Revision Author Date Message Commit Date
4a03b1a Prepare for release v1.9.17 Signed-off-by: Joe Stringer <joe@cilium.io> 10 June 2022, 23:41:33 UTC
5495244 envoy: Bump cilium envoy to latest version v1.21.3 [ upstream commit 85819de7518f411d61df106200dae247973c5117 ] The image digest comes from the build below: https://github.com/cilium/proxy/runs/6816960166?check_suite_focus=true. Release note: https://www.envoyproxy.io/docs/envoy/v1.21.3/version_history/current Signed-off-by: Tam Mach <tam.mach@cilium.io> 10 June 2022, 09:57:04 UTC
5a9e405 docs: Fix incorrect FQDN flag [ upstream commit 9c6e4245f0761d3e8bcf904785290e85f8fd336b ] Fixes: f6ce522d ("FQDN: Added garbage collector functions.") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 31 May 2022, 14:32:16 UTC
08535f6 docs: Fix max SPI value for IPsec key rotations [ upstream commit 54d708e5d812a00451adab99dae01609447de2cf ] The SPI value is expected to take 4 bits at most, so its maximum value should be 15, not 16. Let's fix that in the key rotation documentation. The agent also rejects value 0, so allowed values are [1;15]. Reported-by: Odin Ugedal via Slack Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 31 May 2022, 14:32:16 UTC
a3d7371 api: change "group not found" log to debug [ upstream commit 80092ce0b2bf5351e4d71527904cbe401c2b8e4b ] Since commit 67f74ff ("images/cilium: remove cilium group from Dockerfile") the cilium group is no longer created in the image running the agent, resulting in the following log message on cilium-agent start: level=info msg="Group not found" error="group: unknown group cilium" file-path=/var/run/cilium/cilium.sock group=cilium subsys=api Change the log message to debug level to avoid confusion. Suggested-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 31 May 2022, 14:32:16 UTC
8fe2cbe docs: Add docs-builder build as dependency to live preview [ upstream commit 70676ec2c0f50074238b9da9edbe5b38a8f3544d ] With "make render-docs-live-preview", we use the cilium/docs-builder image to build a preview of the documentation, to serve it locally, and to watch the source files for changes to automatically update the preview. When the Docker image is present locally, the command uses it. When this is not the case, it pulls it from Docker, in its ":latest" version by default. This can be an issue due to commit 0da7224218ab ("ci: pin down image for documentation workflow"), where we pinned down the docs-builder image to use in the CI. Since this commit, the reference image is no longer ":latest", but the tag in use in the CI files. As a consequence, the live preview may attempt to use an outdated version of the image. This is currently the case: running the command with no local image raises an error about a missing "myst_parser" extension, which is not present on the version tagged with ":latest". To fix this, we mark builder-image as a dependency for the render-docs-live-preview target, so that the image gets built locally. Reported-by: Yoyo Wu <yoyo19980720@163.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 31 May 2022, 14:32:16 UTC
38bf905 ipsec: Fix off-by-one error on max SPI [ upstream commit c88244cc3be4bbb92cc64714d545b555e4afaeb8 ] We encoded the SPI (aka keyID) on 4 bits [1] in the xfrm and packet marks. The maximum value is therefore 15 and not 16. This commit fixes the check on the maximum keyID value. Note the documentation for IPsec key rotation already has the correct value [2] so there shouldn't be any users with an incorrect keyID. 1 - https://github.com/cilium/cilium/blob/v1.10.1/pkg/datapath/linux/ipsec/ipsec_linux.go#L147-L150 2 - https://docs.cilium.io/en/v1.10/gettingstarted/encryption-ipsec/#key-rotation Fixes: b698972 ("cilium: ipsec, support rolling updates") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 31 May 2022, 14:32:16 UTC
