Revision Author Date Message Commit Date
383e9cd chore(deps): update all lvh-images main to bpf-next-20240322.012512 Signed-off-by: renovate[bot] <bot@renovateapp.com> 25 March 2024, 01:49:33 UTC
aefd4ea proxy: remove dns proxy port from config Currently, the proxy config contains the unnecessary field `DNSProxyPort`. DNS Proxy port is allocated and set during DNS bootstrap in the agent. Hence, let's remove the field (that wasn't configurable anyway). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 22 March 2024, 15:29:23 UTC
74b4a37 proxy: make port range configurable Currently, the proxy port range for proxy port allocation is hardcoded to `10000` - `20000`. This commit introduces a proper Hive Config for the Cell. This way the range is configurable via the flags `--proxy-portrange-min` & `--proxy-portrange-max`. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 22 March 2024, 15:29:23 UTC
957b8fd docs: aks: avoid overlapping service and pod CIDRs The default service CIDR of AKS clusters is 10.0.0.0/16 [1]. Cilium's default pod CIDR in cluster pool IPAM is 10.0.0.0/8, which overlaps. This can lead to "fun" situations in which e.g. the kube-dns service ClusterIP is the same as the hubble-relay pod IP, or similar shenanigans. This usually breaks the cluster utterly. The fix is relatively straight-forward: set a pod CIDR for cilium which does not overlap with defaults of AKS. We chose 192.168.0.0/16 as this is what is recommended in [2]. [1]: https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#create-an-aks-cluster-with-system-assigned-managed-identities [2]: https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium#option-1-assign-ip-addresses-from-an-overlay-network Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 22 March 2024, 14:27:32 UTC
ff29e68 proxy: remove unused ifaces and code for proxy <-> endpoint interaction This commit removes unused interfaces and code for the proxy <-> endpoint interaction. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 22 March 2024, 13:27:05 UTC
c3f8a23 controller: Add and use lookup function for controllers This commit has no functional impact, but eases future changes in this code to reuse the lookup function. Signed-off-by: Chris Tarazi <chris@isovalent.com> 22 March 2024, 11:29:23 UTC
dc880e7 node: add support for injection of optional ipset filter Introduce the possibility of injecting through Hive an optional function to filter out upsertions of IP addresses into the node IPSets, based on node properties, to allow for additional flexibility when consumed by external modules. Deletions are not filtered, as idempotent in case the entry wasn't already present in the first place. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 22 March 2024, 10:44:30 UTC
9d43404 images: update cilium-{runtime,builder} Signed-off-by: Cilium Imagebot <noreply@cilium.io> 22 March 2024, 10:29:42 UTC
62503d5 images/builder: get rid of annoying git ownership warnings Begone, cumbersome git warnings caused by including Makefile.defs: ``` fatal: detected dubious ownership in repository at '/src' To add an exception for this directory, call: git config --global --add safe.directory /src ``` cilium-builder will be run as root in various contexts, and git repos will be mounted under random paths, so we can't reasonably target them. Just stop the warnings, they're useless in this context. Signed-off-by: Timo Beckers <timo@isovalent.com> 22 March 2024, 10:29:42 UTC
c0676e6 bpf,metrics: add line/file information to `cilium-dbg bpf metrics list` Fixes #27748 Example output: ``` ~ cilium bpf metrics list REASON DIRECTION PACKETS BYTES LINE FILE Interface INGRESS 151 9368 1092 bpf_host.c Interface INGRESS 731 139248 659 bpf_overlay.c Success EGRESS 137 8212 1531 bpf_host.c Success EGRESS 9 744 1286 bpf_lxc.c Success INGRESS 11 926 86 l3.h Success INGRESS 1403 299078 231 trace.h Unsupported L3 protocol EGRESS 6 460 1466 bpf_lxc.c ``` ``` ~ cilium bpf metrics list -o json { "reason": "Success", "direction": "egress", "packets": 406587, "bytes": 78023315, "line": 40, "file": "encap.h" }, { "reason": "Unsupported L3 protocol", "direction": "egress", "packets": 167, "bytes": 12050, "line": 1466, "file": "bpf_lxc.c" } ``` Signed-off-by: Timo Beckers <timo@isovalent.com> 22 March 2024, 09:51:42 UTC
f88cb0b bpf: refactor source file name id lookup, always define __MAGIC_FILE__ This commit moves the filename->id lookup machinery around a bit to conform better to the existing structure of the Makefile and checker scripts. bpf/source_names_to_ids.h was moved to bpf/lib/source_info.h, check-sources.sh was moved out of the loader package and into the usual scripts directory in contrib/, and no longer has its own Makefile target. In addition to __MAGIC_FILE__, this commit adds __MAGIC_LINE__ that resolves to 0 in BPF tests, for reasons documented in the source code. A follow-up commit will make use of it. Also fixes all shellcheck warnings in check-sources.sh. Signed-off-by: Timo Beckers <timo@isovalent.com> 22 March 2024, 09:51:42 UTC
b41b78d metrics: prepare to increase cardinality of BPF metrics key This commit is split off from subsequent commits to backport to 1.15. In a follow-up commit, the reserved space in metricsmap.Key will be used for storing line and file info. Since older versions of Cilium don't decode these fields yet, this either causes duplicate metrics to be displayed, or causes the last metricsmap entry with a given reason/direction combination to overwrite the counters of other entries, resulting in wrong metrics. metricsmapCollector.Collect() was believed to handle this correctly, but the code turned out to be wrong. The updated implementation sums up all values that resolve to the same label set. Various cleanups were made to remove type conversions and improve legibility. Signed-off-by: Timo Beckers <timo@isovalent.com> 22 March 2024, 09:51:42 UTC
8c1ae0b daemon: Use LastSuccessInteraction instead of LastInteraction cilium-agent periodically checks the connectivity to the k8s api-server by "kubernetes" probe. cachedVersion() returns a cached value of the k8s version to the probe if not expired or invalid. The logic for evaluating the validity of the cache is as follows: 1. check if the api-server connectivity is healthy. If the last check was more than k8sMinimumEventHeartbeat(default: 1m) ago, then valid=false is returned. 2. if the api-server connectivity is given, returns valid=false if the last check was more than k8sVersionCheckInterval(default: 15m) ago. 3. otherwise returns the cached value and valid=true. Currently 'k8smetrics.LastInteraction.Time()' is used in the step 1, which is updated periodically regardless of whether the api-server connectivity is alive or not. This commit fixes it to use 'k8smetrics.LastSuccessInteraction.Time()' instead. Signed-off-by: naoki-take <naoki-take@cybozu.co.jp> 22 March 2024, 09:04:59 UTC
