https://github.com/cilium/cilium

Revision Author Date Message Commit Date
c092f5a hubble-ui: release v0.9.2 [ upstream commit c3feb60e6f63f8a88c668d5e030dd1ac94160395 ] Added `hubble.ui.frontend.server.ipv6.enabled` helm flag to control nginx server ipv6 listener Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
65a0373 daemon: Coalesce endpoint CIDRs in ENI mode [ upstream commit c87cdeb2496ed99fe3550efa25b515797fe6ab20 ] Fixes: #18868. Multiple CIDRs are currently not coalesced for the health endpoint when setting up the corresponding routing tables. This results in orphaned routing entries that may conflict when IPs are reused for workload pods after an agent restart. Addresses comment https://github.com/cilium/cilium/pull/20112#issuecomment-1180343763 Signed-off-by: Simone Sciarrati <s.sciarrati@gmail.com> Signed-off-by: Federico Hernandez <f@ederi.co> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
21833b3 pkg/bgpv1/annotations: Optimize annotations Errors [ upstream commit b9e6d8233c9ff12aac08b5a2d0a9b8b13747dc3e ] Avoid using fmt.Sprintf() so that Go won't over-allocate memory. Issue reference: cilium#19571. Result:

```
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_old.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrNotVRouterAnnoError' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrNotVRouterAnnoError_new.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrErrNoASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrErrNoASNAnno_new.txt
$ go test -v -benchmem -run=^$ -bench 'BenchmarkErrASNAnno' github.com/cilium/cilium/pkg/bgpv1 > BenchmarkErrASNAnno_new.txt

$ benchcmp BenchmarkErrNotVRouterAnnoError_old.txt BenchmarkErrNotVRouterAnnoError_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                            old ns/op     new ns/op     delta
BenchmarkErrNotVRouterAnnoError-12   186           47.2          -74.67%

benchmark                            old allocs     new allocs     delta
BenchmarkErrNotVRouterAnnoError-12   2              1              -50.00%

benchmark                            old bytes     new bytes     delta
BenchmarkErrNotVRouterAnnoError-12   96            80            -16.67%

$ benchcmp BenchmarkErrErrNoASNAnno_old.txt BenchmarkErrErrNoASNAnno_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                     old ns/op     new ns/op     delta
BenchmarkErrErrNoASNAnno-12   143           45.0          -68.49%

benchmark                     old allocs     new allocs     delta
BenchmarkErrErrNoASNAnno-12   2              1              -50.00%

benchmark                     old bytes     new bytes     delta

$ benchcmp BenchmarkErrASNAnno_old.txt BenchmarkErrASNAnno_new.txt
benchcmp is deprecated in favor of benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat
benchmark                 old ns/op     new ns/op     delta
BenchmarkErrASNAnno-12    252           61.6          -75.59%

benchmark                 old allocs     new allocs     delta
BenchmarkErrASNAnno-12    3              1              -66.67%

benchmark                 old bytes     new bytes     delta
BenchmarkErrASNAnno-12    112           80            -28.57%
```

Signed-off-by: MikeLing <sabergeass@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
dc13b76 datapath: allow packets to and from eni+ container interfaces [ upstream commit 48d46eb621494c09af916d156c286af6aa23e4de ] AWS CNI chaining yields container interface names like 'eni621c0fc8425', not the usual 'lxcXYZ'. This causes packets for local endpoints to be dropped in CILIUM_FORWARD when they are called through a NodePort. Before the patch, the CILIUM_FORWARD chain looks like this:

```
-A CILIUM_FORWARD -o cilium_host -m comment --comment "cilium: any->cluster on cilium_host forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_host -m comment --comment "cilium: cluster->any on cilium_host forward accept (nodeport)" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept" -j ACCEPT
-A CILIUM_FORWARD -i cilium_net -m comment --comment "cilium: cluster->any on cilium_net forward accept (nodeport)" -j ACCEPT
-A CILIUM_FORWARD -o lxc+ -m comment --comment "cilium: any->cluster on lxc+ forward accept" -j ACCEPT
-A CILIUM_FORWARD -i lxc+ -m comment --comment "cilium: cluster->any on lxc+ forward accept (nodeport)" -j ACCEPT
```

This doesn't match any packets to or from `eni+` container interfaces, letting them fall through to the `KUBE-FORWARD` chain instead:

```
-A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
...
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
```

Initial SYN packets go through to the Pod, SYN-ACK responses from local NodePort services are bpf_redirect'ed back out the physical interface to the client, but any follow-up packets from the client arriving at the node are considered invalid by netfilter's conntrack since the reply packet bypassed the stack, and thus dropped. This commit takes care of adding `-i eni+` and `-o eni+` iptables rules to make sure world->container packets are never dropped in the stack.

Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
428c6d2 daemon,pkg: pull cni-chaining-mode configmap key into DaemonConfig [ upstream commit 99114351abd69f8859fd856ec45040002c95bcc0 ] The `cni-chaining-mode` ConfigMap key was introduced with the initial implementation of AWS CNI chaining, b568d2a179 ("cni: Add support for AWS CNI chaining") but was only used as an environment variable in the CNI installer script(s), not in the agent itself. This commit pulls in the key as a DaemonConfig value from the Cilium ConfigMap and removes manual parsing of CILIUM_CNI_CHAINING_MODE. Signed-off-by: Timo Beckers <timo@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
633ae6d datapath: tolerate missing ifaces when setting rp_filter sysctl [ upstream commit 86e736f285c923c144b96b6078ddcd19def59074 ] At the point where systemd-sysctl applies our rp_filter settings, the host might not have any cilium_* and/or lxc_* interfaces yet. But systemd-sysctl treats the failure to resolve these globs as a hard error:

```
systemd-sysctl[9354]: Couldn't resolve glob 'net/ipv4/conf/lxc*/rp_filter': No such file or directory
systemd[1]: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-sysctl.service: Failed with result 'exit-code'.
```

Adding the `-` option makes systemd-sysctl tolerate such errors. Fixes: 6432558898aa ("datapath: Create sysctl `rp_filter` overwrite config on agent init") Suggested-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
195d394 operator: do not GC kvstore nodes if CiliumNodes are not available [ upstream commit 62548f2bc1fad0093b88eef34edc477bd4aad98c ] If users deploy Cilium without creating any CiliumNodes, Cilium Operator will GC all kvstore nodes once it starts. This commit adds a guardrail to prevent such behavior. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1cec6bf proxy: Iterate proxy ports on port open failure [ upstream commit d193526f950d78009cb84aa68cd4d5a32b736a75 ] If the user does not specify a proxy port and it fails to listen on the port, instead of retrying again for that specific one, increment it. Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
c1312da metallb: bump to latest fork version [ upstream commit 4c77f5476fb0d9424bda051612212ae72bc58087 ] Bumps to Cilium's latest metallb fork version. This bump alleviates a plain log message which ran in a hot loop. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
cc01d2f egressgw: reduce log noise in good paths [ upstream commit be641bb60f1d365f8ce0faee1fdc3442e2b0484f ] Demote the various Info() log statements to Debug(), so that we don't spam the logs when everything works as expected. Also fix a typo in one log message. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1cc6fe6 egressgw: reduce log noise when installing IP rules/routes [ upstream commit d741e20bf34fe7c0ff151b836c2b61671c443d06 ] When updating the IP rules/routes, reconcile() tolerates that the first attempt at installing some new rules/routes fails (as they might conflict with existing rules/routes that haven't been removed yet). After removing all unused rules, it calls addMissingIpRulesAndRoutes() again and hopefully succeeds. Adjust the log severity accordingly when encountering errors on the first attempt. It's only a real problem when they occur on the retry. Suggested-by: Bruno M. Custódio <brunomcustodio@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
b01b561 dnsproxy: add cleanup [ upstream commit 266f70588825716c5ef4d0ceff9201ba8e6fa44b ] This change adds Cleanup function to dnsproxy which is added to daemon cleanup module. The cleanup closes TCP and UDP sockets, which will cause proxy to stop serving DNS traffic before shutdown. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
19b9e11 dnsproxy: populate DNS clients before proxy start [ upstream commit 588555069ac08bbbd31af77943e33c128c5344e8 ] This change causes DNS clients that dnsproxy uses to connect to upstream DNS servers to be populated before proxy binds to its sockets. Clients being set after proxy binds might have caused some DNS traffic to be dropped while proxy was starting up. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
1823586 pkg/k8s/watcher: fix deadlock with service event handler & CES watcher. [ upstream commit 4b87ccc9809bb8a37e51bf5c22726bbff866e541 ] There is a deadlock that can occur when a k8s service update and a policy update occur at the same time. In practice, this can occur in the following situation:

