https://github.com/cilium/cilium

Revision Author Date Message Commit Date
e6befe1 Prepare for 1.0.0-rc14 release Signed-off-by: Thomas Graf <thomas@cilium.io> 22 April 2018, 17:59:58 UTC
b4cb0ca envoy: Use distinct Stats stores for each instance of a xDS client. [ upstream commit 2110a64e4b51d1baef6efa21557621b11968cf21 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
2270bfe envoy: Minor cleanup. [ upstream commit 181fada8bbe3de78c40ce160b81c61c67cc47d92 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
2662716 envoy: Initialize thread local host map with an empty map. [ upstream commit 94be14c72260cde45d1b7a981bb3629e7d54d3f5 ] Initialize with an empty map instead of a nullptr to make it less likely that a null pointer is found when resolving. Due to worker threads possibly initializing later than the main thread it is still possible (at least in theory) that a worker thread resolves before initializing so we still check the value of the thread local pointer. Perform the null pointer check before dereferencing it, as libc++ assertions fail otherwise. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
6b3f8cb npds: Don't wait for ACK from sidecar proxy with no L7 rules [ upstream commit 0118ac2c39df0070743107f89dc4e1f2e78678f5 ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
21742ba npds: Don't update NetworkPolicy if none has been calculated [ upstream commit 553ba7163c96e4af595e21af7119c7866168f473 ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
7d571e7 xds: Validate NPHDS updates before upserting [ upstream commit c2adbfe63c7058ffad74dfb8e4ff6006a4fd6386 ] This should catch recent errors such as the one reported in #3825. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
cf8c68e ginkgo-kubernetes-all.Jenkinsfile: increase timeouts [ upstream commit 803bd5437ad4d2a991b472035686f0f46ae32c86 ] Use a more generous timeout to allow for variability in build times. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
2172cd1 workloads: Silence noisy harmless warning [ upstream commit 53065cc51a7ac148571e7bafa160c354d99d3fa7 ] The following warning is repeated up to 20 times when a container create event is being handled but the container has already exited again: level=warning msg="Unable to inspect container, retrying..." containerID=ad5fd3ea00 error="unable to inspect container 'ad5fd3ea0031e00f5d0dbaac16b69bfb6c3b9d2894cbcf326be86ae2dd67df5f': Error: No such container: ad5fd3ea0031e00f5d0dbaac16b69bfb6c3b9d2894cbcf326be86ae2dd67df5f" maxRetry=20 retry=8 subsys=containerd-watcher The warning is absolutely harmless, move it to a debug message. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
92faf3d k8s: only watch for ingress changes if LB is enabled [ upstream commit 94f9a2cd4c2d24acc5f1159c507a2dc04a36c37f ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
b746224 ipcache: Avoid issuing delete for identity=0 [ upstream commit 3a7ceb132e0b3db1ec4bc7e367dbfdc09087ba70 ] Fixes: b6c5cb0f1bf5 ("ipcache: Shift NPHDS logic to envoy") Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
f0dfa85 start.sh: add routes based on VM name [ upstream commit 4923337104969f95825013f1b162ee935dc0d969 ] Add routes without hardcoded VM prefix name Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
ce6b79e Vagrantfile: re-add workaround for kube-proxy in node-2 [ upstream commit d5795a3405b44cbf2610e1096d397f79f64325c2 ] Since kube-proxy doesn't redirect traffic to the proper interface when translating from service IP to backend IP we need to re-add this workaround. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
8183260 envoy: Manage life-cycles of singleton maps properly. [ upstream commit 3179a2c326762d5c3b3e90a992a75a09b2183940 ] Both policy and host maps are managed as singletons, which are initialized when first required, and destructed when the last listener referring to them via Cilium filter instances is removed. Internally, the maps "post" configuration changes to Envoy worker threads via thread dispatch queues. These changes are packaged as C++ lambda closures. The problem with this is that while the "posts" are queued, it is possible for all the listeners to be removed, and thus the associated singleton maps being freed. If the posted closure refers to the (now stale) map, bad things can happen. Fix this by capturing either a weak or shared pointer to the lambda closure. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 22 April 2018, 04:45:20 UTC
e63acd9 Backport: Don't failfast on branch V1.0 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 20 April 2018, 18:39:16 UTC
7f322b0 k8s/specs: update image tag to v1.0.0-rc13 Signed-off-by: André Martins <andre@cilium.io> 20 April 2018, 16:57:27 UTC
a8a85ed k8s/specs: change imagePullPolicy to IfNotPresent Since we never change the image of docker image releases we can change the imagePullPolicy to IfNotPresent to avoid wasting resources. Signed-off-by: André Martins <andre@cilium.io> 20 April 2018, 16:57:27 UTC
0361f2b k8s: add some fixes to the kubernetes spec file This fixes the previous commit which had the RestartAlways set in the wrong place. Restart always will guarantee that kubelet will restart cilium in case of failure. Fixes: (e200aaffc1) k8s: add some fixes to the kubernetes spec file Signed-off-by: André Martins <andre@cilium.io> 20 April 2018, 16:57:27 UTC
d873a25 Kafka: remove noise from logging EOF messages in Kafka parser We keep seeing a lot of these on normal client (produce/consume) connection close. We should not be logging valid EOF as errors. [ upstream commit d9143000325e61a9ed63817b453f7cffbf76de89 ] level=error msg="Unable to parse Kafka request; closing Kafka request connection" error=EOF id="rx:10.15.161.35:57590->10.15.28.238:10551<->tx:closed" Fixes: #3792 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> Signed-off-by: Ray Bejjani <ray@covalent.io> 19 April 2018, 18:43:27 UTC
cf50c76 doc: Fix spelling [ upstream commit e89d35c2a21319b3f5ec2e19405aa6646652b1c4 ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Ray Bejjani <ray@covalent.io> 19 April 2018, 18:43:27 UTC
c745392 doc: Replace cilium-sidecar.yaml with a config map setting [ upstream commit 95d04e633f2e97244c5bc78c4fa0c6052466971d ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Ray Bejjani <ray@covalent.io> 19 April 2018, 18:43:27 UTC
e200aaf k8s: add some fixes to the kubernetes spec file Restart always will guarantee that kubelet will restart cilium in case of failure. Signed-off-by: André Martins <andre@cilium.io> 19 April 2018, 04:15:01 UTC
87aa854 docs: Refine backporting instructions. [ upstream commit 9f25a9058963800edf3b368aa9d617856f121f1c ] Refine backporting instructions by explicitly specifying how to use GitHub labels. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
64c03f0 policy: Support reserved:cluster entity [ upstream commit 45038629e6e7a881bf6f8a3f91ed34f8a6e61828 ] The support for this entity was already plumbed through most of Cilium, it just wasn't exposed in the API. Expose it there. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
8a9a6a5 monitor: Fix CT entry dst port printing [ upstream commit 1355c81a101fc489eaa083b9946874d0d186b2e2 ] Ports were not being printed correctly for ports in CT entry monitoring output. Fix it. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
aadca0d xds: Add tests for cache.Lookup [ upstream commit c6612a9c6a69bc5e3cffe91d74afd5f4c53267f1 ] Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
7ae3ba6 daemon: Push reserved IP->Identity mappings to XDS [ upstream commit 11c8f3923fb538a583a3e45c9cf1530e9f6312b1 ] Previously we were only handling the BPF case and missing these IPs in XDS, so presumably we would not apply L3/L4 policies correctly for the XDS (eg Envoy sidecar) case. CC: Ian Vernon <ian@cilium.io> Fixes: 7448e41aa047 ("endpoint: sync endpoint IP-SecID map to kvstore") Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
9ea1c96 envoy: Handle IP->ID deletes inside cache [ upstream commit e24b30d6dc2dce7cd5866f7cdb78958f4fe94296 ] Don't reach back up to the ipcache to handle deletes like this, rather look through the cache and update the entries in place. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
36bbfe5 ipcache: Shift NPHDS logic to envoy [ upstream commit b6c5cb0f1bf5b8496c89c89ffaff4c2740fe3ba5 ] There was a bunch of Network Policy Hosts Discovery Service logic littering the ipcache logic, shift it into envoy. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
7a4b94e pkg/envoy: always use dport in proxy statistics [ upstream commit a1e7a25405a8a65285af4a1dd00b8c93d478ec17 ] Even on egress, rules are always defined with 'ToPorts'; thus, in proxy statistics, only use the port to which traffic is flowing (destination port). Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
860c19f bpf: Fix log message about not supporting CIDR [ upstream commit f3ca26e764ce25d9c8f946ec8088cd295e4d0815 ] Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
8989880 bpf/lib: unconditionally create ipcache bpf map in datapath [ upstream commit b2e94027ec0f901a189380f1b22740a960cd760c ] In case the opening and creating of the map in userspace fails, it now will be unconditionally created in the datapath. This will not affect the datapath because the lookup into the map is only performed when egress policy is enabled in the datapath for a specific endpoint. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
4155c14 pkg/bpf: add additional logging and error handling [ upstream commit 5df8397ee957021550e21997e4c1e3f8ac4a06a7 ] * Add logs for when we append to list of maps to open after bpffs is mounted. * Log errors that occur when opening / creating maps which are stored in list of maps to open after bpffs is mounted. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
f612888 pkg/logging/logfields: add log field for BPF map name [ upstream commit 09f1936d39f21704036385286e5d72a90c3eb393 ] Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
030f253 pkg/maps/ipcache: log if map unable to be opened [ upstream commit 11091ed6611867a8274d55e798f1973777b6d79f ] Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 19 April 2018, 03:41:11 UTC
cf4887c Disable code owners reviews in 1.0 branch Signed-off-by: Thomas Graf <thomas@cilium.io> 18 April 2018, 22:22:03 UTC
02bea38 scripts: contrib/backports/check_stable prints PR link [ upstream commit 63b39052f349da7c87c5f4a8d1a7c02e823fe5e2 ] Signed-off-by: Ray Bejjani <ray@covalent.io> 17 April 2018, 18:49:49 UTC
ecdc2d2 scripts: contrib/backports/check_stable handles backports-done label [ upstream commit 29cab3a38109a5349fc37e0dfa55b64ae291fd9f ] We sometimes leave the "stable/backport-done" label on PRs. Instead of confusing ourselves, we now filter these out. Signed-off-by: Ray Bejjani <ray@covalent.io> 17 April 2018, 18:49:49 UTC
ff19397 Test: Increase logs for Kube-dns issues [ upstream commit 25c80eb7b366977f6d2696d0bc19bd110d1e0647 ] - Added kubedns logs in reportFailed. - Added a new fallback option in `WaitForKubeDNSEntry` to know, in case of failure, whether the issue is that the DNS entry does not exist or that it cannot connect to the kube-dns service. - Use service IP instead of the kube-dns pod IP. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Ray Bejjani <ray@covalent.io> 17 April 2018, 18:49:49 UTC
62c48d7 Prepare for 1.0.0-rc13 Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:29:04 UTC
2e0c7fa policy: Add TestWildcardL4RulesIngress and TestWildcardL4RulesEgress [ upstream commit 82950581c84eec44bfbc3209db0f8de80344a8aa ] Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
5f4e908 pkg/policy: change parser type logic for merging L4Filter [ upstream commit 3ebcca016553f7e9bd80b512f9e9471f5df9d0c6 ] If any L4Filters being merged together have rules on L7, even if one of the rules allows all on L7, allow all on L7, but set the parser type to be the L7Parser type of the L4Filter which contains L7-related rules. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
4d664df pkg/policy: do not use length checks on L4Filter.Endpoints [ upstream commit 030fea128ec7636fcc374f608842b5e25803287a ] Length of this slice is not a reliable indicator of what information is encoded in the slice anymore because we now use the WildcardEndpointSelector within this slice to represent that the L4Filter selects all endpoints. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
7ca251e pkg/policy: remove redundant length check in AllowsAllAtL3 [ upstream commit 62db3530301bd6f93e803a5a20da19ecfbb0fb7d ] This length check is performed within EndpointSelectorSlice.SelectsAllEndpoints, so just remove it from AllowsAllAtL3. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
9474fd5 test: Force using IPv4 for egress connections to google.com [ upstream commit 232274b5a25fc847644a8aefed88b85a6b4ec91f ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
7e8491d test: Always execute "cilium endpoint get" with -o json [ upstream commit 5dc1865b7527e324d8cc142446441742c447ff8a ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
0b2517e policy: Replace adding L3-only rules into L4PolicyMap with extra loop [ upstream commit 6b0115c81e38f06feac767f4a1f656c2518742d7 ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
e5938c4 policy: Synthesize wildcard L7 rules for L3-only rules [ upstream commit 8c0ba61abf47844e27252b64f3a912fbc1fc23c8 ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
aef393c test: Fix Star Wars demo test [ upstream commit 9da6d710df4a286dc35c2aee61264b85ebceb3fc ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
10724e7 test: fix star wars demo [ upstream commit 645afa10741355d6fcd09c316ac01def0024a928 ] Once a new endpoint is created, it can trigger regeneration for all the remaining endpoints. By not checking if all of them were in ready state before testing the connection all the traffic could potentially be dropped until the security labels are assigned to that particular endpoint. Since the communication was always denied, before the endpoint had its security ID assigned, the tests would always fail as it was expecting the connection to be successful. For this reason we should wait for all endpoints to be in ready state before testing out any connection tests. As an example for endpoint 36125 the monitor would show the following: ``` <- endpoint 36125 flow 0xfd750d60 identity 0->0 state new ifindex 0: 9a:1a:e4:12:33:29 -> ff:ff:ff:ff:ff:ff ARP -> lxc8d11b: ca:f4:2e:75:46:11 -> 9a:1a:e4:12:33:29 ARP <- endpoint 36125 flow 0xae0d91ac identity 0->0 state new ifindex 0: 10.1.139.2:45668 -> 172.20.0.10:53 udp xx drop (Policy denied (L3)) flow 0xae0d91ac to endpoint 0, identity 0->0: 10.1.139.2:45668 -> 172.20.0.10:53 udp <- endpoint 36125 flow 0xae0d91ac identity 0->0 state new ifindex 0: 10.1.139.2:45668 -> 172.20.0.10:53 udp xx drop (Policy denied (L3)) flow 0xae0d91ac to endpoint 0, identity 0->0: 10.1.139.2:45668 -> 172.20.0.10:53 udp <- endpoint 36125 flow 0xae0d91ac identity 0->0 state new ifindex 0: 10.1.139.2:45668 -> 172.20.0.10:53 udp xx drop (Policy denied (L3)) flow 0xae0d91ac to endpoint 0, identity 0->0: 10.1.139.2:45668 -> 172.20.0.10:53 udp <- endpoint 36125 flow 0xae0d91ac identity 0->0 state new ifindex 0: 10.1.139.2:45668 -> 172.20.0.10:53 udp xx drop (Policy denied (L3)) flow 0xae0d91ac to endpoint 0, identity 0->0: 10.1.139.2:45668 -> 172.20.0.10:53 udp >> Endpoint regenerated: 36125 (k8s:class=spaceship,k8s:org=alliance,k8s:io.kubernetes.pod.namespace=default) <- endpoint 56687 flow 0xb1f87f1 identity 21577->0 state new ifindex 0: fe80::c41d:a6ff:fef1:7998 -> ff02::2 RouterSolicitation ``` Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
34846e9 bpf: Make all functions in lib/policy.h conditional on DROP_ALL [ upstream commit 786376ee9c1489505f722f20e5b20e35f7b7e9ad ] Make all policy decision functions conditional on DROP_ALL to avoid regressions in future. Suggested-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
a068821 bpf: Honor DROP_ALL also in ingress to a container. [ upstream commit ce741afa31adcc7fb39939112f64fc2e3c757d0d ] Even if DROP_ALL is defined, the bpf program can be compiled so that the actual ingress policy check returns OK (e.g., POLICY_INGRESS not defined). Check for DROP_ALL in higher level code that is not conditional to any other compile time definitions. Fixes: https://github.com/cilium/cilium/issues/3731 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
6a127e9 envoy: Remove assert, reduce logging. [ upstream commit 1e1fbbd899c625f809ab12d794e8c5c2b32f46e7 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
9ea7a10 policy: Do not wildcard CIDR 0/0 for world and all entity [ upstream commit 118ad8232628214938e3955cb14bf43cce55b482 ] With the introduction of label based egress including the world and all identity, it is no longer required to whitelist CIDR 0/0 for the world and all entity as it is covered by the identity based policy map which also supports L4. This allows to define rules such as: [{ "endpointSelector": {"matchLabels": {}}, "egress": [{ "toEntities": ["world"], "toPorts": [ {"ports":[ {"port": "80", "protocol": "TCP"}, {"port": "53", "protocol": "UDP"} ]} ] }] }] Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
e1a49d9 daemon: Regenerate endpoint in PATCH handler also when endpoint is in waiting-for-identity state. [ upstream commit 3ba379a817e50a1b79192ff5cae48a647a832545 ] commit 41c08396ce ("daemon: Only regenerate in PATCH from valid state") intended to limit endpoint regeneration calls from the API PATCH endpoint handler to valid endpoint states, but inadvertently limited the allowed states only to waiting-to-regenerate, while the endpoint should also be built while in the waiting-for-identity state. The symptom was that endpoints created via docker never built the initial drop-all bpf program while waiting for identity. This commit allows endpoint regeneration via the PATCH endpoint API also when the endpoint is in waiting-for-identity state. Fixes: 41c08396ce ("daemon: Only regenerate in PATCH from valid state") Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
1384437 tunnel: Remove old tunnel map upon upgrade. [ upstream commit b1955077d001b7570ac26d0131cb535a780bb795 ] This fixes up #3681 to ensure we don't end up with extraneous map entries on the filesystem after upgrade. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
36deff3 test: update kubedns to 1.14.9 [ upstream commit d0b8fe7be293f0c2c4e6253a7859a1aa507d33e9 ] Since kubedns 1.14.9 contains bug fixes it might help in kube-dns issues the CI is having Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
d93418d bpf: Rename tunnel_endpoint_map -> cilium_tunnel_map [ upstream commit f117836ffaeb381b7db5d05f44843fc82a2586f5 ] Rename the tunnel endpoint map so it has the same prefix as all of the other cilium maps. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
94f2e03 envoy: Pass 'non-redirect' http traffic through. [ upstream commit 768fbdfc3163eea0289f6564ee8bf6db8f376ab1 ] Cilium only creates a host proxy redirect when the relevant policy has http rules. A sidecar proxy also gets traffic that would not have been redirected with a host proxy. To emulate the host proxy behavior we pass (allow) traffic through a sidecar if it is passed through by the bpf datapath and would not have been redirected to a host proxy. There are two cases in cilium network policy enforcement where we can detect that the given packet would not have been forwarded to a host proxy: 1. There is no port policy that covers this connection. Cilium always configures a port policy for a redirect, and hence if we find that there is no applicable port policy, the connection must have been passed by the bpf datapath to a sidecar and the sidecar proxy should pass it through, i.e., consider the decision made by the bpf datapath final. 2. There is a port policy, but it does not have any http rules. Again, in this case this request would not have been redirected to a host proxy, and we must consider the bpf datapath policy decision as final by passing the request through the sidecar proxy. These changes are marked with TODOs as they will need to be reconsidered when non-bpf datapaths are supported. Suggested-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
0df6e7b endpoint: Fix label replacement. [ upstream commit 8515b21011f2969f85c29f41957f2def6513f590 ] Fix bugs in label updates: - Information labels were never deleted - Information label assignments were logged even when nothing changed - Identity label updates never updated the Source or Value of an existing label Add unit test for label updates. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 16 April 2018, 03:13:58 UTC
0c78c4a test/k8sT: do not access redis-master via hostname, only service IP [ upstream commit 99297d4143ac5717e6c172f2be41350ae2c33763 ] In K8s 1.7 tests, there are issues accessing redis-master via hostname. Disable accessing redis-master via its hostname until K8s 1.7 is updated in CI to a newer version. See GH-3462 for more information. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
4dcac3d Test: Add separate logs per each cilium pod [ upstream commit b97c14d3fc13f1435fe0c510fee36b037dd5138d ] Fix 3636 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
72942f6 pkg/endpoint: log what caused policy changes [ upstream commit 1df6acc7e545ae8a2be4c9cb9af008dbfb72d493 ] Before this commit, we only logged whether policy was changed or not for a given endpoint or consumable, not what caused the policy change itself. To get more visibility into what might trigger regenerations, log at debug level what causes policy changes. Signed-off by: Ian Vernon <ian@cilium.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
e29063f doc: Use K8s-version-specific YAML files in Istio GSG [ upstream commit 323973b644944944fa1b98a6e6abccbd2f148d2a ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
cd684ef examples/kubernetes: Generate daemon sets defs for sidecar mode [ upstream commit b542e40b54331f131c9c013274642555ac0869da ] Clean up examples/kubernetes/Makefile. Add support for V=0 quiet option. Add support for multiple daemon set definitions for each Kubernetes version. Generate */cilium-sidecar*.yaml daemon set files for running Cilium along with Istio. Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
00c2154 doc: Update Istio GSG for Istio 0.7.0 [ upstream commit a04087ac01560b6cb0070049e029ced2710d3ece ] Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 13 April 2018, 07:38:24 UTC
f5715e8 examples/k8s: fix 1.8 spec files Signed-off-by: André Martins <andre@cilium.io> 11 April 2018, 22:56:08 UTC
3a20bad examples/k8s: change image to point to 1.0 Signed-off-by: André Martins <andre@cilium.io> 11 April 2018, 22:56:08 UTC
3e2f87a Test: trigger AfterFailed before AfterEach when in a Context [ upstream commit cb9020a3996555ab7444d44c1434f863dea1340b ] When a context is defined with an AfterEach, the AfterEach function will be called before `JustAfterEach` and `AfterFailed`, and some info cannot be retrieved correctly because it no longer exists. With this commit all the `JustAfterEach` and `AfterFailed` will be called just before the AfterEach. Fix #3481 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 11 April 2018, 21:50:19 UTC
446c56e health: Do sanity checking on health response [ upstream commit c9b0328ba5aeff9cf201972a78c3791c41978045 ] Check all fields for potential nil pointers. Some of the fields can be omitted if the health API is triggered while the agent is still bootstrapping. Fixes: #3628 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 11 April 2018, 21:50:19 UTC
cb8c413 pkg/node: fix nil pointer dereference [ upstream commit 7a733601f25665637e5a6d760d33bfcda0ae1dad ] If a node doesn't have any IPv6 address cilium can panic while trying to delete the IPv6 routes of that node. Signed-off-by: André Martins <andre@cilium.io> Reported-by: Markus Padourek <markus.padourek@gmail.com> Signed-off-by: Eloy Coto <eloy.coto@gmail.com> 11 April 2018, 21:50:19 UTC
d602827 proxy: Create access log file and setup notifier at startup [ upstream commit 1024913b09ee4a76511e9f7028fdd5528b6df649 ] Move the access log file and notifier and metadata configuration at daemon startup instead of when creating the first redirect, so access logging is usable with sidecar proxies, for which Cilium doesn't create redirects. Signed-off-by: Romain Lenglet <romain@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
ab265e9 Bugtool: Add gops output [ upstream commit 4fa2bcad0d1c92e12dffdf89513fb59aff915003 ] - Add gops output for cilium agent to know what happens to the agent in case of something wrong. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
999dfc4 agent: Provide non-blocking agent status [ upstream commit 56d43d548e721d1fed50fb55ed2c00e8b4f789b9 ] Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
f2144f4 bpf: Remove connection tracking entries on policy deny [ upstream commit 9095ef8918e38645be1e8a94342d84ea1978306f ] Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
9017181 policy: Remove connection tracking cleanup on policy change [ upstream commit 4d8b510195807cf5a4c5e1f81c3b182a4a3c58f6 ] Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
d6bead6 policy: Log errors inserting CIDR entries [ upstream commit 51fdcf01048a439b335c671a25db4954d7e20557 ] Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
e10e079 cidrmap: Allow insert of any length of CIDR [ upstream commit 3ce8067d1b0fa810d3b2690efb2bde2e20cff78c ] Previously, when attempting to insert CIDRs that differ in length from the maximum prefix length of the protocol type (32 for IPv4, 128 for IPv6), we could end up rejecting the CIDR. Tweak it so that it will accept different CIDR lengths unless the CIDRMap is created without dynamic prefix length (The special XDP prefilter case). Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
c1be0f8 policy: Do not make initial endpoint DROP_ALL mode dependent on policy option [ upstream commit b35644e0d05c74b0cc6697f3b5680b666aab4991 ] The current code only puts a DROP_ALL in place if the endpoint has ingress or egress policy enforcement enabled. This option is derived based on policies which select the endpoint so the option is likely still disabled at the time we determine this for the first time. This leaves the endpoint unprotected until the labels have been derived and thus policy could have been inspected to affect the ingress/egress policy enforcement bits. Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
71a537f bpf: Remove proxy_port from conntrack table [ upstream commit 8152d64a1bdf49b3476cc141f1895cf87e3f0c11 ] It is no longer required as the policy map is used to derive the proxy port and the reverse translation occurs via proxymap. Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
b2e7426 policy: Remove logic to reset proxy port [ upstream commit ca1f1fe757f03e5f3791cd0553fd65196fd635ce ] Since commit 52a948c40 ("bpf: Derive proxy_port from policy rather than CT"), the proxy port is always derived from the policy table. This makes it unnecessary to clean up the proxy_port in the connection tracking table and all of the logic can be removed. Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
78648e6 daemon/endpoint: Handle DeleteElement error properly [ upstream commit 0b19157050c95049bc23e9ca55936002d064b615 ] Error from lxcmap.DeleteElement should be added to the slice of errors, not override it. Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
e69cc64 pkg/endpoint: Don't declare errs variable in function scope [ upstream commit 5937a3262f482b1bf96bf71ad24f0f53510fdad1 ] The errs variable is used only to get the result of the applyNewFilter method and it should be declared in the smallest scope possible. Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
bca8c4e pkg/envoy/xds: Assign value to ip variable only if it's used [ upstream commit c9e509b0193dbc91b264d94fc8bbe0560b3b8049 ] The `ip` variable is used only once, so there is no need to assign the value of IstioNodeToIP every time. Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
8dee87c pkg/ip: Assign value to allowedCIDRs variable only if it's used [ upstream commit e0e78841e2cfb90babd3c452b622235ef3f73658 ] The first value returned by RemoveCIDRs is not always used and it can be skipped once. Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
5ab6ad6 pkg/policy: Don't assign unused variables [ upstream commit 816f2cfaea5171f350fe6d1bbbc32704e5f9fd84 ] Before this change, this package assigned `err` or other variables regardless of whether they are actually used. In some cases, `err` variables were assigned properly, but they weren't checked. Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
01053b2 pkg/k8s: Remove unused `node` variable assignment [ upstream commit 9b1a40384bb2f718b760dcf720ea3876b31c4f4a ] Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
6335188 pkg/k8s: Assign value to `rules` variable only if it's used [ upstream commit c98584bdc55c59191c4b7d1a60d60076cc5177cf ] Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
b9edd95 pkg/kvstore: Handle error from Get method properly [ upstream commit 5316859b64e9ec9fe89d40968493eb5651892bc2 ] Signed-off-by: Michal Rostecki <mrostecki@suse.com> Signed-off-by: Thomas Graf <thomas@cilium.io> 11 April 2018, 02:12:46 UTC
85b39ad Prepare for 1.0.0-rc11 release Signed-off-by: Thomas Graf <thomas@cilium.io> 10 April 2018, 01:03:34 UTC
1245007 policy: Apply wildcarded source L7 rules to all sources [ upstream commit 7803dfab1e49eb99ff50ed64244deb799a02655c ] GetRelevantRules() encoded the following logic so far: 1. Find L3 source dependent L7 rules; if found, return. 2. Otherwise fall back to the wildcard section. This is incorrect and not as permissive as needed. Wildcarded rules should apply regardless of the L3 source. Hence append the list of L7 rules regardless of the source. Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
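The rule-selection bug described in commit 1245007, shown as an added, self-contained example (this is not Cilium's code; the `L7Policy` type, the `relevantRulesBefore`/`relevantRulesAfter` functions and the sample policy are hypothetical and simplified). The point is that a source-specific L7 section must not shadow the wildcard section: wildcard rules are appended for every source, so an endpoint that only matches the wildcard rule is still allowed.

```go
package main

import "fmt"

// L7Rule is a placeholder for one L7 (HTTP) rule, e.g. "GET /healthz".
// Hypothetical type for this example, not a Cilium type.
type L7Rule string

// L7Policy holds L7 rules keyed by L3 source identity plus a wildcard
// section that should apply regardless of the source.
// Hypothetical type for this example, not a Cilium type.
type L7Policy struct {
	BySource map[string][]L7Rule
	Wildcard []L7Rule
}

// relevantRulesBefore mirrors the faulty logic the commit describes:
// source-specific rules, if any exist, are returned alone and the
// wildcard section is only consulted as a fallback.
func relevantRulesBefore(p L7Policy, source string) []L7Rule {
	if rules, ok := p.BySource[source]; ok && len(rules) > 0 {
		return rules
	}
	return p.Wildcard
}

// relevantRulesAfter mirrors the fix: wildcard rules are appended to
// whatever source-specific rules exist, for every source.
func relevantRulesAfter(p L7Policy, source string) []L7Rule {
	out := make([]L7Rule, 0, len(p.BySource[source])+len(p.Wildcard))
	out = append(out, p.BySource[source]...)
	out = append(out, p.Wildcard...)
	return out
}

// allowed reports whether req matches any of the relevant rules
// (exact string match stands in for real HTTP method/path matching).
func allowed(rules []L7Rule, req L7Rule) bool {
	for _, r := range rules {
		if r == req {
			return true
		}
	}
	return false
}

// samplePolicy is a constructed policy: app1 may fetch /public, and
// every source may probe /healthz via the wildcard section.
func samplePolicy() L7Policy {
	return L7Policy{
		BySource: map[string][]L7Rule{"app1": {"GET /public"}},
		Wildcard: []L7Rule{"GET /healthz"},
	}
}

func main() {
	p := samplePolicy()
	for _, src := range []string{"app1", "app2"} {
		before := allowed(relevantRulesBefore(p, src), "GET /healthz")
		after := allowed(relevantRulesAfter(p, src), "GET /healthz")
		fmt.Printf("source=%s GET /healthz: before=%v after=%v\n", src, before, after)
	}
}
```

Running it shows the asymmetry the commit fixes: with the old logic `app1` is denied `GET /healthz` because its own section shadows the wildcard, while `app2` (no specific section) is allowed; with the fix both sources are allowed, and `app1` keeps its `GET /public` rule.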
aeafb99 envoy: Update generated go-files for Cilium HTTP filter. [ upstream commit 7a2a21a0861136b8d8632f8a701383bba628f912 ] cilium_l7policy.proto was missing from Makefile.api, causing the HTTP filter configuration .pb.go files not to be regenerated after recent changes. This has no functional impact, as Envoy APIs encode filter configurations as embedded json structs in order to allow a degree of extensibility without "changing the API". Hence we open-code the go structures needed for the filter configurations rather than relying on the generated .pb.go files. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
7e16062 docs: Correct spelling mistakes in the docs Fixes: #3523 Signed-Off-By: Manali Bhutiyani <manali@covalent.io> [ upstream commit 6142443cc87146cc66e0abe302f140a3d40f53e7 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
784406f cilium: Make cilium endpoint list resilient [ upstream commit a996c8ae21fbe47a66b412fa14422c4ee73f5370 ]

```
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1715922]
goroutine 1 [running]:
github.com/cilium/cilium/cilium/cmd.listEndpoint(0xc4200fba00, 0xc421670b20, 0x1b96abb, 0xd, 0x1b8dc8d, 0x9)
	/go/src/github.com/cilium/cilium/cilium/cmd/endpoint_list.go:56 +0x42
github.com/cilium/cilium/cilium/cmd.printEndpointList(0xc4200fba00, 0xc42043f920, 0x5, 0x6)
	/go/src/github.com/cilium/cilium/cilium/cmd/endpoint_list.go:117 +0x131
github.com/cilium/cilium/cilium/cmd.listEndpoints()
	/go/src/github.com/cilium/cilium/cilium/cmd/endpoint_list.go:79 +0x126
github.com/cilium/cilium/cilium/cmd.glob..func23(0x2a62ba0, 0x30654a8, 0x0, 0x0)
	/go/src/github.com/cilium/cilium/cilium/cmd/endpoint_list.go:43 +0x20
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).execute(0x2a62ba0, 0x30654a8, 0x0, 0x0, 0x2a62ba0, 0x30654a8)
	/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:648 +0x234
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x2a66940, 0x0, 0xc420000260, 0xc4207cdf40)
	/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:735 +0x2fe
github.com/cilium/cilium/vendor/github.com/spf13/cobra.(*Command).Execute(0x2a66940, 0x0, 0x172df96)
	/go/src/github.com/cilium/cilium/vendor/github.com/spf13/cobra/command.go:693 +0x2b
github.com/cilium/cilium/cilium/cmd.Execute()
	/go/src/github.com/cilium/cilium/cilium/cmd/root.go:46 +0x31
main.main()
```

Fixes: #3543 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
b2a7818 docs: update k8s dependencies to 1.10.0 [ upstream commit 9d6f7ac0ad6541878ac5513dbb031107fc38da86 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
03beddb vendor: update k8s dependencies to 1.10.0 [ upstream commit e856b95bc73e212f31b4d79510c160e0a0ff821a ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
78400a3 daemon: Sync loadbalancer BPF maps from goroutine [ upstream commit 0ed89f975883b8c20b519d817df8156860a291c8 ] In setups with several cilium nodes, we have observed cilium startup blocking for significant periods (eg, one minute or more). One of the few points that blocks during startup for potentially long times is the synchronization of existing BPF loadbalancer maps with the KVStore on restart. If this takes too long, then in kubernetes environments cilium may end up being killed because it's not serving the Cilium API while this is happening. To work around such issues, run this logic in a separate goroutine in the background. In future, we can improve the logic to speed it up (see #3533). Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
0e264b2 api: Switch API version from v1beta to v1 [ upstream commit f3376543097590d6cbb1b1488e486ce10fe5de41 ] Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
8367094 Test: Do not gather envoy.log [ upstream commit fad2e59d6b72b04ee8e2f1aedddafa760bca4f55 ] Due to adeacc11586b2529385924a72702d102fa8fe20b, gathering the envoy log is no longer needed. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC
9e82119 docs: Document consistent CIDR policy [ upstream commit bdbccc5e142d0955a3769794880fb7aaf6a9ad5b ] See github issue #3565 for an extended discussion on the motivation of this change. Signed-off-by: Joe Stringer <joe@covalent.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io> 07 April 2018, 00:49:04 UTC