/v1/flow/flow.pb.go` which was previously missed and the GitHub action would otherwise fail. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
29b7571 ipam: Remove unnecessary deep copies [ upstream commit 5a12dfcb2df1cbf82c8863224b5ca197dc61a7e9 ] As a followup from https://github.com/cilium/cilium/pull/13865, this commit removes the unnecessary deep copies and reduces the number of return values. Instead, the copies are replaced by directly dereferencing the pointers, which also takes care of reducing the number of return values as the args are updated directly. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
fa41bd5 kvstore: add tests for etcd kvstore ratelimiter [ upstream commit 9d3bf0eaaf064cdec0781febc780beeb53c94cdc ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
ce77730 kvstore: fix ratelimiting for DeleteIfLocked backend operation [ upstream commit 948dfcf751ddfcf421cc6e559b27f958a8eb8bcd ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
a716199 docs: Improve visibility limitations docs [ upstream commit 549500555f5d40700a8da4378fb3ae529830a376 ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
6f63ef4 install: Disable operator HA for quick/experimental installs [ upstream commit ddb2423fae063ec050bd0332981c5d78f7a39396 ] Users who have HA as a requirement can deploy more explicitly via helm and specify the number of replicas they require (--set operator.replicas). Set the default to 1 for the quick installs for trying Cilium out. Fixes: #14089 Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
d2297de metrics: add cilium_datapath_nat_gc_entries [ upstream commit 57784e318449e711ffc994ee88609397086330a4 ] Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
893ae32 metrics: replace replicated "direction" strings with LabelDirection constant [ upstream commit e4bf8ca149a95a611335bc82acd948995393a189 ] Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
f65462b node: Add unit test for node arpinging [ upstream commit c5ed9aeb217eb307e496ad17b19e1d8d93436894 ] The unit test checks whether permanent arp entries for a remote node are properly handled, i.e. added upon node update and removed upon node removal. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
1a4dbbb node: Clean up insertNeighbor() logging [ upstream commit c6198b11b19594f1a731fc67fbfe1a6b6eb9fd07 ]
* Add missing logfields
* Inline neighborLog and get rid of debug statement
* Convert the code to be more idiomatic
Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
7e85253 test: Don't wait for network to schedule test-verifier [ upstream commit e3d019dac3008dfd04c942b4dcb33f662d9b0c3e ] The test-verifier pod needs to run when Cilium is uninstalled and therefore shouldn't wait for the network to be ready to be scheduled to a node. Fixes: 417cded ("test: Move RuntimeVerifier to K8sVerifier") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
d126a41 fqdn: Fix unit test [ upstream commit b9c203ba4ded74b9119c04c9577db12e8f7f70bb ] Setting usedServers to nil caused write to nil map on other tests. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> 23 November 2020, 21:12:36 UTC
eb1acc4 contrib: Automate stable docker image tag updates [ upstream commit 51342a3071fff6e65142527a3eaded96362d092f ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
6f4e7c3 Revert "CI: On EKS, skip cilium-health test" [ upstream commit 48bb78913353508f50e840e0337def88968c562e ] This reverts commit 240997450f9b4c8011f0282d7e2fb512045dd03d. Since https://github.com/cilium/cilium/pull/11073 has been merged, we no longer need to skip this test when running on EKS. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
c7e185b Revert "CI: On EKS, skip cilium-health --probe" [ upstream commit 3ec53c5402f5426bc9e2da17f3ab92458682f916 ] This reverts commit 22ee8bba2f7c081d5a9e488233584f69d1af0bd6. Since https://github.com/cilium/cilium/pull/11073 has been merged, we no longer need to skip this test when running on EKS. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
a3c1e7e Mention MTU kernel bug in frag page [ upstream commit c140bccad6a5552b37ea1c1901381400c0b02156 ] Signed-off-by: Yuan Liu <liuyuan@google.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