af6ed1e fqdn/dnsproxy: Improve error wrapping [ upstream commit 6b57b5257ced34b765bba77e702141541a5ef3b6 ] This commit fixes the error wrapping inside the dnsproxy package. When a DNS response is being processed by the DNS proxy inside NotifyOnDNSMsg(), we check ProxyRequestContext. If the request response timed out, we annotate the metrics specifically to indicate that it timed out. This relies on the errors being properly wrapped. In order to do this, errors.As() is used and all errors are properly wrapped with '%w'. Signed-off-by: Chris Tarazi <chris@isovalent.com> 31 May 2022, 08:12:25 UTC
fd5d932 images/cilium: remove cilium group from Dockerfile Commit e70a0fe1c217 modified the wrong Dockerfile. Although the main issue was fixed by commit cd2a8ebc4d91, the change performed in this commit is the correct one. [ upstream commit 67f74ff432010770b43286f32110b8f4cd338e1b ] Fixes: e70a0fe1c217 ("images/cilium: remove cilium group from Dockerfile") Reported-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> 24 May 2022, 07:48:20 UTC
910ad72 Revert "install: Remove Cilium group from DaemonSet" This reverts commit cd2a8ebc4d91c4a2a1866b9264f5e261d66ccbab. Signed-off-by: André Martins <andre@cilium.io> 24 May 2022, 07:48:20 UTC
dbcb390 build(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/6673cd052c4cd6fcf4b4e6e60ea986c889389535...3cea5372237819ed00197afe530f5a7ea3e805c8) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 23 May 2022, 20:57:26 UTC
af68c64 build(deps): bump KyleMayes/install-llvm-action from 1.5.2 to 1.5.3 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.2 to 1.5.3. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.5.2...v1.5.3) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 23 May 2022, 20:57:00 UTC
a9c355d build(deps): bump docker/build-push-action from 2.10.0 to 3 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/ac9327eae2b366085ac7f6a2d02df8aa8ead720a...e551b19e49efd4e98792db7592c17c09b89db8d8) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 17 May 2022, 18:50:49 UTC
ecf810c docs: Document operator.unmanagedPodWatcher [ upstream commit 75be918a9f5a2f31a3e5efb3404d694415052397 ] Describe what the new operator.unmanagedPodWatcher option does in the upgrade guide. Signed-off-by: Joe Stringer <joe@cilium.io> 16 May 2022, 22:36:34 UTC
d019539 install: Update image digests for v1.9.16 Generated from https://github.com/cilium/cilium/actions/runs/2333763020. `docker.io/cilium/cilium:v1.9.16@sha256:984fe4256c6a88595c4661ec04a76c51c189a7f50c676f5dbbc0383b82104d78` `quay.io/cilium/cilium:v1.9.16@sha256:984fe4256c6a88595c4661ec04a76c51c189a7f50c676f5dbbc0383b82104d78` `docker.io/cilium/clustermesh-apiserver:v1.9.16@sha256:c66958e4785f609892fa0bd08d1102e816e60c5bcf266de14a1533a8726e0188` `quay.io/cilium/clustermesh-apiserver:v1.9.16@sha256:c66958e4785f609892fa0bd08d1102e816e60c5bcf266de14a1533a8726e0188` `docker.io/cilium/docker-plugin:v1.9.16@sha256:b4d4e191cdc58c53f5ffcd75b79376cc71d986e616605bb5f6caee510f105429` `quay.io/cilium/docker-plugin:v1.9.16@sha256:b4d4e191cdc58c53f5ffcd75b79376cc71d986e616605bb5f6caee510f105429` `docker.io/cilium/hubble-relay:v1.9.16@sha256:1f1fc947bb0315c9d2b38c11a4e8c9158d6d800c81aef7cfd025ce05e63b6958` `quay.io/cilium/hubble-relay:v1.9.16@sha256:1f1fc947bb0315c9d2b38c11a4e8c9158d6d800c81aef7cfd025ce05e63b6958` `docker.io/cilium/operator-aws:v1.9.16@sha256:37b34b522e6008626a403724faae0fa05db5551d8b6b76f16084697d7fa94800` `quay.io/cilium/operator-aws:v1.9.16@sha256:37b34b522e6008626a403724faae0fa05db5551d8b6b76f16084697d7fa94800` `docker.io/cilium/operator-azure:v1.9.16@sha256:e883d83314435e7c9ec7c1815746d63505b28eb97f4eb3f8c87177ef7e62bb18` `quay.io/cilium/operator-azure:v1.9.16@sha256:e883d83314435e7c9ec7c1815746d63505b28eb97f4eb3f8c87177ef7e62bb18` `docker.io/cilium/operator-generic:v1.9.16@sha256:0cd8f0e7de19c873e7c5af02fbfa9f21b50ff4078f4c76dfa439c9a3c249738c` `quay.io/cilium/operator-generic:v1.9.16@sha256:0cd8f0e7de19c873e7c5af02fbfa9f21b50ff4078f4c76dfa439c9a3c249738c` `docker.io/cilium/operator:v1.9.16@sha256:d1fa15e86dd8b2e06d1c918f21a8876b771090bbe11030c1ce15646fffce28f6` `quay.io/cilium/operator:v1.9.16@sha256:d1fa15e86dd8b2e06d1c918f21a8876b771090bbe11030c1ce15646fffce28f6` Signed-off-by: Joe Stringer <joe@cilium.io> 16 May 2022, 19:17:04 UTC