59a01a8 bgpv1: BGP Control Plane metrics Implement the following initial metrics for BGP Control Plane. 1. cilium_bgp_control_plane_session_state Gauge that shows session state per vrouter/neighbor. Established (1) or Not Established (0). 2. cilium_bgp_control_plane_advertised_routes Gauge that shows the number of advertised routes per vrouter/neighbor/afi/safi. 3. cilium_bgp_control_plane_received_routes Gauge that shows the number of received routes per vrouter/neighbor/afi/safi. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 22 March 2024, 00:57:22 UTC
f76d7cf multicast: add CLIs to configure multicast bpf maps This change adds cilium-dbg commands to manage multicast BPF maps. The following commands are added - cilium-dbg bpf multicast group list - cilium-dbg bpf multicast group add <group> - cilium-dbg bpf multicast group delete <group> - cilium-dbg bpf multicast subscriber list <group|all> - cilium-dbg bpf multicast subscriber add <group> <subscriber> - cilium-dbg bpf multicast subscriber delete <group> <subscriber> Signed-off-by: harsimran pabla <hpabla@isovalent.com> 21 March 2024, 21:53:56 UTC
f8fb8d1 chore: update sw + json-mock image Replaced docker.io with quay.io, pinned to the current latest. The Docker source is deprecated. Signed-off-by: loomkoom <loomkoom@hotmail.com> 21 March 2024, 21:53:20 UTC
93f9813 node: ignore kvstore node events for the local node Let's not propagate node updated/deleted events received from the kvstore for the local node to the NodeManager. This matches the behavior of the corresponding CiliumNode watcher, and prevents the unnecessary increase of the ipcache_errors_total (cannot_overwrite_by_source) metric, caused by information with source=local always taking precedence. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 March 2024, 21:53:10 UTC
392a50b gha: fix coredns logs retrieval in conformance-clustermesh The amount of log lines to display is limited to 10 by default when using a label selector. Let's switch to unlimited. --tail=-1: Lines of recent log file to display. Defaults to -1 with no selector, showing all log lines otherwise 10, if a selector is provided. Fixes: b1774e1240e3 ("gha: retrieve additional coredns-related troubleshooting info") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 21 March 2024, 21:52:47 UTC
31a2c2c docs: Correct dynamic hubble exporter sample configs example This commit corrects the sample dynamic flow logs configs for hubble exporter. This inserts `dynamic.enabled: true` in helm values because `dynamic.enabled` is false by default. Signed-off-by: David cheng <david2881234@gmail.com> 21 March 2024, 20:02:51 UTC
cfed66e Revert "daemon: Forbid IPv6 BPF masquerading with the host firewall" This reverts commit 934e1f2df26c5b27348e7804e6f78b6553c65813. Since commit 9c1031e31719 ("bpf: fix missing ipv6 ct entry for snated traffic"), IPv6 BPF masquerading and the host firewall are compatible in the datapath. Let's allow them to be used together, and use the combination in tests. Signed-off-by: Quentin Monnet <qmo@qmon.net> 21 March 2024, 17:03:11 UTC
ea16b85 fix(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] Signed-off-by: renovate[bot] <bot@renovateapp.com> 21 March 2024, 13:46:45 UTC
0b9b390 bpf: make BPF unit tests reproducible Currently, we develop the datapath against multiple versions of LLVM: various local (host) toolchains during development, CI uses an LLVM version installed by a GH workflow, and the agent uses the cilium-builder container image. This PR changes the BPF unit tests to use cilium-builder by default using the `run_bpf_tests` make target in the root Makefile of the project. Small overview of the changes: - run bpf unit tests CI using the cilium-builder image so we use the same LLVM toolchain across all tests - set -j<numcpu> on the root Docker invocation to build .o's in parallel, as building the tests was becoming rather slow - moved `test/bpf_tests/` to `bpf/tests/bpftest` to keep the BPF test runner closer to the .c test files it's used with - removed the layer of indirection through `test/Makefile`; the root Makefile now calls `bpf/tests/Makefile` directly - added a `run` target to `bpf/tests/Makefile` to make it easier to invoke the tests using the host Go toolchain without rebuilding the world. sudo is now used automatically for 'go test' if `make` is invoked as a non-root user. - cleaned up output generated by bpf/tests/Makefile Signed-off-by: Timo Beckers <timo@isovalent.com> 21 March 2024, 10:55:54 UTC
d3b19d6 cilium-dbg: listing load-balancing configurations displays L7LB proxy port Currently, listing the load-balancing configuration doesn't display the L7LB Proxy Port for services of type `l7-load-balancer`. ``` cilium-dbg bpf lb list SERVICE ADDRESS BACKEND ADDRESS (REVNAT_ID) (SLOT) ... 10.96.193.7:443 0.0.0.0:0 (30) (0) [ClusterIP, non-routable, l7-load-balancer] ``` The only way of retrieving the L7LB proxy port is to list the frontends (`cilium-dbg bpf lb list --frontends`) and manually convert the backend id (union type) to the L7LB proxy port. Therefore, this commit adds the L7LB proxy port to the output of `cilium-dbg bpf lb list` if the service is of type L7 LoadBalancer. The `--frontends` subcommand still displays the unmapped backend id. ``` cilium-dbg bpf lb list SERVICE ADDRESS BACKEND ADDRESS (REVNAT_ID) (SLOT) 10.96.0.1:443 172.18.0.3:6443 (1) (1) 0.0.0.0:0 (1) (0) [ClusterIP, non-routable] 10.96.252.10:443 172.18.0.2:4244 (22) (1) 0.0.0.0:0 (22) (0) [ClusterIP, InternalLocal, non-routable] 10.96.155.44:80 0.0.0.0:0 (14) (0) [ClusterIP, non-routable] 10.244.1.211:80 (14) (1) 172.18.0.2:32646 0.0.0.0:0 (33) (0) [NodePort, l7-load-balancer] (L7LB Proxy Port: 15735) 10.96.193.7:443 0.0.0.0:0 (30) (0) [ClusterIP, non-routable, l7-load-balancer] (L7LB Proxy Port: 15735) 10.96.122.45:80 10.244.1.250:80 (26) (1) 0.0.0.0:0 (26) (0) [ClusterIP, non-routable] 10.96.102.137:80 0.0.0.0:0 (23) (0) [ClusterIP, non-routable] 10.244.1.126:4245 (23) (1) 10.96.108.180:443 0.0.0.0:0 (17) (0) [ClusterIP, non-routable, l7-load-balancer] (L7LB Proxy Port: 17731) 172.18.255.1:80 0.0.0.0:0 (25) (0) [LoadBalancer, l7-load-balancer] (L7LB Proxy Port: 17731) 0.0.0.0:32646 0.0.0.0:0 (34) (0) [NodePort, non-routable, l7-load-balancer] (L7LB Proxy Port: 15735) 0.0.0.0:31012 0.0.0.0:0 (21) (0) [NodePort, non-routable, l7-load-balancer] (L7LB Proxy Port: 17731) ``` Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 21 March 2024, 03:45:18 UTC
