Revision Author Date Message Commit Date
025fc0f docs: document the cluster name format Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32e7736 gha: configure extreme cluster names in conformance clustermesh To detect and prevent possible regressions causing valid names to not be correctly supported. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
32416d2 helm: formalize and validate cluster name format Describe the cluster name specifications, and mimic the same checks performed by the Cilium components, to provide early feedback in case the cluster name is invalid. To enable users to perform a smooth transition, helm validation can be skipped by setting upgradeCompatibility to 1.15 or earlier. In that case, Cilium components will still emit error logs to warn users in case the cluster name is invalid. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
e15911e clustermesh: validate remote cluster name Following the formalization of the cluster name format, let's additionally emit an error log when trying to connect to a cluster associated with an invalid name. Starting from v1.17, Cilium will reject connecting to a cluster with an invalid name. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
b1f10bc options: formalize and validate cluster name format Formally define and validate that a cluster name must respect the following constraints: * It must contain at most 32 characters; * It must begin and end with a lower case alphanumeric character; * It may contain lower case alphanumerics and dashes between; * The "default" name is reserved, and forbidden with ClusterID != 0. The specification almost matches the cluster name definition from the Kubernetes multi-cluster services API [1] (except for the shorter maximum length), and derives from the already implicit requirements due to the usage of the cluster name as: * a k8s label value [2] (for CiliumIdentities), * a hostname [3] when configuring the host aliases during clustermesh interconnection; * part of TLS certificates common name [4]. The goal of the explicit validation is to ensure that Cilium components fail to start with a clear error if the cluster name is invalid, rather than failing silently at a later stage. Given the above constraints, the vast majority of existing deployments are not expected to be affected by this change. Still, to enable users to perform a smooth transition, we currently only emit an error log in case of invalid cluster names. The cluster name format will start being strictly enforced starting from the Cilium version. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#proposal [2]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set [3]: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names [4]: https://stackoverflow.com/a/5142550 Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
c94af82 clustermesh, operator: slightly rework invoke function registration Directly register the target function, rather than creating a wrapper, both for simplicity, and to make a subsequent introduction of a new parameter in ClusterInfo.Validate transparent from this point of view. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 22:08:26 UTC
13d257f cilium, docs: Add performance profile recommendation Add a small summary to help guide users. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
4fda7ad cilium, docs: Add netkit section to performance doc Add a section on netkit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
073a772 cilium, netkit: Add Helm support Add bpf.datapathMode to Helm, so that netkit can be selected as alternative to veth. Example via Cilium CLI: ./cilium-cli install --wait --chart-directory=install/kubernetes/cilium --helm-set=hubble.eventBufferCapacity=65535 --helm-set=bpf.monitorAggregation=none --helm-set=cluster.name=default --nodes-without-cilium --helm-set-string=kubeProxyReplacement=true --set='' --helm-set=image.repository=localhost:5000/cilium/cilium-dev --helm-set=image.useDigest=false --helm-set=image.tag=local --helm-set=image.pullPolicy=IfNotPresent --helm-set=operator.image.repository=localhost:5000/cilium/operator --helm-set=operator.image.suffix="" --helm-set=operator.image.tag=local --helm-set=operator.image.pullPolicy=IfNotPresent --helm-set=operator.image.useDigest=false --helm-set-string=bpf.datapathMode=netkit --helm-set=ipv6.enabled=true --helm-set=tunnelProtocol=geneve Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
895e7f9 cilium, loader: Unify tcx and netkit detach methods Both just remove the link file, therefore create a common helper. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
fbddb07 cilium, status: Add datapath mode to status Dump the status for the used device mode into cilium status, so that this is picked up by the sysdump. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
