Skip to main content

Browse the archive

https://github.com/cilium/cilium
09 April 2024, 21:14:05 UTC
sort by:
Revision Author Date Message Commit Date
cdfb40c Ray Bejjani 30 March 2018, 18:56:14 UTC api: Refactor /endpoint API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 23:42:57 UTC
4394529 Ray Bejjani 30 March 2018, 22:15:05 UTC k8s: CEP controller more resilient to invalid objects When we change the CEP schema between versions the new agent may see existing CEPs as invalid. Deleting them is the simplest way to guarantee compatibility. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 23:42:57 UTC
85fecbb Joe Stringer 03 April 2018, 21:50:17 UTC policymap: Avoid using golang arrays in entry Split the array into separate fields in case it has any effect on #3491. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 23:18:14 UTC
a3a1545 Thomas Graf 03 April 2018, 18:01:17 UTC etcd: Run etcd version check in the background When an etcd endpoint is unavailable, the version check retrieves the version of each etcd endpoint. If one etcd endpoint is not available, the version check will time out eventually. This is currently a blocking operation which delays the renewal of etcd sessions. Run the version check in the background instead to not delay renewal of etcd sessions. Never return errors on version checks except when the version check clearly fails. Fixes: #3496 Signed-off-by: Thomas Graf <thomas@cilium.io> 03 April 2018, 23:17:20 UTC
f7c2adf Ian Vernon 03 April 2018, 17:58:57 UTC bugtool: run `cilium-health status` Signed-off by: Ian Vernon <ian@cilium.io> 03 April 2018, 22:49:35 UTC
2c71bec Ian Vernon 03 April 2018, 17:57:06 UTC bugtool: run `ip rule` Signed-off by: Ian Vernon <ian@cilium.io> 03 April 2018, 22:49:35 UTC
2d7f8af Joe Stringer 03 April 2018, 16:39:16 UTC bpf: Reduce IP comparisons These IP comparisons are performed earlier in the egress path and are cached, reuse the cached value. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 21:12:44 UTC
97836cc Joe Stringer 03 April 2018, 16:45:29 UTC bpf: Remove embedded L4 policy map L4 policies applying to traffic outside the cluster IP range can only be applied to all such traffic via either no L3 match, or an L3 match on the world entity. We already push such policies down into the POLICY_MAP and look them up in policy_can_egress*(), so we can reuse this rather than using the embedded L4 policy array. This allows us to get rid of the embedded L4 policy for such cases, which simplifies the datapath and expands the scalability of L4 policies. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 21:12:44 UTC
f345241 Joe Stringer 03 April 2018, 16:35:33 UTC bpf: Perform external policy lookup via POLICY_MAP By default, use CLUSTER_ID / WORLD_ID for the egress policy lookup, depending on the destination of the packet. If the destination identity is not known, these will look up the policy for the entity which allows L4 policy to be applied as well. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 21:12:44 UTC
f48021c Joe Stringer 03 April 2018, 01:03:12 UTC bpf: Block ICMP at L4 when policy is enabled Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 21:12:44 UTC
bdbb622 Joe Stringer 03 April 2018, 00:39:33 UTC bpf: Apply CIDR egress policy earlier Adjust the application of L4 / CIDR egress policy to allow traffic that matches either the L4 policy or the CIDR policy, as part of the same check. Previously, if L4-only policy allowed traffic, it would be denied by CIDR; and if CIDR-only policy allowed traffic, it would be denied by L4. These cases should now work as expected. Fixes: #3371 Fixes: #3427 Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 21:12:44 UTC
79b58bf Ray Bejjani 02 April 2018, 21:28:46 UTC api: Refactor /policy/trace API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 20:56:30 UTC
c0c3c21 Ray Bejjani 02 April 2018, 20:34:53 UTC api: Refactor /prefilter API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 20:56:30 UTC
79fed6b Ray Bejjani 02 April 2018, 15:00:54 UTC api: Refactor /service API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 20:56:30 UTC
dee6674 Ray Bejjani 03 April 2018, 15:32:05 UTC cli: cilium service list -o json returns raw json We previously return the processed, printable, service data. This was inconsistent with other "-o json" output and "cilium service get <id> -o json". 03 April 2018, 20:56:30 UTC