1. CiliumEndpointSlice k8s watcher performs an update due to a new watcher event. The handler logic for this first goes to hold a lock on the IPCache. Next, this triggers an endpoint regeneration via the endpoint manager. Note: This code path will wait for endpoint regeneration to complete via a passed WaitGroup. To complete this task, endpoint manager attempts to lock policyRepository. Effectively, this means that CES handler has locking dependencies on IPCache's lock and policyRepos lock (transitively, by waiting on endpointManager endpoint regeneration). It will not release the IPCache lock until endpoint regen is done, thus waiting on the policyRepo lock.

2. The k8sServiceHandler control loop performs an update due to kube-apiserver service record change (i.e. this is common on EKS where the control plane IPs change often). A new policyRepository.Translator is constructed with k8s.RuleTranslator{} with AllocatedPrefixes being enabled. This implementation of the Translator holds a reference to ipcache and uses that to make necessary prefix updates to ipcache during the translation. This is passed to policyRepository to perform policy rule translation, which locks itself before proceeding to use translator.Translate(...) to perform translation on its state. The k8sServiceHandler now holds nested locks on policyRepo -> ipcache.

At this point, let's say codepath 1 is holding a lock on ipcache and waiting on a lock for policyRepo (nested ipCache -> policyRepo). At the same time, codepath 2 (i.e. k8sServiceHandler) just grabbed a policyRepo lock and is waiting for the ipcache lock. Codepath 2 (which holds policyRepo) needs ipcache to unlock, which is held by Codepath 1, which is waiting for policyRepo to unlock.

The following is a stack trace of such a case occurring:

101 occurrences. Sample stack trace:

6 occurrences. Sample stack trace:

```
sync.runtime_SemacquireMutex(0xc0018f0e08?, 0x20?, 0xc000c12740?)
    /usr/local/go/src/runtime/sema.go:71 +0x25
sync.(*RWMutex).RLock(...)
    /usr/local/go/src/sync/rwmutex.go:63
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regeneratePolicy(0xc0010c7c00)
    /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:198 +0x11a
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc0010c7c00, 0xc0005be400)
    /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:814 +0x2c5
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc0010c7c00, 0xc0005be400)
    /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:584 +0x189
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc0010c7c00, 0xc0005be400)
    /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:398 +0x7a5
github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc0099405b0, 0x2a27540?)
    /go/src/github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325
github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run.func1()
    /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:245 +0x13b
sync.(*Once).doSlow(0x2f14d01?, 0x4422a5?)
    /usr/local/go/src/sync/once.go:68 +0xc2
sync.(*Once).Do(...)
    /usr/local/go/src/sync/once.go:59
github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).run(0x0?)
    /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:233 +0x45
created by github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).Run
    /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:229 +0x76
```

1 occurrence. Sample stack trace:

```
sync.runtime_Semacquire(0xc0003f44d0?)
    /usr/local/go/src/runtime/sema.go:56 +0x25
sync.(*WaitGroup).Wait(0xc0003f5420?)
    /usr/local/go/src/sync/waitgroup.go:136 +0x52
github.com/cilium/cilium/pkg/ipcache.(*IPCache).UpdatePolicyMaps(0xc001003580, {0x3468338, 0xc00007e038}, 0xa?, 0xc008c15e60)
    /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:235 +0xc7
github.com/cilium/cilium/pkg/ipcache.(*IPCache).removeLabelsFromIPs(0xc001003580, 0xc005d73778?, {0x2f35b2b, 0xf})
    /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:414 +0x7c5
github.com/cilium/cilium/pkg/ipcache.(*IPCache).RemoveLabelsExcluded(0xc001003580, 0xc0000e3110, 0xc001506dd8?, {0x2f35b2b, 0xf})
    /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:328 +0x1ab
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).handleKubeAPIServerServiceEPChanges(0xc001586d80, 0xc003ec89b0?)
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint.go:135 +0x5b
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addKubeAPIServerServiceEPSliceV1(0xf3c386?, 0xc001ab7d40)
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:205 +0x452
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).updateK8sEndpointSliceV1(0xc001586d80, 0xc001ab7d40?, 0xc001ab7d40?)
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:178 +0x69
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit.func2({0x2ec7ea0?, 0xc00294c410?}, {0x2ec7ea0, 0xc001ab7d40})
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:71 +0x125
k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate(...)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:239
github.com/cilium/cilium/pkg/k8s/informer.NewInformerWithStore.func1({0x2a4b9c0?, 0xc00057d1e8?})
    /go/src/github.com/cilium/cilium/pkg/k8s/informer/informer.go:103 +0x2fe
k8s.io/client-go/tools/cache.(*DeltaFIFO).Pop(0xc001b805a0, 0xc000927940)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/delta_fifo.go:554 +0x566
k8s.io/client-go/tools/cache.(*controller).processLoop(0xc001bda1b0)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:184 +0x36
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x40d6a5?)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 +0x3e
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xed53e5?, {0x343e1c0, 0xc000d50450}, 0x1, 0xc000929980)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 +0xb6
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc001bda218?, 0x3b9aca00, 0x0, 0x30?, 0x7f587b87fd30?)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x89
k8s.io/apimachinery/pkg/util/wait.Until(...)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
k8s.io/client-go/tools/cache.(*controller).Run(0xc001bda1b0, 0xc000929980)
    /go/src/github.com/cilium/cilium/vendor/k8s.io/client-go/tools/cache/controller.go:155 +0x2c5
created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).endpointSlicesInit
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/endpoint_slice.go:156 +0x759
```