bd6ca1f cilium, bpf: Handle local Pod redirect for netkit under host routing The programs we attach via tcx on the physical devices are using bpf_redirect_peer() for inbound traffic into netkit device. Similarly, we use bpf_redirect_neigh() for the way out, pushing from netkit peer to phys device directly. For local Pod-Pod on the same node, it is slightly different in that, as opposed to veth devices, we do not use bpf_redirect_peer() to go from ingress->ingress since we're on egress for the case of netkit. Thus egress->egress needs to use the regular bpf_redirect(). From a performance PoV there is no difference since both cases need to go via per-CPU backlog once. The detection whether we are on ingress or egress side is based on the ingress_ifindex. In case of netkit, it is set to 0 shortly before via skb scrubbing. In case of tcx at the ingress side it's set to the host facing veth (> 0). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
51da8e2 cilium, loader: Wire-up netkit support Add a similar loading mechanism as we recently got with tcx, but for netkit attachments. Given both utilize bpf_mprog underneath the API looks very similar. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
6895341 cilium, connector: Add netkit connector Add netkit support to Cilium. netkit is a new, minimal BPF-programmable device we presented at LSF/MM/BPF, LPC and KubeCons some time ago. The core idea is that BPF programs are executed within the driver's xmit routine and therefore e.g. in case of containers/Pods moving BPF processing closer to the source. One of the goals was that in case of Pod egress traffic, this allows moving BPF programs from hostns tcx ingress into the device itself, providing earlier drop or forward mechanisms, for example, if the BPF program determines that the skb must be sent out of the node, then a redirect to the physical device can take place directly without going through per-CPU backlog queue. This helps to shift processing for such traffic from softirq to process context, leading to better scheduling decisions/performance (see measurements in the slides). Going forward, we plan to use netkit devices in Cilium as the main device type for connecting Pods. They will be operated in L3 mode in order to simplify a Pod's neighbor management and the peer will operate in default drop mode, so that no traffic is leaving between the time when a Pod is brought up by the CNI plugin and programs attached by the agent. This PR supports both netkit operation modes with the L3 mode being the main/recommended one. Note: netkit in L3 mode has an all-zero mac, so the eth header has dst == src == zero mac, hence the tests for mac len in the template code as node mac is not needed/used. Also in L3 mode any ARP responder is compiled out as the Pod with netkit does not attempt to resolve mac addresses (it's a NOARP device). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20231024214904.29825-1-daniel@iogearbox.net Link: https://sched.co/1R2s5 07 June 2024, 22:00:37 UTC
5d7d6fd cilium, api: Extend daemon api for netkit mode Add netkit as well as netkit-l2 mode as another option next to veth. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 07 June 2024, 22:00:37 UTC
ce48c39 precheck: Avoid using unbounded io.ReadAll func Fixes: 48a9976a09015a0e411997780c8b260d59593071 Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 18:12:51 UTC
48a9976 bugtool: Add post-processing masking function for Envoy This commit is to explicitly mask the below fields from Envoy config dump: - api_key (used in kafka L7 policy) - TLSContext (used in Cilium NetworkPolicy) One round of scanning on existing Cilium protobuf was done. Related docs: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--config_dump Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
568dbc5 bugtool: Add json masking function This commit is to add a generic json field masking based on the field name. Signed-off-by: Tam Mach <tam.mach@cilium.io> 07 June 2024, 15:20:19 UTC
4dc5898 k8s: cegp: Use ipv4 as validation format for EgressIP Instead of relying on a regex based kubebuilder validation pattern, use the ipv4 format to validate EgressIP field in CEGP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
037623d egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP EgressIP field of CiliumEgressGatewayPolicy spec is optional, but if specified, it is used to SNAT egress traffic. Being an optional parameter, no error is logged in case the conversion to netip.Addr fails, and the field is silently ignored. To inform the user of the failure in setting the requested egress IP, fail the CEGP parsing in case of an invalid non-empty egress IP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 07 June 2024, 13:16:27 UTC
ec8e73a build(deps): bump tornado from 6.3.3 to 6.4.1 in /Documentation Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.3.3 to 6.4.1. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](https://github.com/tornadoweb/tornado/compare/v6.3.3...v6.4.1) --- updated-dependencies: - dependency-name: tornado dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> 07 June 2024, 13:01:19 UTC
f056579 loader: remove datapathSHA256 datapathSHA256 was added in commit a530ac0b70 ("loader: Hash datapath objects and store results"). It is fed into the endpoint / template hash to ensure that templates are recompiled when bundled source code changes. Since at least 48591d8f42 ("loader: simplify template cache invalidation") the endpoint program cache doesn't reuse results from an older / different cilium process. This means that we're always using the correct source code by construction. Remove datapathSHA256 and related machinery. In the process of refactoring it turns out that we swallow errors from WriteNodeConfig in hashDatapath, which has so far obscured failing tests. The comment that writing to an in-memory hash is correct, but misleading. WriteNodeConfig also returns errors when certain devices are missing. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 07 June 2024, 11:06:27 UTC
