Skip to main content

Browse the archive

https://github.com/cilium/cilium
12 July 2024, 03:14:21 UTC
sort by:
Revision Author Date Message Commit Date
41fa2d3 Ian Vernon 29 March 2018, 19:38:46 UTC test/runtime: reduce redundant arguments in policy formatting Use string formatting index references to populate policies within test. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
8864c72 Ian Vernon 29 March 2018, 19:16:42 UTC test/runtime: send output of cilium-agent to logger The kvstore test stops the cilium service, and starts the process directly. Thus, no logs are sent to syslog; edit the command which runs the cilium-agent to send output to syslog for debugging. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
a137867 Ian Vernon 29 March 2018, 18:54:19 UTC cmd: add documentation and TODO for updatePolicyKey Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
da43a12 Ian Vernon 29 March 2018, 18:47:03 UTC pkg/k8s: remove remove duplicate port check for egress rules Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
d40ca2b Ian Vernon 29 March 2018, 18:45:02 UTC pkg/endpoint: cleanup formatting of log message Move fields in log message to be on each line for easier readability. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
cd9318e Ian Vernon 29 March 2018, 18:43:37 UTC cilium/cmd: refactor parseTrafficString Use a switch statement instead of if-else chain. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
461b151 Ian Vernon 29 March 2018, 18:41:28 UTC pkg/policy: remove outdated TODO message Unit tests are added for ResolveL4EgressPolicy, so remove TODO message to add unit tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3bff09e Ian Vernon 29 March 2018, 18:40:55 UTC pkg/endpoint: add GitHub issue number for egress ConnTrack work Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
22e402d Ian Vernon 29 March 2018, 18:40:28 UTC daemon: add TODO for GH-3394 Add TODO message for egress policy tracing. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
d1d42a4 Joe Stringer 29 March 2018, 17:23:50 UTC bpf: Fix non-CT egress policy address lookup When conntrack is disabled, the destination address in the ct_tuple is not flipped, so egress IP->ID lookup was using the wrong address to lookup the destination identity. Fix it up. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
c1584a1 Ian Vernon 29 March 2018, 04:10:22 UTC pkg/endpoint: populate AllowedEgressIdentities in GetPolicyModel Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
2c5d299 Ian Vernon 29 March 2018, 04:09:50 UTC api: add allowed-egress-identities to EndpointPolicy Add list of allowed identities for egress communication. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
cb2f6b8 Ian Vernon 29 March 2018, 03:43:53 UTC test/runtime/manifests: update conntrack test policies to account for label-based egress Now that we do label-based lookups for egress in datapath, need to explicitly add label-based egress policies because the agent's policy enforcement mode is set to 'always' (default deny for egress) for these tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
883125c Ian Vernon 28 March 2018, 20:32:41 UTC test/runtime: add L3-dependent L7 policy and commented-out tests Tests are commented out because egress L3-dependent-L7 still needs to be added to Cilium. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3a9d56a Ian Vernon 28 March 2018, 06:08:11 UTC test/runtime: add egress L4 with L3 label wildcard test Misc. comment fixes as well. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
f4b1f47 Ian Vernon 28 March 2018, 04:56:00 UTC test/runtime: add egress L3-only test Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
a871244 Ian Vernon 28 March 2018, 03:19:39 UTC test/runtime: remove useless CIDR tests CIDR policy does not apply to IPs within the cluster, which this test was trying to test. So, these tests were not truly testing CIDR policy. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
79b3f5f Ian Vernon 28 March 2018, 03:13:44 UTC test/runtime: enable test which was disabled due to lack of L3-dependent L4 egress enforcement Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