56e82b7 Ray Bejjani 03 April 2018, 15:27:05 UTC test: ServiceGetIds jsonpath is splittable We accidentally concatenated all the IDs into one unsplittable number.We introduce the \n needed to split the list. 03 April 2018, 20:56:30 UTC
9211d38 Joe Stringer 02 April 2018, 22:07:00 UTC test: Fix call to SetPolicyEnforcement() SetPolicyEnforcement() doesn't attempts to wait for policy to be enforced, and returns a result. This test wasn't checking the result for success, and wasn't waiting for endpoints to be ready afterwards. Check the error and also check the wait for endpoints to be ready. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 16:22:27 UTC
f5801c2 Joe Stringer 02 April 2018, 22:04:04 UTC test: Don't silently allow pod unreadiness `cilium policy wait ...` could fail here, and the failure would be ignored, then the test would continue and potentially fail on some subsequent check, which could mislead people trying to triage the error. Fail out if policy wait fails. Signed-off-by: Joe Stringer <joe@covalent.io> 03 April 2018, 16:22:27 UTC
dd717c3 Eloy Coto 03 April 2018, 07:23:07 UTC Test: Fix bugtool on kubernetes 1.7 On kubernetes 1.7 the cp need to have a specific destination, and the `kubectl cp` command was failing: ``` vagrant@k8s1:~$ kubectl cp kube-system/cilium-jk0kn:/tmp/cilium-bugtool-20180403-065927.547+0000-UTC-039557248.tar /tmp/ tar: Removing leading `/' from member names error: open /tmp: is a directory ``` I added a new param to the command and now works as expected ``` vagrant@k8s1:~$ kubectl cp kube-system/cilium-jk0kn:/tmp/cilium-bugtool-20180403-065927.547+0000-UTC-039557248.tar /tmp/cilium-bugtool-20180403-065927.547+0000-UTC-039557248.tar tar: Removing leading `/' from member names vagrant@k8s1:~$ ``` Related to #3475 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 03 April 2018, 09:37:11 UTC
0545b62 Romain Lenglet 03 April 2018, 00:28:16 UTC test: Re-enable Kafka tests Fixes: #3472 Signed-off-by: Romain Lenglet <romain@covalent.io> 03 April 2018, 08:37:26 UTC
b605c63 Romain Lenglet 03 April 2018, 00:26:08 UTC maps: Fix proxymap error messages Signed-off-by: Romain Lenglet <romain@covalent.io> 03 April 2018, 08:37:26 UTC
9d16543 Romain Lenglet 03 April 2018, 00:25:30 UTC proxy: Use the same proxy map size as in BPF Fixes: #3472 Signed-off-by: Romain Lenglet <romain@covalent.io> 03 April 2018, 08:37:26 UTC
0bf5b6d Romain Lenglet 03 April 2018, 00:23:00 UTC bpf: Add bpf/cilium-map-migrate to .gitignore Signed-off-by: Romain Lenglet <romain@covalent.io> 03 April 2018, 08:37:26 UTC
f56cdf1 Thomas Graf 02 April 2018, 21:36:00 UTC bpf: Do not route packets from egress proxy back into cilium_host Signed-off-by: Thomas Graf <thomas@cilium.io> 03 April 2018, 02:44:53 UTC
02cd138 Ray Bejjani 30 March 2018, 14:53:56 UTC api: Refactor /endpoint policies API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 03 April 2018, 02:38:07 UTC
9833794 Ian Vernon 02 April 2018, 17:26:44 UTC gitignore: add generated JUnit XML files Signed-off by: Ian Vernon <ian@cilium.io> 03 April 2018, 02:09:34 UTC
c4b4251 Ian Vernon 02 April 2018, 21:56:16 UTC test/runtime: wait for endpoints to be ready after setting NAT46 config Now that `EndpointSetConfig` does not wait for endpoints to be ready after setting their configuration values, we need to wait for endpoints to regenerate separately. Otherwise, tests might try to test the datapath before it is configured for a specific endpoint in accordance with policy that has been imported. Signed-off by: Ian Vernon <ian@cilium.io> 03 April 2018, 00:57:25 UTC
2fa9068 Manali Bhutiyani 31 March 2018, 19:18:52 UTC policy: Allow only if all topics in a request are allowed Currently, If a request (e.g. a produce) has multiple topics, and one topic is allowed by policy, the whole request is allowed. This is a security hole and should be changed to only allow a request if all the topics are allowed. Fixes: #3397 Signed-Off-by: Manali Bhutiyani <manali@covalent.io> 03 April 2018, 00:09:10 UTC
4d38393 Manali Bhutiyani 31 March 2018, 19:21:04 UTC Tests: Extend tests to test multi-topic requests Fixes: #3397 Signed-Off-by: Manali Bhutiyani <manali@covalent.io> 03 April 2018, 00:09:10 UTC