cd2a8eb install: Remove Cilium group from DaemonSet Signed-off-by: Joe Stringer <joe@cilium.io> 16 May 2022, 19:17:04 UTC
33d1941 Prepare for release v1.9.16 Signed-off-by: André Martins <andre@cilium.io> 09 May 2022, 23:55:01 UTC
e70a0fe images/cilium: remove cilium group from Dockerfile [ upstream commit 67f74ff432010770b43286f32110b8f4cd338e1b ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 09 May 2022, 22:22:44 UTC
cdd17da build(deps): bump docker/login-action from 1.14.1 to 2 Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/dd4fa0671be5250ee6f50aedf4cb05514abda2c7...49ed152c8eca782a232dede0303416e8f356c37b) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 09 May 2022, 10:47:22 UTC
1ee86fb build(deps): bump docker/setup-buildx-action from 1.7.0 to 2 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.7.0 to 2. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/f211e3e9ded2d9377c8cadc4489a4e38014bc4c9...dc7b9719a96d48369863986a06765841d7ea23f6) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 09 May 2022, 10:47:12 UTC
281749e pkg/k8s: use subresource "nodes/status" to update node annotations [ upstream commit 9014253d3640f1d2df836890f52497ac4072d88d ] We can use the "status" subresource to update node annotations, which also allows us to reduce the clusterrole's permissions of the cilium DaemonSet even further. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
9927cb2 operator: move certain K8s Node operations to cilium-operator [ upstream commit f612c97aacbb44e6cc7c3587541c53dd0296d5ea ] To decrease the amount of permissions Cilium requires to operate in a cluster, the node taint removal and the setup of the node condition NetworkUnavailable can be set through cilium-operator. Cilium-operator will set the NetworkUnavailable node condition to 'false' once it detects there is a "Ready" Cilium pod in that node. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
f0b1cac install: default AnnotateK8sNode to true [ upstream commit 73d6cae2c90600cee5c61a0ea452b7a2a3129dd9 ] Since this option only existed to set up annotations in Kubernetes Nodes before the introduction of CiliumNodes, contrary to the upstream commit this option will be kept to 'true' with the possibility for users to change it to 'false'. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
1a2c052 install/kubernetes: trimmed down clustermesh-apiserver's ClusterRole Trimmed down clustermesh-apiserver's ClusterRole to the exact permissions that clustermesh-apiserver requires. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
c13258b install/kubernetes: remove finalizers for Cilium resources [ upstream commit d02833801430125c018d96083881d0387554d053 ] Follow up of 0f4d3a71b055 ("helm: Remove Unnecessary RBAC Permissions for Agent") Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
b62bd39 install/kubernetes: remove update pod from Cilium's clusterrole [ upstream commit 2d63c9b17bdb8838683990d96fda5f579dd56da5 ] Cilium does not need to perform any Pod update thus this permission can be removed from Cilium's Cluster Role. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
60c810b pkg/k8s: remove BlockOwnerDeletion: true from CEP [ upstream commit 900f66879ad4c66e62eaa334fe7bd6ab2119e5b1 ] Since Cilium does not set any finalizer in the owner of the CEP, a Pod, it does not make sense to set "BlockOwnerDeletion: true". Regardless of this option being `true` or `false`, the Pod dependent, in this case the CEP, is always* Garbage Collected by Kubernetes. *Only if the user specifies the pod deletion with the "orphan" deletion cascading strategy will the CEP be kept. However, Cilium Operator will garbage collect orphaned Cilium Endpoints every 5 minutes by default. Signed-off-by: André Martins <andre@cilium.io> 04 May 2022, 22:18:45 UTC