98943a0 docs: encryption: interface clarifications [ upstream commit eb48ff5ca03113c8d73df9ed67535c20bcdc3d44 ] Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
c203df5 helm: 'upgradeCompatibility' needs to be a string, not a float64 [ upstream commit 39d66c2c1ece412bf692f64823ed36535a83ead4 ] Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
f885263 fqdn: Only keep used IPs for restored DNS rules. [ upstream commit 61efa8fd0e58b65de9628de7e3ef8db0cd4df40c ] The DNS policy may allow a huge number of IPs, only some of which are actual DNS servers. Collect a set of DNS servers that have been allowed in the past and only store allowed IPs that have actually been used. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
ccd400d fqdn: Fix confusion of ToFQDNs vs. DNS rules. [ upstream commit a218052444243b6e439e77675f5f5034d5e86ffe ] Restored DNS proxy rules are DNS rules, not ToFQDNs rules. Fixes: #13991 Fixes: #13992 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
a8e3560 helm/hubble-relay: fixed indentation error [ upstream commit b52c9ff551226d7eb9d2a5285da56aaa3c810bdd ] Previously, customizing resources for hubble-relay-deployment via helm produced validation errors due to smaller indentation width. This commit increases the indentation width by 2, so as to not write the resource requests on the same level as 'resources'. Fixes: #14000 Signed-off-by: Pranavi Roy <pranvyr@gmail.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
cefbec5 docs: Fix wording around labels configuration [ upstream commit 461a09fe0ebef888f5ba6b256d334083ec5f1331 ] ParseLabelPrefixCfg() appends the user-specified list to the user-specified file for labels. By default, the file is empty, which readLabelPrefixCfgFrom() interprets as "use the default list". This means that by default, when the user specifies a set of labels, it will append to the default list rather than replacing it. Reported-by: Arthur Chiao <arthurchiao@hotmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
99ff54a docs: Fix helm install cmd in kubeadm GSG [ upstream commit 92a6cd893f4f078f1e9adbd00d9c0839fa3d1e02 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
759bbad bpf: reduce complexity of logic to handle IPv4 fragments [ upstream commit a78f75e1eb1dd37e107be01eec6ba7db53ad6f4f ] Refactor the logic to handle IPv4 fragments to have only a single call to `ctx_load_bytes()` in order to load the l4 ports tuple. This change fixes a complexity issue in 5.4 kernels which prevents the BPF program from being loaded by the verifier as it would reach the maximum amount of instructions that can be processed. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
6da3cb6 bpf: fix complexity issue on kernels <5.3 [ upstream commit e9bf184e3ddc69fe7bd3e00bdb623f286f870e9e ] This commit reduces the complexity of the "to-container" section by introducing a few state pruning points with the help of relax_verifier(). Pruning points have been determined by looking at the instructions that the verifier is spending the most passes on. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
5ad6063 bpf: optimize relax_verifier() [ upstream commit bb001bda9da548eda1e48231cef14e0481f261bb ] Replace the call to `csum_diff` with `get_smp_processor_id()` as with the latter we can avoid having to init r1-r5 registers. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
c9cfe3a bpf: reintroduce relax_verifier() [ upstream commit 49aac62fcdf94f88aa2f4fa8a1c88e9fca37ba27 ] relax_verifier() is a dummy helper call to introduce a pruning checkpoint to help relax the verifier to avoid reaching complexity limits on older kernels. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
ffd4efd datapath/probes: add support for misc features [ upstream commit 18d64a4a189adf4098293216f4c0dc0f077a0e9a ] This commit adds support for the "misc" features reported by bpftool. This is exposed by the ProbeManager object through the GetMisc() method. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