1 occurrence. Sample stack trace:

```
sync.runtime_SemacquireMutex(0xc000880000?, 0x20?, 0x21?)
    /usr/local/go/src/runtime/sema.go:71 +0x25
sync.(*RWMutex).RLock(...)
    /usr/local/go/src/sync/rwmutex.go:63
github.com/cilium/cilium/pkg/ipcache.(*metadata).get(0xc00104f770?, {0xc0069e9160?, 0x9?})
    /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:90 +0x66
github.com/cilium/cilium/pkg/ipcache.(*IPCache).GetIDMetadataByIP(...)
    /go/src/github.com/cilium/cilium/pkg/ipcache/metadata.go:86
github.com/cilium/cilium/pkg/ipcache.(*IPCache).AllocateCIDRs(0xc001003580, {0xc008680cf0, 0x2, 0x0?}, {0x0, 0x0, 0x0?}, 0x0)
    /go/src/github.com/cilium/cilium/pkg/ipcache/cidr.go:57 +0x22b
github.com/cilium/cilium/pkg/k8s.RuleTranslator.generateToCidrFromEndpoint({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...)
    /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:124 +0xb3
github.com/cilium/cilium/pkg/k8s.RuleTranslator.populateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...)
    /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:62 +0x172
github.com/cilium/cilium/pkg/k8s.RuleTranslator.TranslateEgress({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001f667e0, ...)
    /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:51 +0x18e
github.com/cilium/cilium/pkg/k8s.RuleTranslator.Translate({0xc001003580, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, {0xc008c15e00}, 0xc001905e60, 0x0, 0x1}, 0xc001c66750, ...)
    /go/src/github.com/cilium/cilium/pkg/k8s/rule_translate.go:33 +0x117
github.com/cilium/cilium/pkg/policy.(*Repository).TranslateRules(0xc0003f5490, {0x3440260, 0xc0025fd280})
    /go/src/github.com/cilium/cilium/pkg/policy/repository.go:627 +0x10b
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler.func1({0x0, {{0xc005bb63c0, 0xa}, {0xc005bb6378, 0x7}}, 0xc0015f0c80, 0x0, 0xc003165f50, 0xc001bc9c80})
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:586 +0xc9e
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).k8sServiceHandler(0xc001586d80)
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:623 +0x9f
created by github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).RunK8sServiceHandler
    /go/src/github.com/cilium/cilium/pkg/k8s/watchers/watcher.go:629 +0x56
```

This commit solves this situation by moving the IPCache allocation out of the k8s.RuleTranslator Translator implementation, thus moving the responsibility of updating the IPCache out of the translator. This removes the nested policyRepo -> ipcache locks in the translator. So, in situations like the one described, the translation no longer has a dependency on ipcache. Codepath 2 will be able to complete, releasing the policyRepo lock and allowing Codepath 1 to proceed.

Note: Rule translation prefixes are not used in other usages of k8s.RuleTranslator called from the endpoint watcher handler, so we don't have to add the same ipcache logic as in k8sServiceHandler.