12d7acb Jarno Rajahalme 02 April 2018, 22:00:13 UTC test: Use current cilium-builder also for Ginkgo tests. The cilium-builder image has been updated for the main Dockerfile, but the docker-compose.yml reference was left intact. Update it too. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 02 April 2018, 23:54:01 UTC
f9000c8 André Martins 02 April 2018, 16:46:18 UTC daemon: update CNP with timestamps in case of failure Signed-off-by: André Martins <andre@cilium.io> 02 April 2018, 20:08:17 UTC
482e20b Joe Stringer 30 March 2018, 17:59:02 UTC test: Add test for L3DL7 + L3CIDR Add a test that introduces an L3-dependent L7 in-cluster egress rule which denies all traffic, plus a separate L3 CIDR egress rule. External access should not occur via the proxy. This detects issue #3414. Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
ec0b424 Joe Stringer 30 March 2018, 21:49:53 UTC test: Add TCP request to egress world test Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
6961a5d Joe Stringer 30 March 2018, 17:46:24 UTC test: Refactor CIDR egress to world check This will be reused in an upcoming commit. Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
47b3a84 Joe Stringer 30 March 2018, 17:29:10 UTC test: Improve failed policy import message When policy import fails, print the poolicy as well. Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
884be34 Joe Stringer 30 March 2018, 23:00:32 UTC bpf: Lookup L3-dependent L4 proxyport separately L3-dependent L4 proxyport should only ever be found via the lookup in the label-based policy enforcement, and never be found via the CIDR-dependent L4 policy lookup. Split it out. Fixes: #3414 Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
e2ca182 Joe Stringer 30 March 2018, 22:45:19 UTC endpoint: Refactor CFG_L4_*GRESS accumulation Refactor the way that we generate CFG_L4_INGRESS and CFG_L4_EGRESS. An upcoming commit will split this into two, to differentiate l3-dependent L4 vs. L3-independent L4. Signed-off-by: Joe Stringer <joe@covalent.io> 02 April 2018, 20:07:34 UTC
3a1fa4f Ray Bejjani 29 March 2018, 19:45:47 UTC api: Refactor /config API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 02 April 2018, 16:10:06 UTC
9060351 Ray Bejjani 02 April 2018, 13:42:12 UTC policy: Add missing EntitySlice autogen code 02 April 2018, 15:53:09 UTC
882e062 Thomas Graf 02 April 2018, 05:33:44 UTC Prepare for 1.0.0-rc9 release Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 05:34:53 UTC
f1d4144 Thomas Graf 01 April 2018, 05:34:32 UTC policy: Do not populate reserved policy maps anymore The datapath no longer uses them, remove all code to keep them up to date Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
6103362 Thomas Graf 31 March 2018, 18:19:07 UTC bpf: Remove ALLOW_TO_HOST It is no longer required now that egress support has been merged. Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
464089b Thomas Graf 01 April 2018, 05:01:41 UTC policy: Do not check source labels for each ToPorts entry Existing code was checking the required source labels for each entry in the ToPorts slice. This is unnecessary and obstructs the code. Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
c389010 Thomas Graf 01 April 2018, 04:27:18 UTC policy: Support entity based L4 - Combines Entity and Endpoint labels into a single EndpointSelectors slice - Removes dead code in mergeL4Egress() as ctx.To is *never* set Fixes: #3421 Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
ce44320 Thomas Graf 01 April 2018, 04:13:47 UTC policy: Split API into individual files Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
2b249d2 Thomas Graf 01 April 2018, 04:04:57 UTC policy: Add ability to represent entities as endpoint selectors Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
0252ef2 Thomas Graf 01 April 2018, 03:54:29 UTC policy: Move WildcardEndpointSelector to api package Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:31 UTC
705cadd Thomas Graf 01 April 2018, 23:58:12 UTC option: Only validate options if change is requested This allows to send the entire set of options including immutable options as long as their value is unchanged. This is useful as it allows to ensure that the set of all options is x, where x is a combination of mutable and immutable options. Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:12 UTC
