3389456 | Thomas Graf | 15 February 2018, 21:29:56 UTC | bpf: Allow CT creation on FIN After policy changes, the conntrack table is being cleared and adjusted. However, the proxy may still be closing connections to/from the endpoint. The packet exchange required for the closing was not allowed because CT re-creation was prevented for FIN and RST packets. Given that the policy table is always consulted on every packet, it is safe to create a CT entry even on RST/FIN to not slow down the connection termination. Signed-off-by: Thomas Graf <thomasa@cilium.io> | 16 February 2018, 00:30:57 UTC |
9ad6ebd | Thomas Graf | 15 February 2018, 19:33:15 UTC | Update NEWS for 1.0.0-rc4 Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 February 2018, 21:08:50 UTC |
474b72f | Thomas Graf | 15 February 2018, 19:32:44 UTC | endpoint: Fix endpoint restore functionality Commit 7948462f5 "pkg/endpoint: rename Endpoint SecLabels field" unintentionally broke endpoint restore across upgrades crossing the commit. Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 February 2018, 20:46:17 UTC |
95a2c8a | Thomas Graf | 15 February 2018, 17:17:05 UTC | bpf: Remove old calls map when inserting endpoint programs This allows upgrading the format of the endpoint calls map Related: #2799 Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 February 2018, 18:47:47 UTC |
44c9a95 | Joe Stringer | 15 February 2018, 00:57:12 UTC | Ginkgo: log docker execution in verbose mode When in verbose mode, print all commands that are executing in the runtime tests. Signed-off-by: Joe Stringer <joe@covalent.io> | 15 February 2018, 14:35:00 UTC |
ea1358c | Ray Bejjani | 14 February 2018, 18:51:49 UTC | k8s: Avoid references in CNP CRD validation We previously used references to previous types in our CiliumNetworkPolicy validation. As of k8s 1.9.3 this is explicitly an error (apparently it didn't work to begin with): https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.9.md#other-notable-changes CustomResourceDefinitions: OpenAPI v3 validation schemas containing $ref references are no longer permitted (valid references could not be constructed previously because property ids were not permitted either). Before upgrading, ensure CRD definitions do not include those $ref fields. (#58438, @carlory) This change restructures how we build the validation, allowing us to use references to the objects in go instead of relying on the late-binding scheme from before. Signed-off-by: Ray Bejjani <ray@covalent.io> | 15 February 2018, 09:35:35 UTC |
4566a55 | Thomas Graf | 15 February 2018, 01:36:12 UTC | kafka: Use policy identity cache to lookup identity for L3 dependant rules Fixes Issue: #2824 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Manali Bhutiyani <manali@covalent.io> | 15 February 2018, 07:02:18 UTC |
8f22e72 | Thomas Graf | 15 February 2018, 00:30:55 UTC | kafka: Test wildcard kafka rule Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 February 2018, 02:50:24 UTC |
b46592a | Thomas Graf | 15 February 2018, 01:01:06 UTC | allocator/proxy: Avoid concurrent access of rand.Rand Fixes: #2808 Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 February 2018, 02:28:20 UTC |
afd1d5b | Romain Lenglet | 13 February 2018, 02:15:03 UTC | endpoint: Move deletion of obsolete proxy redirects until after BPF regeneration To avoid traffic loss, wait for the new policy to be computed and compiled into BPF before deleting obsolete redirects, to make sure no packets are redirected to those ports. Replace the tracking of redirects to delete with a tracking of the redirects that have been realized, to simplify the logic. Fixes: #2796 Signed-off-by: Romain Lenglet <romain@covalent.io> | 15 February 2018, 00:26:06 UTC |
