| 12e8d11 | André Martins | 04 August 2020, 12:42:30 UTC | refactor desiredPolicyAllowsIdentity out of pkg/endpoint This function can be refactored out of the pkg/endpoint. With this change it is also possible to unit test this function. Signed-off-by: André Martins <andre@cilium.io> | 03 October 2020, 16:00:39 UTC |
| 0fa3561 | André Martins | 28 July 2020, 13:00:53 UTC | k8s/apis: refactor parseToCiliumRule functions This will allow to reuse functions. Signed-off-by: André Martins <andre@cilium.io> | 03 October 2020, 16:00:39 UTC |
| 28d9889 | Jarno Rajahalme | 02 October 2020, 14:43:25 UTC | node: Join a k8s cluster via kvstore Add Cilium agent option `--join-cluster` has the following effects: - agent registers the node in a special `register` key in the kv store - agent waits until kv store updates the registration with a numeric identifier allocated for the node labels Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| a8c83d3 | Jarno Rajahalme | 28 September 2020, 16:13:20 UTC | node: Add NodeIdentity field Add an optional NodeIdentity field to Node and CiliumNode. This can be used to pass the Cilium numeric identity of a node in the cluster. If missing, either NODE or REMOTE_NODE is assumed depending on the Cilium agent configuration. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| b6f37a1 | Jarno Rajahalme | 02 October 2020, 14:41:12 UTC | bpf: Add support for LOCAL_NODE_ID Add a bpf macro for LOCAL_NODE_ID that is only used when setting the source security ID in encap headers for packets originating from the local node. This defaults to 6, the same value as REMOTE_NODE_ID. Any other value may be used, if set during Cilium agent bootstrap before the node_config.h is written. This allows representing the Cilium node as an endpoint in the cluster, allowing endpoint selector based network policy enforcement for traffic originating from Cilium nodes. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| b34f99c | Jarno Rajahalme | 02 October 2020, 16:00:50 UTC | operator: Make CEP GC aware of the type of the owner CEP GC used to delete CEPs whenever a Pod resource with the same name no longer exists. Change this to inspect the OwnerReferences of the CEP resource, and keep the existing behavior if CEP is owned by a Pod. If the CEP is owned by a CiliumNode, then check the existence of that instead. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| 8a5bc17 | Jarno Rajahalme | 23 September 2020, 16:38:24 UTC | build: Suppress warnings about invalid image names When pre-pulling images, detect special characters not allowed in image names to avoid docker warnings about invalid image names. These were caused by using environment variables for image names. Those images will not be pre-pulled. Pre-pulling of docker images used with buildkit builds is a workaround for a docker bug causing images sometimes not being pulled properly. Therefore it is possible that when image names are specified indirectly via an environment variable, and the image is not pre-pulled, then it is possible that the build will fail due to the docker bug. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| a8b4f16 | Jarno Rajahalme | 02 October 2020, 15:23:54 UTC | vagrant: Share parent of cilium directory if SHARE_PARENT is set Share the parent of the cilium directory if SHARE_PARENT is set. This shares all the cilium repos with one mount, but requires Cilium directory to be named 'cilium'. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| 28154fa | Jarno Rajahalme | 02 October 2020, 16:50:34 UTC | test: Lauch runtime VM in the same network as k8s for the same job Configure cilium-k8s#{$BUILD_NUMBER}-#{$JOB_NAME}-#{$K8S_VERSION} private network also for the runtime VM so that it has connectivity to k8s nodes when run at the same time. This is needed for VM support testing. Document prevously undocumented options for Vagrantfiles. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 02 October 2020, 21:46:34 UTC |
| d315ec3 | Thomas Graf | 29 September 2020, 10:59:26 UTC | doc: Document API rate limiting Signed-off-by: Thomas Graf <thomas@cilium.io> | 02 October 2020, 16:43:28 UTC |
| 6333eaa | Thomas Graf | 29 September 2020, 08:41:29 UTC | agent: Add rate limiting to endpoint API calls Add default rate limiting for all endpoint related API calls with automatic adjustment based on estimated processing duration. Metrics are provided to monitor the rate limiting system: ``` cilium_api_limiter_adjustment_factor api_call="endpoint-create" 0.695787 cilium_api_limiter_processed_requests_total api_call="endpoint-create" outcome="success" 7.000000 cilium_api_limiter_processing_duration_seconds api_call="endpoint-create" value="estimated" 2.000000 cilium_api_limiter_processing_duration_seconds api_call="endpoint-create" value="mean" 2.874443 cilium_api_limiter_rate_limit api_call="endpoint-create" value="burst" 4.000000 cilium_api_limiter_rate_limit api_call="endpoint-create" value="limit" 0.347894 cilium_api_limiter_requests_in_flight api_call="endpoint-create" value="in-flight" 0.000000 cilium_api_limiter_requests_in_flight api_call="endpoint-create" value="limit" 0.000000 cilium_api_limiter_wait_duration_seconds api_call="endpoint-create" value="max" 15.000000 cilium_api_limiter_wait_duration_seconds api_call="endpoint-create" value="mean" 0.000000 cilium_api_limiter_wait_duration_seconds api_call="endpoint-create" value="min" 0.000000 ``` Signed-off-by: Thomas Graf <thomas@cilium.io> | 02 October 2020, 16:43:28 UTC |
| 3141e65 | Thomas Graf | 29 September 2020, 08:22:20 UTC | rate: Add API rate limiting system The API rate limiting system is capable to enforce both rate limiting and maximum parallel requests. Instead of enforcing static limits, the system is capable to automatically adjust rate limits and allowed parallel requests by comparing the provided estimated processing duration with the mean processing duration observed. Usage: ``` var requestLimiter = rate.NewAPILimiter("myRequest", rate.APILimiterParameters{ rate.SkipInitial: 5, rate.RateLimit: 1.0, // 1 request/s rate.ParallelRequests: 2, }, nil) func myRequestHandler() error { req, err := requestLimiter.Wait(context.Background()) if err != nil { // request timed out whie waiting return err } defer req.Done() // Signal that request has been processed // process request .... return nil } ``` Configuration parameters: - EstimatedProcessingDuration time.Duration EstimatedProcessingDuration is the estimated duration an API call will take. This value is used if AutoAdjust is enabled to automatically adjust rate limits to stay as close as possible to the estimated processing duration. - AutoAdjust bool AutoAdjust enables automatic