f5088ff Ian Vernon 28 March 2018, 04:29:55 UTC test/runtime/manifests: change policy to be L3-dependent-L4 for egress Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
f86c1ec Ian Vernon 29 March 2018, 00:01:17 UTC test/runtime: fix up CIDR tests to reflect datapath changes Need to add egress rules because we go into "always" PolicyEnforcement mode in the CIDR tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
ad6e500 Joe Stringer 28 March 2018, 22:14:20 UTC bpf: Fix proxy_port lookup on egress Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
0598ff5 Joe Stringer 28 March 2018, 22:10:44 UTC bpf: Apply L4 rules to external IPs Previously, this check was erroneously applied to all traffic, which, in the case that there were no L4 policies, would result in allowing all traffic. Only apply this (and drop) in the case where the traffic is egressing outside the cluster. If L4 would drop the traffic, drop it; otherwise, defer to the CIDR check later in the function. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
e92575b Joe Stringer 28 March 2018, 21:57:35 UTC bpf: Force inlining of handle_ipv6 Fixes an issue where clang 3.8 was generating "call 0" instructions. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
3df1264 Joe Stringer 28 March 2018, 21:56:38 UTC bpf: Reduce IPv6 CIDR egress prefixes in build The number being used before was way too big, and was causing common build environments to exceed the verifier limits. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
268c35c Ian Vernon 28 March 2018, 02:45:12 UTC pkg/endpoint: use correct label access call in checkEgressAccess Should be AllowsEgressLabelAccess, not AllowsIngressLabelAccess. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3f7356d Ian Vernon 27 March 2018, 18:54:19 UTC cmd: move updatePolicyKey to helpers.go This function is used both by `cilium bpf policy add` and `cilium bpf policy delete`,so move it to the file where helpers that are common to more than one command are located. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
18fbfad Ian Vernon 27 March 2018, 04:48:50 UTC cmd: add directionality to `cilium bpf policy <add,delete>` Add capability to specify whether policy should apply to ingress or egress to the given BPF PolicyMap for an endpoint. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
1c640d8 Ian Vernon 27 March 2018, 17:54:31 UTC cmd: add parseTrafficString helper Add a helper which converts a given string to policymap.TrafficDirection. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
93d0b8c Ian Vernon 27 March 2018, 17:51:42 UTC pkg/maps/policymap: add Invalid TrafficDirection Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
ab4c7fb Ian Vernon 27 March 2018, 22:24:02 UTC pkg/k8s: enable TestParseNetworkPolicyEgressL4AllowAll Enable this unit test now that L3-dependent-L4 for egress is added. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
4e242f1 Ian Vernon 14 March 2018, 20:11:20 UTC pkg/policy: add label-dependent L4 for egress Rename existing functions in terms of ingress and factor out egress-related parts in now-ingress-only functions to their corresponding egress-related counterparts. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
0394dfe Ian Vernon 15 March 2018, 03:09:22 UTC pkg/policy: remove unit test which disallows label-dependent l4 Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3135a2f André Martins 29 March 2018, 17:02:27 UTC Dockerfile: update cilium-builder to 2018-03-29 Signed-off-by: André Martins <andre@cilium.io> 29 March 2018, 18:15:03 UTC
7240a5c Maciej Kwiek 28 March 2018, 10:22:46 UTC Check if localStatus is populated in health server If the status wasn't populated it caused panics. Node name is set to empty if localStatus is nil. Signed-off-by: Maciej Kwiek <maciej@covalent.io> 29 March 2018, 17:35:37 UTC
5c9efe0 Eloy Coto 29 March 2018, 14:00:03 UTC Vagrant: Bump version to 46 Fix dependencies cache made by 996e41adf593f8d7fdbf8d34bd2a57cc635f8c64 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 29 March 2018, 16:07:27 UTC