1c17fb8 images: update cilium-{runtime,builder} Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 20 March 2024, 17:23:14 UTC
f14a0d1 chore(deps): update docker.io/library/golang:1.22.1 docker digest to 0b55ab8 Signed-off-by: renovate[bot] <bot@renovateapp.com> 20 March 2024, 17:23:14 UTC
a1777dc chore(deps): update github/codeql-action action to v3.24.8 Signed-off-by: renovate[bot] <bot@renovateapp.com> 20 March 2024, 16:41:16 UTC
db28554 chore(deps): update hubble cli to v0.13.2 Signed-off-by: renovate[bot] <bot@renovateapp.com> 20 March 2024, 16:40:28 UTC
8adde88 renovate: Drop updates for EOL branch v1.12 Signed-off-by: Joe Stringer <joe@cilium.io> 20 March 2024, 16:13:14 UTC
bd99b26 iptables: Remove unused param from installMasqueradeRules ifName is not needed to install masquerading rules, hence remove it from the function signature. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 20 March 2024, 15:02:45 UTC
460070d iptables/ipset: Manage IP sets independently Remove IP sets management from iptables manager and use the new cell based on the stateDB reconciler. The node manager has been changed to use the new ipset manager methods. Also, a fake version of the cell has been added to mock the ipset manager in controlplane testing. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 20 March 2024, 15:02:45 UTC
5aad3d2 iptables/ipset: Add a cell to manage IP sets Add an independent cell to manage IP sets and reconcile them dynamically through the stateDB generic reconciler. The cell manages only two different sets, one related to the Node IPv4 addresses and the other one related to the Node IPv6 addresses. Other sets are not touched in any way. When IP sets are disabled, the IP sets manager tries to clean both Cilium managed IP sets at startup, to avoid leaving stale entries from previous runs. When IP sets are enabled, the IP sets manager exports two methods to add and remove IPs from a named set, respectively. The sets are updated in the relative stateDB table and the kernel state reconciled later using the `ipset` utility. The cell will be plumbed in the iptables cell in a later commit. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 20 March 2024, 15:02:45 UTC
3acdc1d datapath/tables: Add ipset Table[*Ipset] Add a stateDB table to store IP sets. This will be used in later commits to build an IP sets manager able to dynamically reconcile sets with v4 and v6 node IPs. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 20 March 2024, 15:02:45 UTC
bf649c4 container: Add ImmSet[T], a slice-backed immutable set Add an immutable set data structure for use in objects stored in StateDB tables. The ImmSet[T] is useful when storing a relatively small set of items (1-1000). Implemented as a sorted slice. Mutations of the set clone the slice and lookups are implemented as binary searches. The benefit of this is a packed presentation, especially for value types (e.g. netip.Addr) which will cause less overhead for GC. Downside is that inserts and deletes become expensive when there are many items. Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 20 March 2024, 15:02:45 UTC
bf7de82 envoy: cleanup istio specifics in endpoint package As a follow up of #30130, this commit removes istio specific implementations and/or comments from the endpoint package. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 20 March 2024, 12:37:42 UTC
161db0d envoy: cleanup istio specifics As a follow up of #30130, this commit removes istio specific implementations and/or comments from the Envoy module. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 20 March 2024, 12:37:42 UTC
79733d2 helm: Introduce values.schema.json and tooling Auto-generate a values.schema.json file from type annotations in values.yaml.tmpl. Update the helm-toolbox container image to add additional tooling. Fixes cilium#22831 Signed-off-by: Gerald Pape <gerald@giantswarm.io> 20 March 2024, 11:29:54 UTC
afaad0e chore(deps): update all lvh-images main to bpf-next-20240315.012542 Signed-off-by: renovate[bot] <bot@renovateapp.com> 20 March 2024, 11:04:23 UTC
6ddd70c bgpv2: adding pod-cidr advert tests Adding unit tests for pod-cidr advertisement reconciler. Also, introducing fake BGP router layer to decouple lower layer from unit tests of reconcilers. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 19 March 2024, 17:28:42 UTC
61bf848 bgpv2: adding pod-cidr advertisement reconciler Introducing pod-cidr advertisement reconciler as well as generic advertisement layer which can be used by other advertisement reconcilers to call lower layer BGP instance for advertising and withdrawing BGP prefixes. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 19 March 2024, 17:28:42 UTC
959090f bgpv1: refactor conversion of family types Add conversion of API CiliumBGPFamily to agent family type. Also, refactored gobgp conversions. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 19 March 2024, 17:28:42 UTC
7a16ef9 bgpv2: adding generic peer advertisement cell Introducing generic peer advertisement cell which can be used by various advertisement reconcilers to get configured advertisement option per peer per address-family. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 19 March 2024, 17:28:42 UTC