e4cfece Thomas Graf 01 April 2018, 17:37:16 UTC test: Fix connectivity policy and test for conntrack disabled case Signed-off-by: Thomas Graf <thomas@cilium.io> 02 April 2018, 04:11:12 UTC
16fb3a8 Ray Bejjani 01 April 2018, 03:35:42 UTC api: Deprecate PATCH /endpoint for 1.0 We need to continue to support plugins that create endpoints with PATCH but we will transition to a scheme where we only PATCH /endpoint/config 02 April 2018, 04:11:12 UTC
4a88925 Ray Bejjani 01 April 2018, 03:35:42 UTC api: Refactor /endpoint/config API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 02 April 2018, 04:11:12 UTC
a2571a2 Thomas Graf 31 March 2018, 19:25:20 UTC cli: Fix cilium bpf policy get Print numeric when label resolution does not work Fixes: #3318 Signed-off-by: Thomas Graf <thomas@cilium.io> 01 April 2018, 02:19:22 UTC
c60623a Ray Bejjani 28 March 2018, 13:35:29 UTC api: Refactor /endpoint/labels API for 1.0 https://github.com/cilium/cilium/issues/3280 We want the API to be more declarative and to reflect the difference between the desired configuration and the one in effect. Signed-off-by: Ray Bejjani <ray@covalent.io> 01 April 2018, 01:46:05 UTC
ead59b2 Thomas Graf 30 March 2018, 16:32:32 UTC bpf: Define size of policy prog map via node_config.h The policy prog map needs a much lower limit as it is constrained only by the number of endpoints per node. Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
4cf8d0f Thomas Graf 29 March 2018, 17:48:53 UTC bpf: Rename lxcmap MaxKeys to MaxEntries to be consistent Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
5963e8c Thomas Graf 29 March 2018, 17:38:49 UTC bpf: Define size of ipcache map via node_config.h The size of the map is unchanged Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
2ff0aa9 Thomas Graf 29 March 2018, 17:31:40 UTC bpf: Increase policymap size to 16K Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
8536733 Thomas Graf 29 March 2018, 17:27:28 UTC bpf: Increase CIDR map size to 16K Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
9935adb Thomas Graf 29 March 2018, 17:16:22 UTC bpf: Increase proxymap size to 524288 Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
5f4db9a Thomas Graf 29 March 2018, 14:58:29 UTC bpf: Define size of loadbalancing maps via node_config.h Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:42 UTC
3abffe1 Thomas Graf 31 March 2018, 19:06:44 UTC test: Disable unstable Kafka runtime test Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 19:08:01 UTC
c1ee315 Thomas Graf 31 March 2018, 17:33:40 UTC test: Disable unstable test K8sValidatedUpdates Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 17:34:23 UTC
312c99f Jarno Rajahalme 30 March 2018, 21:53:33 UTC envoy: Make 403 message configurable. Accept a new '--403-msg' command line option to specify the message returned in 403 responses. Defaults to "Access denied". Note that the message is returned in HTML body and needs to be HTML encoded. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 31 March 2018, 15:18:53 UTC
affad13 Ian Vernon 30 March 2018, 22:21:13 UTC pkg/endpoint: misc. comments and log message cleanup Clearly specify that localhost egress access is a special case in the datapath when utilizing Endpoint.checkEgressAccess(). Clean up log messages. Signed-off by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
c46fcbc Ian Vernon 30 March 2018, 22:10:39 UTC daemon: add host IPs to IPCache Egress to host did not work with policy containing toEndpoints "reserved:host" label because previously, only endpoint IPs were added to the local IPCache in each cilium-agent. To allow for label-based selecting of the host, we need to add the host IPs to the IPCache so lookup in the datapath succeeds when mapping the IP of the host to its identity. Signed-off by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
3238677 Ian Vernon 30 March 2018, 22:02:40 UTC daemon: log when OnIPIdentityCacheChange gets called Signed-off-by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
28f6240 Ian Vernon 30 March 2018, 22:01:50 UTC pkg/ipcache: export Upsert functionality for use in daemon initialization Also use new logfield "Modification" for logging cacheModification in log message. Signed-off-by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
3a52997 Ian Vernon 30 March 2018, 22:00:10 UTC pkg/logging/logfields: add Modification logfield Signed-off-by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