b2a62c4 Joe Stringer 23 March 2018, 21:34:51 UTC daemon: Clarify cases in which PATCH /endpoint waits Commit 41c08396ce4b ("daemon: Only regenerate in PATCH from valid state") removed the endpointWait from "PATCH /endpoint" in the case where the identity is not yet resolved, but introduced an unlocked access to the endpoint's state field. Fix it so that it will instead wait if the API call is forcing regeneration. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 14:12:38 UTC
8d87773 Eloy Coto 29 March 2018, 07:38:09 UTC Ginkgo: Add NFS support on Vagrantfile Add NFS Supoort in Vagrantfile Fix #3365 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 29 March 2018, 14:10:25 UTC
35145e6 Ian Vernon 28 March 2018, 23:03:44 UTC pkg/policy: remove fromEntities and toEntities from rule type Due to a regression introduced with the calling of rule sanitization functions, rule.sanitize() (different than Rule.sanitize) was never called at runtime, only during unit tests. As a result, any rule with toEntities or fromEntities was not properly populated during runtime. This was because the type pkg/policy:rule only populated these fields during rule.sanitize(), which as mentioned before, was not called outside of unit tests. Remove the toEntities and fromEntities fields, and just use the ToEntities and FromEntities within Rule.Ingress and Rule.Egress accordingly. While this involves a map lookup to map entities to their corresponding EndpointSelector, this means that we now only have one code path for validating rules; having multiple ones, as shown by the regression, is error-prone. Update the policy resolution functions to account for this change, as well as unit tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 14:09:42 UTC
df40e26 Tony Lambiris 29 March 2018, 11:17:31 UTC Update rpm packaging files 29 March 2018, 14:08:28 UTC
adeacc1 Jarno Rajahalme 28 March 2018, 19:54:47 UTC daemon: Merge Envoy logs with cilium logs by default. Use a file logger for Envoy only if non-empty '--envoy-log' command line parameter is given. Otherwise merge Envoy logs with Cilium logs with 'subsys=envoy-<part>', where '<part>' is Envoy's logger name (e.g., "filter", "upstream", "router", etc.). When merging Envoy logs to Cilium logs all Envoy log messages will be logged at "Debug" level. This causes Envoy logs only appear when Cilium is in debug mode. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 March 2018, 05:00:41 UTC
996e41a Jarno Rajahalme 28 March 2018, 17:30:31 UTC envoy: Rebase to Envoy master. Need support for `--log-format` command line option. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 29 March 2018, 05:00:41 UTC
18f8a83 Eloy Coto 29 March 2018, 04:49:32 UTC Test: Fix RuntimeValidatedConntrackTest test flake (#3333) * Test: Fix RuntimeValidatedConntrackTest test flake - TestConnectivity started without waiting for all endpoints to be in ready state. - Fix some assert messages Fix #3330 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 29 March 2018, 04:49:32 UTC
1d7f869 Joe Stringer 25 March 2018, 23:25:06 UTC test/bpf: Add unit tests for CIDR lookups Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 04:25:20 UTC
ac45144 Joe Stringer 28 March 2018, 18:15:14 UTC bpf: Rearrange CIDR map declarations Previously, in certain combinations of #defines, the lpmx_xxgress_lookup functions were being double-defined. Prevent this by arranging the declarations in a more sensible manner: * If either ingress/egress policy is defined, define the common fns -> Handle availability / non-availability of LPM * If ingress policy is defined, define map lookups on ingress -> LPM-based lookup or hash-based using common fns * If egress policy is defined, define map lookups on egress -> LPM-based lookup or hash-based using common fns Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 04:25:20 UTC
53339a8 Joe Stringer 28 March 2018, 18:15:14 UTC bpf: Fix IPv4 CIDR prefix matches on older kernels The IPv6 path already had this GET_PREFIX() macro which does the right thing, reuse it. Fixes: #3352 Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 04:25:20 UTC
99171fc Joe Stringer 28 March 2018, 17:11:12 UTC bpf: Fix default build The target for cilium-map-migrate was the first target in the file, which meant it would be the only target compiled in the bpf/ directory. Move it later in the file so that all files are built. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 04:25:20 UTC