6a8b489 | Romain Lenglet | 12 February 2018, 23:18:27 UTC | endpoint: Limit proxy completion timeout to proxy updates Wait for proxy redirect completion before generating policies that redirect traffic to proxy redirect ports, to prevent traffic loss. Reduce the proxy completion timeout to 10 seconds again, since policy regeneration is now excluded from the timeout. Fixes: #2788 Signed-off-by: Romain Lenglet <romain@covalent.io> | 15 February 2018, 00:26:06 UTC |
7948462 | Ian Vernon | 13 February 2018, 15:57:03 UTC | pkg/endpoint: rename Endpoint SecLabels field Address the FIXME comment to rename Endpoint's SecLabels field to SecurityIdentity. This results in more consistent naming across the code. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:22:44 UTC |
f5fe001 | Ian Vernon | 14 February 2018, 18:04:41 UTC | pkg/policy: add comment in wasLastRule to be outside of it Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
d5280f4 | Ian Vernon | 13 February 2018, 22:28:05 UTC | pkg/endpoint: create slice with capacity Be more efficient in creation of slice of identities in GetPolicyModel, as we know how many entries will be added to it. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
479ee2a | Ian Vernon | 13 February 2018, 02:44:10 UTC | clarify addition of security identities for ingress policy Rephrase some comments and log messages to specify that we are tracking security policies for ingress, not "ingress security policies", which may be confusing. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
a543d6b | Ian Vernon | 13 February 2018, 00:45:51 UTC | pkg/policy: add TODO for ReverseRules clean up Add link to #2795, which documents issues with the implementation of ReverseRules, which is populated when ConnTrack is not enabled for an endpoint. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
f092fa5 | Ian Vernon | 12 February 2018, 22:45:44 UTC | pkg/policy: fix logic in wasLastRule Checking if the value in the map is false is not enough; we need to check if the entry exists to determine if we can remove the identity from the policy maps for a Consumable. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
29155b0 | Ian Vernon | 12 February 2018, 20:26:42 UTC | pkg/policy: remove isIdentityAllowed function Also fix logic for AllowsIngressIdentityLocked to correctly determine whether the provided identity is in the map or not. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
62e1756 | Ian Vernon | 09 February 2018, 21:36:16 UTC | tests: update test to reflect change in API Reflect change in JSON for endpoint policy from allowed-consumers to allowed-ingress-identities. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
8c71d6b | Ian Vernon | 09 February 2018, 21:33:35 UTC | pkg: update API models to reflect removal of Consumer Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
c8b30d9 | Ian Vernon | 09 February 2018, 21:32:02 UTC | api: change allowed-consumers to allowed-ingress-identities Reflect removal of Consumers in API. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
533ab78 | Ian Vernon | 09 February 2018, 21:00:04 UTC | change code to not contain references to Consumer Change variable names, code comments to remove notion of Consumer. Signed-off by: Ian Vernon <ian@cilium.io.> | 14 February 2018, 22:07:13 UTC |
2fcab0c | Ian Vernon | 09 February 2018, 18:46:24 UTC | pkg/policy: rename Consumers to Ingress Identities Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
b3c6ecc | Ian Vernon | 09 February 2018, 18:43:43 UTC | pkg/maps/policymap: get rid of Consumer in function names Change functions to refer to identities instead of Consumers. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
e69cb1f | Ian Vernon | 09 February 2018, 18:34:25 UTC | pkg/policy: get rid of Consumer type Signed-off by: Ian Vernon <ian@cilium.io>: | 14 February 2018, 22:07:13 UTC |