adjustment of the values ParallelRequests, RateLimit, and RateBurst in order to keep the mean processing duration close to EstimatedProcessingDuration - MeanOver int MeanOver is the number of entries to keep in order to calculate the mean processing and wait duration - ParallelRequests int ParallelRequests is the parallel requests allowed. If AutoAdjust is enabled, the value will adjust automatically. - MaxParallelRequests int MaxParallelRequests is the maximum parallel requests allowed. If AutoAdjust is enabled, then the ParalelRequests will never grow above MaxParallelRequests. - MinParallelRequests int MinParallelRequests is the minimum parallel requests allowed. If AutoAdjust is enabled, then the ParallelRequests will never fall below MinParallelRequests. - RateLimit rate.Limit RateLimit is the initial number of API requests allowed per second. If AutoAdjust is enabled, the value will adjust automatically. - RateBurst int RateBurst is the initial allowed burst of API requests allowed. If AutoAdjust is enabled, the value will adjust automatically. - MinWaitDuration time.Duration MinWaitDuration is the minimum time an API request always has to wait before the Wait() function returns an error. - MaxWaitDuration time.Duration MaxWaitDuration is the maximum time an API request is allowed to wait before the Wait() function returns an error. - Log bool Log enables info logging of processed API requests. This should only be used for low frequency API calls. Example: ``` level="info" msg="Processing API request with rate limiter" maxWaitDuration=10ms name=foo parallelRequests=2 subsys=rate uuid=933267c5-01db-11eb-93bb-08002720ea43 level="info" msg="API call has been processed" name=foo processingDuration=10.020573ms subsys=rate totalDuration=10.047051ms uuid=933265c7-01db-11eb-93bb-08002720ea43 waitDurationTotal="18.665µs" level=warning msg="Not processing API request. Wait duration for maximum parallel requests exceeds maximum" maxWaitDuration=10ms maxWaitDurationParallel=10ms name=foo parallelRequests=2 subsys=rate uuid=933269d2-01db-11eb-93bb-08002720ea43 ``` - DelayedAdjustmentFactor float64 DelayedAdjustmentFactor is percentage of the AdjustmentFactor to be applied to RateBurst and MaxWaitDuration defined as a value between 0.0..1.0. This is used to steer a slower reaction of the RateBurst and ParallelRequests compared to RateLimit. - SkipInitial int SkipInitial is the number of API calls to skip before applying rate limiting. This is useful to define a learning phase in the beginning to allow for auto adjustment before imposing wait durations on API calls. - MaxAdjustmentFactor float64 MaxAdjustmentFactor is the maximum adjustment factor when AutoAdjust is enabled. Base values will not adjust more than by this factor. The configuration of API rate limiters is typically provided as-code to establish defaults. A string based configuration option can then be used to adjust defaults. This allows to expose configuration of rate limiting using a single option flag: ``` go l, err = NewAPILimiterSet(map[string]string{ "foo": "rate-limit:2/m,rate-burst:2", }, map[string]APILimiterParameters{ "foo": { RateLimit: rate.Limit(1.0 / 60.0), AutoAdjust: true, }, }, nil) ``` Signed-off-by: Thomas Graf <thomas@cilium.io> | 02 October 2020, 16:43:28 UTC |
| 1010757 | Glib Smaga | 29 September 2020, 18:05:23 UTC | pkg/hubble/filters: Add HTTP method filters Signed-off-by: Glib Smaga <code@gsmaga.com> | 02 October 2020, 13:49:06 UTC |
| cbccac4 | Glib Smaga | 28 September 2020, 22:47:25 UTC | api/v1: Add http method filter entry Signed-off-by: Glib Smaga <code@gsmaga.com> | 02 October 2020, 13:49:06 UTC |
| 98356e2 | Paul Chaignon | 02 October 2020, 12:08:05 UTC | docs: Document make target for operator Docker image Signed-off-by: Paul Chaignon <paul@cilium.io> | 02 October 2020, 12:12:21 UTC |
| 2779bfd | Weilong Cui | 24 September 2020, 04:35:24 UTC | Restores ClusterIP service entry upon LRP removal. Deleting an LRP shadowing a ClusterIP service today will delete such service entry entirely, this is problematic in cases where the original service is still needed, e.g., NodeLocalDNS. This allows for restoring ClusterIP service when correspoding LRP is removed. We acquire original service info from Cilium's service cache and enforce an update event to restore the service entry. With LRP, `cilium service list`: ID Frontend Service Type Backend 1 10.91.240.10:53 LocalRedirect 1 => 10.88.1.242:53 2 10.91.241.27:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 3 10.91.240.1:443 ClusterIP 1 => 35.193.66.178:443 4 10.91.254.119:443 ClusterIP 1 => 10.88.1.127:443 After removing the LRP, `cilium service list`: ID Frontend Service Type Backend 2 10.91.241.27:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 3 10.91.240.1:443 ClusterIP 1 => 35.193.66.178:443 4 10.91.254.119:443 ClusterIP 1 => 10.88.1.127:443 5 10.91.240.10:53 ClusterIP 1 => 10.88.1.117:53 2 => 10.88.0.46:53 Signed-off-by: Weilong Cui <cuiwl@google.com> | 02 October 2020, 07:57:17 UTC |
| d6ad56b | Paul Chaignon | 01 October 2020, 13:01:29 UTC | test: further increase range of accepted values for bandwidth test Our current range for the 25Mbps target is [18; 32]. We seem to always fall short of the 18 bound. Expected cases of regressions are likely to be either a lack of connectivity or a lack of rate limiting. So with a range [1; 30] we're likely to catch most regression cases without missing on cases where there's no rate limiting (which we could miss if we keep increase the whole range). Fixes: #13062 Co-authored-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Paul Chaignon <paul@cilium.io> | 02 October 2020, 07:34:33 UTC |
| ca9992e | Lehner Florian | 01 October 2020, 18:08:48 UTC | cleanup: remove unused code Signed-off-by: Lehner Florian <dev@der-flo.net> | 01 October 2020, 19:05:50 UTC |
| 55209b7 | Paul Chaignon | 01 October 2020, 15:38:12 UTC | docs: Move performance guide under Operations Signed-off-by: Paul Chaignon <paul@cilium.io> | 01 October 2020, 18:31:41 UTC |
| e4b3689 | Paul Chaignon | 01 October 2020, 15:15:19 UTC | docs: Move scalability guide under Operations Signed-off-by: Paul Chaignon <paul@cilium.io> | 01 October 2020, 18:31:41 UTC |
| b769c64 | Paul Chaignon | 01 October 2020, 14:52:46 UTC | docs: operations/ dir to match displayed structure Signed-off-by: Paul Chaignon <paul@cilium.io> | 01 October 2020, 18:31:41 UTC |
| 175c7da | Tobias Klauser | 01 October 2020, 13:18:06 UTC | datapath/connector: move CheckLink to daemon/cmd This function is only used in daemon/cmd in a single place, so move it there and unexport it. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> | 01 October 2020, 18:29:39 UTC |