7162892 hubble/relay: Fix certificate reloading in PeerManager This change fixes an issue with the PeerManager that can lead to Relay being unable to reconnect to some or all peers when the client certificate expires or the Certificate Authority is replaced. Before this change, when the client certificate changes, we did not redial or update the existing gRPC ClientConns. When the old certificate becomes invalid (expiring, changed CA, or revoked), the connection will eventually fail with a certificate error. However, the gRPC ClientConn is not closed, but treats the certificate error as a transient failure and will retry connecting with the old credentials indefinitely. In most cases this will cause the relay health checks to fail. Relay will restart and successfully reconnect to all peers. However, if a new peer joins between the certificate being updated and the connections failing, Relay may keep on running in a degraded state. This issue was introduced by #28595. Before that change, Relay aggressively closed and re-dialed ClientConns on any error, mitigating this problem. We fix this issue by wrapping the provided gRPC transport credentials and updating the TLS configuration whenever a new TLS connection is established. This means every TLS connection will use up-to-date certificates and gRPC ClientConns will be able to recover when their certificate changes. Fixes: aca4d42ce80d ("hubble/relay: Fix connection leak when reconnecting to peer service") Signed-off-by: Fabian Fischer <fabian.fischer@isovalent.com> 19 March 2024, 17:28:16 UTC
fbe78c4 AKS: avoid overlapping pod and service CIDRs The default service CIDR of AKS clusters is 10.0.0.0/16 [1]. Unfortunately, we don't set a pod cidr for clusterpool IPAM, and hence use cilium's default of 10.0.0.0/8, which overlaps. This can lead to "fun" situations in which e.g. the kube-dns service ClusterIP is the same as the hubble-relay pod IP, or similar shenanigans. This usually breaks the cluster utterly. The fix is relatively straight-forward: set a pod CIDR for cilium which does not overlap with defaults of AKS. We chose 192.168.0.0/16 as this is what is recommended in [2]. [1]: https://learn.microsoft.com/en-us/azure/aks/configure-kubenet#create-an-aks-cluster-with-system-assigned-managed-identities [2]: https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium#option-1-assign-ip-addresses-from-an-overlay-network Fixes: fbf3d38a4b (ci: add AKS workflow) Co-authored-by: Fabian Fischer <fabian.fischer@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 19 March 2024, 16:18:37 UTC
31be787 cni: Use batch endpoint deletion API in chaining plugin This commit is to leverage the new batch endpoint deletion API instead of singular endpoint deletion based on ID. The main reason is to provide backward compatibility on the upgrade path. The current CNI attachment ID requires a valid containerIfName attribute, however, the endpoints created by old cilium versions (e.g. <1.15) do not have such details. Any CNI DEL command for these endpoints will lead to an invalid lookup (e.g. DeleteEndpointIDNotFoundCode), and prevent cleaning up of related resources such as IP addresses. The impact is only limited to CNI chaining mode, as the batch endpoint deletion API is already used in cilium-cni/cmd/cmd.go as part of #27351. Old endpoint details without (or empty) ContainerIfName ```json { "ID": 423, "ContainerName": "", "dockerID": "415beb119c4b0910f62634510e921a447893195ebedc30ca0e9cd5bf02569645", "DockerNetworkID": "", "DockerEndpointID": "", "IfName": "eni22524e9e591", "IfIndex": 13, "ContainerIfName": "", "DisableLegacyIdentifiers": false, ... } ``` New endpoint details with valid ContainerIfName (e.g. eth0) ```json { "ID": 3627, "ContainerName": "", "dockerID": "f89ccf654b878248442981d4c56fe3f50fa127f922b46ee6dccc94ae10e94b79", "DockerNetworkID": "", "DockerEndpointID": "", "IfName": "enia67a2d3c27d", "IfIndex": 45, "ContainerIfName": "eth0", "DisableLegacyIdentifiers": false, ... } ``` Relates: #26894, #27351 Suggested-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 19 March 2024, 13:33:39 UTC
9dbf93c ingress: stable address order for Ingress hostnetwork listener addresses Currently, the order of the HostNetwork listener addresses depends on the order of the listeners. This might lead to inconsistent CEC generation that can lead to unnecessary reconciliations. Therefore, this commit fixes this by sorting the listener ports before processing. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 19 March 2024, 12:42:39 UTC
9a098ae doc: Document APAC community meeting Document APAC community meeting and cleanup document structure. Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 19 March 2024, 12:03:42 UTC
cd7b35c secret-sync: improve logging Currently, the Cilium Operator log might contain some confusing messages about syncing K8s Secrets that aren't meant to be synced at all. ``` 2024-03-15T06:31:11.667921121Z level=info msg="Syncing secrets" controller=secret-syncer resource=kube-system/onepassword-credentials subsys=secret-sync 2024-03-15T06:31:11.667931655Z level=info msg="Successfully synced secrets" controller=secret-syncer resource=kube-system/onepassword-credentials subsys=secret-sync ``` Even though these secrets aren't actually synced, the log contains these messages. Therefore, this commit improves the logging. - Rephrasing the log messages to log the start and end of a reconciliation loop (without mentioning the word "sync") - Add a debug message that logs the actual sync (creation/update) of relevant K8s Secrets. - Add the secretsNamespace as logfield to the log messages for creation and deletion of synced Secrets - Add the actual action of the reconciliation as logfield to the log message "Successfully reconciled Secret" This results in the following example logs. Secret that doesn't get synced. ``` level=info msg="Reconciling secret" controller=secret-syncer resource=kube-system/sh.helm.release.v1.cilium.v1 subsys=secret-sync level=info msg="Successfully reconciled Secret" action=ignored controller=secret-syncer resource=kube-system/sh.helm.release.v1.cilium.v1 subsys=secret-sync ``` Deleting a Secret that was never synced. ``` level=info msg="Reconciling secret" controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync level=debug msg="Unable to get Secret - either deleted or not yet available" controller=secret-syncer error="Secret \"test-tls\" not found" resource=test-ingress-tls/test-tls subsys=secret-sync level=info msg="Successfully reconciled Secret" action=ignored controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync ``` Syncing a K8s Secret ``` level=info msg="Reconciling secret" controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync level=debug msg="Syncing secret" controller=secret-syncer resource=test-ingress-tls/test-tls secretNamespace=cilium-secrets subsys=secret-sync level=info msg="Successfully reconciled Secret" action=synced controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync ``` Cleaning up a synced secret ``` level=info msg="Reconciling secret" controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync level=debug msg="Delete synced secret" controller=secret-syncer resource=test-ingress-tls/test-tls secretNamespace=cilium-secrets subsys=secret-sync level=info msg="Successfully reconciled Secret" action=synced controller=secret-syncer resource=test-ingress-tls/test-tls subsys=secret-sync ``` Suggested-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 19 March 2024, 11:40:03 UTC