bc85290 Joe Stringer 28 March 2018, 17:10:20 UTC bpf: Quieten Makefile comment Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 04:25:20 UTC
5a19754 Maciej Kwiek 28 March 2018, 14:55:38 UTC Fix ingress allow all example Signed-off-by: Maciej Kwiek <maciej@covalent.io> 28 March 2018, 16:48:32 UTC
a2782f9 Eloy Coto 28 March 2018, 06:46:17 UTC Doc: Address PR comments Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 15:13:43 UTC
598d846 Eloy Coto 26 March 2018, 09:10:39 UTC Documentation: Add Packer-ci-build project and Ginkgo Helpers Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 15:13:43 UTC
93016a4 André Martins 26 March 2018, 09:08:23 UTC Jenkinsfile: update kubernetes version to test Change default kubernetes version to be tested against kubernetes 1.7 and 1.10-rc1. Add all other kubernetes versions to be tested. Signed-off-by: André Martins <andre@cilium.io> 28 March 2018, 15:12:39 UTC
9acf84c André Martins 26 March 2018, 08:58:04 UTC test: update kubernetes to 1.10.0 Specified a kubernetes version for each major.minor k8s version. Signed-off-by: André Martins <andre@cilium.io> 28 March 2018, 15:12:39 UTC
6d3aa1e Thomas Graf 28 March 2018, 05:34:36 UTC test: Verify L4 rule with L3 wildcard correctnes Fixes: #3231 Signed-off-by: Thomas Graf <thomas@cilium.io> 28 March 2018, 14:16:02 UTC
f28edb0 Ian Vernon 28 March 2018, 06:51:31 UTC test/runtime/manifests: fix typo in policy Change id.http2 --> id.httpd2. This rule wasn't actually selecting any endpoints. Signed-off by: Ian Vernon <ian@cilium.io> 28 March 2018, 09:06:45 UTC
d1798b3 Eloy Coto 27 March 2018, 09:06:23 UTC Test: Add variadic argument on Node.Exec functions Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
5d77fd6 Eloy Coto 26 March 2018, 15:25:41 UTC Test: Added JustAfterEach and AfterFailed in Nightly test Adapt Nightly test to the ginkgo-ext helpers functions Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
b75e569 Eloy Coto 26 March 2018, 15:25:24 UTC Ginkgo: Add Measure in Ginkgo-ext Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
f8b64a5 Eloy Coto 26 March 2018, 15:14:49 UTC Test: Added JustAfterEach and AfterFailed in k8st test Added JustAfterEach and AfterFailed in all kubernetes test Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
b60eaa3 Eloy Coto 26 March 2018, 15:02:11 UTC Ginkgo: Refactor kubectl.CiliumReport Avoid the use of CiliumPod in the CiliumReport and use all cilium pods Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
9cbc269 Eloy Coto 26 March 2018, 14:31:50 UTC Test: Refactor runtime test to use AfterEach and AfterFail functions Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
4b787f5 Eloy Coto 26 March 2018, 13:31:18 UTC Ginkgo: Add JustAfterEach and AfterFailed helper functions Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
b09fe2f Eloy Coto 26 March 2018, 12:54:18 UTC Test: add a option to not output log to GinkgoWriter Add a option to not duplicated the information across test_results Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 28 March 2018, 08:50:23 UTC
63682d6 Thomas Graf 28 March 2018, 02:47:36 UTC bpf: Fix return value of lpm{46}_ingress_lookup When policy enforcement is disabled, these lookup calls should always return a positive value to indicate a match. This bug had no effect so far as calls to these functions are currently protected by defines only defined when policy enforcement is enabled. Signed-off-by: Thomas Graf <thomas@cilium.io> 28 March 2018, 05:54:03 UTC
b9bd015 Thomas Graf 28 March 2018, 00:40:41 UTC bpf: Fix egress CIDR policy enforcement The existing egress CIDR enforcement lookup was performed correctly but relied on a later policy check enforcing a drop and thus only marked the packet to skip the policy check instead of dropping it directly. The latter policy check was removed and since broke the egress CIDR policy enforcement. The CI test is in-effective and thus did not catch this regression. This commit fixes the bug, the CI test will be fixed in a separate commit. Fixes: #3345 Fixes: #3340 Signed-off-by: Thomas Graf <thomas@cilium.io> 28 March 2018, 05:54:03 UTC