| 96648d0 | Tobias Klauser | 01 October 2020, 12:03:19 UTC | datapath/connector: remove unused funcs The last remaining user of DeriveEndpointFrom was removed by commit 532ad9d44a6f ("rm pkg/workloads"). GetNetInfoFromPID and GetVethInfo were only used by DeriveEndpointFrom, so remove them as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> | 01 October 2020, 18:29:39 UTC |
| 7257d4a | Ilya Dmitrichenko | 01 October 2020, 09:58:14 UTC | install: RBAC permissions for finalizers subresources Since Cilium sets ownership references on pods, it needs permission to delete pods via finalizers and for that purpose it also needs permissions to set the finalizers on pods. This change is required for OpenShift, however it's based on the GC admission controller that was introduced in Kubernetes 1.5 (https://github.com/kubernetes/kubernetes/pull/34829). Also add explicit permissions for finalizers on all CRs, to ensure that agent and operator can set finalizers on their own resources. Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> | 01 October 2020, 16:42:55 UTC |
| b6d0054 | Maciej Kwiek | 30 September 2020, 09:45:13 UTC | test: enable operator metrics in stresspolicy suite Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 01 October 2020, 16:20:30 UTC |
| 657171f | Daniel Borkmann | 01 October 2020, 10:19:16 UTC | vagrant: bump bpf-next vagrant box version Pull in latest BPF kernel features from bpf-next [0]. [0] https://lore.kernel.org/bpf/cover.1601477936.git.daniel@iogearbox.net/ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 01 October 2020, 12:29:36 UTC |
| 18dc9f2 | Jarno Rajahalme | 30 September 2020, 12:03:45 UTC | envoy: Stop using deprecated filter names Stop using deprecated Envlyo filter names in order to get rid of deprecation warning logs. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 01 October 2020, 09:27:28 UTC |
| 28b4c96 | Alexandre Perrin | 29 September 2020, 14:41:23 UTC | fsnotify: correctly check for event operation fsnotify Event.Op is a bit mask and testing for strict equality might not detect the event operation correctly. This patch make it so we check for fsnotify event operation consistently as documented at https://github.com/fsnotify/fsnotify. Signed-off-by: Alexandre Perrin <alex@kaworu.ch> | 01 October 2020, 08:56:44 UTC |
| b71cf0d | Joe Stringer | 30 September 2020, 22:13:35 UTC | contrib: Improve start-release.sh script Due to an extra `v` in the branch name, this script would fail with: $ ~/git/cilium/contrib/release/start-release.sh v1.6.12 128 fatal: 'origin/vv1.6' is not a commit and a branch 'pr/prepare-v1.6.12' cannot be created from it Signal ERR caught! Traceback (line function script): 62 main /home/joe/git/cilium/contrib/release/start-release.sh Fix it. While we're at it, update the instructions at the end for next steps, since there's also now a `submit-backport.sh` script to send the PR from the CLI. Signed-off-by: Joe Stringer <joe@cilium.io> | 01 October 2020, 08:11:45 UTC |
| 57d3473 | Gilberto Bertin | 30 September 2020, 13:52:57 UTC | bugtool: get bpffs mountpoint from /proc/self/mounts Rather then hardcoding the /sys/fs/bpf value in bugtool, use the `mountinfo` package (which exposes the information in /proc/self/mounts) to determine the correct mountpoint for the BPF filesystem. Fixes: #13218 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> | 01 October 2020, 07:50:19 UTC |
| c0236a4 | Joe Stringer | 01 October 2020, 04:51:06 UTC | README: Fix the versions listing An improperly formatted table cause the versions listing to disappear. Fix it up. Fixes: 3bb016ffd4f5 ("Update stable releases") Signed-off-by: Joe Stringer <joe@cilium.io> | 01 October 2020, 07:07:53 UTC |
| b9e44f3 | Daniel Borkmann | 29 September 2020, 09:42:39 UTC | bpf: optimize datapath through host netns Optimize the direct routing host data path via redirect_neigh() helper based on our recent kernel work [0]. As outlined at Plumbers [1] (the first out of the two new helpers), the current routing scheme is suboptimal in that we push skbs up the host stack. This has a huge cost in itself and additionally it also orphans the skb from the socket so that TCP stack does not get right backpressure signal for TSO. With the redirect_neigh() helper we can perform the forwarding in tc layer _only_ while we let kernel handle neighboring subsystem in reply path. This also means we bypass things like netfilter in host netns thus if masquerading is enabled it must be done via BPF. This preserves also skb->sk all the way till qdisc layer which also helps BPF bandwidth manager for FQ. Used agent config on apoc/tank with bpf-next tree each: ./daemon/cilium-agent --identity-allocation-mode=crd --enable-ipv6=true --enable-ipv4=true \ --disable-envoy-version-check=true --tunnel=disabled --k8s-kubeconfig-path=$HOME/.kube/config \ --kube-proxy-replacement=strict --enable-l7-proxy=false --auto-direct-node-routes=true \ --native-routing-cidr=10.217.0.0/16 --enable-bandwidth-manager=true --enable-bpf-masquerade=true Benchmark via direct routing, pod to pod, over wire gives a nice stable improvement that way: * Before: root@apoc:~# kubectl exec -it netperf-5fdd54b4cc-bcqzg -- netperf -H 10.217.1.93 -t TCP_STREAM MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.93 (10.217.) port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 131072 16384 16384 10.00 9460.80 * After: root@apoc:~# kubectl exec -it netperf-5fdd54b4cc-bcqzg -- netperf -H 10.217.1.93 -t TCP_STREAM MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 10.217.1.93 (10.217.) port 0 AF_INET Recv Send Send Socket Socket Message Elapsed Size Size Size Time Throughput bytes bytes bytes secs. 10^6bits/sec 131072 16384 16384 10.00 15769.68 This is automatically enabled by having --enable-host-legacy-routing=false as default. If the underlying kernel does not support the new BPF helper, then the agent falls back to --enable-host-legacy-routing=true automatically. Similarly, if a user needs backwards compat --enable-host-legacy-routing=true can be set to opt-out from it. [0] https://lore.kernel.org/bpf/cover.1601477936.git.daniel@iogearbox.net [1] https://linuxplumbersconf.org/event/7/contributions/674/attachments/568/1002/plumbers_2020_cilium_load_balancer.pdf Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 01 October 2020, 05:31:32 UTC |
| 692c348 | Daniel Borkmann | 29 September 2020, 08:43:51 UTC | bpf: update/sync helper list Pull in latest BPF uapi helpers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 01 October 2020, 05:31:32 UTC |
| 3bb016f | Joe Stringer | 01 October 2020, 02:42:54 UTC | Update stable releases Signed-off-by: Joe Stringer <joe@cilium.io> | 01 October 2020, 04:47:33 UTC |