8cbecdc bpf: add metrics for fragmented IPv4 packets [ upstream commit 938b4940f92bd3754568cad230916e64fa5b4a7a ] This commit introduces 2 new metrics in the datapath logic related to fragmented IPv4 packets: * `REASON_FRAG_PACKET`: number of received fragmented packets * `REASON_FRAG_PACKET_UPDATE`: number of failures in updating the `IPV4_FRAG_DATAGRAMS_MAP` map to register the first logical fragment of a datagram Fixes: #11179 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
c16200e bpf: add support for SERVICE metrics [ upstream commit 38ab8f0f35ba36a4424450ec6ba67fc35206ef11 ] This change introduces a new bpf metric (`METRIC_SERVICE`) which maps to the CT_SERVICE direction of a flow. Moreover, instead of having 2 different sets of constants for CT and metrics directions (requiring some logic to convert one into another), change the metrics directions so that they match the CT ones. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
3731968 bpf: don't override DROP_FRAG_NOT_FOUND error [ upstream commit a7999315286d203fae2614ce7ed10c640dc4d13c ] `ipv4_ct_extract_l4_ports()` can return different error codes, but we currently ignore them and just override whichever error code is returned with a generic `DROP_CT_INVALID_HDR`, making metrics less accurate. This commit fixes this behaviour so that `ct_lookup4()` will return, in case of an error, the original error code returned by `ipv4_ct_extract_l4_ports()`. Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 21 November 2020, 00:46:42 UTC
a01784d cilium, docs: add note to upgrade guide on host routing [ upstream commit 9153a87d3a826ff4e8a260566fe6aab5ba02a489 ] Add note to upgrade guide with regards to host routing probing. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
2c30cf5 cilium, status: add clock source status [ upstream commit 7436d3cbcb1d8de473f08d4e4ed464d57b99bb7a ] Add a Cilium status dump on this datapath feature in order to allow for easier introspection. Clock source will show up under --verbose. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
78dda35 cilium, api: extend openapi to dump clock source status [ upstream commit d170ce8cf2b73010327eebcab20bc124effea97e ] Dump info on whether we use ktime or jiffies in BPF datapath. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
cf1a3c7 cilium, helm: add helm option for host routing setting [ upstream commit 3ce28c0c2602df09dd2016a02299d79c87891c80 ] Allow this knob to be configured for Helm users. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
e9b6c24 cilium: reenable host routing on endpoint routes and ipsec [ upstream commit bbd6886cd8001cc730a942fa73825d1775c3336f ] ... since both need to go up the stack for packet handling. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
7490928 bpf: lift multi dev restriction on fast redirect [ upstream commit 92edccfad0ee240adada269b40830c4050899d78 ] Refactor current redirect_neigh() code into redirect_direct_{v4,v6}() and add multi-device support. The latter performs a route lookup and only calls into redirect_neigh() if L2 addresses must be resolved. It also passes the GW information from the fib_lookup() to redirect_neigh() to avoid a second lookup for the latter. This now enables using the fast redirect in the more general case. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
283f562 bpf: derive identity from ipcache for external traffic under fast redirect [ upstream commit 8b0c892257e0d4f911f51d90a261016912446b2f ] We're in a similar situation as ipvlan datapath here in that we must derive the secid for policy enforcement via SECCTX_FROM_IPCACHE. This is needed as now we do not push the packet up the stack anymore where it will take the tc egress path of the bpf_lxc dev where it would resolve the secid, but instead we pass it onwards via ipv{4,6}_local_delivery() from bpf_host given we do not have skip_redirect. So in the latter this gets encoded via CB_SRC_LABEL before tail calling into ep->lxc_id. In bpf_host resolve_srcid_ipv4() was always picking WORLD (2) which will fail CIDR-based enforcement, e.g. hubble logs revealed this: {"time":"2020-11-13T13:53:09.636444980Z","verdict":"DROPPED","drop_reason":133,"ethernet":{"source":"0a:4b:c4:b6:2d:4b","destination":"92:79:4f:8e:96:4f"},"IP":{"source":"192.168.36.13","destination":"10.0.1.190","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":56228,"destination_port":80,"flags":{"SYN":true}}},"source":{"identity":2,"labels":["reserved:world"]},"destination":{"ID":1091,"identity":41849,"namespace":"default","labels":["k8s:io.cilium.k8s.policy.cluster=default","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:zgroup=testDS"],"pod_name":"testds-944zc"},"Type":"L3_L4","node_name":"k8s2","event_type":{"type":5},"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED","Summary":"TCP Flags: SYN"} The source identity in this case should have been 16777217 as per ipcache dump of ... [...] 