4c5400a docs: set the right url for API version check [ upstream commit af8151d730ac48789773ad5c970c6d2858bab76c ] The right format for this field should contain the protocol and a trailing "/" to work properly. Fixes: b3b05029e4c9 ("docs: fix version warning URL to point to docs.cilium.io") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> 03 May 2022, 22:04:38 UTC
34a459a docs: Update max MTU value for Nodeport XDP on AWS [ upstream commit 1db91caffba860afb81f796ea021f4db0712a42b ] The documentation for setting up Nodeport XDP acceleration on AWS mentions that the MTU for the ena interface must be lowered so that XDP can work. It is indeed necessary; but the value which is provided as the maximal possible MTU is outdated, and not working. After installing the latest kernel through the RPM package kernel-ng (as prescribed in the documentation), the EKS nodes currently end up with Linux 5.10: $ uname -r 5.10.106-102.504.amzn2.x86_64 If we keep on following the docs and lower the MTU to 3818, the Cilium pods fail to get ready, and tell in their logs that the XDP program cannot be set due to the MTU. This is also confirmed from the dmesg of the nodes: [ 3617.059219] ena 0000:00:05.0 eth0: Failed to set xdp program, the current MTU (3818) is larger than the maximum allowed MTU (3498) while xdp is on The value 3818 comes from the legacy definition of ENA_XDP_MAX_MTU, in drivers/net/ethernet/amazon/ena/ena_netdev.h, which used to be defined as such: #define ENA_XDP_MAX_MTU (ENA_PAGE_SIZE - ETH_HLEN - ETH_FCS_LEN - \ VLAN_HLEN - XDP_PACKET_HEADROOM) Where ETH_HLEN is 14, ETH_FCS_LEN and VLAN_HLEN are both 4, and XDP_PACKET_HEADROOM is 256. But after Linux commit 08fc1cfd2d25 ("ena: Add XDP frame size to amazon NIC driver"), from Linux 5.8, the definition changed to: #define ENA_XDP_MAX_MTU (ENA_PAGE_SIZE - ETH_HLEN - ETH_FCS_LEN - \ VLAN_HLEN - XDP_PACKET_HEADROOM - \ SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) As a result, the maximum value for the MTU for kernels 5.8+ is 3498 bytes. This is indeed the maximum value that I could use when setting up XDP on an EKS cluster. Let's update the documentation accordingly. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> 03 May 2022, 22:04:38 UTC
8b24ceb metrics: Add go_* metrics and go_build_info metrics [ upstream commit 6c5e2d66f3e3efcf9723c4cbb19d92ae80bcb1d7 ] [ Backporter's notes: Needed to bump the Prometheus module in order to make the upstream commit pass Go's mod checks. ] Prometheus provides metrics collectors that expose go runtime and go build information, which can be useful to server administrators, so let's expose them. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> 03 May 2022, 12:40:53 UTC
dd0b5a9 build(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/94ab11c41e45d028884a99163086648e898eed25...f211e3e9ded2d9377c8cadc4489a4e38014bc4c9) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 28 April 2022, 22:28:10 UTC
95c491b docs: fix version warning URL to point to docs.cilium.io [ upstream commit b3b05029e4c955c6014c5778f595af6bbd4db2e8 ] Due to some CORS policy, the requests being performed from docs.cilium.io to readthedocs.org were being denied. This was causing the warning banner to never show up in the documentation. To avoid this problem a page redirect was configured in readthedocs settings to redirect docs.cilium.io/version to readthedocs.org/api/v2/version which will hopefully fix the issue and the API endpoint was set to docs.cilium.io. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 27 April 2022, 18:18:10 UTC
dd3393b docs: Update section title to improve readability [ upstream commit 79d53af7d5f0c3b91c17ff7cb5cc0b203d34f1d1 ] Local redirect policy requires Kube-proxy replacement, and the feature flag to be enabled. Rename the section that outlines these steps so that users are less likely to miss them. Suggested-by: Raymond de Jong <raymond.dejong@isovalent.com> Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 27 April 2022, 18:18:10 UTC