| 062c942 | jedsalazar | 11 September 2020, 14:47:24 UTC | improve policy get Signed-off-by: Jed Salazar jed@isovalent.com | 30 September 2020, 23:58:47 UTC |
| 1ed8c87 | jedsalazar | 10 September 2020, 21:57:16 UTC | fixes markdown in hostnet policy troubleshooting Signed-off-by: Jed Salazar jed@isovalent.com | 30 September 2020, 23:58:47 UTC |
| 3179a47 | Thomas Graf | 30 September 2020, 14:07:38 UTC | datapath: Support enable-endpoint-routes with encapsulation It is reasonable to support encapsulation with enable-endpoint-routes. The existing code derived a new datapath mode when enable-endpoint-routes was enabled, which automatically disabled encapsulation. Signed-off-by: Thomas Graf <thomas@cilium.io> | 30 September 2020, 23:53:11 UTC |
| 1f32562 | Timo Beckers | 30 September 2020, 10:02:37 UTC | logfields: remove unused BuildDuration and EndpointRegenerationTime constants As discussed in https://github.com/cilium/cilium/pull/13323, these are unused, we don't explicitly guarantee API compatibility for them, and are not passed to the caller across package boundaries. The goal is to move some packages out of pkg/ to improve clarity around which packages we provide API stability for. Signed-off-by: Timo Beckers <timo@isovalent.com> | 30 September 2020, 22:58:54 UTC |
| 6f8de5a | Timo Beckers | 30 September 2020, 09:31:13 UTC | docs: document policy/endpoint regen metric rename for 1.9 Signed-off-by: Timo Beckers <timo@isovalent.com> | 30 September 2020, 22:58:54 UTC |
| c52ae28 | Timo Beckers | 29 September 2020, 09:28:07 UTC | endpoint: rename policy/endpoint regeneration 'buildDuration' to 'total' The endpoint/policy regeneration time's ambiguous "buildDuration" metric is now called "total", since it spans the full regeneration duration. Before: ``` cilium_endpoint_regeneration_time_stats_seconds scope="buildDuration" status="success" 2.429326 cilium_policy_regeneration_time_stats_seconds scope="buildDuration" status="success" 0.000917 ``` After: ``` cilium_endpoint_regeneration_time_stats_seconds scope="total" status="success" 2.243356 cilium_policy_regeneration_time_stats_seconds scope="total" status="success" 0.000104 ``` Fixes: #13222 Signed-off-by: Timo Beckers <timo@isovalent.com> | 30 September 2020, 22:58:54 UTC |
| 641c0f9 | Paul Chaignon | 30 September 2020, 16:41:01 UTC | maps: Use fmt.Sprint() instead of string() Otherwise, the privileged unit tests fail with: pkg/maps/eppolicymap/eppolicymap_test.go:72:32: conversion from int to string yields a string of one rune, not a string of digits (did you mean fmt.Sprint(x)?) Signed-off-by: Paul Chaignon <paul@cilium.io> | 30 September 2020, 22:13:40 UTC |
| df8238d | Paul Chaignon | 30 September 2020, 07:54:01 UTC | vagrant: Bump all Vagrant box versions Signed-off-by: Paul Chaignon <paul@cilium.io> | 30 September 2020, 22:13:40 UTC |
| 2371071 | Kornilios Kourtis | 30 September 2020, 20:51:32 UTC | Documentation: performance evaluation improvements - Add multi-stream results - Add lower/higher is better labels - use (lat vs batch) and (tput vs batch) plots for TCP_RR - improve text Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> | 30 September 2020, 21:14:19 UTC |
| bfdaae9 | Joe Stringer | 29 September 2020, 22:38:09 UTC | helm: Always respect global.identityAllocationMode This option was not being respected in the case where the user enables etcd configuration. In this case, when also configuring Cluster Mesh, it is important to manage identities via the kvstore to ensure that remote clusters have access to the identities of the local cluster. However, for users who are not using Cluster Mesh, it is reasonable to run Cilium with identities managed via CRDs, and deployments may already be deployed in this way. Failing to respect the option means that users who upgrade may observe temporary dataplane upgrade during upgrade due to the transition from CRD to kvstore for identity management. To prevent unintentional dataplane outage during upgrade from earlier releases, revert the helm changes from commit 8c9539205edc ("doc: Fix clustermesh documentation to set the correct identityMode"). The above commit already clarified the instructions for clustermesh users, which was the main goal of that commit so no other changes are necessary in this commit. Fixes: 8c9539205edc ("doc: Fix clustermesh documentation to set the correct identityMode") Reported-by: Dan Sexton <dan.b.sexton@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io> | 30 September 2020, 20:08:14 UTC |
| 285c4e3 | Robin Hahling | 30 September 2020, 11:52:09 UTC | doc: add instructions to configure Hubble in ClusterMesh Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 30 September 2020, 19:02:37 UTC |
| 94a7a89 | Robin Hahling | 30 September 2020, 11:50:14 UTC | doc: add a new Observability subsection in the Concepts section This new section provides information about Hubble, its components and the different modes that can be enabled. It will also allow providing instructions to configure Hubble for specific use-cases. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 30 September 2020, 19:02:37 UTC |
| 54f2824 | Timo Beckers | 30 September 2020, 11:52:57 UTC | docs: mention install/upgrade.rst in contrib guide Signed-off-by: Timo Beckers <timo@isovalent.com> | 30 September 2020, 12:25:24 UTC |
| 5c6c4a6 | John Fastabend | 21 September 2020, 01:57:18 UTC | cilium: xfrm tests can work with bpf_host loaded now Add test for case with enncryption done in bpf_host. Signed-off-by: John Fastabend <john.fastabend@gmail.com> | 29 September 2020, 23:45:25 UTC |
| 5b83cc1 | John Fastabend | 22 September 2020, 03:21:21 UTC | Revert "daemon: Fatal if IPSec and devices are used together" This reverts commit 8cbd3096a829940035eea95e1e6b10980b07e46e. Now that devices and encryption can coexist we can drop this patch. Signed-off-by: John Fastabend <john.fastabend@gmail.com> | 29 September 2020, 23:45:25 UTC |
| 7ba0e83 | John Fastabend | 17 September 2020, 00:39:02 UTC | cilium: from-netdev and from-network BPF programs conflicting hooks Currently, enabling IPsec and a feature that uses a from-netdev program type may conflict when both attempt to load on the network facing device. If this happens then init.sh will load the ipsec program from-network and then after that the golang bpf loader will replace it with the from-netdev program. Which could be OK if the from-netdev program handled IPsec decryption correctly. Unfortunately, it doesn't and what we get is dropped ESP (IPsec encryption protocol) packets and broken connections. To fix teach from-netdev how to handle ingress IPsec decryption. And while doing this cleanup the encryption code blocks so encryption/decryption logic is split into from_host and from_network parts. This way encrypt piece is used in from_host and decrypt is used in from_network case. Signed-off-by: John Fastabend <john.fastabend@gmail.com> | 29 September 2020, 23:45:25 UTC |