f602e9d Ian Vernon 30 March 2018, 21:11:22 UTC pkg/maps/ipcache: remove marking ipcache BPF map as non-persistent Since garbage collection is now performed in this map, we do not have to mark the map as non-persistent. If it is marked as non-persistent, this means that ongoing connections on endpoints with egress policy enabled will be terminated due to the clearing of the ipcache map upon start of the Cilium agent. Signed-off-by: Ian Vernon <ian@cilium.io> 31 March 2018, 08:00:29 UTC
ec53bab Ian Vernon 29 March 2018, 22:42:42 UTC bugtool: add output of `cilium bpf ipcache list` Signed-off by: Ian Vernon <ian@cilium.io> 31 March 2018, 06:24:46 UTC
e6a559a Thomas Graf 31 March 2018, 06:10:01 UTC test: Disable unstable K8sValidatedKafkaPolicyTest KafkaPolicies test Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 06:10:56 UTC
25d4dc0 Thomas Graf 31 March 2018, 04:03:33 UTC test: Temporarily disable default deny egress test Signed-off-by: Thomas Graf <thomas@cilium.io> 31 March 2018, 04:52:06 UTC
82fbce1 Eloy Coto 29 March 2018, 11:05:43 UTC Test: Complete Egress default-deny test In Egress default-deny tested that the endpoint has policy enabled but connectivity was not tested. This changes make sure that the changes are updated correctly. Also, some refactoring in the test to use BeforeAll,AfterAll and make things a bit faster. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 March 2018, 14:07:36 UTC
f8c58b0 Jarno Rajahalme 30 March 2018, 02:25:22 UTC .gitignore: Ignore 'envoy/external' which is needed for gdb Running Envoy tests under gdb requires the sources to be available via 'external'. It should be created as a symlink to 'bazel-envoy/external' once bazel has fetched the dependencies. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 30 March 2018, 14:06:56 UTC
b41f1b4 Jarno Rajahalme 30 March 2018, 02:25:22 UTC envoy: Treat empty NPDS correctly. No resources means we should delete all cached policies, rather than return without doing anything. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 30 March 2018, 14:06:56 UTC
309443e Jarno Rajahalme 30 March 2018, 02:25:21 UTC envoy: Add nphds gRPC client. Refactor gRPC subscription code to share it for host IP - security ID mapping. We never supported using more than one "xdsCluster", hard code it so that we don't need to keep configuring it from all filter instances. Change "bpf_root" default to an empty string, and do not use bfp if "bpf_root" is not configured. Do not try to remove proxymap entries if we don't know the proxy_port (zero proxy_port implies no bpf). Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 30 March 2018, 14:06:56 UTC
93053ea Ian Vernon 29 March 2018, 21:35:39 UTC test/bpf: update unit test to account for allow-all CIDR Signed-off by: Ian Vernon <ian@cilium.io> 30 March 2018, 14:05:49 UTC
cc5809f Ian Vernon 29 March 2018, 21:32:14 UTC bpf: fix GET_PREFIX to account for zero length This allows CIDRs with mask 0 to function correctly in the datapath. This fixes the issue where egress traffic is not allowed to world (0.0.0.0/0) when it should be. Signed-off by: Ian Vernon <ian@cilium.io> 30 March 2018, 14:05:49 UTC
3cc32c0 Ian Vernon 29 March 2018, 15:52:17 UTC test/runtime: add egress to world entity test Add a simple datapath test to ensure that adding egress policy allowing traffic to entity 'world' is plumbed appropriately and is enforced in the datapath. Signed-off by: Ian Vernon <ian@cilium.io> 30 March 2018, 14:05:49 UTC
fc87d6f Eloy Coto 30 March 2018, 11:47:45 UTC Test: Fix issue with cilium bugtool When test has `:` in the name, cilium bugtool didn't work correctly. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 March 2018, 14:03:12 UTC
d010855 Ian Vernon 29 March 2018, 23:05:35 UTC pkg/ipcache: update previous identity -> IP mapping in ipcache upon identity update for IP If the identity is updated for an endpoint, the XDS cache not only needs to have the new identity to list of IPs mapping updated, it needs to have the old identity to IP mapping updated as well to account that the IP for which a key-value store Create or Modify event no longer maps to its old identity. Delete the identity from the XDS cache if it no longer maps to any IPs in the IPIdentityCache, or update it with the list of IPs that it still maps to. Signed-off by: Ian Vernon <ian@cilium.io> 30 March 2018, 14:02:22 UTC