47beac7 | Ian Vernon | 09 February 2018, 18:33:59 UTC | change Consumable ReverseRules to map to boolean instead of Consumer Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
2455b07 | Ian Vernon | 09 February 2018, 18:14:13 UTC | change Consumable Consumers map to map from identity to boolean Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
d74eee4 | Ian Vernon | 09 February 2018, 15:22:32 UTC | pkg/policy: get rid of functions with Consumer receiver StringID isn't used anymore anywhere, and NewConsumer doesn't provide much value. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
c6c60fa | Ian Vernon | 09 February 2018, 15:20:14 UTC | pkg/policy: remove Reserved field from Consumer This field is useless, as it is never populated. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
248a79c | Ian Vernon | 09 February 2018, 02:58:31 UTC | test/runtime: added ReportFailed for conntrack test Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
04c62be | Ian Vernon | 06 February 2018, 22:24:43 UTC | pkg/policy: remove Decision field from Consumer This field never actually stored any useful information about policy decision. It was never set to anything other than api.Allowed. As such, remove it. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
b9b0418 | Ian Vernon | 06 February 2018, 18:00:45 UTC | pkg/policy: change key of Consumers from string to NumericIdentity Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
7421877 | Ian Vernon | 06 February 2018, 22:13:38 UTC | pkg/policy: remove GetConsumables function This function is never used and thus is dead code, so remove it. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 22:07:13 UTC |
d092dee | Eloy Coto | 11 February 2018, 10:35:45 UTC | Ginkgo: Add Kubernetes 1.9 support Added kubernetes 1.9 support in vagrantfile and added that version in Nightly test Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 14 February 2018, 18:49:27 UTC |
d74c737 | Eloy Coto | 14 February 2018, 16:16:12 UTC | Ginkgo: Dump all cilium logs in case of a fail At the moment the report only saves the logs for Cilium pod on node k8s1. With this commit, we save all Cilium pods logs. (This covers nightly too, where four nodes are deployed) Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 14 February 2018, 17:44:00 UTC |
70043b4 | Ian Vernon | 11 February 2018, 19:52:29 UTC | tests: deprecate 20-identity-list.sh Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 17:39:03 UTC |
e3ab17a | Ian Vernon | 11 February 2018, 19:26:12 UTC | test/runtime: add identity list test Migrate tests/20-identity-list.sh to Ginkgo framework. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 17:39:03 UTC |
760ffba | Ian Vernon | 11 February 2018, 19:02:46 UTC | test/runtime: mark CLI tests as validated Also make name of identity get test more specific. Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 17:39:03 UTC |
e9673fd | Ian Vernon | 11 February 2018, 19:02:13 UTC | tests: deprecate 19-identity-get.sh Signed-off by: Ian Vernon <ian@cilium.io> | 14 February 2018, 17:39:03 UTC |
4f6acaa | Ray Bejjani | 14 February 2018, 15:25:04 UTC | k8s: k8s 1.9 compatible version parsing On minikube 0.25.0, at least, cilium-agent cannot parse the k8s version because ServerVersion.major and .minor are not populated. gitVersion is and we fall back to parsing that instead. Signed-off-by: Ray Bejjani <ray@covalent.io> | 14 February 2018, 17:33:21 UTC |
97faf61 | Romain Lenglet | 08 February 2018, 07:37:53 UTC | envoy: Integrate the LDS/RDS server with the new XDS server backend Signed-off-by: Romain Lenglet <romain@covalent.io> | 14 February 2018, 05:12:31 UTC |