c52bee9 clustermesh: periodically enforce cluster config presence Currently, we only write the cluster configuration once, when the clustermesh-apiserver starts and when kvstoremesh connects to a remote cluster. However, the cluster configuration presence is critical, as otherwise remote clusters cannot connect to the given cluster. Hence, let's introduce a periodic enforcement mechanism (every 5 minutes), to ensure that it gets eventually restored in case of external modifications or deletions (e.g., if the associated lease unexpectedly expires). No changes are performed in the cilium operator, as the configuration is already periodically enforced there. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
70b592f clustermesh: add {Get,Set}ClusterConfig unit tests Add basic unit tests to ensure the correct functioning of the GetClusterConfig and SetClusterConfig functions. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
9c5ad72 clustermesh: define reduced clusterConfigBackend interface Instead of using the generic kvstore.Backend interface, make explicit the two methods which are actually used, and simplify mocking them out for testing purposes. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 07 June 2024, 10:49:45 UTC
6079830 chore: replace straight quotes with backticks for commands and functions Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> 07 June 2024, 10:43:18 UTC
99f8871 helm: Decouple sysctlfix from cgroup.autoMount Currently, the sysctlfix is only enabled when cgroup.autoMount is enabled which is not a directly-related feature. This dependency is introduced because the host procfs mount is only enabled when cgroup.autoMount is enabled. Due to this limitation, we recently observed the issue that disabling cgroup.autoMount in the environment that runs systemd 245+ causes a connectivity loss between nodes in tunnel mode due to the rp_filter. To fix the above issue, introduce a new configuration knob to enable/disable sysctlfix individually. It is enabled by default. Fixes: #20643 Co-authored-by: Nick Young <inocuo@gmail.com> Signed-off-by: Yutaro Hayakawa <yhayakawa3720@gmail.com> 07 June 2024, 09:13:53 UTC
8401331 ci: l4lb: Don't hang on gathering logs forever It doesn't make sense to pass `--follow` when the container is still running, this will hang forever and fail to complete the remaining steps in the workflow. Remove the follow flag. Fixes: 93927457779d ("ci: l4lb: gather more infos about docker-in-docker issues") Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 08:41:17 UTC
3c3e769 bpf: use tail calls to run host firewall in cil_to_host To tackle the complexity issue introduced by the previous commit in cil_to_host in the bpf_host program, use the already existing CILIUM_CALL_IPV{4,6}_TO_HOST_POLICY_ONLY tail calls to handle the enforcement of the ingress host firewall policies. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
ee10671 bpf: allow policy verdict notifications in bpf_host 300236c ("Add the datapath filtering for policy verdict logs.") introduced a mechanism to generate policy verdict logs only if an endpoint has a network policy enforced on the direction of the traffic, to reduce the number of allow events that otherwise would have been notified in case of default allow policies. Unfortunately this logic doesn't take into account the case where send_policy_verdict_notify is called from the bpf_host program (e.g. Host Firewall policies), as POLICY_VERDICT_LOG_FILTER is always set to 0 for that program, resulting in no policy verdicts being notified. This change tries to address this by ignoring the filter if send_policy_verdict_notify is evaluated in the context of bpf_host. Moreover, to prevent a flood of notifications, the ones for default allow policies are ignored. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 07 June 2024, 07:35:02 UTC
4853fb1 bpf: Use __align_stack_8 on IPv6 structs LLVM 18 doesn't align these structs to 8 by default, and our memcpy implementation fails to pass the verifier when applied to these structs, because the verifier requires stack access to be aligned. Align all affected structs. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
4420034 Remove the unused LPM_LOOKUP_FN macro Since commit 7628b19e7313 ("bpf, ipcache: unconditionally assume support for LPM trie maps"), LPM_LOOKUP_FN is only used in its own test. Remove the macro and the test, as it's not used in any actual code, and it causes verifier errors when upgrading to LLVM 18: the verifier can't track a pointer spilled to a map (a global variable). Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 07 June 2024, 07:33:31 UTC