9939fa2 hubble: fix traffic direction and reply on encrypted trace notifications Before this patch, Hubble would wrongly report known traffic direction and reply status when IPSec was enabled. Signed-off-by: Alexandre Perrin <alex@isovalent.com> 19 March 2024, 10:44:34 UTC
31ab355 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 19 March 2024, 09:55:56 UTC
280b69d k8s/utils: correctly filter out labels in StripPodSpecialLabels Filter the labels before iterating them, otherwise they are added to sanitizedLabels again. Also remove forbidden keys prefixed with io.cilium.k8s because they are already filtered out by filterPodLabels and inline the check for kubernetes namespace labels. Fixes: ed4e6505c059 ("k8s/utils: filter out cilium-owned labels on pod update") Signed-off-by: Tobias Klauser <tobias@cilium.io> 19 March 2024, 08:22:31 UTC
f2296eb iptables: Remove ingress/egress flag from InstallProxyRules The exported iptables manager method that allows to install the rules needed to redirect traffic to a proxy requires a flag to specify the proxy traffic direction. Since the installed rules do not depend on the traffic direction, there is no need to require that flag in the InstallProxyRules method signature. The relevant interfaces and mock implementations are updated accordingly. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 19 March 2024, 08:13:39 UTC
d71f590 iptables: Unify ingress/egress proxy rules handling The proxy rules installed by the iptables manager are the same regardless of the traffic direction (ingress or egress). So, there is no point in having separate functions to install them, nor passing a boolean flag indicating the traffic direction of the proxy. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 19 March 2024, 08:13:39 UTC
b639eab docs: Warn on key rotations during upgrades In general, it is not recommended to carry several admin. operations on the cluster at the same time, as it can make troubleshooting in case of issues a lot more complicated. Mixing operations is also less likely to be covered in CI so more likely to hit corner cases. Performing IPsec key rotations during Cilium up/downgrades is one such case. Let's document it explicitly to discourage users from doing that. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 19 March 2024, 06:50:26 UTC
5e5f0fe Update --nodes-without-cilium flag The --nodes-without-cilium flag type changed from string slice to boolean in cilium/cilium-cli#2427. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 19 March 2024, 01:41:53 UTC
1d79d4e chore(deps): update dependency cilium/cilium-cli to v0.16.3 Signed-off-by: renovate[bot] <bot@renovateapp.com> 19 March 2024, 01:41:53 UTC
c1bfbed gha: Remove manual device setting This is in favour of recent work on auto device detection. Signed-off-by: Tam Mach <tam.mach@cilium.io> 19 March 2024, 00:01:37 UTC
c80018e agent: Wrap propagating errors Code involving regeneration of endpoints checks for context cancellations before logging errors for failed scenarios. These errors are flagged in CI runs during tear down phases leading to flakes. Wrap these errors so that the call site can check for valid non-error conditions. Relates: https://github.com/cilium/cilium/issues/31147 Signed-off-by: Aditi Ghag <aditi@cilium.io> 18 March 2024, 23:22:31 UTC
44e9005 hive/cell/health: don't warn when reporting on stopped reporter. Currently in cases where reporters emit status on stopped reporters, a warning is logged. This causes failures in CI related to endpoints, as those close their reporters after the endpoint is deleted. This scenario is probably not a valuable log for users and generally such occurrences should be harmless. This moves the log to debug level. Fixes: #31147 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 18 March 2024, 23:02:22 UTC
d6666ed bpf: fix go testdata Currently, check-go-testdata.sh doesn't work as expected on CI. It reports the following error and the GitHub action (Go Precheck) succeeds without error. ``` contrib/scripts/check-go-testdata.sh make[1]: Entering directory '/home/runner/work/cilium/cilium/src/github.com/cilium/cilium/pkg/bpf/testdata' docker run -it --rm -v /home/runner/work/cilium/cilium/src/github.com/cilium/cilium:/cilium quay.io/cilium/cilium-builder:819a4f1e57eaacb6aabfc6a1a39d11d4fd794a88@sha256:24781dc80f2be2d8fd66b0ce1405e1f117a3a0ef388758b1ede7831778e3a4f7 clang -target bpf -Wall -O2 -g -I -I/usr/include -I/cilium/bpf -I/cilium/bpf/include -c /cilium/pkg/bpf/testdata/unreachable-tailcall.c -o /cilium/pkg/bpf/testdata/unreachable-tailcall.o the input device is not a TTY make[1]: *** [Makefile:9: build] Error 1 make[1]: Leaving directory '/home/runner/work/cilium/cilium/src/github.com/cilium/cilium/pkg/bpf/testdata' ``` This commit fixes the following issues: - Don't execute docker interactively - Use 'set -e' in check script Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 22:23:29 UTC
cdd3fad chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 55c6361 Signed-off-by: renovate[bot] <bot@renovateapp.com> 18 March 2024, 16:57:03 UTC
495f228 envoy: support configurable Envoy base id for embedded mode Currently, the Envoy base id (https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-base-id) is only configurable for the Envoy DaemonSet mode. As a follow-up of #30466, this commit makes the Envoy base id configurable for the embedded mode too. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 15:51:18 UTC
fc1f87b fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 18 March 2024, 12:53:07 UTC
e1d7c99 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 18 March 2024, 12:07:00 UTC
a0e0055 envoy: skip secretsyncer initialization if not running in k8s Currently, the Envoy SecretSyncer (K8s TLS Secret -> Envoy SDS) fails if Cilium isn't running in a K8s cluster. Therefore, this commit doesn't initialize the SecretSyncer if Cilium is not running in a K8s cluster. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 10:55:02 UTC