ecfe94e | Romain Lenglet | 08 February 2018, 07:08:27 UTC | xds: Support completion of cache updates with ACKs from proxies Define new ResourceVersionAckObserver to receive notifications of ACKs from proxies. Callback observers in Server. Implement AckingResourceMutatorWrapper to wrap a Cache and complete a Completion when a Cache update is ACKed by proxies. Signed-off-by: Romain Lenglet <romain@covalent.io> | 14 February 2018, 05:12:31 UTC |
7aeea7c | Romain Lenglet | 08 February 2018, 00:01:09 UTC | envoy: Use same Envoy Node ID structure as in Istio sidecar proxy Signed-off-by: Romain Lenglet <romain@covalent.io> | 14 February 2018, 05:12:31 UTC |
798293d | Jarno Rajahalme | 13 February 2018, 19:40:28 UTC | envoy: Set source identity correctly in access log. Since 22cfad197 the source identity is in the upper 16 bits of the mark. Fixes: 22cfad197 ("bpf: Use upper 16 bits for identity") Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 13 February 2018, 21:40:00 UTC |
64b3f53 | André Martins | 08 February 2018, 21:20:57 UTC | examples/polices: fixed default-deny examples Signed-off-by: André Martins <andre@cilium.io> | 13 February 2018, 20:56:19 UTC |
ea78a26 | André Martins | 08 February 2018, 18:50:35 UTC | k8s: implemented kubernetes network policy default deny Signed-off-by: André Martins <andre@cilium.io> | 13 February 2018, 20:56:19 UTC |
15138cf | André Martins | 13 February 2018, 12:05:15 UTC | pkg/endpoint: return WaitForProxyCompletion errors Signed-off-by: André Martins <andre@cilium.io> | 13 February 2018, 19:26:10 UTC |
b5f3183 | Nirmoy Das | 13 February 2018, 09:20:49 UTC | Makefile: enable backslash escapes for echo Signed-off-by: Nirmoy Das <ndas@suse.de> | 13 February 2018, 15:37:09 UTC |
6a6ced4 | André Martins | 11 February 2018, 16:53:00 UTC | common/plugins: replaced sysctl invocation with echo redirect Signed-off-by: André Martins <andre@cilium.io> | 13 February 2018, 11:47:11 UTC |
2da54a4 | Romain Lenglet | 12 February 2018, 18:39:36 UTC | endpoint: Increase the proxy completion timeout to 1 minute Fixes: #2788 Signed-off-by: Romain Lenglet <romain@covalent.io> | 12 February 2018, 21:19:14 UTC |
3523143 | Michal Rostecki | 30 January 2018, 16:03:18 UTC | pkg/envoy: Move all operations on the cmd to StartEnvoy The Envoy struct contains the attribute for managing the Envoy process. Different operations (like starting, waiting and killing) shouldn't happen at the same time, so we need to ensure that only one method is doing them. That's why supervising of the Envoy process is moved to a goroutine inside StartEnvoy method. And StopEnvoy method only closes the "stop channel" and gets an error, through another channel. Fixes: #2631 Signed-off-by: Michal Rostecki <mrostecki@suse.com> | 12 February 2018, 18:17:32 UTC |
2a07843 | Eloy Coto | 08 February 2018, 15:11:32 UTC | Jenkins: Adjust timeouts With the new behaviour of Jenkins some builds died over timeout. The global timeout counts from start of the build (including time in the queue). With this patch the timeouts are set in the stage part. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 12 February 2018, 16:07:36 UTC |
97fedbb | Ian Vernon | 11 February 2018, 18:50:29 UTC | test/runtime: address misc. review comments * Fix indentation * Make test name in log field consistent with actual test name * Add message to Ginkgo assertion in case of failure Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
3a24b69 | Ian Vernon | 11 February 2018, 18:48:22 UTC | test/helpers: add missing single quotation mark in log message Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
8b92531 | Ian Vernon | 11 February 2018, 04:39:43 UTC | tests: deprecate 20-cidr-limit.sh Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
22215b7 | Ian Vernon | 11 February 2018, 04:38:11 UTC | test/runtime: migrate 20-cidr-limit test to Ginkgo Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