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Reported-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
b9f3004 pkg/k8s: fix node update sync from k8s to kvstore [ upstream commit 062549799357504bb13ceb1e7854aef56ecf6130 ] This commit simplifies the synchronization between the k8s node and kvstore. The local node state has all the information up to date so whenever we want to update it to the KVStore, or re-push it to the CiliumNode CRD, we should use this information. Fixes: 01cbc595ad48 ("k8s: keep CiliumNode labels synced with Node object") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
f72d62b Coalesce of health endpoint CIDRs [ upstream commit 10f1193f887b11629c6c3bde4bc2f5bdc13c8358 ] Fixes: #18868. Multiple CIDRs are currently not coalesced for the health endpoint when setting up the corresponding routing tables. This results in orphaned routing entries that may conflict when IPs are reused for workload pods after an agent restart. Signed-off-by: Simone Sciarrati <s.sciarrati@gmail.com> Signed-off-by: Federico Hernandez <f@ederi.co> Signed-off-by: Jussi Maki <jussi@isovalent.com> 12 September 2022, 16:13:05 UTC
521f6e6 Update Go to 1.18.6 This version fixes a security issue in the net/http package. See the release notes [1] for more details [1] https://go.dev/doc/devel/release#go1.18.6 Signed-off-by: Tobias Klauser <tobias@cilium.io> 09 September 2022, 08:43:28 UTC
6511bda test: update k8s versions to the latest patched releases Also update k8s libraries to v0.24.4 Signed-off-by: André Martins <andre@cilium.io> 08 September 2022, 18:58:55 UTC
f67b975 Caveat Differences Between K8s and Cilium Network Policies [ upstream commit 2fe9888090cf9de72d5fca272bce9ea3e62f7075 ] K8s Network Policies do have functionality that Cilium lacks. These limitations should be documented for a variety of reasons. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
2eb2753 pkg/endpoint: set labels for local node from k8s events [ upstream commit 90f41f02d422c6913aceb99dfa75bb46af7f95c8 ] Not setting these labels in the local node can cause the node to be out-of-sync in the KVStore. When IPSec configuration changes, Cilium will propagate these changes into the KVStore by executing [1] which eventually calls [2]. If the node labels are not up to date, Cilium will never be able to have this information in the KVStore as it will always re-use the labels fetched when Cilium started. [1] https://github.com/cilium/cilium/blob/dc0f7aa7687bf37078bc3db93161e936efb9cb94/pkg/datapath/linux/ipsec/ipsec_linux.go#L698 [2] https://github.com/cilium/cilium/blob/9fd55dd7e849ee5edaf72d75d339213e10b97940/pkg/nodediscovery/nodediscovery.go#L247 Fixes: 8d0211c37537 ("pkg/identity: Watch and update labels for the host") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
4d912c3 pkg/nodediscovery: protect variable against concurrent access [ upstream commit b0f7b91bdaece8e54e52077206d0a0111cd6b3a8 ] This variable can be accessed concurrently since controllers run on a separate go routine. Using its mutex and performing a DeepCopy will help protect it against concurrent access. Fixes: e52fe1d59d1c ("nodediscovery: Make LocalNode object private") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
48a3f79 docs: Update ToServices docs section [ upstream commit 124357f3754b24f036d2cb1dd3febea485b1456d ] Update this section to highlight the limitation, improve wording, and remove future-looking statements. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
54aedb5 docs/contrib: Add extra guidance on large PRs [ upstream commit 0acee007c2718000b5f1e883306b9925f8c0ea0d ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
690b615 docs/contrib: Update hat duties guide [ upstream commit 5092e14fe22c08203062c9d843ef57786b604546 ] The three hats were combined into the "top" hat some time back. Update these instructions to reflect the single duty. Most notably, we changed from having the tophat own backport PRs beyond their assigned week to instead handing the backport PRs over to the next tophat to resolve and merge (subject to negotiation with the subsequent hatter) Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
07dd6c9 docs/contrib: Add suggestions for review focus [ upstream commit ffd0db59f1eaa8be25a898042b930c0cfd2a0356 ] This is just documenting a process that we have used regularly during Cilium development over the past years. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
58ddb39 docs/contrib: Improve paragraph formatting [ upstream commit cf343d5bc1805eb1ad9ceafe795139acdb83e202 ] The contributors' guide was using ordered lists in places where they don't make sense or don't format correctly. Shuffle the formatting a bit to more clearly denote where things are intended as an ordered list of tasks or just a general description of how the process works. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
ba7463a docs/ci: Update triage steps for current practice [ upstream commit e5e801a66813f2ee6ad482215b4a48aeb90e8aac ] We use the "#testing" channel on Slack to coordinate testing issues, and we no longer use the CI triage project to track flakes. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
bd0414c docs/ci: Fix triage link location [ upstream commit 449cbb962e01f0416364eb84c6b77b0ff2432659 ] This link was pointing to jobs rather than the triage step, which is what other parts of the docs are referring to when they link to this section. Move the link to point to the correct title. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
235b6d2 helm: Add check for apparmor annotations [ upstream commit 5b8f0925ae6a3527dffc5a0160c37640d7587a67 ] These two initContainers might be optional based on some conditions, so it is better to guard apparmor annotations with the same condition. Fixes: #21007 Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
cb7728a clustermesh-apiserver: fix key name for delete during k8s->kvstore sync [ upstream commit af2dc7494f536e91c611e5212811dc75602b3356 ] The handler which synchronizes CiliumNodes from k8s to the KV store includes the cluster name in the update operation but not the delete operation. This might lead to nodes not being correctly deleted from the KV store when they disappear. Follows commit 0ea6cba801d4 ("operator: fix key name for delete during k8s->kvstore sync") which did the same for the operator. Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
a298057 Do not enable health checks on Terminating backends [ upstream commit c462868b82a0d0019fb45d40440329a362dde90d ] Previously cilium-agent did not switch off the health check server if only Terminating Endpoints are present on a Node with trafficPolicy: Local Service. Fixes: #21061 Signed-off-by: Andrey Klimentyev <andrey.klimentyev@flant.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
15ed2cb add kvstore TTL flag in cilium-operator [ upstream commit e5b902054b6036bdff625828810051473b2d5390 ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
9b4f631 pkg/endpoint: change CEP policy status message [ upstream commit ca023707153d26e1a548ee94c48a43ef6db2c937 ] To make it clear to users that only the status of the policy enforcement is not enabled this commit changes the message wording from "disabled" to "<status disabled>". Fixes: 5452034199d2 ("kubectl get cep returns empty columns of policies statuses") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
bfa10aa datapath: avoid delete/add flap for cilium_vxlan on startup [ upstream commit f4942353a58939ce076835f856152515019f63a6 ] In a configuration with EgressGW and direct-routing, cilium still uses a cilium_vxlan interface to transport the EgressGW traffic between source nodes and Gateway nodes. If no --tunnel-port is configured we stick to the default value (0) instead of using the VXLAN default port (8472), and when bpf/init.sh later tries to create the interface with port 0 the kernel simply falls back to using port 8472 instead. But if cilium_vxlan already exists from a previous run, the corresponding check in bpf/init.sh fails (as we look for dstport 0, but find cilium_vxlan with dstport 8472). So we delete the interface, just to add it again in the same effective configuration. Avoid the overhead (and flapping ifindex) by initializing c.TunnelPort with the VXLAN port, even when the user didn't select tunneling mode. Fixes: 030077272e9c ("datapath: Add a flag to set VXLAN and Geneve ports") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Glib Smaga <code@gsmaga.com> 06 September 2022, 07:49:29 UTC
3b66de7 Update wrk2 repository It's been moved to quay.io/isovalent-dev/wrk2. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 02 September 2022, 19:05:21 UTC
da8a59f build(deps): bump github/codeql-action from 2.1.21 to 2.1.22 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.21 to 2.1.22.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/c7f292ea4f542c473194b33813ccd4c207a6c725...b398f525a5587552e573b247ac661067fafa920b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com> 01 September 2022, 15:13:08 UTC
a770aec build(deps): bump github/codeql-action from 2.1.20 to 2.1.21 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.20 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/7fee4ca032ac341c12486c4c06822c5221c76533...c7f292ea4f542c473194b33813ccd4c207a6c725)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com> 29 August 2022, 09:31:36 UTC