26e15dc docs: Document stable release timing We've recently been trending towards a process that looks something like this, with, for instance, a target date of the 15th and a stable branch cutoff date a week prior, such as the 8th (or an earlier weekday if it falls on a weekend). Document this in general terms without making hard commitments to ship or not ship any specific change, subject to the discretion of the release team. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
acdd363 docs: Document feature release process Document the process that the Cilium release team typically follows around publishing prereleases and release candidates, and outline the expectations around feature freeze / thaw. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
9c36c72 docs: Remove unrelated paragraph for releases This paragraph doesn't make sense in context of releases, as release management is a task for maintainers / committers of the project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
fbb1e8a docs: Fix organization docs flow This page referred to GitHub projects being used for tracking upcoming work, but in general we don't have mechanisms in the project to reliably track work in this manner. The projects tooling we were using is also being deprecated in favor of a newer tool in GitHub, so the links etc. will stop working soon. We can always re-introduce that wording if we find a good way to maintain and manage such projects. Additionally, there are some minor wording improvements we can make to the release cadence to clarify the statements according to the way we manage releases as a project. Signed-off-by: Joe Stringer <joe@cilium.io> 07 June 2024, 02:56:57 UTC
df03e88 remove release scripts These scripts will only be available under github.com/cilium/release to avoid any confusion when performing releases. Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
129a200 remove unused files Signed-off-by: André Martins <andre@cilium.io> 07 June 2024, 01:47:19 UTC
55bf8fa Cleanup leftovers from node statuses in CNP/CCNP Fixes: #29590 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 06 June 2024, 19:25:24 UTC
4ee8ae5 bgp/configmap: remove unnecessary else statement Making BGP config-map settings similar to how the rest of the feature flags are deduced. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 06 June 2024, 19:24:40 UTC
c269031 iptables: Remove unneeded cell.Health param The cell.Health reporter is not needed anymore, since it is already provided to the job registered in the manager by the JobGroup. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 06 June 2024, 19:24:26 UTC
e1eb623 clustermesh: drop clustermesh/remoteCluster circular reference Currently, the remoteCluster struct holds a reference to the clustermesh object, leading to a sort of circular dependency. Let's simplify this by explicitly propagating only the necessary parameters, for improved separation and clarity. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 06 June 2024, 19:24:08 UTC
b43dd5f daemon: cleanup daemon fields This commit cleans up the fields from the daemon and daemonParams struct: - EgressGatewayManager (unused - removed from daemon and daemonParams) - HealthProvider (unused - removed from daemon and daemonParams) - DeviceManager (keep in daemonParams) - EndpointManager (set when initializing daemon struct) Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 06 June 2024, 19:23:50 UTC
6ece4c9 bpf: tests: add test for encrypted overlay Exercise the whole codepath in to-netdev that's needed for encrypted overlay. This allows us to validate the whole machinery of packet rewrites and IPsec-related context in the skb mark/cb. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
c55d352 bpf: tests: add helper to insert NODE_MAP entry This will be used in a subsequent patch. Also clean up the existing usage. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
b38d139 bpf: tests: add endpoint parameter for security identity Enable a subsequent patch to specify the security identity of an inserted endpoint. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 06 June 2024, 17:04:20 UTC
fec6a95 documentation: fix AKS note positioning Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
378e881 documentation: embed eCHO episodes in Cilium docs Signed-off-by: Shedrack Akintayo <akintayoshedrack@gmail.com> Signed-off-by: Quentin Monnet <qmo@qmon.net> 06 June 2024, 15:19:19 UTC
38e1001 envoy: Bump envoy version to v1.29.5 This commit is to bump envoy version to v1.29.5 for below CVEs: - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv) - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4) - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26) - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299) - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc) - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m) - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://togithub.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c) Upstream release: https://github.com/envoyproxy/envoy/releases/tag/v1.29.5 Signed-off-by: Tam Mach <tam.mach@cilium.io> 06 June 2024, 12:24:52 UTC
a3dafbd .github: fix renovate GitHub workflow config The renovate config had some errors, as pointed out by GitHub, this commit fixes the errors. Fixes: 38e90f3f15f0 ("Renovate SPIRE images in makefile values") Signed-off-by: André Martins <andre@cilium.io> 06 June 2024, 09:45:25 UTC