| 9ed106a | John Fastabend | 21 September 2020, 13:32:36 UTC | cilium: create lib for encryption To allow both bpf_network and bpf_host to use the same code add a encrypt.h file to put common routines. Signed-off-by: John Fastabend <john.fastabend@gmail.com> | 29 September 2020, 23:45:25 UTC |
| 0b8148b | Sebastian Wicki | 29 September 2020, 09:03:49 UTC | hubble: Support `--since` requests in combination with follow-mode Previously, the observer implementation assumed time range filters on the request are not compatible with follow-mode. This however is no longer the case, we can now apply the since filter when rewinding the ring buffer. This means that if the user specifies a `since` timestamp, we first dump all flows newer than `since` before we enter follow-mode. Fixes: cilium/hubble#363 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 29 September 2020, 22:20:34 UTC |
| 3cf224e | Jarno Rajahalme | 29 September 2020, 12:45:54 UTC | Envoy: Update to release 1.14.5 Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 29 September 2020, 21:58:36 UTC |
| bb832bf | Maciej Kwiek | 29 September 2020, 11:24:02 UTC | test: restart pods on GKE Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 29 September 2020, 18:11:29 UTC |
| 3c77388 | Maciej Kwiek | 29 September 2020, 10:01:32 UTC | use correct test image in nightlies Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 29 September 2020, 18:11:29 UTC |
| ff3ca77 | Chris Tarazi | 24 September 2020, 21:52:12 UTC | operator: Move CRD registration to operator In pursuit of delegating all cluster operations to cilium-operator from the agent, this commit moves the CRD registration under the purview of cilium-operator. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 16:43:59 UTC |
| db9f562 | Chris Tarazi | 24 September 2020, 21:50:37 UTC | operator: Move K8s init logic to function This commit is mostly a refactoring change to ease future commits. It also removes a duplicated `Update()` call which is already done in `Init()`. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 16:43:59 UTC |
| 325547f | Chris Tarazi | 27 September 2020, 04:46:39 UTC | operator: Deprecate crd-wait-timeout This commit deprecates the crd-wait-timeout option as the functionality has been removed in the previous commit. This option will be removed in 1.10. This commit also updates the cmdref accordingly. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 16:43:59 UTC |
| 8b4b010 | Chris Tarazi | 25 September 2020, 17:09:31 UTC | operator: Revert waiting for CRDs This commit reverts the following two commits, along with the vendored changes that are no longer needed. The rationale is that we no longer need cilium-operator to wait for CRDs as cilium-operator will now register the CRDs (in a future commit), previously done by the agent. --- Commit 5dbe4133a92644278406a47df7892f6e8e7b44c2 ("operator: Make CRD availability timeout configurable") was selectively reverted, only keeping the declarations of the crd-wait-timeout flag, so that they can be deprecated in a future commit. --- Revert "operator: Wait for CRDs before running informers" This reverts commit 8e4f348e1982a081547e90d32221aa058b6fb71c. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 16:43:59 UTC |
| 4dd4e0c | Chris Tarazi | 24 September 2020, 22:32:19 UTC | install: Grant operator permissions for CRD ops This commit deprecates the permissions for CRD operations and marks them for removal in v1.10 from the agent. Additionally, this commit grants them to cilium-operator. This commit is a preparatory for a future commit to move the CRD operations to the cilium-operator. Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 16:43:59 UTC |
| ae5aa9a | Chris Tarazi | 28 September 2020, 22:45:14 UTC | preflight: Use v1beta1 client when appropriate This commit fixes a previously missed instance of using the v1beta1 client as the default when interacting with CRD objects. Since moving to v1 CRDs as the default, we must check if the K8s apiserver understands v1 CRDs. Apiservers <= 1.15 need to use the v1beta1 client. Fixes: c2ca49c4c1 ("k8s: Support v1 & v1beta1 CRDs") Signed-off-by: Chris Tarazi <chris@isovalent.com> | 29 September 2020, 13:55:55 UTC |
| 3bf6ae5 | Robin Hahling | 25 September 2020, 12:16:06 UTC | doc: document how to use custom TLS certificates for Hubble In addition, remove beta warning now that mTLS is supported by Hubble and enabled by default. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 29 September 2020, 07:59:13 UTC |
| 6950573 | Robin Hahling | 25 September 2020, 12:29:28 UTC | CODEOWNERS: add hubble team for hubble doc Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 29 September 2020, 07:59:13 UTC |
| 9afc0b1 | Deepesh Pathak | 28 September 2020, 13:37:19 UTC | test: use net.JoinHostPort to construct address in tests * This commit fixes an issue in the tests where we were not parsing the IPv6 addresses correctly in tests. The previous implementation joined the string for host and port using ":" delimiter which does not give correct results for IPv6 addresses. Replace these to use net.JoinHostPort for constructing addresses. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> | 29 September 2020, 07:36:25 UTC |
| 1b02ca7 | Deepesh Pathak | 24 September 2020, 10:03:42 UTC | test: enable k8s ipv6 dual stack in kubeadm v1beta2 config Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> | 29 September 2020, 07:36:25 UTC |
| deffa27 | Paul Chaignon | 29 September 2020, 06:35:01 UTC | docs: Clarify session affinity support on <5.7 Because network namespace cookies are only available in v5.7+, on older kernels, all pods on a given node will be serviced by the same backend for a given service, for east-west traffic. Fixes: 864f2f9 ("docs: Update list of optional kernel requirements") Reported-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Paul Chaignon <paul@cilium.io> | 29 September 2020, 07:33:30 UTC |