4260f47 build(deps): bump actions/cache from 3.0.7 to 3.0.8 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/a7c34adf76222e77931dedbf4a45b2e4648ced19...fd5de65bc895cf536527842281bea11763fefd77)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 22:16:05 UTC
4c8af7c pkg/identity: fix identity garbage collection in clustermesh Since the identity.MinimalAllocationIdentity and identity.MaximumAllocationIdentity variables are initialized before the option.Config.ClusterID is set, their values will be 256 and 65535 respectively. This will prevent Cilium Operator from garbage collecting identities in the clusters, in a clustermesh environment, where their cluster-id is not 0. Fixes: bb6ad22f14a0 ("operator: fix identity GC collection") Signed-off-by: André Martins <andre@cilium.io> 24 August 2022, 16:48:01 UTC
0f435b7 pkg/identity: refactor function to set min and max identities This will allow initializing the MinimalAllocationIdentity and MaximumAllocationIdentity without executing InitWellKnownIdentities. Signed-off-by: André Martins <andre@cilium.io> 24 August 2022, 16:48:01 UTC
e9f8d21 build(deps): bump 8398a7/action-slack from 3.13.0 to 3.13.2 Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.13.0 to 3.13.2. - [Release notes](https://github.com/8398a7/action-slack/releases) - [Commits](https://github.com/8398a7/action-slack/compare/a74b761b4089b5d730d813fbedcd2ec5d394f3af...22048831299719d772f51719ca7384e34b4cc61d) --- updated-dependencies: - dependency-name: 8398a7/action-slack dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 11:17:17 UTC
f4ec972 build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.2.1 to 3.3.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/84cbf8094393cdc5fe1fe1671ff2647332956b1a...268d8c0ca0432bb2cf416faae41297df9d262d7f) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 24 August 2022, 09:55:01 UTC
612f3d7 spanstat: fix flaky test case. [ upstream commit 8ce927aa08c847a8c1d76d4df00282f0af3f4167 ] This test case fails often when running this test. Add a small sleep duration to ensure that the second measure can be identified as distinct from the first. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
de53d5d metrics: fix ts_events API timestamp and scope label cardinality. [ upstream commit 1cc489d9617b9804b7e94457c5323952b904a899 ] A regression caused the ts_events gauge to be scoped with the URL path including URL parameters, causing high-cardinality metrics. This fixes that to follow the same scoping as the API metrics middleware histogram metrics. It also fixes ts_events metrics only ever being reported as 0, and adds a unit test for the metrics middleware. Fixes: #20967 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
bc6700e gh/workflows: stop using ubuntu-18.04 runner [ upstream commit 05091f874fcd24e036ff1712c62a89e60c64174d ] The ubuntu-18.04 runner is deprecated, and GH has introduced brownouts so that users start to migrate. Move on to ubuntu-20.04. See https://github.com/actions/runner-images/issues/6002 Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
7e90b13 docs: Add eCHO episode 8: Exploring the Cilium CLI [ upstream commit 6aaa55e4effc4b61c48f1f5988834df97bcf94f7 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
5c02291 document all available options for annotations in ingress implementation [ upstream commit 720803f1c3c1daa243b30a047303c7e04ef0823a ] Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
7b0a78a don't merge stderr into iptable stdout [ upstream commit c8d5d28ae30f5a4de666581b6c37c4c182da45c6 ] runProgCombinedOutput merges stdout and stderr of iptables into a single string and parses iptables rules out of it. But stderr never contains rules, only warnings/errors. For example, stderr can be "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them" This commit changes it to use exec.Output and merges stderr into err. Fixes: #20894 Signed-off-by: Yuan Liu <liuyuan@google.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
b6a54f1 docs: Add talks to reference further reading [ upstream commit 6117e7ed2ddc4e9e690fd8522138abf233174181 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
05efc85 docs: Add eCHO episode 8: Exploring the Cilium CLI [ upstream commit 6aaa55e4effc4b61c48f1f5988834df97bcf94f7 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
b0b47fe docs: add KubeCon talk on Better Bandwidth Management [ upstream commit 1c0589e1a31198d1e128c901292fe0c7e1d74acc ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
d32e5e3 docs: Add AWS VPC CNI to Cilium migration video [ upstream commit 8804f7f813a4f2a3be777ebced8d823960d8f6d2 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
0196ecd docs: add eCHO Episode 40 [ upstream commit f0ed135f65c932e917b0c30c6f9face2ad9110f1 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
afe1770 docs: add eCHO episode 39 [ upstream commit 61c302790872f602e1831d4c3782a8e06acacbdf ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
ed41090 docs: Add known Argo CD issues to docs [ upstream commit e295f1f8d220ebb552237700486988882356a769 ] Signed-off-by: Divine Odazie <dodazie@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
0a83ad2 pkg/endpoint: set namedPortsGetter interface on ParseEndpoint [ upstream commit 7eb68cb0270443e8dc682ef83487ace126f3cbeb ] When restoring endpoints from the state directory we need to also initialize their internal "getters" as they will not be initialized on restore. This prevents Cilium from crashing upon initialization when a CNP with a named port is available on the cluster. ``` goroutine 827 [running]: github.com/cilium/cilium/pkg/endpoint.(*Endpoint).GetNamedPortLocked(0xc00024a000, 0x50?, {0xc000ba1cd0, 0x9}, 0xc0?) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:68 +0x4f github.com/cilium/cilium/pkg/policy.(*L4Filter).ToMapState(0xc001080000, {0x3434870, 0xc00024a000}, 0x1) /go/src/github.com/cilium/cilium/pkg/policy/l4.go:345 +0x2c3 github.com/cilium/cilium/pkg/policy.(*EndpointPolicy).computeDirectionL4PolicyMapEntries(0xc0019e8540, 0xc0019e8540?, 0xc0019e80d8?, 0x40?) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:171 +0xba github.com/cilium/cilium/pkg/policy.(*EndpointPolicy).computeDesiredL4PolicyMapEntries(0xc0019e8540) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:164 +0x56 github.com/cilium/cilium/pkg/policy.(*selectorPolicy).DistillPolicy(0xc000d180c0, {0x3434870?, 0xc00024a000}, 0x0) /go/src/github.com/cilium/cilium/pkg/policy/resolve.go:141 +0x105 github.com/cilium/cilium/pkg/policy.(*cachedSelectorPolicy).Consume(0xc000123770?, {0x3434870?, 0xc00024a000?}) /go/src/github.com/cilium/cilium/pkg/policy/distillery.go:202 +0x35 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regeneratePolicy(0xc00024a000) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:234 +0x3f7 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).runPreCompilationSteps(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:814 +0x2c5 github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerateBPF(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/bpf.go:584 +0x189 
github.com/cilium/cilium/pkg/endpoint.(*Endpoint).regenerate(0xc00024a000, 0xc000399400) /go/src/github.com/cilium/cilium/pkg/endpoint/policy.go:398 +0x7a5 github.com/cilium/cilium/pkg/endpoint.(*EndpointRegenerationEvent).Handle(0xc0014a2b70, 0x29fef80?) /go/src/github.com/cilium/cilium/pkg/endpoint/events.go:53 +0x325 ``` Example of such CNP: ``` apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: namespace: cilium-test name: client-egress-to-echo-deny-named-port spec: endpointSelector: matchLabels: kind: client egressDeny: - toPorts: - ports: - port: "http-8080" protocol: TCP toEndpoints: - matchLabels: io.kubernetes.pod.namespace: cilium-test kind: echo ``` Fixes: 6e7e9468be4b ("endpoint: Remove references to global ipcache") Reported-by: Tam Mach <tam.mach@isovalent.com> Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
481d6cc k8s/watchers: fix panic in CiliumEndpoint labels update [ upstream commit c8b6d2eb82c067403d0d9dad255d6e74e847008c ] Cilium agent would panic if the associated k8s pod of a CiliumEndpoint is nil: panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x2154821] goroutine 1499073313 [running]: github.com/cilium/cilium/pkg/k8s/watchers.updateCiliumEndpointLabels.func1(0x2f1c050, 0xc0346c6a40, 0x428e6e0, 0x455600) /go/src/github.com/cilium/cilium/pkg/k8s/watchers/pod.go:483 +0x341 github.com/cilium/cilium/pkg/controller.(*Controller).runController(0xc0299d3d40) /go/src/github.com/cilium/cilium/pkg/controller/controller.go:217 +0xb29 created by github.com/cilium/cilium/pkg/controller.(*Manager).updateController /go/src/github.com/cilium/cilium/pkg/controller/manager.go:122 +0xbd2 This patch adds a check for the pod. Fixes: 732188fb47b2 ("pkg/k8s: mirror parent pod labels to cilium endpoints") Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 24 August 2022, 00:48:32 UTC
cf2ec85 build(deps): bump github/codeql-action from 2.1.19 to 2.1.20 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.19 to 2.1.20. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f5d217be74900c6ac8fbbe53f3c10376ba4e64da...7fee4ca032ac341c12486c4c06822c5221c76533) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 22 August 2022, 21:54:00 UTC
a7675d1 Fix typos in FQDN semaphore metric enablement. [ upstream commit 2a1c607b879bc98022cbc8b491c837166de9c54a ] Signed-off-by: Rahul Joshi <rkjoshi@google.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