74e08ca pkg/redirectpolicy: Improve error logs [ upstream commit 6c34c93dce924bc24072c23a154a62cf568b4d38 ] Improve error logs thrown by port validation logic so that users can take necessary actions. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 27 April 2022, 18:18:10 UTC
2627b7e jenkinsfiles: Increase VM boot timeout [ upstream commit cfec27a217259e2002932864fe69e1df072319bc ] [ Backporter's notes: Complete conflict, so I rewrote the patch ] This commit increases the VM boot timeout while decreasing the overall timeout :mindblown: We currently run the vagrant-ci-start.sh script with a 15m timeout and retry twice if it fails. That takes up to 45m in total if all attempts fail, as is frequently happening in CI right now. In particular, if the script simply fails because it's taking on average more than 15m, then it is likely to fail all three times. This commit instead increases the timeout from 15m to 25m and removes the retries. The goal is obviously to succeed on the first try :p Ideally, we would investigate why it is now taking longer to start the VM. But this issue has been happening for a long time. And because of the retries, we probably didn't even notice the increase at the beginning: if it takes on average 15min, it might fail half the time and the test might still succeed most of the time. That is, the retries help hide the increase. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> 27 April 2022, 18:18:10 UTC
f28c24c install: Update image digests for v1.9.15 Generated from https://github.com/cilium/cilium/actions/runs/2173333393. `docker.io/cilium/cilium:v1.9.15@sha256:20c0f6cedc09a880d76695e7ac70755a662c4bddf6d5197cf609ffe499ab72ce` `quay.io/cilium/cilium:v1.9.15@sha256:20c0f6cedc09a880d76695e7ac70755a662c4bddf6d5197cf609ffe499ab72ce` `docker.io/cilium/clustermesh-apiserver:v1.9.15@sha256:59cabe18234077448b3410a1d9f0ffe9c78a41783e83cc3d80310ddd92b81822` `quay.io/cilium/clustermesh-apiserver:v1.9.15@sha256:59cabe18234077448b3410a1d9f0ffe9c78a41783e83cc3d80310ddd92b81822` `docker.io/cilium/docker-plugin:v1.9.15@sha256:71122d659f0d19e1ea84c9b0a1356d7f1a06054bb6eebcdd297264fb0bc2ddcf` `quay.io/cilium/docker-plugin:v1.9.15@sha256:71122d659f0d19e1ea84c9b0a1356d7f1a06054bb6eebcdd297264fb0bc2ddcf` `docker.io/cilium/hubble-relay:v1.9.15@sha256:748813e49877d66614d947495972f32b7f9675e9c327578c0ea81ca4f7adf322` `quay.io/cilium/hubble-relay:v1.9.15@sha256:748813e49877d66614d947495972f32b7f9675e9c327578c0ea81ca4f7adf322` `docker.io/cilium/operator-aws:v1.9.15@sha256:5ab748219bec4ac0a0e971e53e1b1ba6a569114eb6dea78951c2edb8ae460265` `quay.io/cilium/operator-aws:v1.9.15@sha256:5ab748219bec4ac0a0e971e53e1b1ba6a569114eb6dea78951c2edb8ae460265` `docker.io/cilium/operator-azure:v1.9.15@sha256:b1f236b2c9e99d1ed22ea99e7fcb6bd2f86707825b7c3d271715e6cbc29147d4` `quay.io/cilium/operator-azure:v1.9.15@sha256:b1f236b2c9e99d1ed22ea99e7fcb6bd2f86707825b7c3d271715e6cbc29147d4` `docker.io/cilium/operator-generic:v1.9.15@sha256:5f38912e638b96377f905369035e0afc89b45f24f7f27565b520f3573c4411f1` `quay.io/cilium/operator-generic:v1.9.15@sha256:5f38912e638b96377f905369035e0afc89b45f24f7f27565b520f3573c4411f1` `docker.io/cilium/operator:v1.9.15@sha256:ee3a4a22a4d2df22238db65d9589356e43369335df02437c2cf23af9253f3c87` `quay.io/cilium/operator:v1.9.15@sha256:ee3a4a22a4d2df22238db65d9589356e43369335df02437c2cf23af9253f3c87` Signed-off-by: Joe Stringer <joe@cilium.io> 19 April 2022, 04:12:48 UTC
29da866 Prepare for release v1.9.15 Signed-off-by: Joe Stringer <joe@cilium.io> 15 April 2022, 16:03:05 UTC