192.168.36.13/32 16777217 0 0.0.0.0 [...] ... and thus it failed CI test 'Suite-k8s-1.12.K8sPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity is restored after importing ingress policy' where a non-Cilium managed node (192.168.36.13) made a request to the backend Pod directly via curl. It succeeded before policy to allow 192.168.36.13 to port 80 was installed but failed after the latter was set in place due to secid mismatch. Fix it by enabling SECCTX_FROM_IPCACHE so that it can assign correct identity in resolve_srcid_ipv{4,6}(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
a098f86 bpf: Fix ENABLE_EXTRA_HOST_DEV logic on host_id check [ upstream commit 6b53c869c98eb8199ec8bde67627e8f37d215868 ] Commit a695f532d060 ("Endpoint for host") changed the logic for the HOST_ID check to ... [...] #ifndef ENABLE_EXTRA_HOST_DEV - if (sec_label != HOST_ID) + if (from_host && sec_label != HOST_ID) #endif [...] ... with the rationale of: [...] ENABLE_EXTRA_HOST_DEV was only defined in init.sh for the from_host path. It is now defined from the Go side for all paths, and we check whether from_host is true in the C code instead. [...] Let's review the situation before a695f532d060: The reason we added the ENABLE_EXTRA_HOST_DEV define came from back when ipvlan was added via 7fbfe1cd92de (cilium, ipvlan: implement base host connectivity). The logic was placed in handle_ipv4() of bpf_netdev and invoked via from-netdev. When in direct routing or ipvlan mode, we would load the latter via 'bpf_load $NATIVE_DEV "$OPTS" "ingress" bpf_netdev.c bpf_netdev.o from-netdev $CALLS_MAP' to the native netdev facing external world and 'bpf_load $HOST_DEV1 "$OPTS" "egress" bpf_netdev.c bpf_host.o from-netdev $CALLS_MAP' to the cilium_host dev and in case of ipvlan where cilium_host is a ipvlan slave dev in hostns, the latter additionally has ENABLE_EXTRA_HOST_DEV set. This means for the veth case 'sec_label != HOST_ID' was always present, and for the ipvlan case 'sec_label != HOST_ID' was only compiled in for cilium_host / egress path. The change into 'from_host && sec_label != HOST_ID' has two issues after a695f532d060 transformation: i) The 'srcid_from_ipcache = *sec_label' assignment under this check is never invoked for traffic in case of veth datapath which is !from_host, that is, for outside world traffic arriving on the node. ii) Given after a695f532d060 the ENABLE_EXTRA_HOST_DEV is now defined from the Go side for all paths for ipvlan, the 'from_host && sec_label != HOST_ID' test is now compiled out and external traffic could wrongly assign HOST_ID. Meaning, for external traffic arriving on the node, the 'sec_label != HOST_ID' guard needs to stay intact. Fixes: a695f532d060 ("Endpoint for host") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
004119b test: Bump migrate-svc-test image [ upstream commit 7ffff79db150b5114d021bec3c163b6c11c529ab ] In the new version [1], the client sends a request to the server every 0.5s over the long-lived connection, and it expects a reply from the server in 1s. The change can help to catch intermittent connection failures during Cilium upgrades. [1]: https://github.com/cilium/migrate-svc-test/commit/edc628b2df7bd1002d3499c7f65df8c0396502ff Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
07453c1 doc/hubble-internals: update Relay section to reflect its current state [ upstream commit 7dc5a57c8bec76f3a866b93931f417af63c6ef5b ] Hubble Relay is no longer in progress and is declared stable with the release of Cilium v1.9, thus remove the "work in progress" note. Also update the Hubble internals doc section for Hubble Relay and complete the section with technical information. While here, fix a few typos in the whole doc section. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