0818807 ipsec: Fix incorrect parsing of SPI from mark [ upstream commit dc0f7aa7687bf37078bc3db93161e936efb9cb94 ] Commit b2331289c70 introduced helpers to set and retrieve the SPI from the XFRM mark. The SPI number is encoded into 4 bits at positions 12-15 (LSB first). However, function ipSecXfrmMarkGetSPI extracts 8 bits at positions 12-19 instead of 4. This commit fixes it. This bug would only have an impact if some other software used the 4 upper bits; no such case is currently known. Fixes: b2331289c70 ("ipsec: add ipSecXfrmMark{Set,Get}SPI helpers") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
b986246 docs: Switch to our own fork of sphinxcontrib-openapi [ upstream commit 4f893e8d3e0fa7e3a5204d3ccf132a2d2eaf530f ] Sphinxcontrib-openapi relies on m2r. But m2r is unmaintained [0]. It relies on mistune, but is not compatible with mistune versions >= 2.0 [1]. This makes it impossible to update mistune, even though there is a CVE in the old versions of the package [2]. Switch to sphinx-mdinclude instead. There is also m2r2, but it is not a suitable alternative because they simply force the use of an older mistune version [3]. [0] https://github.com/sphinx-contrib/openapi/issues/123 [1] https://github.com/miyakogi/m2r/issues/66 [2] https://github.com/advisories/GHSA-fw3v-x4f2-v673 [3] https://github.com/CrossNox/m2r2/pull/43 Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
d364d76 docs(bandwidth-manager): add note on per-pod limits [ upstream commit 0fdd2908550e8ed10b12d75b87eaec32cbdef985 ] Signed-off-by: Raphaël Pinson <raphael@isovalent.com> Co-authored-by: Paul Chaignon <paul@cilium.io> Co-authored-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
32ce957 docs: Apply crd schema update to local tree [ upstream commit 13d6778802281c954f9de0ba18fbf6d3d943fe8b ] During the release process, we occasionally execute the latest version of this script from one path in the filesystem, expecting the changes to apply within the current directory for an older branch. Update the script to ensure that any files updated in-place are updated in the local directory, not the directory where the script is invoked from. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
91c4d68 docs: Ignore newlines in crd compat file listing [ upstream commit 5cdc987ce3743756e20f8e34c443d69823b111ba ] This should fix an issue where the commands wrap multiple lines and hence can't be copy/pasted correctly. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
0ffd9a7 docs: Set -e in crd compat script [ upstream commit 03fd6cbc9d421d610850d119258f3a016f13b1ca ] This script seemed to be missing the option to enable failing out on errors, so add it in to prevent silently ignoring issues. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
982863b docs: Added `Default` column in metrics details [ upstream commit 1133bd5d30b55049a74414a3fb369926e1cb1d7c ] This commit adds a new column `Default` to metrics details which distinguishes if the metric is enabled by default or not. Fixes: #20235 Signed-off-by: Anurag Aggarwal <kanurag94@gmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
83797ae kubectl get cep returns empty columns of policies statuses [ upstream commit 5452034199d271bdd5ae181c6c4caa8d02356ee8 ] This patch sets "disabled" for the fields INGRESS ENFORCEMENT, EGRESS ENFORCEMENT, VISIBILITY POLICY if Cilium runs with --endpoint-status disabled. $ kubectl get cep NAME ENDPOINT ID IDENTITY ID INGRESS ENFORCEMENT EGRESS ENFORCEMENT VISIBILITY POLICY ENDPOINT STATE IPV4 IPV6 deathstar-f694cf746-f2tf4 1239 28002 disabled disabled disabled ready 10.11.0.52 fd04::6e90 deathstar-f694cf746-gnrg6 3603 28002 disabled disabled disabled ready 10.11.0.78 fd04::6dd9 tiefighter 810 35802 disabled disabled disabled ready 10.11.0.72 fd04::3ccb xwing 1629 58767 disabled disabled disabled ready 10.11.0.136 fd04::bc93 56 58767 Status N.A. Status N.A. Status N.A. ready 10.11.0.53 fd04::d70d Fixes: #17880 Signed-off-by: Roman Ptitcyn <romanspb@yahoo.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
dacb945 docs: Document existing FQDN metrics [ upstream commit 7dae6aa81a30ed27408a71794cd476dfc50c5efc ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
64c60f5 docs: Add enabled by default column to FQDN metrics [ upstream commit fa4e8a1047637b3b60c5433bb9093a4f7ac997a2 ] This will make it easier to see which metrics are enabled by default and which ones the user must configure Cilium manually to enable. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
aeb18a6 docs: Fix typo in FQDN metric name [ upstream commit f44e7ec3a04fae002423754da2150c44761d56d2 ] Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:35:22 UTC
9c9fba5 operator: fix key name for delete during k8s->kvstore sync [ upstream commit 0ea6cba801d482d70ef24678641e2a488381ff3a ] The handler which synchronizes CiliumNodes from k8s to the KV store includes the cluster name in the update operation but not the delete operation. This might lead to nodes not being correctly deleted from the KV store when they disappear. Signed-off-by: Tobias Klauser <tobias@cilium.io> 22 August 2022, 14:16:38 UTC
86a67bf build(deps): bump github/codeql-action from 2.1.18 to 2.1.19 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.18 to 2.1.19. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2ca79b6fa8d3ec278944088b4aa5f46912db5d63...f5d217be74900c6ac8fbbe53f3c10376ba4e64da) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 19 August 2022, 15:08:42 UTC
b7d6e8c install: Update image digests for v1.12.1 Generated from https://github.com/cilium/cilium/actions/runs/2869795287. `docker.io/cilium/cilium:v1.12.1@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b` `quay.io/cilium/cilium:v1.12.1@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b` `docker.io/cilium/cilium:stable@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b` `quay.io/cilium/cilium:stable@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b` `docker.io/cilium/clustermesh-apiserver:v1.12.1@sha256:c80a8d6ffdf7cab4699441496f628a09a31d0300e623cadb2837c86fa368c02f` `quay.io/cilium/clustermesh-apiserver:v1.12.1@sha256:c80a8d6ffdf7cab4699441496f628a09a31d0300e623cadb2837c86fa368c02f` `docker.io/cilium/clustermesh-apiserver:stable@sha256:c80a8d6ffdf7cab4699441496f628a09a31d0300e623cadb2837c86fa368c02f` `quay.io/cilium/clustermesh-apiserver:stable@sha256:c80a8d6ffdf7cab4699441496f628a09a31d0300e623cadb2837c86fa368c02f` `docker.io/cilium/docker-plugin:v1.12.1@sha256:cb30dd4f9942fc86f2e65a837d331656d1ece9163680bc36d970a729976ce13a` `quay.io/cilium/docker-plugin:v1.12.1@sha256:cb30dd4f9942fc86f2e65a837d331656d1ece9163680bc36d970a729976ce13a` `docker.io/cilium/docker-plugin:stable@sha256:cb30dd4f9942fc86f2e65a837d331656d1ece9163680bc36d970a729976ce13a` `quay.io/cilium/docker-plugin:stable@sha256:cb30dd4f9942fc86f2e65a837d331656d1ece9163680bc36d970a729976ce13a` `docker.io/cilium/hubble-relay:v1.12.1@sha256:646582b22bf41ad29dd7739b12aae77455ee5757b9ee087f2d45d684afef5fa1` `quay.io/cilium/hubble-relay:v1.12.1@sha256:646582b22bf41ad29dd7739b12aae77455ee5757b9ee087f2d45d684afef5fa1` `docker.io/cilium/hubble-relay:stable@sha256:646582b22bf41ad29dd7739b12aae77455ee5757b9ee087f2d45d684afef5fa1` `quay.io/cilium/hubble-relay:stable@sha256:646582b22bf41ad29dd7739b12aae77455ee5757b9ee087f2d45d684afef5fa1` 
`docker.io/cilium/operator-alibabacloud:v1.12.1@sha256:a5ae07d5866c3299f6ff2d00634fa500b911fe2629dcabfcd119026aa8062b58` `quay.io/cilium/operator-alibabacloud:v1.12.1@sha256:a5ae07d5866c3299f6ff2d00634fa500b911fe2629dcabfcd119026aa8062b58` `docker.io/cilium/operator-alibabacloud:stable@sha256:a5ae07d5866c3299f6ff2d00634fa500b911fe2629dcabfcd119026aa8062b58` `quay.io/cilium/operator-alibabacloud:stable@sha256:a5ae07d5866c3299f6ff2d00634fa500b911fe2629dcabfcd119026aa8062b58` `docker.io/cilium/operator-aws:v1.12.1@sha256:cbd07141fb2c6ef172b3241d4cf3edac21922959b9325ef1f2d12d9f67e13ea3` `quay.io/cilium/operator-aws:v1.12.1@sha256:cbd07141fb2c6ef172b3241d4cf3edac21922959b9325ef1f2d12d9f67e13ea3` `docker.io/cilium/operator-aws:stable@sha256:cbd07141fb2c6ef172b3241d4cf3edac21922959b9325ef1f2d12d9f67e13ea3` `quay.io/cilium/operator-aws:stable@sha256:cbd07141fb2c6ef172b3241d4cf3edac21922959b9325ef1f2d12d9f67e13ea3` `docker.io/cilium/operator-azure:v1.12.1@sha256:73f3ecfc331a3bd3017017492489c45979cf43103d61c6eb6af1662e28e499ac` `quay.io/cilium/operator-azure:v1.12.1@sha256:73f3ecfc331a3bd3017017492489c45979cf43103d61c6eb6af1662e28e499ac` `docker.io/cilium/operator-azure:stable@sha256:73f3ecfc331a3bd3017017492489c45979cf43103d61c6eb6af1662e28e499ac` `quay.io/cilium/operator-azure:stable@sha256:73f3ecfc331a3bd3017017492489c45979cf43103d61c6eb6af1662e28e499ac` `docker.io/cilium/operator-generic:v1.12.1@sha256:93d5aaeda37d59e6c4325ff05030d7b48fabde6576478e3fdbfb9bb4a68ec4a1` `quay.io/cilium/operator-generic:v1.12.1@sha256:93d5aaeda37d59e6c4325ff05030d7b48fabde6576478e3fdbfb9bb4a68ec4a1` `docker.io/cilium/operator-generic:stable@sha256:93d5aaeda37d59e6c4325ff05030d7b48fabde6576478e3fdbfb9bb4a68ec4a1` `quay.io/cilium/operator-generic:stable@sha256:93d5aaeda37d59e6c4325ff05030d7b48fabde6576478e3fdbfb9bb4a68ec4a1` `docker.io/cilium/operator:v1.12.1@sha256:137be4e4b293558e763648b8242f3d351a3edf3709c8362a62a998487e32cf82` 
`quay.io/cilium/operator:v1.12.1@sha256:137be4e4b293558e763648b8242f3d351a3edf3709c8362a62a998487e32cf82` `docker.io/cilium/operator:stable@sha256:137be4e4b293558e763648b8242f3d351a3edf3709c8362a62a998487e32cf82` `quay.io/cilium/operator:stable@sha256:137be4e4b293558e763648b8242f3d351a3edf3709c8362a62a998487e32cf82` Signed-off-by: Joe Stringer <joe@cilium.io> 16 August 2022, 18:09:32 UTC