452bf7b | Ian Vernon | 11 February 2018, 04:34:23 UTC | test/helpers: add log to ContainerRm function Add log which says that container is being deleted. Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
4f55c02 | Ian Vernon | 11 February 2018, 04:33:56 UTC | test/helpers: misc. enhancements * Rename PolicyImport function to PolicyImportAndWait, as it waits until the policy revision number is incremented before returning. * Add PolicyImport function, which does not wait after a policy is imported. Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
4c8abbe | Ian Vernon | 11 February 2018, 00:10:52 UTC | test/runtime: factor out policy import tests into separate Describe Factor out these tests into a separate Describe, as no containers are needed to be launched in these tests. Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
53840fc | Ian Vernon | 10 February 2018, 20:11:54 UTC | test/runtime: change variable names to reflect types of invalid policy Signed-off by: Ian Vernon <ian@cilium.io> | 12 February 2018, 16:02:17 UTC |
035605f | André Martins | 11 February 2018, 22:12:18 UTC | tests: deprecating 18-kvstore.sh test Signed-off-by: André Martins <andre@cilium.io> | 12 February 2018, 01:43:16 UTC |
46c08b7 | Ian Vernon | 10 February 2018, 07:12:08 UTC | tests: deprecate 17-cilium_policy-id-remove.sh Signed-off by: Ian Vernon <ian@cilium.io> | 11 February 2018, 18:43:09 UTC |
7b072e5 | Ian Vernon | 10 February 2018, 07:11:00 UTC | test/runtime: migrate 17-cilium_policy-id-remove.sh test Migrate bash test to Ginkgo framework Signed-off by: Ian Vernon <ian@cilium.io> | 11 February 2018, 18:43:09 UTC |
040fc5c | Ian Vernon | 10 February 2018, 07:10:28 UTC | test/helpers: add WaitEndpointsDeleted function This waits until all endpoints except for cilium-health are deleted. Signed-off by: Ian Vernon <ian@cilium.io> | 11 February 2018, 18:43:09 UTC |
4ec32af | Daniel Borkmann | 11 February 2018, 00:27:36 UTC | bpf, init: don't use sysctl, just write setting directly Martin reported that sysctl binary is not available in CoreOS hyperkube image and thus Cilium fails in init. Let's just not use the binary and write the setting directly instead. Reported-by: Martin Mailand <martin@tuxadero.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 11 February 2018, 08:25:14 UTC |
6bf5e4e | Daniel Borkmann | 09 February 2018, 21:35:43 UTC | bpf: fix complexity issues around recent CT changes on 4.9 kernels The single heavy hitter in complexity in our BPF progs right now is the slave selection based on weights in the LB. Reason is that in the verifier pruning, a couple of assumptions cannot be made once the kernel sees that there's one or multiple usages with dynamic map access and thus we bump from ~30k to ~90k closely hitting limits and for older 4.9 kernels that don't have the 98k complexity limit we easily overrun the 68k. Now with this change the heavy hitter in section '2/10' (IPv6 handling) reduces down to ~30k and loads fine on my side. It also allows us to remove the relax_verifier() pseudo helper again. Thus for the LB fall back to just use hash-based which afaik is the default anyway in our case. We can enable this for more recent kernels that have a smarter verifier if we want to. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 11 February 2018, 08:25:14 UTC |
78aa0aa | Ian Vernon | 11 February 2018, 00:13:02 UTC | ginkgo.Jenkinsfile: bump timeout to 90 minutes 60 minute limit kept getting hit, which caused Jenkins to forcibly abort PRs. Signed-off by: Ian Vernon <ian@cilium.io> | 11 February 2018, 01:34:07 UTC |
e5f4443 | Ian Vernon | 09 February 2018, 23:52:10 UTC | tests: deprecate 14-policy-enforcement-docker.sh Corresponding Ginkgo test has been marked as validated already. Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:32:02 UTC |