41e9af3 Manali Bhutiyani 28 March 2018, 03:29:44 UTC docs: Fix the Kafka policy to use the new role in the GSG Fixes: #3349 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 28 March 2018, 04:46:45 UTC
1237ec3 Joe Stringer 27 March 2018, 22:08:16 UTC monitor: Fix egress identity mapping output Signed-off-by: Joe Stringer <joe@covalent.io> 28 March 2018, 03:45:10 UTC
f53a362 Joe Stringer 25 March 2018, 02:25:16 UTC monitor: Fix ct entry port byteorder in output Signed-off-by: Joe Stringer <joe@covalent.io> 28 March 2018, 03:45:10 UTC
3d82a4b Daniel Borkmann 21 March 2018, 11:02:32 UTC maps: allow for migration when map properties change Currently, when changing simple map properties such as type, key/value size, maximum number of elements or flags, then the loader rightfully bails out when it sees an already pinned map node comparing it to the one specified in the object file. The issue is that this makes it hard to upgrade certain maps, e.g. tail call maps when they get extended with new call entries or other generic maps when bumping their maximum elements or changing key/value size. For tail call maps, we temporarily move the map to a different location in the bpf fs and once the prog got installed successfully then we can unlink it such that the old map gets released eventually, or in case of failure, we can move it back. This patch generalizes such migration of the data path such that updates on any maps would work. It consists of two parts, i) object based tool that checks directly all maps in the generated object file agains the pinned ones, and ii) daemon based checks on daemon-triggered map creation. The former also allows to get rid of remove_non_persistent_map() in the init.sh before each bpf_load(), and the cilium_calls_${EPID} specific workaround in the join_ep.sh. The cilium-map-migrate tool will report into the journal once map migration needed to be done. On the daemon side, we move the existing migrate() logic out of the Map's OpenOrCreate() handler into the lower-level OpenOrCreateMap() function, since the latter is used also from other locations where we otherwise would need to duplicate the logic. It also makes sense to actually check what we've received from ObjGet() call and whether it matches with the request instead of blindly passing the fd onwards. The original migrate() logic is extended to remove the map with exception to tail call maps due to eviction of prog entries upon inode removal. Limitations: what cannot be detected as of today is struct changes in the key/value for the case where the size doesn't change. There will be kernel side support with BPF type format soon for allowing this at least on newer kernels. Also, there will be data loss for the time being when such conflict in map properties is detected on live update. In future, BPF type format we could make this more graceful by automating such upgrades with a mapping scheme between the two maps. Fixes: #3182 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 March 2018, 00:20:45 UTC
089e625 Daniel Borkmann 21 March 2018, 11:02:32 UTC bpf: import elf headers to avoid extra dep Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 28 March 2018, 00:20:45 UTC
edb8896 Romain Lenglet 27 March 2018, 06:25:07 UTC ctmap: Move doFiltering debug logs under flowdebug Fixes: #3295 Signed-off-by: Romain Lenglet <romain@covalent.io> 28 March 2018, 00:10:13 UTC
edda929 Romain Lenglet 27 March 2018, 06:11:14 UTC envoy: Fix xDS server start log message Fixes: #3273 Signed-off-by: Romain Lenglet <romain@covalent.io> 28 March 2018, 00:10:13 UTC
87c62e3 Ian Vernon 27 March 2018, 21:07:23 UTC pkg/endpoint: pass denied egress identities to UpdateNetworkPolicy Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 23:30:54 UTC
1b03f6d Romain Lenglet 27 March 2018, 21:44:54 UTC envoy: Don't try to set the endpoint's policy revision if policy is nil Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 23:06:06 UTC
59ef1e3 Romain Lenglet 27 March 2018, 20:39:29 UTC envoy: Use mutex to protect field accesses in Cilium xDS server Fixes: #3329 Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 23:06:06 UTC