60052d7 ci/github: Replace set-env command by echo [ upstream commit 659da4bd4c1bbf6accf105f43227f1086a95668c ] Related to https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
fd39388 pkg/k8s: trim spaces from loadBalancerSourceRanges [ upstream commit ada413f0deeb2b75e1ae91fd5fe74b9037c1acb5 ] Similarly to what is being done in upstream kube-proxy [1], but unfortunately without explaining why, loadBalancerSourceRanges might contain spaces which prevents the CIDR from being parsed correctly. [1] https://github.com/kubernetes/kubernetes/pull/94107 Fixes: 31956817bbd4 ("k8s: Add and parse LoadBalancerSourceRanges field") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
0114b62 ipam: Fix ENI IPAM on smaller instance types [ upstream commit f0f948d78175c1ba5d3f5f2dc69414b214a58854 ] This commit fixes the ENI IPAM mode when the instance types are very limited [1]. The problem was that Cilium by default was attempting to allocate 8 IPs (PreAllocate). However, on smaller instance types such as "t3a.micro" or similar, the maximum number of IPs that can be attached to one ENI device is 4. On top of that, Cilium by default does not use eth0 as an ENI device (default interface index is 1), which could further restrict itself from having enough ENIs for pods in the cluster. This commit fixes this by checking the instance type limits and adjusting the PreAllocate value. Additionally, we likely also need to include eth0 as an ENI device to give more buffer for Cilium to allocate IPs by setting the first interface index to 0. [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html?shortFooter=true#AvailableIpPerENI Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
ecb5f41 ipam: Clarify purpose of (*Node).syncToAPIServer() [ upstream commit 379ce1e887c293afd45e356c04d0da4c7a90fe70 ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
8d14973 ipam: Consolidate logic to sync to K8s apiserver [ upstream commit 623dcd3581b6a48994d5e1e28b720b1c0525b6df ] In (*Node).syncToAPIServer(), there are two main loops (operations) which update the CiliumNode status and spec, respectively. The code was exactly the same except for this difference. This commit refactors the logic to consolidate the code when syncing to the CiliumNode resource to the apiserver. In addition, this refactor allows these two operations to have the same error handling flow [see commit a7451f82d4 ("ipam: Warn when failing to update CN status")]. The main motivation for that commit is to fix the swallowing of the error when update fails and the subsequent Get succeeds. Before this commit, the error handling flow was different between the two operations (update spec & status). Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
5440866 eni: Refactor limits package [ upstream commit 6d9cfe48d45bc848f01c278c2054702f60c8fffa ] This commit refactors the limits package. The biggest change is consolidating the limits map and its mutex into a single type. Functions with "limit" in the name have been removed because it is now redundant since these functions live under the limits package. The reason why this commit wasn't squashed with the previous is because git wouldn't consider the new file as a rename from the old, likely because of too many refactoring changes. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
dbf3ef2 eni: Move limits to separate package [ upstream commit d69045af67c6ededf55bfc8c6252a02dd0411588 ] This commit was necessary to prevent an import cycle in a future commit. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
1242779 helm/hubble-ui: fixed ingress configuration on EKS clusters [ upstream commit f65bee5fa72c571dbc5f93f0da207f94a434c6fa ] fixes #14018 Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC
2ce22e5 Hubble-Relay: proxy metadata from originating client [ upstream commit df9f66e3ad6725d704edbd48b4283f9b81f3a3bf ] PR-12865 attempted to accomplish this by proxying the context object without modifying it, which is incorrect. The incoming and outgoing metadata keys are actually different and must be explicitly set in order for the metadata to be properly proxied. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 18 November 2020, 08:10:14 UTC