38e90f3 Renovate SPIRE images in makefile values This points the Renovate SPIRE update to the Makefile.values file. After the version update Renovate will run the Makefile to update the Helm charts. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
f1d7e56 Add Renovate GHA file This adds a file that is similar to the one in the cilium/tetragon repo to run a self hosted Renovate bot inside GitHub Actions Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
65bdb0c Add validation on change of Renovate config This change adds a GHA to validate the Renovate configuration when it is changed inside a PR. This is analogous to the one in the Tetragon repository. Signed-off-by: Maartje Eyskens <maartje@eyskens.me> 06 June 2024, 09:02:37 UTC
5ee8be7 datapath: Deprecate trace reason REOPENED Datapath no longer returns a trace reason for REOPENED. Keep the Go symbol for compatibility with older datapaths, but rename it to mark it as deprecated. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 June 2024, 07:36:10 UTC
dcc3dcf bpf: Remove CT_REOPENED, return CT_NEW instead CT_REOPENED was originally added in https://github.com/cilium/cilium/pull/13340 to emit policy verdicts for apparently re-opened TCP connections, which are in fact more likely to be newly opened TCP connections rather than re-opened ones, as the CT entries may live minutes after the TCP state from the endpoints has already timed out. This added complexity to call sites, forcing differentiation between CT_NEW and CT_REOPENED. In all cases some CT entry field values were left stale, e.g., 'proxy_redirect' after a policy change. Instead of adjusting each call site to behave properly for CT_REOPENED, return CT_NEW instead, and make the observable CT lookup behavior the same as for CT_NEW in that case, most notably by not updating the passed in `*ct_state`. This change fixes a proxy redirection bug where return packets are not redirected to an L7 proxy when (a stale) CT entry is missing the 'proxy_redirect' flag. Fixes: #27762 Fixes: #13340 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 06 June 2024, 07:36:10 UTC
e43e299 ci: remove container scanning workflow The results of this workflow are not being actively reviewed, remove it for now. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> 05 June 2024, 20:34:43 UTC
ce59386 Introduce --force-device-detection option This commit introduces the --force-device-detection option, which can be used together with --devices to enrich user specified devices with automatically detected devices. When this option is enabled, the system not only uses the devices explicitly specified by the user but also includes devices that are automatically detected. This ensures comprehensive network device management, particularly useful in dynamic environments where network interfaces may change or new interfaces may be added post-initial configuration. Fixes: #32721 Signed-off-by: Andrei Kvapil <kvapss@gmail.com> 05 June 2024, 19:01:13 UTC
c77d1a3 ipcache: skip prefix update when metadata unchanged If a particular upsert operation is a no-op, then there's no point in enqueuing a prefix update for it. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
c95ee60 ipcache: split queued updates into chunks If a large number of prefixes are queued for update, then we should not update all at the same time. This is because outgoing identities are only released at the end of doInjectLabels(), which means we could double the set of in-use identities while application is happening. The only exception is for the first run, in which case there is no point in dividing, as no identities will be released. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
3ac9cbc mechanical: ipc.InjectLabels() -> ipc.doInjectLabels() This is a private function that should never be called directly. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
86b0d55 ipcache: correctly handle failed allocation It turns out that label injection panics if identity allocation fails. This code-path is not practically reachable, as we would need to run out of local identities. Still good to clean up, though. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 17:27:20 UTC
118a64b images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 05 June 2024, 16:56:38 UTC
0de75f4 chore(deps): update go to v1.22.4 Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 June 2024, 16:56:38 UTC
7dbd76c bpf: s/NODE_MAC/THIS_INTERFACE_MAC This value is *not* some generic, node-wide MAC address. Rather it is the MAC address of the specific interface that the BPF program is attached to. Align the naming with the THIS_MTU macro. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 05 June 2024, 15:21:16 UTC
42c04e9 policy: rename test helper function .Add to .mustAdd, strictly validate This is a convenience test function, there's no need for it to be exported. The one external use is easily removed. Also, add a panic() to ensure tests do not accidentally rely on invalid data, which has happened in the past. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