| 156a111 | Tobias Klauser | 28 September 2020, 10:01:37 UTC | cilium: print names for reserved identities in `cilium ip list` Currently, the identities in the output of `cilium ip list` are always in numeric format: $ cilium ip list IP IDENTITY SOURCE 0.0.0.0/0 2 10.0.0.39/32 1 10.0.0.78/32 4 10.0.0.109/32 61205 k8s 10.0.0.179/32 39864 k8s 10.0.2.15/32 1 10.192.1.86/32 4 10.192.1.110/32 4 10.192.1.144/32 7749 k8s 10.192.1.169/32 4 172.28.128.6/32 1 192.168.9.1/32 1 192.168.36.1/32 7749 k8s 192.168.36.11/32 1 192.168.37.11/32 1 f00d::a0f:0:0:76d5/128 7749 k8s f00d::a0f:0:0:79ba/128 4 f00d::a0f:0:0:9fb8/128 4 f00d::a0f:0:0:f4ec/128 4 fc00::10ca:1/128 7749 k8s Make it easier to immediately recognize reserved identities by their name (without having to remember them) by changing the output to print the name by default: $ cilium ip list IP IDENTITY SOURCE 0.0.0.0/0 world 10.0.0.39/32 host 10.0.0.78/32 health 10.0.0.109/32 61205 k8s 10.0.0.179/32 39864 k8s 10.0.2.15/32 host 10.192.1.86/32 health 10.192.1.110/32 health 10.192.1.144/32 7749 k8s 10.192.1.169/32 health 172.28.128.6/32 host 192.168.9.1/32 host 192.168.36.1/32 7749 k8s 192.168.36.11/32 host 192.168.37.11/32 host f00d::a0f:0:0:76d5/128 7749 k8s f00d::a0f:0:0:79ba/128 health f00d::a0f:0:0:9fb8/128 health f00d::a0f:0:0:f4ec/128 health fc00::10ca:1/128 7749 k8s This behavior can be disabled (i.e. the identities are all printed in numeric format) by specifying the `-n` flag. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> | 28 September 2020, 20:07:56 UTC |
| 348ef4e | Maciej Kwiek | 28 September 2020, 11:42:37 UTC | ci: Run policy stress tests on a nightly basis Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 28 September 2020, 19:02:06 UTC |
| 5b68613 | Maxime VISONNEAU | 25 September 2020, 14:18:57 UTC | helm: configurable nodeSelector and tolerations for all charts Added configuration options nodeSelector (deployments) and tolerations (daemonsets and deployments) for all the existing charts: - agent - hubble-relay - hubble-ui - managed-etcd - nodeinit - operator - preflight On the preflight one, I also simplified the tolerations with a single 'operator: Exists'. Other than that, the behaviour with default values should remain identical. Initially, my use case was to be able to avoid having the hubble-relay pods running on tainted nodes. I went forward with updating all the charts as I felt this could probably be useful for others. Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com> | 28 September 2020, 15:16:22 UTC |
| 758539b | Kornilios Kourtis | 17 September 2020, 10:06:49 UTC | docs: add initial performance guide doc Initial guide with results and some basic tuning options for users. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 25 September 2020, 22:14:48 UTC |
| 0090b4d | Robin Hahling | 25 September 2020, 11:17:25 UTC | helm: remove hubble-ca-certs Kubernetes TLS secret This Kubernetes TLS secret is actually unused. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> | 25 September 2020, 14:09:59 UTC |
| b3adc4d | André Martins | 18 September 2020, 17:16:07 UTC | k8s: delete IPs from ipcache for no running Pods In Kubernetes, a Job creates a pod which will complete with either the "Succeeded" or "Failed" PodPhase. Kubernetes will leave these Pods around until the Job is deleted by the operator. As soon the pod enters either one of the previously described PodPhases, Kubelet will send a CNI delete event to Cilium agent which will then release the allocated IP addresses of that pod, making the IP address available again. If not disabled, Cilium will create a Cilium Endpoint for each Pod in the cluster that has its network managed by Cilium. Cilium agent populates the ipcache with the information retrieved from Pods and Cilium Endpoints events, in case of duplicated information, ipcache will be stored with the state from Cilium Endpoints. In a unlikely case of Cilium agent not running and the Pod enters the "Succeeded" state, it will mean the Cilium agent will not be available to delete the Cilium Endpoint created for that Pod. To complement this fix, Cilium agents will also prune Cilium Endpoints of not running pods on start up. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 11:37:12 UTC |
| 2988760 | André Martins | 18 September 2020, 16:07:58 UTC | k8s/slim: add PodPhase as part of the slim structures This field is essential to understand if the pod is still running or not. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 11:37:12 UTC |
| f1b61a7 | André Martins | 18 September 2020, 15:21:31 UTC | pkg/k8s: do not watch for CiliumEndpoints if disable-endpoint-crd=true To avoid wasting resources in Cilium and to avoid leftover CiliumEndpoints from populating the ipcache, we should not watch for CiliumEndpoints when disable-endpoint-crd is set to true. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 11:37:12 UTC |
| 0fbd2b4 | André Martins | 22 September 2020, 16:51:44 UTC | Revert "endpointsynchronizer: do not delete CEP when endpoint is deleted" This reverts commit 8068f1a91f043c26ecdc15ad78fe6878a8fc8957. This reverted commit introduces a regression where Cilium Endpoints can be left around after the Cilium Endpoint was locally deleted. Although it was a scale optimization for non existing docker images, the security aspect will overlap the scalability concern initially thought. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 11:37:12 UTC |
| a07c651 | Chris Tarazi | 23 September 2020, 23:02:42 UTC | docs: Add note for users upgrading K8s Updates: https://github.com/cilium/cilium/issues/12737 Signed-off-by: Chris Tarazi <chris@isovalent.com> | 25 September 2020, 09:02:36 UTC |
| c1814ba | André Martins | 06 August 2020, 11:33:37 UTC | pkg/k8s: fix data race in CNP rule validation This change fixes the following data race: ``` ================== WARNING: DATA RACE Write at 0x00c001cbe910 by goroutine 304: github.com/cilium/cilium/pkg/policy/api.(*PortProtocol).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:393 +0x17a github.com/cilium/cilium/pkg/policy/api.(*PortRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:345 +0xdb github.com/cilium/cilium/pkg/policy/api.(*IngressRule).sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:151 +0xbee github.com/cilium/cilium/pkg/policy/api.Rule.Sanitize() /go/src/github.com/cilium/cilium/pkg/policy/api/rule_validation.go:71 +0x1eb github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2.(*CiliumNetworkPolicy).Parse() /go/src/github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2/types.go:251 +0x663 github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).prepareUpdate() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:144 +0x8d2 github.com/cilium/cilium/pkg/k8s.(*CNPStatusUpdateContext).UpdateStatus() /go/src/github.com/cilium/cilium/pkg/k8s/cnp.go:237 +0x550 github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).updateCiliumNetworkPolicyV2AnnotationsOnly.func1() /go/src/github.com/cilium/cilium/pkg/k8s/watchers/cilium_network_policy.go:343 +0x7d github.com/cilium/cilium/pkg/controller.