4d6255f envoy: register secret syncer if only CEC is enabled too Currently, the Envoy SecretSyncer (K8s TLS Secret -> Envoy SDS) only gets registered if either Ingress Controller or Gateway API is enabled. Hence Secrets aren't available via SDS in cases where only CiliumEnvoyConfig is enabled (`--enable-envoy-config`). This commit fixes this by registering the SecretSyncer also in cases where only CiliumEnvoyConfig is enabled (without Ingress Controller and/or Gateway API being enabled). Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 10:55:02 UTC
b1774e1 gha: retrieve additional coredns-related troubleshooting info This workflow is currently plagued by a flake where one of the pods cannot reach an external endpoint, with curl timing out due to DNS: curl: (28) Resolving timed out after 2000 milliseconds\n" Let's try to gather more info to understand if the issue is related to Cilium or not. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 March 2024, 10:40:07 UTC
5067744 bgpv1: Add the documentation for using serviceAdvertisements Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> 18 March 2024, 10:39:50 UTC
726f15f test: drop the etcd test from the Ginkgo suite The conformance clustermesh E2E test has been recently extended to additionally cover Cilium operating in kvstore mode [1]. Hence let's get rid of this legacy test, which is now superseded. [1]: 403b3a265085 ("gha: extend conformance clustermesh to also cover external kvstores") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 March 2024, 10:32:01 UTC
0fb203e gha: disable fail-fast on integration tests So that the failure of one matrix entry (e.g., caused by a flake) doesn't cancel the other ongoing tests, if any. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 18 March 2024, 09:34:07 UTC
5884af1 ci-e2e: Add matrix for bpf.tproxy This is to make sure that we have the coverage for bpf.tproxy enabled. The first step is to test it with Ingress Controller enabled, we can add more settings if required later. Relates: #30331, #30404 Suggested-by: Marco Hofstetter <marco.hofstetter@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 18 March 2024, 08:37:50 UTC
efa2eed config: remove unused EnvoySecretNamespaces option This commit removes the unused option `EnvoySecretNamespaces` from the global config. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 04:00:20 UTC
c4bd58d envoy: move config values from global config into hive cell Currently, most of the Envoy related config values are in the global config struct. This commit moves the config properties into the Envoy Hive Cell. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 18 March 2024, 04:00:20 UTC
e8bed8d gateway-api: Retrieve LB service from same namespace This commit is to add the same namespace while listing generated LB service, the main reason is to avoid wrong status update for gateways having the same name, but belonging to different namespaces. Testing was done locally as per below:
Before the fix:
```
$ kg gateway -A
NAMESPACE   NAME         CLASS    ADDRESS          PROGRAMMED   AGE
another     my-gateway   cilium   10.110.222.237   True         4s
default     my-gateway   cilium   10.110.222.237   True         56s
```
After the fix:
```
$ kg gateway -A
NAMESPACE   NAME         CLASS    ADDRESS          PROGRAMMED   AGE
another     my-gateway   cilium   10.102.170.180   True         14m
default     my-gateway   cilium   10.110.222.237   True         14m

$ kg services -A
NAMESPACE   NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)        AGE
another     cilium-gateway-my-gateway   LoadBalancer   10.102.170.180   10.102.170.180   80:31424/TCP   15m
default     cilium-gateway-my-gateway   LoadBalancer   10.110.222.237   10.110.222.237   80:31889/TCP   15m
...
```
Fixes: https://github.com/cilium/cilium/issues/31270 Signed-off-by: Tam Mach <tam.mach@cilium.io> 16 March 2024, 12:06:34 UTC
1ca6141 ipam: fix azure ipam test panics due to shared pointers. pkg/ipam/types.(*InstanceMap).DeepCopy(...) will iterate for all instances/interfaces in order to copy the data. However, unlike what the name suggests, underlying instance pkg/ipam/types.Interface pointers are copied and shared in the returned instance map. In some cases, this can result in memory corruption issues resulting in confusing panics while running tests such as:
```
panic: runtime error: makeslice: cap out of range

goroutine 1366 [running]:
strconv.appendQuotedWith({0xc000576208, 0x0, 0x3f?}, {0x1000000, 0x100000001000000}, 0x22, 0x0, 0x0)
	/opt/hostedtoolcache/go/1.22.0/x64/src/strconv/quote.go:35 +0x85
strconv.AppendQuote(...)
...
```
Capturing such an event in a debugger you would see an AzureInterface struct such as this with the IP string memory being corrupt (likely due to an interleaved read/write) being passed to logrus causing a crash.
```
github.com/cilium/cilium/pkg/azure/types.AzureAddress {
	IP: "\x10\x01\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x00\x00\x00\x007d�_\x02\b\b\x19\x00\x00\x00\x00\x00\x00\x00\x00�\x1f�\x03\x00\x00\x00\x00W�\b\x00\x00\x00\x00\x00\x00p \x03\x00\x00\x00\x00�qi\x03\x00\x00\x00\x00...+51559946186908214 more",
	Subnet: "subsys",
	State: "instanceID",}
```
This ensures that the revision interface is correctly deepcopied such that the underlying resource is also safely copied. Fixed: #31059 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 15 March 2024, 19:46:45 UTC
9e011ea pkg/kvstore/allocator: Standardize usage of logfields Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com> 15 March 2024, 15:12:09 UTC
a215c0e bpf: update unreachable-tailcall.o after updating CILIUM_BUILDER_IMAGE Currently, check-go-testdata.sh (and therefore `make`) fails due to diffs in the file `pkg/bpf/testdata/unreachable-tailcall.o`. Probably due to updating the cilium builder image in #31275 - with potential changes in the clang toolchain. Therefore, this commit is manually updating the file. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 15 March 2024, 15:10:55 UTC
6436447 loader: add message if error is ENOTSUP I was trying to install cilium in a machine without a vxlan module available. Add a helpful message for the next time this happens. Tested by running:
> PRIVILEGED_TESTS=1 go test -test.v -test.run TestSetupTunnelDevice
on said machine, and got the following output:
...
```
Error: Received unexpected error: setting up vxlan device: creating vxlan device: creating device cilium_vxlan: operation not supported, maybe kernel module for vxlan is not available?