08fee04 | Ian Vernon | 09 February 2018, 21:48:00 UTC | test/runtime: validate connectivity.go Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:31:37 UTC |
db49090 | Ian Vernon | 09 February 2018, 21:57:04 UTC | tests: deprecate 03-docker.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:31:37 UTC |
b2c724e | Ian Vernon | 09 February 2018, 21:53:19 UTC | tests: deprecate 08-nat46.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:31:37 UTC |
8bc9a6d | Ian Vernon | 09 February 2018, 21:47:29 UTC | tests: deprecate 01-ct.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:31:37 UTC |
484bdc5 | Ian Vernon | 09 February 2018, 23:36:08 UTC | test/runtime: mark lb.go as Validated Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:30:54 UTC |
dc45449 | Ian Vernon | 09 February 2018, 23:35:46 UTC | tests: deprecate 06-lb.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:30:54 UTC |
56e2625 | Ian Vernon | 10 February 2018, 00:00:31 UTC | tests: deprecate 13-fd-open.sh Corresponding Ginkgo test has already been marked as validated. Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:30:18 UTC |
18857b4 | Ian Vernon | 10 February 2018, 00:11:31 UTC | test/runtime: mark Kafka test as validated Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:29:42 UTC |
04a6939 | Ian Vernon | 10 February 2018, 00:10:20 UTC | tests: deprecate 07-kafka.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:29:42 UTC |
ffbc64a | Ian Vernon | 10 February 2018, 00:23:24 UTC | tests: deprecate Bash monitor tests Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:29:09 UTC |
ac87f11 | Ian Vernon | 10 February 2018, 02:00:55 UTC | test/runtime: mark RuntimePolicies as validated Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:28:33 UTC |
0411dac | Ian Vernon | 10 February 2018, 02:00:30 UTC | tests: deprecate 11-getting-started.sh Signed-off by: Ian Vernon <ian@cilium.io> | 10 February 2018, 10:28:33 UTC |
deb2de2 | Romain Lenglet | 06 February 2018, 21:51:38 UTC | completion: Refactor proxy completion logic in a new package Move the completion into its own package: github.com/cilium/cilium/pkg/completion. Rename CompletionContainer into WaitGroup to reflect the similarity with sync.WaitGroup. Refactor Completion and WaitGroup to take a Context and handle context cancellation. Rename Completion.Completed into Complete to make it a verb. Added Completion.Completed method to return a channel, to make it easier to use in unit tests. Revert the (de)serialization of the ProxyCompletions field to/from JSON within the Endpoint struct, and rename ProxyCompletions into ProxyWaitGroup. Signed-off-by: Romain Lenglet <romain@covalent.io> | 10 February 2018, 01:00:39 UTC |
81e68c1 | Joe Stringer | 31 January 2018, 22:26:01 UTC | docs: Add endpoint to glossary Signed-off-by: Joe Stringer <joe@covalent.io> | 09 February 2018, 20:43:52 UTC |
4e562c7 | Joe Stringer | 31 January 2018, 22:25:41 UTC | docs: Sort glossary Signed-off-by: Joe Stringer <joe@covalent.io> | 09 February 2018, 20:43:52 UTC |
ac40ff4 | André Martins | 09 February 2018, 17:17:53 UTC | Revert "bpf: Relax the verifier in CT slow paths" This reverts commit e96c42ce4c733ecd665a7831d676d58dbd817f26. | 09 February 2018, 18:04:07 UTC |
e96c42c | Thomas Graf | 09 February 2018, 10:52:16 UTC | bpf: Relax the verifier in CT slow paths Signed-off-by: Thomas Graf <thomas@cilium.io> | 09 February 2018, 15:06:56 UTC |
4903142 | Eloy Coto | 09 February 2018, 08:42:14 UTC | Ginkgo: Fix issues with DNS Stopped and deleted the systemctl-resolved to avoid issues with kubedns Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 09 February 2018, 14:05:51 UTC |