(*Controller).runController() /go/src/github.com/cilium/cilium/pkg/controller/controller.go:205 +0xc71 Previous read at 0x00c001cbe910 by goroutine 18: reflect.typedmemmove() /usr/local/go/src/runtime/mbarrier.go:177 +0x0 reflect.packEface() /usr/local/go/src/reflect/value.go:119 +0x126 reflect.valueInterface() /usr/local/go/src/reflect/value.go:1030 +0x1b9 reflect.Value.Interface() /usr/local/go/src/reflect/value.go:1000 +0x3c27 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:726 +0x3c28 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:869 +0xfd2 fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:810 +0x296e fmt.(*pp).printValue() /usr/local/go/src/fmt/print.go:880 +0x2709 fmt.(*pp).printArg() /usr/local/go/src/fmt/print.go:716 +0x25a fmt.(*pp).doPrintf() /usr/local/go/src/fmt/print.go:1030 +0x311 fmt.Sprintf() /usr/local/go/src/fmt/print.go:219 +0x73 github.com/cilium/cilium/pkg/policy/api.Rules.String() /go/src/github.com/cilium/cilium/pkg/policy/api/rules.go:34 +0x13c github.com/cilium/cilium/daemon/cmd.(*Daemon).policyAdd() /go/src/github.com/cilium/cilium/daemon/cmd/policy.go:265 +0x34b0 github.com/cilium/cilium/daemon/cmd.(*PolicyAddEvent).Handle() /go/src/github.com/cilium/cilium/daemon/cmd/policy.go:217 +0xc9 github.com/cilium/cilium/pkg/eventqueue.(*EventQueue).Run.func1() /go/src/github.com/cilium/cilium/pkg/eventqueue/eventqueue.go:260 +0x25d sync.(*Once).doSlow() /usr/local/go/src/sync/once.go:66 +0x103 sync.(*Once).Do() /usr/local/go/src/sync/once.go:57 +0x68 ``` Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| efe593b | André Martins | 06 August 2020, 08:56:19 UTC | pkg/azure: fix data race in shared field Fixes the following race: ``` WARNING: DATA RACE Read at 0x00c0002fe870 by goroutine 460: github.com/cilium/cilium/pkg/azure/ipam.(*Node).ResyncInterfacesAndIPs() /home/travis/gopath/src/github.com/cilium/cilium/pkg/azure/ipam/node.go:162 +0x1a4 github.com/cilium/cilium/pkg/ipam.(*Node).recalculate() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node.go:357 +0x12b github.com/cilium/cilium/pkg/ipam.(*NodeManager).resyncNode() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:384 +0x92 github.com/cilium/cilium/pkg/ipam.(*NodeManager).Resync.func1() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:431 +0xa0 Previous write at 0x00c0002fe870 by goroutine 57: github.com/cilium/cilium/pkg/azure/ipam.(*InstancesManager).Resync() /home/travis/gopath/src/github.com/cilium/cilium/pkg/azure/ipam/instances.go:105 +0x8f9 github.com/cilium/cilium/pkg/ipam.(*NodeManager).instancesAPIResync() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:186 +0x8b github.com/cilium/cilium/pkg/ipam.NewNodeManager.func1() /home/travis/gopath/src/github.com/cilium/cilium/pkg/ipam/node_manager.go:168 +0x8f github.com/cilium/cilium/pkg/trigger.(*Trigger).waiter() /home/travis/gopath/src/github.com/cilium/cilium/pkg/trigger/trigger.go:206 +0x5b1 ``` Fixes: 3dfd638dcf7b ("ipam: Move iterator logic into generic InstanceMap") Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 229a48d | André Martins | 05 June 2020, 15:37:12 UTC | fqdn/dnsproxy: Close TCP and UDP server after each test To avoid concurrency issues across multiple tests we should shutdown and set up the TCP and UDP servers for each individual test. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 97d4924 | André Martins | 05 June 2020, 15:06:00 UTC | pkg/idpool: split tests that timeout with race detector set There is a test that times out in travis when running with the race detector set, this is primarily caused by the high amount of go routines started in parallel by such test. To avoid this issue we need to split the test in 2 different files, one that has a lower maxID, and therefore lower number of go routines started, for the builds with the race detection, and another one with the same maxID for the builds without the race detection. Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 9842dd5 | André Martins | 04 June 2020, 11:16:46 UTC | fqdn/dnsproxy: use atomic Store/Load for the rejectReply return code SetRejectReply might set a field that is read from a different go routine. To protect this field against this race condition we need to use the atomic Store/Load and split the tests. Fixes: 1121202121f7 ("fqdn: L3-aware L7 DNS policy enforcement") Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 18981be | André Martins | 04 June 2020, 08:10:38 UTC | identity/cache: close KVStore connection on tear down test Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 597528c | André Martins | 22 September 2020, 13:52:37 UTC | travis: enable race detector in travis Signed-off-by: André Martins <andre@cilium.io> | 25 September 2020, 08:44:44 UTC |
| 5c6aad6 | Chris Tarazi | 23 September 2020, 22:44:08 UTC | k8s: Remove CRD deleting functionality This commit removes the ability to delete CRDs from Cilium because that would delete all the CRs in the cluster. Follow-up from: https://github.com/cilium/cilium/pull/11477#discussion_r487816729 Updates: https://github.com/cilium/cilium/issues/12737 Signed-off-by: Chris Tarazi <chris@isovalent.com> | 24 September 2020, 21:44:23 UTC |
| 4ae7486 | Tobias Klauser | 24 September 2020, 13:49:47 UTC | test, images: update helm to 3.3.4 In the provision script, also remove the downloaded tarball and unarchived directory after installation. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> | 24 September 2020, 21:43:23 UTC |
| 71c5086 | Deepesh Pathak | 15 September 2020, 11:02:27 UTC | test: add IPv6 NodePort services tests Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> | 24 September 2020, 21:42:56 UTC |
| d888057 | Deepesh Pathak | 14 September 2020, 07:19:10 UTC | bpf: fix nodeport ipv6 service revnat handling * This commit fixes an issue in nodeport service revnat handling where the interface index was not properly restored from the Conntrack state leading to packet redirects to invalid interface. Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com> | 24 September 2020, 21:42:56 UTC |
| 745a26b | Adam Wolfe Gordon | 23 September 2020, 17:38:00 UTC | k8s: Consider session affinity parameters when comparing Services Previously, if the `sessionAffinity` or `sessionAffinityTimeoutSec` of a Service changed, cilium would ignore the change. This meant that even though cilium correctly handles `sessionAffinity`, changing the `sessionAffinity` of a service without any other changes did not cause cilium to change its handling. Add `sessionAffinity` and `sessionAffinityTimeoutSec` handling to the comparator for services, so that cilium will notice affinity changes. Signed-off-by: Adam Wolfe Gordon <awg@digitalocean.com> | 24 September 2020, 09:33:45 UTC |