6ebddc9 policy: require valid policies for tests We were accidentally adding policies that did not pass validation. Rename the test-only function AddList to MustAddList, reject invalid policies. Add the additional helper addInvalidRules() which accepts invalid policies. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
dd088df test: fix invalid network policies There were some tests that supplied invalid network policies. Fix them. Unfortunately, there is one disallowed case we would still like to test, so add an option to override that particular validation check in test mode. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 14:37:21 UTC
5f18d88 docs: ipsec: remove limitation for native-routing with L7 egress policy This was addressed by https://github.com/cilium/cilium/pull/32683. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 05 June 2024, 13:55:23 UTC
0cbd730 ingress: Add CNP example for default deny Relates: #28254 Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 12:12:56 UTC
8848188 docs: Lift and shift CNP page for Ingress This moves the external lockdown policy section to its own page, so that we can have more room for other CNP examples. Signed-off-by: Tam Mach <tam.mach@cilium.io> 05 June 2024, 12:12:56 UTC
f9ee4bc clustermesh: fix a few misc issues in the new mcs api controller This commit does 3 small fixes: - Use the correct upstream MCS-API controller. The controller used is now the one that syncs the service IP to the ServiceImport resources. The rest of the controllers are Cilium specific and will be (or already are) implemented soon. - Also add a shortcut on creation to save a delete/recreate of the derived service if there is no ServiceImport and the local one is headless. - Fix the watch on Services to also issue a reconcile if the locally exported Service has changed Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 05 June 2024, 08:33:17 UTC
1ce4c7f proxy/routes: Also route egress proxy's return traffic to 2005 This commit installs the "0xb00/0xf00 lookup 2005" routing rule when IPsec is enabled with native routing and envoy. This is a necessary step towards fixing encryption leaks, otherwise egress proxy's return traffic gets no chance to have the IPsec mark set. The new routing rule ensures these packets are routed to cilium_host, where we have bpf_host to handle encryption datapath. This patch uses a different condition from requireFromProxyRoutes() to determine whether to install the new routing rule, otherwise we will see breakage on IPsec=off + envoy=on. Specifically, the new routing rule is isolated to IPsec only. Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
3384d73 iptables: Ensure iptables masquerading works for proxy traffic After https://github.com/cilium/proxy/pull/742, proxy traffic keeps original pod IP as source IP for to-world packets, which must be masqueraded to eth0 IP. There is no issue for now, but the new routing rule (0xb00 lookup 2005) to be added for https://github.com/cilium/cilium/issues/31984 will cause a side effect breaking masquerading. This patch fixes that side effect as a precaution, otherwise git-bisect breaks. The new routing rule (0xb00 lookup 2005) will cause proxy packets going through POSTROUTING twice: the first time happens when proxy sends packets which are routed to cilium_host, these are hitting OUTPUT + **POSTROUTING**; the second time takes place after packets ingressed from cilium_net, these skbs will traverse PREROUTING + FORWARD + **POSTROUTING**. However, due to kernel's implementation details, an skb won't be processed by nat POSTROUTING twice: after the first POSTROUTING check, skb's ct `(struct nf_conn*)(skb->_nfct & ~7)` has a status IPS_SRC_NAT_DONE to skip the further traversal at all. [1] To avoid having the IPS_SRC_NAT_DONE flag set, this patch adds an iptables rule `--mark 0xb00 -j CT --notrack` at OUTPUT to skip the first round iptables ct, just for proxy traffic which is characterized by 0xb00 mark. [1] https://elixir.bootlin.com/linux/v6.6.2/source/net/netfilter/nf_nat_core.c#L825 [1] https://elixir.bootlin.com/linux/v6.6.2/source/include/net/netfilter/nf_nat.h#L111 Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
f93a40c Don't set 0x200 mark for proxy to world traffic in iptables PREROUTING We have an iptables rule to set the 0x200 mark for transparent sockets:

```
*mangle
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
-A CILIUM_PRE_mangle -m socket --transparent -m mark ! --mark 0xe00/0xf00 -m comment --comment "cilium: any->pod redirect proxied traffic to host proxy" -j MARK --set-xmark 0x200/0xffffffff
```

This rule is in the mangle PREROUTING, which checks packets ingressed from a netdev. Let's then focus on the pod to world traffic when IPsec=on + proxy=on + tunnel=off. Currently, a pod-to-world packet will go through the path:

1. from_lxc@lxc: skb->mark is set to 0x200 and returned to stack
2. iptables: skb is hijacked by tproxy (due to 0x200), to be accepted by proxy
3. proxy process: the old skb is consumed by proxy, a new skb is sent to upstream (world)
4. stack routing: the new skb is routed to eth0
5. stack iptables: the new skb is traversing OUTPUT chain and POSTROUTING chain
6. to_netdev@eth0: the new skb is going to world