Test: TestSetupTunnelDevice/Vxlan
```
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com> 15 March 2024, 14:35:06 UTC
069d11a fqdn: avoid expensive sort/unique of names during GC Return the names affected by GC in a set instead of a slice. This avoids having to repeatedly sort and unique the slice which is a potentially expensive operation if there are many FQDN names to garbage collect. The consumer in `(*NameManager).GC` will expect a `sets.Set` already anyway. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 11:17:33 UTC
6e18eb0 bpf: Fix compatibility with Clang 17 in __lb6_affinity_backend_id The K8sAgentPerNodeConfigTest fails on Clang 17 because of its new optimizations. The verifier error ends like this:
  451: (85) call bpf_map_lookup_elem#1
  invalid indirect read from stack off -56+8 size 24
  processed 2101 insns (limit 1000000) max_states_per_insn 3 total_states 135 peak_states 133 mark_read 34
It happens because `struct lb6_affinity_key key` turns out to be not fully initialized in the call chain __sock6_xlate_fwd -> lb6_affinity_backend_id_by_netns -> __lb6_affinity_backend_id. More specifically, union lb6_affinity_client_id has two fields: client_ip (16 bytes) and client_cookie (8 bytes). __sock6_xlate_fwd initializes only 8 bytes (client_cookie), but __lb6_affinity_backend_id attempts to copy the whole 16 bytes by using ipv6_addr_copy_unaligned. Clang can track that the latter 8 bytes are not initialized, and it decides that there is no need to copy garbage if the latter 8 bytes of key.client_id.client_ip already contain some (other) garbage. These 8 bytes end up not initialized by the time we approach map_lookup_elem. Old Clang 10 also performs the optimization of ipv6_addr_copy_unaligned, but at the same time it empty-initializes key beforehand, while Clang 17 looks ahead and skips parts of empty-initialization that are going to be overwritten by garbage. Fix it by copying client_cookie or client_ip depending on the actual value in the union. If it's the smaller 8-byte client_cookie, the latter 8 bytes will be zero-initialized, because key has a designated initializer, which doesn't explicitly mention the client_id field, therefore, it's empty-initialized, which for a union means that its first member (the 16-byte one) is empty-initialized. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 15 March 2024, 11:15:29 UTC
b910469 datapath: Ignore new debug ELF prefixes Cilium compiled with LLVM 17 generates new .debug_addr and .debug_str_offsets sections. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 15 March 2024, 11:15:29 UTC
003fb4a .github: Trigger ci-verifier and lint-bpf-checks on image changes Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com> 15 March 2024, 11:15:29 UTC
ed4e650 k8s/utils: filter out cilium-owned labels on pod update Currently `io.cilium.k8s.*` pod labels are only filtered out on pod creation. On pod update, they are currently not filtered which leads to a situation where no pod label update is reflected in the endpoint anymore in case of a `io.cilium.k8s.*` label set on the pod:
$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: default
  labels:
    app: foobar
    io.cilium.k8s.something: bazbar
spec:
  containers:
  - name: nginx
    image: nginx:1.25.4
    ports:
    - containerPort: 80
EOF

$ kubectl -n kube-system exec -it cilium-nnnn -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                                  IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
252        Disabled           Disabled          50316      k8s:app=foobar                                                               fd00:10:244:1::8b69   10.244.1.78    ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default

$ kubectl label pods foo app=nothing --overwrite
$ kubectl describe pod foo
[...]
Labels:           app=nothing
                  io.cilium.k8s.something=bazbar
[...]
$ kubectl describe cep foo
[...]
Labels:       app=foobar
              io.cilium.k8s.something=bazbar
[...]
$ kubectl -n kube-system exec -it cilium-nnnn -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                                  IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
252        Disabled           Disabled          50316      k8s:app=foobar                                                               fd00:10:244:1::8b69   10.244.1.78    ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
1285       Disabled           Disabled          1          reserved:host                                                                                                     ready
1297       Disabled           Disabled          4          reserved:health                                                              fd00:10:244:1::ebfb   10.244.1.222   ready

Note that the `app` label didn't change from `foobar` to `nothing` in the endpoint and the CiliumEndpoint CRD. This is because the filtered labels are wrongly passed to `(*Endpoint).ModifyIdentityLabels` which in turn calls `e.OpLabels.ModifyIdentityLabels` which checks whether all of the deleted labels (which contains the filtered label on pod update for the example above) were present before, i.e. on pod creation. This check fails however because the labels were filtered out on pod creation. Fix this issue by also filtering out the labels on pod update and thus allowing the label update to successfully complete in the presence of filtered labels. After this change, the labels are correctly updated on the endpoint and the CiliumEndpoint CRD:
$ kubectl label pods foo app=nothing --overwrite
$ kubectl describe pod foo
[...]
Labels:           app=nothing
                  io.cilium.k8s.something=bazbar
[...]
$ kubectl describe cep foo
[...]
Labels:       app=nothing
              io.cilium.k8s.something=bazbar
[...]