| 4058f10 | Tam Mach | 23 September 2020, 22:49:04 UTC | test(smoketest): Run smoketest with kube 1.19.x This commit is to upgrade the k8s version to 1.19.1 for smoketest. - Bump kind version to 0.9.0 - Bump kind-action to v1.0.0 - Add nodeversion in kind-config-*.yaml Signed-off-by: Tam Mach <sayboras@yahoo.com> | 24 September 2020, 08:04:27 UTC |
| 97362f4 | Maciej Kwiek | 23 September 2020, 12:08:46 UTC | test: check logs of operator and hubble relay This change expands Cilium logs checking at the end of the tests to also check operator and hubble relay logs for bad log messages. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> | 24 September 2020, 07:58:40 UTC |
| 815be6a | Quentin Monnet | 10 September 2020, 15:43:14 UTC | iptables: comment on xt_connmark requirement for EKS rules EKS requires some specific rules for asymmetric routing with multi-node NodePort traffic. These rules relies on the xt_connmark kernel module, which is usually loaded by iptables when necessary. The rules are installed when the selected IPAM is ENI, meaning they are installed on AWS (but not only EKS). The xt_connmark module should be loaded in a similar way, unless loading modules after boot has been disabled, in which case the setup fails and the agent crashes. Add a comment to at least help debug the issue. Longer term, we may want to add more explicit hints to the logs if too many users hit the issue, but that would require parsing iptables' output for the specific error, so let's see how it goes with a simple comment in the code for now. Signed-off-by: Quentin Monnet <quentin@isovalent.com> | 24 September 2020, 02:20:42 UTC |
| a301853 | Quentin Monnet | 10 September 2020, 20:37:43 UTC | iptables, loader: use interface with default route for EKS rules Multi-node NodePort traffic on EKS needs specific rules regarding asymmetric routing. These rules were implemented for the eth0 interface (namely), because this is what EKS uses. With the default Amazon Linux 2 distribution. But EKS can also run with Ubuntu for example, and the name of the interface is not the same in that case. Instead of "eth0", use the interface with the dafault route. This is a quick fix, and longer term we want to add the rules to all relevant interfaces, as discussed in #12770. Fixes: #12770 Fixes: #13143 Signed-off-by: Quentin Monnet <quentin@isovalent.com> | 24 September 2020, 02:20:42 UTC |
| 09e9a46 | Quentin Monnet | 09 September 2020, 10:56:15 UTC | iptables, loader: skip rules for EKS asymmetric routing if !IPv4 EKS needs some specific rules for asymmetric routing with multi-node NodePort traffic. These rules are implemented only for IPv4, so we can avoid installing them when IPv4 is disabled. This is what this commit does. Note that this check is, in fact, not necessary at the moment, because as the config package says: "IPv6 cannot be enabled in ENI IPAM mode". So we always run with IPv4. But let's have it for good measure, to avoid issues if IPv6 support comes in the future. For the same reason, we also do not have to implement equivalent rules for IPv6 at the moment. Signed-off-by: Quentin Monnet <quentin@isovalent.com> | 24 September 2020, 02:20:42 UTC |
| 01f8dcc | Quentin Monnet | 09 September 2020, 09:24:34 UTC | loader: move ENI rules for asymmetric routing to dedicated function EKS needs some specific rules for NodePort traffic (see PR #12770, or comments in the code, for details). The addition of part of these rules were added to the body of the Reinitialize() function in the loader. To make them easier to maintain or extend, let's move them to a dedicated function called by Reinitialize(). No functional change. Signed-off-by: Quentin Monnet <quentin@isovalent.com> | 24 September 2020, 02:20:42 UTC |
| 510566a | Kornilios Kourtis | 16 September 2020, 10:41:54 UTC | docs: backport documentation additions Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> Co-authored-by: Joe Stringer <joe@cilium.io> | 23 September 2020, 13:14:42 UTC |
| 511b15d | Sebastian Wicki | 22 September 2020, 14:16:48 UTC | hubble: Fix filter by reply reporting flows with unknown reply state This fixes a bug in the reply filter on `reply=false` would report flows for which we actually do not know if they were replies or not. Not all trace points have connection tracking state available, thus looking at the reply flag alone is not sufficent to tell if something a flow was a reply or not. Ideally, we would fix this in the parser and make the `reply` an optional boolean, so we can distinguish between a `false` value and an absent value. This however is a breaking change in the Hubble API, which we want to avoid. Therefore, this commit modifies the reply filter to only report flows here for which we know that the reply field is reliable. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 23 September 2020, 12:43:18 UTC |
| 8e24ea3 | Sebastian Wicki | 22 September 2020, 14:15:12 UTC | monitor: Add helper to determine if a trace point has conn state Not all trace observation points have access to the connection tracking state and populate the `Reason` field of `TraceNotify` accordingly. This commit extracts a helper function to determine which trace points currently do have access to connection tracking state. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> | 23 September 2020, 12:43:18 UTC |
| 6953fe8 | Alexandre Perrin | 21 September 2020, 12:30:06 UTC | test: ensure that hubble has tls enabled Signed-off-by: Alexandre Perrin <alex@kaworu.ch> | 23 September 2020, 10:07:07 UTC |
| 6e1342a | Alexandre Perrin | 21 September 2020, 12:29:32 UTC | test: enable hubble tls Signed-off-by: Alexandre Perrin <alex@kaworu.ch> | 23 September 2020, 10:07:07 UTC |
| aa26f0c | Tobias Klauser | 21 September 2020, 13:45:26 UTC | envoy: don't use deprecated listener and HTTP filter names While running runtime FQDN tests, the following deprecation warnings appeared in the logs: 15:39:07 Top 3 errors/warnings: 15:39:07 [[bazel-out/k8-opt/bin/external/envoy/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.router' for 'envoy.filters.http.router'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details. 15:39:07 [[bazel-out/k8-opt/bin/external/envoy/source/extensions/common/_virtual_includes/utility_lib/extensions/common/utility.h:65] Using deprecated extension name 'envoy.listener.tls_inspector' for 'envoy.filters.listener.tls_inspector'. This name will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/intro/deprecated for details. Fix them by using the canonical names as suggested in https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.14.0#deprecated Signed-off-by: Tobias Klauser <tklauser@distanz.ch> | 23 September 2020, 10:05:32 UTC |