Please note the new skb won't hit the PREROUTING chain, where there is a rule setting skb->mark=0x200. To fix https://github.com/cilium/cilium/issues/31984, we are going to change the routing for packets from the egress proxy; consequently, at step 4 above, the new skb will be routed to cilium_host instead:

4. stack routing: the new skb is routed to cilium_host
5. from_host@cilium_host: the new skb is returned to stack
6. to_host@cilium_net: the new skb is returned to stack
7. stack: PREROUTING, routing, FORWARD, POSTROUTING

Look at step 7, we are hitting PREROUTING! Because of https://github.com/cilium/proxy/pull/742, this to-world skb is also linked to a transparent socket, matching the "-m socket --transparent" condition, so the packet will fortunately have the 0x200 mark. If we do nothing, this to-world skb marked with 0x200 will then hit the routing rule "from all fwmark 0x200/0xf00 lookup 2004" and be routed to local. It should have gone to the world. This patch fixes this future issue as a precaution (otherwise we'll break git-bisect). This patch provides a straightforward solution: at step 5 from_host@cilium_host, we set a special mark 0x800 (MARK_MAGIC_PROXY_TO_WORLD), then iptables can exclude this mark using "-m mark ! --mark 0x800/0xf00". Signed-off-by: gray <gray.liang@isovalent.com> 05 June 2024, 08:05:03 UTC
729fee6 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 05 June 2024, 07:33:34 UTC
bcbc4c4 cleanup: remove commented-out test function I commented it out but forgot to remove it in a prior PR. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC
75345de cleanup: disentangle policy trifecta The dependencies aren't actually as complicated as the code makes them out to be. We can construct them iteratively without mutation, now that we no longer need the cache to list reserved identities. This is a no-op change. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC
57b085f mechanical: move cache.IdentityCache to identity package This utility type doesn't belong in an implementation package. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC
6beaea1 mechanical: remove unused parameter to SelectorCache We no longer allocate identities in the SelectorCache; stop plumbing it through. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 05 June 2024, 02:07:43 UTC
8de7a90 gha: Correct skipped test name in GatewayAPI This commit is to skip MeshConsumerRoute related test, just a note that Gateway API 1.0.0 didn't have MeshConsumerRoute feature flag, so we need to use HTTPRouteResponseHeaderModification instead. Relates: 4121a2f7814f38791f114bca9767e6787a04b5dc Signed-off-by: Tam Mach <tam.mach@cilium.io> 04 June 2024, 16:32:11 UTC
5124385 bpf: redirect decrypted overlay traffic This commit updates bpf_host to identify decrypted overlay traffic and redirect it to the VXLAN device for decapsulation. After this decapsulation the original payload will be delivered to the destination. Without a redirect the decrypted packet comes back around into the stack and the stack drops the packet in the XFRM hooks within the UDP receive portion of the input path. A redirect seems to clear the XFRM state associated with the skb and allows the stack to process the packet as if the input device was the VXLAN device. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com> 04 June 2024, 15:10:01 UTC
1025121 workflow: update ipsec e2e tests to account for encrypt overlay rules Encrypt overlay feature when enabled, will add 2 IPv4 xfrm state rules per node. This change modifies the test script to account for additional rules when this feature is enabled. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 04 June 2024, 15:10:01 UTC
68f5f41 xfrm: provide req id in UpsertIPsecEndpoint Provide req id parameter in UpsertIPsecEndpoint, which can be used to override default req ID '1'. This is useful in cases where we install feature specific xfrm rules and want graceful cleanup of those rules when feature is disabled. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 04 June 2024, 15:10:01 UTC
4121a2f Completed GAMMA implementation, includes basic docs Updates Gateway API conformance tests to include Mesh tests. GAMMA conformance requires supporting the Port field in parentRef. This adds support for this for GAMMA only. This change also does groundwork necessary to support the Gateway API feature `HTTPRouteListenerPortMatching` for regular Gateway API objects, which allows HTTPRoutes to select Gateway parents using the Port field in parentRef. A followup PR will implement this feature. As part of the GAMMA work, we now support the GatewayPort8080 Gateway API feature as well, so that is now added to the conformance test workflow. The `MeshConsumerRoute` feature cannot be supported without significant changes to the model (it requires _egress_ CiliumEnvoyConfigs, which are still being worked on.) Mesh examples are left for a followup PR. Dedicated Ingresses using a Nodeport need to _not_ have the port set in their CiliumEnvoyConfig. Added a test to verify this for the future. Signed-off-by: Nick Young <nick@isovalent.com> 04 June 2024, 12:17:03 UTC
afbdc30 Initial working implementation, passes half of the conformance tests This also adds the HTTPRoute as a second source to each Listener in the model.Model, which allows the HTTPRoute to be set as the owner of the generated CiliumEnvoyConfig. Signed-off-by: Nick Young <nick@isovalent.com> 04 June 2024, 12:17:03 UTC