cecd5f1 Ian Vernon 23 March 2018, 00:46:54 UTC test/helpers: do not wait for endpoint to regenerate in EndpointSetConfig The command to set configuration should take care of this; clients should not have to implement logic to set configuration on endpoints based off of endpoint state. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
28b6b78 Ian Vernon 22 March 2018, 21:13:17 UTC pkg/endpoint: update variable from changed --> needToRegenerateBPF Make variable more evocative of what it means. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
5b62f57 Ian Vernon 22 March 2018, 16:40:25 UTC pkg/endpoint: check endpoint state before trying to regenerate * check if endpoint state is able to be changed to waiting-to-regenerate before trying configuration update * return error if after a hardcoded timeout, regeneration is unable to occur if endpoint state not able to be changed to waiting-to-regenerate. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:58 UTC
9ea330a Ian Vernon 27 March 2018, 18:20:48 UTC F 27 March 2018, 22:25:00 UTC
61f903d Ian Vernon 23 March 2018, 22:26:52 UTC pkg/ipcache: only unmarshal value of key-value store event for create events The value is only populated for create events; for delete events, it is not populated. Thus, added a new function which extracts the IP from the key; this is similar to what is done for `pkg/kvstore/allocator`. Add unit tests for this conversion as well. Also do the following: * Update code-comment for EventTypeListDone to be more accurate. * Add event type to log message were we cannot unmarshal data from the key-value store. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:00 UTC
e2fe78d Ian Vernon 24 March 2018, 00:10:49 UTC daemon: only use value for Upsert CacheModification The value field is not used in Delete CacheModification, so only set the value in Upsert CacheModification. Signed-off by: Ian Vernon <ian@cilium.io> 27 March 2018, 22:25:00 UTC
ce762dd Romain Lenglet 27 March 2018, 05:27:03 UTC npds: Send allow-all policy when enforcement is disabled for endpoint Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 20:20:07 UTC
992733d Romain Lenglet 27 March 2018, 04:31:43 UTC npds: Convert nil L4Policy into deny-all policy Any endpoint with a nil L4Policy was causing a panic. Instead, generate a policy that denies all traffic at both ingress and egress. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 20:20:07 UTC
0c6d916 Eloy Coto 26 March 2018, 09:45:36 UTC Test: Fix assert message on kafka tests Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 27 March 2018, 19:43:14 UTC
6046566 Ray Bejjani 27 March 2018, 11:02:26 UTC endpoint: Print endpoint logs to agent logs We record information for retrieval with 'cilium endpoint log' but we never log it as part of the agent logs. This change includes an equivalent debug print of these changes. Signed-off-by: Ray Bejjani <ray@covalent.io> 27 March 2018, 18:29:28 UTC
9e6265f Ray Bejjani 27 March 2018, 11:39:12 UTC k8s: Fix formatted annotation log 27 March 2018, 18:29:28 UTC
0c1fd16 André Martins 27 March 2018, 12:43:49 UTC Dockerfile: increment image builder to 2018-03-27 Signed-off-by: André Martins <aanm90@gmail.com> 27 March 2018, 14:00:32 UTC
f75755f André Martins 27 March 2018, 12:34:35 UTC packaging/docker: add libelf-dev to builder image Signed-off-by: André Martins <aanm90@gmail.com> 27 March 2018, 14:00:32 UTC
6b37ad6 Romain Lenglet 26 March 2018, 18:05:42 UTC api: Remove redirects from proxy status Remove the redirects field from proxy status in "cilium status". Move allocated-proxy-port field into proxy-statistics in "cilium endpoint get". Sort the elements of proxy-statistics. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
7ad82c8 Romain Lenglet 23 March 2018, 22:05:37 UTC proxy: Update endpoint stats from Kafka proxy Rename NetworkPolicyEndpoint interface into EndpointUpdater. Move EndpointUpdater from pkg/envoy into pkg/proxy/logger to make usable from the Kafka proxy. Update stats from Kafka proxy after logging into access log. Fix access logging to only log and account once when a request is denied and a response can't be created. Add endpoint identities, IP addresses, and ports in Kafka response access logs. This is also required to be able to derive endpoint stats. Look up original destination address and port of a Kafka request connection only once after accepting the connection, instead of for every request. Simplify the implementation of handleRequests as it was always passed a nil log record. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