fc4c025 Joe Stringer 30 March 2018, 00:32:54 UTC bpf: Fix ingress CIDR lookup This check was previously using the wrong address, so CIDRs would never match. Signed-off-by: Joe Stringer <joe@covalent.io> 30 March 2018, 14:01:58 UTC
95ebe3a Joe Stringer 30 March 2018, 00:18:54 UTC cidrmap: Log when inserting/removing entries Related: #3304 Signed-off-by: Joe Stringer <joe@covalent.io> 30 March 2018, 14:01:58 UTC
fb47bf3 Eloy Coto 29 March 2018, 14:50:53 UTC Test: Fix logger testName Fix #3367 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 30 March 2018, 06:57:31 UTC
18d1ed4 Romain Lenglet 30 March 2018, 00:20:53 UTC xds: Handle NACKs of initial versions of resources Signed-off-by: Romain Lenglet <romain@covalent.io> 30 March 2018, 02:05:23 UTC
41fa2d3 Ian Vernon 29 March 2018, 19:38:46 UTC test/runtime: reduce redundant arguments in policy formatting Use string formatting index references to populate policies within test. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
8864c72 Ian Vernon 29 March 2018, 19:16:42 UTC test/runtime: send output of cilium-agent to logger The kvstore test stops the cilium service, and starts the process directly. Thus, no logs are sent to syslog; edit the command which runs the cilium-agent to send output to syslog for debugging. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
a137867 Ian Vernon 29 March 2018, 18:54:19 UTC cmd: add documentation and TODO for updatePolicyKey Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
da43a12 Ian Vernon 29 March 2018, 18:47:03 UTC pkg/k8s: remove remove duplicate port check for egress rules Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
d40ca2b Ian Vernon 29 March 2018, 18:45:02 UTC pkg/endpoint: cleanup formatting of log message Move fields in log message to be on each line for easier readability. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
cd9318e Ian Vernon 29 March 2018, 18:43:37 UTC cilium/cmd: refactor parseTrafficString Use a switch statement instead of if-else chain. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
461b151 Ian Vernon 29 March 2018, 18:41:28 UTC pkg/policy: remove outdated TODO message Unit tests are added for ResolveL4EgressPolicy, so remove TODO message to add unit tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3bff09e Ian Vernon 29 March 2018, 18:40:55 UTC pkg/endpoint: add GitHub issue number for egress ConnTrack work Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
22e402d Ian Vernon 29 March 2018, 18:40:28 UTC daemon: add TODO for GH-3394 Add TODO message for egress policy tracing. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
d1d42a4 Joe Stringer 29 March 2018, 17:23:50 UTC bpf: Fix non-CT egress policy address lookup When conntrack is disabled, the destination address in the ct_tuple is not flipped, so egress IP->ID lookup was using the wrong address to lookup the destination identity. Fix it up. Signed-off-by: Joe Stringer <joe@covalent.io> 29 March 2018, 23:54:02 UTC
c1584a1 Ian Vernon 29 March 2018, 04:10:22 UTC pkg/endpoint: populate AllowedEgressIdentities in GetPolicyModel Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
2c5d299 Ian Vernon 29 March 2018, 04:09:50 UTC api: add allowed-egress-identities to EndpointPolicy Add list of allowed identities for egress communication. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
cb2f6b8 Ian Vernon 29 March 2018, 03:43:53 UTC test/runtime/manifests: update conntrack test policies to account for label-based egress Now that we do label-based lookups for egress in datapath, need to explicitly add label-based egress policies because the agent's policy enforcement mode is set to 'always' (default deny for egress) for these tests. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
883125c Ian Vernon 28 March 2018, 20:32:41 UTC test/runtime: add L3-dependent L7 policy and commented-out tests Tests are commented out because egress L3-dependent-L7 still needs to be added to Cilium. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
3a9d56a Ian Vernon 28 March 2018, 06:08:11 UTC test/runtime: add egress L4 with L3 label wildcard test Misc. comment fixes as well. Signed-off by: Ian Vernon <ian@cilium.io> 29 March 2018, 23:54:02 UTC
back to top