6e8751d Add support for GAMMA ingestion GAMMA objects will now be correctly ingested, with predicates added to both the GAMMA ingestion and the standard Gateway API ingestion to ensure that each only sees relevant HTTPRoute updates. Signed-off-by: Nick Young <nick@isovalent.com> 04 June 2024, 12:17:03 UTC
363fdd4 Add GAMMA support to Cilium Operator This first commit adds support for reconciling GAMMA HTTPRoute objects, updates the status. Also adds GAMMA reconciler parent checks. Signed-off-by: Nick Young <nick@isovalent.com> 04 June 2024, 12:17:03 UTC
1b987b6 envoy: Update to pick up fixes Update Envoy image to pick up fixes: - reopen bpf ipcache map on network policy stream restart Fixes the problem where cilium agent restart creates a new bpf ipcache map and (daemonset) cilium-envoy keeps using the old one. - change original destination cluster to not create different Host instances for the same destination Fixes the problem where multiple Host instances are created when two worker threads access the same destination at the same time, and then one of them fails to create an upstream connection due to source port bind failure. - update Go dependencies Fixes CVEs for the proxylib. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 04 June 2024, 12:15:35 UTC
bb947ca Add WSO2 to cilium users Signed-off-by: Isala Piyarisi <isala@wso2.com> 04 June 2024, 10:31:21 UTC
76be3e8 README: Update releases Signed-off-by: André Martins <andre@cilium.io> 04 June 2024, 10:05:54 UTC
20c1f36 cgroup: introduce noop cgroup manager implementation Currently, the implementation of the CGroupManager also handles the cases if socket lb tracing isn't enabled or the setup failed to lookup the cgroup path provider. To ease the understanding of the actual implementation (aside from testing and the mentioned cases where the feature is disabled), this commit introduces a `noopCgroupManager` that is provided as implementation in cases where the feature isn't enabled. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 June 2024, 10:05:26 UTC
dd5709a daemon: remove unused method GetParentPodMetadata This commit removes the unused daemon method `GetParentPodMetadata` that introduced an unnecessary dependency to the CGroupManager. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 June 2024, 10:05:26 UTC
50bb65d cgroup: use injected logger in cgroup manager This commit introduces a Hive dependency from the cgroup manager to a logger and replaces the static logger. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 June 2024, 10:05:26 UTC
4a464e7 cgroup: introduce hive cell for cgroup manager This commit introduces a hive cell for the cgroup manager and replaces the explicit initialization (and shutdown) in the daemon. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 04 June 2024, 10:05:26 UTC
8cd748d docs: remove incompatibility with L7 policy Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 04 June 2024, 09:31:30 UTC
a8df4c5 egressgw: remove warning of incompatibility with L7 policy Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 04 June 2024, 09:31:30 UTC
060e0f0 egressgw: add bpf unit test to check the redirection from bpf_host Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 04 June 2024, 09:31:30 UTC
218649f egressgw: support egress gw handling at bpf_host Currently packets from Pods selected by an egress gateway policy will not be forwarded to a gateway if there's an L7 policy applied to those packets. That's because we apply the egress gateway policy at bpf_lxc right after the L7 policy redirection. Therefore the Egress Gateway logic will be skipped if packets are redirected to the L7 proxy. This commit adds the egress gateway handling code at to-netdev@bpf_host so that packets from the L7 proxy can be properly redirected to an egress gw. We will keep the egress gw code in from-container@bpf_lxc around until v1.17 to avoid disruption of traffic to the egress gateway. It's possible that the datapath enters an incomplete state where bpf_lxc has been upgraded while bpf_host hasn't during the upgrade. If that situation were to occur, traffic destined for the egress gateway would be broken for that period of time. So we will keep the egress gateway code at both bpf_lxc and bpf_host to avoid this scenario. Fixes: cilium/cilium#19642 Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 04 June 2024, 09:31:30 UTC
00df387 egressgw: return value as is from egress_gw_request_needs_redirect_hook egress_gw_request_needs_redirect* functions already return a proper error code. So we don't need to return DROP_NO_EGRESS_GATEWAY from the caller side. Signed-off-by: Yusuke Suzuki <yusuke.suzuki@isovalent.com> 04 June 2024, 09:31:30 UTC
cce4080 ingress: Support headless service Currently, we don't inject headless endpoints into envoy XDS, hence the response is coming with error `no healthy upstream`. This commit is to explicitly handle headless service in CEC controller. One point worth noting is that k8s.Endpoint watcher is used as it's a wrapper for both k8s Endpoint and EndpointSlice. Signed-off-by: Tam Mach <tam.mach@cilium.io> 04 June 2024, 07:48:02 UTC