4802cf4 | Ray Bejjani | 26 January 2018, 13:56:21 UTC | containerd: Remove synchronous syncWithRuntime init We synchronously ran syncWithRuntime before spawning the containerd listener and periodic sync. This could, at times, block waiting for docker and so block agent initialisation. This happens before the API socket is opened and resulted in the API not being served. This change removes the init call, relying on the timestamp passed to docker and the periodic sync running as soon as the goroutine is scheduled. Signed-off-by: Ray Bejjani <ray@covalent.io> | 09 February 2018, 08:22:32 UTC |
fafca54 | Ray Bejjani | 26 January 2018, 13:13:49 UTC | containerd: Add timeout to containerd syncToRuntime This call would sometimes block indefinitely. We now allow 10s to complete the ContainerList call, allowing the periodic sync to try again later. Signed-off-by: Ray Bejjani <ray@covalent.io> | 09 February 2018, 08:22:32 UTC |
78c7cd0 | Ian Vernon | 09 February 2018, 05:12:35 UTC | Jenkinsfile / tests: remove bash K8s stage All Bash-script based K8s tests have been migrated / validated to have equivalent coverage in the Ginkgo framework. Thus, there is no need to provision the Kubernetes VMs for the bash-script based build anymore. Signed-off by: Ian Vernon <ian@cilium.io> | 09 February 2018, 08:18:11 UTC |
cdd5e9e | Ian Vernon | 09 February 2018, 05:07:23 UTC | test: validate runtime policy tests Better now than never. Signed-off by: Ian Vernon <ian@cilium.io> | 09 February 2018, 08:18:11 UTC |
d369b8c | Ian Vernon | 09 February 2018, 05:05:08 UTC | tests: deprecate 04-bad-cnp-import.sh Signed-off by: Ian Vernon <ian@cilium.io> | 09 February 2018, 08:18:11 UTC |
bf255e7 | Ian Vernon | 09 February 2018, 05:01:37 UTC | tests: deprecate 99-restore-state.sh Ginkgo test/runtime/chaos.go covers restore functionality. Signed-off by: Ian Vernon <ian@cilium.io> | 09 February 2018, 08:18:11 UTC |
bc9df7b | Ian Vernon | 09 February 2018, 04:58:27 UTC | tests/k8s: deprecate 04-toservices-test.sh This was migrated by #2380, so we can deprecate it now. Signed-off by: Ian Vernon <ian@cilium.io> | 09 February 2018, 08:18:11 UTC |
a93aa77 | Jarno Rajahalme | 09 February 2018, 00:44:33 UTC | endpoint: Take read lock while accessing Consumable Parallel policy recomputations can update Consumable, so the reader has to protect against that. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 09 February 2018, 08:16:30 UTC |
658e01a | Jarno Rajahalme | 09 February 2018, 00:46:43 UTC | envoy: Lock stream server while adding remove completion. Internal slice manipulations must be protected, and one of the calls to addCompletions() missed this. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 09 February 2018, 04:46:27 UTC |
ca6e1cb | Thomas Graf | 08 February 2018, 19:44:18 UTC | bpf: Relax verifier in conntrack code Signed-off-by: Thomas Graf <thomas@cilium.io> | 08 February 2018, 21:43:46 UTC |
4dee158 | Thomas Graf | 08 February 2018, 13:49:17 UTC | bpf: Reduce the number of supported IPv6 extension headers This greatly reduces the complexity of the program Signed-off-by: Thomas Graf <thomas@cilium.io> | 08 February 2018, 21:43:46 UTC |
444aa65 | Thomas Graf | 07 February 2018, 23:18:17 UTC | bpf: Split IPv6 handling into separate tail call Signed-off-by: Thomas Graf <thomas@cilium.io> | 08 February 2018, 21:43:46 UTC |
79ae248 | Thomas Graf | 07 February 2018, 19:45:45 UTC | policy: Document what connections FromCIDR and ToCIDR apply to Signed-off-by: Thomas Graf <thomas@cilium.io> | 08 February 2018, 21:43:46 UTC |
e778731 | Thomas Graf | 05 February 2018, 13:19:43 UTC | bpf: Enforce to-world access via CIDR map Remove ALLOW_TO_WORLD define from the program and enforce all access to external services via the CIDR map. This simplifies the code and makes policy updates more atomic. Signed-off-by: Thomas Graf <thomas@cilium.io> | 08 February 2018, 21:43:46 UTC |