cf8932e test: Switch to kindest/node:v1.24.3 See [1] and [2] for motivation. [1]: https://github.com/cilium/cilium/pull/20682 [2]: https://github.com/cilium/cilium/pull/20834 Signed-off-by: Martynas Pumputis <m@lambda.lt> 16 August 2022, 13:00:59 UTC
4c9a630 Prepare for release v1.12.1 Signed-off-by: Joe Stringer <joe@cilium.io> 16 August 2022, 00:11:16 UTC
fe49b55 iptables: skip NOTRACK rules deletion [ upstream commit 4bd2478db37a6859c57372dcc97ac43922d26e90 ] The Iptables version shipped with Cilium (1.8.4) does not fully support the iptables-legacy - nft translation of NOTRACK rules, which in turn causes the agent to crash whenever it tries to delete any old/backup ruleset. This commit introduces a workaround for this by ignoring the `-j NOTRACK` and `-j CT --notrack` rules when deleting all rules belonging to an old/backup ruleset. This is not an issue (although it's not optimal) as eventually the agent will just flush and remove all the Cilium managed Iptables chains. Fixes: #20714 Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 15 August 2022, 16:58:28 UTC
5420f5c ipcache/kvstore: fix panic when processing ip=<nil> entries [ upstream commit 630b219cb229c91d61c928f8927b0471ee32b874 ] This problem was introduced in 6cbf5daf46d, which results in a "nil pointer dereference" panic. Signed-off-by: ArthurChiao <arthurchiao@hotmail.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
354f751 cilium-health: fix probing for IPv6-only clusters [ upstream commit 862e191b3574e4a7c5d2046d28d980c163b50a6f ] Due to some refactoring done in ed934cb958c5, a bug was introduced in the code that overwrote the IP address used to perform health checks. In IPv6-only clusters, this IP address was overwritten by an empty IPv4 address which would then be used to perform health checks. Obviously failing to perform such health checks since the address was "<nil>", Cilium would report that `cilium-health-ep` controllers were failing. Fixes: ed934cb958c5 ("health: Move endpoint IP to node package") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
641b3af helm: Refer to the correct Helm value [ upstream commit 07ea75249f682e1224d0e68c27d2dddaeac07b81 ] The operator deployment template was incorrectly referring to dnsPolicy instead of operator.dnsPolicy. Fixes: 307df356c2 ("helm: Make DNS policy for agent and operator configurable") Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
c7e493a docs: Clarify identity table for reserved identities [ upstream commit c59864a83658993ececfb4d080e29779880154d6 ] Reserved identities take up the first 255 values (per pkg/identity/numericidentity.go), as already described in this document. Add these to the table for completeness. I didn't bother to fully explain this point for clustermesh but in practice this range (0x00xx0001->0x00xx00FF) is reserved in each cluster. These are not synchronized across all clusters. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
9744b0e gh/workflows: Do not disable IPv6 in the LB-only suite [ upstream commit e6bc8ec74cabd9589a708dc130d944f36c9c9d87 ] Enabling allows us to check whether the LB-only program with the IPv6 processing parts can be accepted by the BPF verifier. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
eab9c90 ingress: add websockets configuration [ upstream commit 234f9a8878fc87b736c7acf674a1a25a542d44fb ] Some popular web software (e.g. Jupyterhub, Home Assistant) requires websocket support from the ingress. This commit provides an annotation to enable this support in Envoy. It is enabled by default to be in line with other popular Ingress implementations (Traefik, ingress-nginx). Fixes: #20427 Signed-off-by: Nikhil Jha <hi@nikhiljha.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
beda2c1 pkg/netns: Expand godoc on ReplaceNetNSWithName [ upstream commit 8940bf0c4ba29b8d618f4d5e5d647ba7f5db8ed2 ] It is useful to have an example usage of how ReplaceNetNSWithName() is typically used so developers don't have to research how to use network namespaces in Go again. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
a426a8c daemon/cmd: Add new privileged test suite [ upstream commit a0c0732eb380108d12702ffd7935edf8402edb72 ] This test suite can be used to unit test the daemon code under daemon/cmd/daemon.go. As a first attempt, sanity check tests for removing old router (cilium_host) state have been added. This is intended not to be exhaustive for now. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
b0541a2 pkg/datapath/loader: Export SetupBaseDevice [ upstream commit 205810f2785ec09f149251ec827a880ff7560e26 ] This is useful for the upcoming new privileged daemon test suite. Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
364764f daemon/cmd: Fix complaint about nil IP address on restore of cilium_host [ upstream commit 08205dde0f6dad5cfaf18a947d17e7c67f60cbcc ] Previously, the msg "Failed to remove old router IPs (restored IP: <nil>) from cilium_host. Manual intervention is required to remove all other old IPs." would pollute the logs for no good reason. This commit prevents this log from being printed by avoiding the condition. The condition is when the cilium_host device has been removed and there are no IPs detected to restore. The following commit will add unit tests to verify this behavior. Fixes: fcd00390c30 ("daemon, node: Remove old, discarded router IPs from `cilium_host`") Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
e1c497f ipvlan: clean up leftovers in setupBaseDevice() [ upstream commit 9ef7f24103aef25264e2f51748eaec8f35f16a8f ] Commit c3adaec9dc06a68 removed IPVLAN code; clean up setupBaseDevice(). Found this through https://github.com/cilium/cilium/issues/20603; I don't think the setupBaseDevice() IPVLAN leftover code is related to that issue. Signed-off-by: Vincent Li <v.li@f5.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> 12 August 2022, 18:46:31 UTC
2494ce4 k8s: Filter out cilium owned from pod labels This commit is to make sure that any Cilium-owned labels (i.e. prefixed by io.cilium.k8s.*) are filtered out if present in pod labels. The main reason is to prevent any malicious injection of cilium labels especially io.cilium.k8s.namespace.labels.*. Test Application ```yaml --- apiVersion: apps/v1 kind: Deployment metadata: labels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot name: netshoot spec: selector: matchLabels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot replicas: 1 template: metadata: labels: io.cilium.k8s.namespace.labels.foo.bar/baz: malicious-pod-level-override io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name: kube-system io.cilium.k8s.policy.cluster: minikube-bad io.cilium.k8s.policy.serviceaccount: root io.cilium.k8s.namespace.labels.random: foo app: netshoot spec: containers: - name: netshoot args: - sleep - infinity image: nicolaka/netshoot:latest ``` Before: ``` 31978 k8s:app=netshoot k8s:io.cilium.k8s.namespace.labels.foo.bar/baz=malicious-pod-level-override k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default k8s:io.cilium.k8s.namespace.labels.random=foo k8s:io.cilium.k8s.policy.cluster=default k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default ``` After: ``` 768 k8s:app=netshoot k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default k8s:io.cilium.k8s.policy.cluster=default k8s:io.cilium.k8s.policy.serviceaccount=default k8s:io.kubernetes.pod.namespace=default ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
0a26852 k8s: Add unit test for GetPodMetadata labels Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
7066e2c k8s: Add cilium Label prefix This commit is to add const for io.cilium.k8s. Signed-off-by: Tam Mach <tam.mach@cilium.io> 11 August 2022, 23:50:28 UTC
cee2229 build(deps): bump actions/cache from 3.0.6 to 3.0.7 Bumps [actions/cache](https://github.com/actions/cache) from 3.0.6 to 3.0.7. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/f4278025ab0f432ce369118909e46deec636f50c...a7c34adf76222e77931dedbf4a45b2e4648ced19) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 11 August 2022, 17:58:06 UTC
649e1f0 ipcache: Fix lock leak [ upstream commit 9238841856546e250ce919b59534a525f24a6903 ] Commit 40e13ea2a5a9 ("ipcache: Fix race in identity/ipcache release") unintentionally took the lock on the IPCache and failed to release it if the loop returned in the middle. This case is a bit unusual given that allocation fails in this case. Fix it. Found by inspection. Fixes: 40e13ea2a5a9 ("ipcache: Fix race in identity/ipcache release") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
0b12ed3 tests: Small extension to nat46x64 test suite to check maglev content [ upstream commit e0c07f3d10dc47c09d95aecdb4eb28307ecabc94 ] Small assertion that Maglev BPF map in both NAT46 and NAT64 is empty for the IPv4 case and populated for IPv6. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
dccbd68 bugtool: Add maglev map list to bugtool dump [ upstream commit 2d27cc5547e2552ffc8914f53e90cad5057475c7 ] Useful for debugging state of the maglev table. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
30bffc0 maglev: Don't populate v4 inner table upon nat46 service [ upstream commit c1932b072f525ce6c409e7396ca2ef21c0294e9d ] [ backporter's notes: fixed `GetOrderedBackends` conflict in `lbmap.go` due to 3f1e808ee96e672f516fa891932f01eae9854e1b not having been backported to `v1.12`.]