$ kubectl -n kube-system exec -it cilium-x2x5r -- cilium-dbg endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                                  IPv6                  IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
57         Disabled           Disabled          56486      k8s:app=nothing                                                              fd00:10:244:1::71b7   10.244.1.187   ready
                                                           k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default
                                                           k8s:io.cilium.k8s.policy.cluster=kind-kind
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
201        Disabled           Disabled          4          reserved:health                                                              fd00:10:244:1::c8de   10.244.1.221   ready
956        Disabled           Disabled          1          reserved:host                                                                                                     ready

Fixes: 599dde3b91b3 ("k8s: Filter out cilium owned from pod labels") Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 09:07:16 UTC
5508746 k8s/watchers: set unfiltered pod labels on CEP on pod update The labels on the CEP are set to the unfiltered pod labels on CEP creation, see [1]. On any label update where labels contain filtered labels, e.g. io.cilium.k8s.* labels or labels filtered out by the user by means of the --label and/or --label-prefix-file agent options the current logic would wrongly remove the filtered labels from the CEP labels. Fix this by always using the unfiltered pod labels. [1] https://github.com/cilium/cilium/blob/b58125d885edbb278f11f84303c0e7c934ca7ea4/pkg/endpointmanager/endpointsynchronizer.go#L185-L187 Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 09:07:16 UTC
2309805 k8s: move filterPodLabels to k8s/utils package for SanitizePodLabels Currently GetPodMetadata is the only caller of SanitizePodLabels but other callers will be introduced in successive changes. This change ensures the io.cilium.k8s.* labels are filtered for these callers as well. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 09:07:16 UTC
9a26446 k8s/watchers: warn when endpoint label update fails on pod update Currently, failure to update endpoint labels based on pod labels on pod update is silently ignored by the callers or only reflected in error count metrics. Report a warning to clearly indicate that pod and endpoint labels might be out of sync. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 09:07:16 UTC
bba0ff5 k8s/watchers: inline single-use updateEndpointLabels The function updateEndpointLabels is only used in one place. Inline it to improve readability and simplify changes in successive commits. Signed-off-by: Tobias Klauser <tobias@cilium.io> 15 March 2024, 09:07:16 UTC
8c23fa8 gh: workflows: clarify reference to issue #23283 Clarify that while the issue was closed as resolved, this actually only applies to scenarios where the kind.sh script is used. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 15 March 2024, 09:02:08 UTC
f61651f operator: fix errors/warnings metric. This was broken during transition of pkg/metrics to integrate with Hive where relevant operator metrics were never initialized. This adds an init func specific for operator and cleans up the "flush" logic used as a work around for errors/warnings emitted prior to agent starting (in the case of the operator). Addresses: #29525 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> 15 March 2024, 06:34:11 UTC
e929947 labelsfilter: Ensure entity relevant labels are always applied Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file. Fixes: #18878 Signed-off-by: soggiest <nicholas@isovalent.com> 15 March 2024, 06:32:55 UTC
4ba7e6a datapath: Remove unnecessary IPsec code Commit 891fa78474 ("bpf: Delete obsolete do_netdev_encrypt_pools()") removed the special code we had to rewrite the IPsec outer header. The code removed in the present commit is therefore not required anymore. Fixes: 891fa78474 ("bpf: Delete obsolete do_netdev_encrypt_pools()") Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> 15 March 2024, 06:32:12 UTC
a5eafe0 ci: Bump lvh-kind ssh-startup-wait-retries Recently, we frequently see the CI failure with lvh-kind startup failure with exit code 41. This indicates the timeout of the task waiting for the SSH startup. Bump the timeout (retry) to 600 (10min) as a workaround. Fixes: #31336 Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com> 15 March 2024, 02:43:29 UTC
65bbf3f policy: Fix missing labels from SelectorCache selectors During the refactor of the below commit, it seems the labels were left out inadvertently, breaking the `cilium policy selectors` command that displays the labels/name of the policy from which the selectors originate. Fixes: 501944c35d ("policy/selectorcache: invert identitySelector interface") Signed-off-by: Chris Tarazi <chris@isovalent.com> 14 March 2024, 23:41:28 UTC
787858c bgpv2/ci: added watch reactor for bgp cluster config Signed-off-by: harsimran pabla <hpabla@isovalent.com> 14 March 2024, 22:12:53 UTC
95c916d test: add ginkgo default-allow tests Add some tests that create various mixtures of default-allow and default-deny policies. It is important that default-deny policies always take precedence over default-allow. It is also important that Deny rules take precedence over default-allow. These need to be integration tests, since they rely on specific interactions between the userspace and bpf policy engines. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 14 March 2024, 19:32:03 UTC
ace9740 policy: implement non-default-deny policies This adjusts the policy rule generation to take into account non-default-deny policies. As before, an endpoint is normally in a policy-disabled state. If any policies select this endpoint, then policy is enabled and all non-allowed traffic is dropped. If, however, an endpoint is only selected by default-allow policies, then policy is enabled, but a special wildcard allow policy is inserted. Since wildcard policies have very low precedence, this ensures that any Deny or L7-proxy rules will still take effect. This commit also fixes tests that incorrectly failed to sanitize rules before adding to the policy repository, leading to a nil pointer exception. Production code *always* sanitizes rules before adding. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 14 March 2024, 19:32:03 UTC
315dc38 policy/api: change Rule.Sanitize() to pointer receiver Methods called by Sanitize() may alter the underlying structures. For example, selectors are aggregated and address families are upper-cased. However, top-level fields can't be written by Sanitize. In the future, we'd like to do that. So, give it a pointer receiver. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 14 March 2024, 19:32:03 UTC
75ac5d0 policy/api: add EnableDefaultDeny field This adds a new field, EnableDefaultDeny, to CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, that controls whether or not the subject endpoints of this policy should drop unselected peer traffic. By default, endpoints are in a default-allow mode. When the first policy applies to an endpoint, it flips it to a default-deny mode. This option allows disabling that behavior. If not specified, the existing behavior remains: for each direction, traffic is allowed unless at least one policy rule applies to that endpoint. If multiple policies select an endpoint, then default-deny takes precedence. It is useful in heterogeneous environments, where it may not be desirable to implicitly drop all non-matching traffic. Consider, for example, the case where an administrator wishes to ensure a monitoring service can access all namespaces. If they create a cluster-wide policy allowing access from the monitoring service, it may create a deny policy where none was previously, unexpectedly dropping traffic. See: https://github.com/cilium/design-cfps/blob/main/cilium/CFP-30572-non-default-deny-policies.md This commit contains only the API changes; a subsequent commit will introduce the implementation. Signed-off-by: Casey Callendrello <cdc@isovalent.com> 14 March 2024, 19:32:03 UTC
b741a58 bpf: add node_key to alignchecker This struct is also used by the agent. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 14 March 2024, 16:53:16 UTC
b58125d kind: reset sysctl net.ipv4.ip_unprivileged_port_start to 1024 Currently, kind clusters running with docker have sysctl `net.ipv4.ip_unprivileged_port_start` set to `0`. This is the default of docker.
```
root@kind-worker:/home/cilium# sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0
```
This can lead to wrong assumptions and differ from the default of most k8s setups - where binding to privileged ports (<1024) requires the capability `NET_BIND_SERVICE`. Therefore, this commit resets the sysctl `net.ipv4.ip_unprivileged_port_start` to `1024`. This way the dev environment matches the default on most k8s environments. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 14 March 2024, 15:00:51 UTC
4f4b0a7 bpf, maps: Don't propagate nodeID to bpf map when allocation fails. When we run out of IDs to allocate for nodes, we were propagating zero ID to bpf map. Now we just simply return error and not modify bpf map instead. Also clean up incorrectly mapped nodeids on startup in case that happened. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 14 March 2024, 10:26:47 UTC