ddcbdcc Romain Lenglet 23 March 2018, 06:57:41 UTC api: Move redirect statistics from proxy status to endpoint Remove statistics from ProxyRedirectStatus. Add security identity and labels SHA256 to ProxyRedirectStatus. Move ProxyRedirectStatistics into Endpoint (cilium endpoint get) and redefine it as a subset of ProxyRedirectStatus plus statistics. The output of cilium endpoint get now contains stats like: "proxy-statistics": [ { "location": "ingress", "port": 80, "protocol": "http", "statistics": { "requests": { "denied": 12, "forwarded": 15, "received": 27 }, "responses": { "forwarded": 15, "received": 15 } } } ], Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
8f3f573 Romain Lenglet 22 March 2018, 22:23:44 UTC envoy: Extract network policy name and obs point from log records Associate access log producers to network policies. Remove all logging logic from Redirect. Add the observation point (ingress / egress) in every Envoy log record, and use that to create an access log record. Remove all stats logic from Redirect, to decouple stats from redirects to local proxies. Split the LogRecordProducer interface into the existing LogRecordNotifier interface and a new EndpointInfoRegistry interface. Group identity lookup by ID and by IP under the same EndpointInfoRegistry interface. Split files for readability: logger.go: move enpoint info interface into epinfo.go proxy.go: move Redirect into redirect.go, getMagicMark into mark.go Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
837c044 Romain Lenglet 22 March 2018, 21:24:55 UTC envoy: Use policy name instead of listener ID in access logs Remove duplicate accesslog.pb.go. Move files related to access log protobufs into the right package: pkg/envoy/cilium. Remove listener_id from filter configuration. Use network policy resource name instead. Signed-off-by: Romain Lenglet <romain@covalent.io> 27 March 2018, 05:35:10 UTC
49fcc49 Joe Stringer 26 March 2018, 20:59:09 UTC endpoint: Sweep old identities in applyNewFilter Each time we apply a new filter, sweep through the policymap entries and clear out any identities that don't exist in the new labelsMap. Fixes: #3314 Signed-off-by: Joe Stringer <joe@covalent.io> 27 March 2018, 02:44:00 UTC
74a92f3 Joe Stringer 26 March 2018, 20:20:15 UTC endpoint: Delete old policies based on old labelsMap Related: #3314 Signed-off-by: Joe Stringer <joe@covalent.io> 27 March 2018, 02:44:00 UTC
45276cb Manali Bhutiyani 26 March 2018, 20:10:28 UTC CI/tests: Make Kafka service headless Fixes: #3319 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 27 March 2018, 00:03:47 UTC
ee379a5 Manali Bhutiyani 26 March 2018, 20:03:18 UTC docs: Make Kafka service headless Fixes: #3319 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> 27 March 2018, 00:03:47 UTC
e1143c5 Joe Stringer 24 March 2018, 23:51:44 UTC health: Fix succinct/verbose modes. Commit 11f420b59d9d ("health: Format localhost first in status output") inadventently swapped the order of the 'succinct' and 'verbose' parameters, leading to weird results with respect to verbosity on the commandline. Put them back in the right order. Signed-off-by: Joe Stringer <joe@covalent.io> 26 March 2018, 20:12:44 UTC
e91065b Eloy Coto 26 March 2018, 16:02:06 UTC Vagrant: Bump minimal version to 2.0 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 26 March 2018, 18:45:52 UTC
28c8871 Eloy Coto 24 March 2018, 19:47:43 UTC Vagrant: Update base box version Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 26 March 2018, 18:12:08 UTC
f43c706 Shantanu Deshpande 24 March 2018, 15:35:32 UTC Use alpine as base image for Docs container 1. Modify Docs Dockerfile to use alpine. 2. Modify Makefile to use newer docker cli commands. Signed-off-by: Shantanu Deshpande <shantanud106@gmail.com> 26 March 2018, 07:37:53 UTC
back to top