The UpsertMaglevLookupTable() call to populate the inner table should be moved under the backendsOk boolean. For NAT46, populating the IPv4 table doesn't make sense since we redirect to the IPv6 datapath anyway, thus it is unnecessary memory overhead. The situation is analogous to the random backend selection - there we do not populate the backends for the svc map for NAT46 under v4 either.

Example:

  # cilium service list
  ID   Frontend     Service Type   Backend
  1    1.1.1.1:80   ExternalIPs    1 => [f00d::1]:80 (active)

  # cilium bpf lb list
  SERVICE ADDRESS   BACKEND ADDRESS (REVNAT_ID) (SLOT)
  [1.1.1.1]:80      [f00d::1]:80 (1) (1)
                    [::]:0 (1) (0) [ExternalIPs, 46x64]
  1.1.1.1:80        0.0.0.0:0 (1) (0) [ExternalIPs, 46x64]

Before:

  # cilium bpf lb maglev list
  SVC ID   LOOKUP TABLE
  [1]/v4   [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]]
  [1]/v6   [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]]

After:

  # cilium bpf lb maglev list
  SVC ID   LOOKUP TABLE
  [1]/v6   [1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [...]]

Also tested that restoration upon agent restart works.

Fixes: 9898cb6 ("cilium: Initial implementation of agent NAT46/64 handling") Co-authored-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
e53d75e fix k8s latency metrics label cardinality [ upstream commit 4ad5e94f0c0c99fee6ebcaf4bb2ab3933a17c7d0 ] The functionality provided by the finalURLTemplate is still used by Cilium to track the request latency for requests performed to Kubernetes. Until this is reverted upstream we will maintain this fork with this change so that we can still use the functionality provided by finalURLTemplate. This functionality prevents the explosion of label cardinality in prometheus metrics since it aggregates in a way that common URL requests will be reported as being the same. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
c62c7c6 fqdn: Upsert all identities to ipcache [ upstream commit e6ad7438357da93e5c5dbf823e71ae349adde61d ] Previously, the logic would only upsert identities into the IPCache if the identity was newly allocated. Logically this makes sense, as the relationship between a CIDR identity and the ipcache should be tightly coupled. However, we have observed in some user environments that ipcache entries may end up being removed from the datapath and the corresponding identity would remain allocated in userspace. As a result, the next time a DNS request arrives which intends to make use of that identity for subsequent connection attempts, it would not populate the ipcache with the identity, leading to packet loss on the connection allowed by ToFQDNs policy. In order to mitigate this issue, ensure that all identities used in DNS responses are populated into the datapath, and track a metric for any cases where this occurs for identities that we expect to already be present in the IPCache. This way, active issues should be mitigated, but we also still have a way to detect whether this mitigation is necessary and whether we need to further investigate the root cause of this issue. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
faefee7 ipcache: Fix race in identity/ipcache release [ upstream commit 40e13ea2a5a944a45761fc433c4c971536957f4b ]

Create a critical section for identity release + removal from ipcache. Otherwise, it's possible to trigger the following race condition:

  Goroutine 1                | Goroutine 2
  ---------------------------+--------------------------------------
  releaseCIDRIdentities()    | AllocateCIDRs()
  -> Release(..., id, ...)   |
                             | -> allocate(...)
                             | -> ipc.UpsertGeneratedIdentities(...)
  -> ipc.deleteLocked(...)   |

In this case, the expectation from Goroutine 2 is that a new identity is allocated and that identity is inserted into the ipcache, but the result is that the identity is allocated but the ipcache entry is missing. This is partly because the identity released in goroutine 1 is different from the newly allocated identity in goroutine 2, however goroutine 1 will delete the ipcache entry based on the prefix and not the identity. Therefore it's possible for goroutine 1 to delete the ipcache entry corresponding to the identity allocated in goroutine 2.

Note that for balancing the upsert / release, we perhaps should cover the entire allocation + ipcache push in Upsert() with the same locking. However, on upsert there is an optional feature of the API to defer the ipcache upsert to a later point, governed by the caller. There is currently no way to extend the locking over that much longer time period, so we only cover the allocation step there. This should still be safe, as one of the following cases should occur:

  Goroutine 1                | Goroutine 2
  ---------------------------+--------------------------------------
  Lock                       |
  Release()                  |
  deleteLocked()             |
  Unlock                     |
                             | Lock
                             | ipc.allocate()
                             | Unlock
                             | .... (repeat below)
                             | Lock
                             | Upsert
                             | Unlock

  Goroutine 1                | Goroutine 2
  ---------------------------+--------------------------------------
                             | Lock
                             | ipc.allocate() (increment refcount)
                             | Unlock
  Lock                       |
  Release()                  |
  (no deleteLocked() due     |
   to refcount from (2))     |
  Unlock                     |
                             | .... (repeat below)
                             | Lock
                             | Upsert
                             | Unlock

Found by code inspection. Suggested-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
f2a80cc ipcache: Add metrics for upsert/delete/recover [ upstream commit 044cd8f23cc531d7441127a15832c39fc43d159d ] These errors, total metrics will help users and developers to gather understanding about ipcache operations at runtime. One specific "recover" error that will occur at runtime will be measured in an upcoming commit. This is the primary motivation for introducing these metrics. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC
7e36e89 envoy: Bump envoy version to 1.21.5 [ upstream commit 3c4efc66a2f916ebe362e13722428c1500c3ac69 ] This new image digest is coming from below build. Also, I take this change to upgrade cilium/proxy in go.mod as well. https://github.com/cilium/proxy/runs/7656147038?check_suite_focus=true Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 11 August 2022, 09:18:34 UTC