fa0deae install/helm: Add Image Override Option to All Images In order to enable offline deployment for certain platforms (like OpenShift) we need to be able to have a universal override for all images so that the OpenShift certified operator can list its "related images"[1][2]. [1] https://docs.openshift.com/container-platform/4.9/operators/operator_sdk/osdk-generating-csvs.html#olm-enabling-operator-for-restricted-network_osdk-generating-csvs [2] https://redhat-connect.gitbook.io/certified-operator-guide/appendix/offline-enabled-operators Signed-off-by: Nate Sweet <nathanjsweet@pm.me> 15 April 2022, 02:05:55 UTC
c100646 envoy: Limit accesslog socket permissions [ upstream commit 5595e622243948f74187b449186e4575f451b9e5 ] [ Backporter's notes: trivial conflicts in `cilium-agent.md` and `pkg/envoy/accesslog_server.go` due to other changes in the lines right next to this backport since v1.9. ] Limit access to Cilium xDS and access log sockets to root and group 1337 used by Istio sidecars. Fixes: #3131 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 14 April 2022, 18:45:42 UTC
1253e91 ci: pin down image for documentation workflow [ upstream commit 0da7224218ab96d5f5a8f7e9d267e9743c07c83a ] [ Backporter's notes: conflicts due to `documentation.yaml` not existing in v1.9. Changes were manually applied to the previous file at `docs.yaml`. The other commit in this PR 5272fceb64bdd0c9609b8b18331a5c99b25ae0a5 was dropped because it cannot be applied to the older version of `docs.yaml` on v1.9. ] Instead of using the ":latest" version of the docs-builder image, pin down the version to indicate a specific version to use. The context for this change is some preparation for updating the version of Sphinx used by the image. Specifying an explicit image to use has the following advantages: - When using ":latest" we have to update the image _and_ the workflow at the same time, or the workflow will break. By contrast, once we pin down the image, we can push a new image on Docker without breaking the workflow, and then update the workflow to switch to the new image, on the same PR that updates the build process. - This helps testing an experimental ":latest" image from a PR, without breaking the workflow on the master branch. - If anything goes wrong, this makes it easier to revert the change by rolling back to a previous pinned image, without having to push again a rolled-back docs-builder image as the new ":latest". Most other workflows, if not all, already pin down the images they use. The pinned image is the current ":latest", so there should be no change to the current state of the workflow. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 14 April 2022, 18:45:42 UTC
7303b8a ipcache: Add test asserting out-of-order Kubernetes events [ upstream commit 31a5ff1620e7f3b222af0c884351e161e04539cd ] [ Backporter's notes: the tests had to be adapted because the signature of `IPIdentityCache.Upsert` has been changed in c5d4b7efc978ff4ae99f23bee3078f885a94892f in v1.10, which was not backported to v1.9. ] These tests answer the following questions: * What happens if we receive an add/update event from k8s with a pod that is using the same IP address of an already-gone-pod-but-delete-event-not-received? * What happens if we receive a delete of an already gone pod after we have received an add/update from a new pod using that same IP address? What these tests confirm is that Kubernetes events that are out-of-order are handled as they're received. Meaning the ipcache doesn't have any special logic to handle, for example, whether an ipcache delete for a pod X with IP A is the same pod X (by namespace & name) which previously inserted an ipcache entry. Suggested-by: André Martins <andre@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 14 April 2022, 18:45:42 UTC
601a76d docs: mark node-to-node IPsec encryption as beta [ upstream commit 7eb7bc6aaff0aa8a3891843348d20249c20e8d50 ] [ Backporter's notes: conflicts due to `encryption-ipsec.rst` not existing in v1.9. Changes were manually applied to the previous file at `encryption.rst`. ] Mark node-to-node encryption explicitly as a beta feature, to indicate that some issues might remain to be fixed. Signed-off-by: Quentin Monnet <quentin@isovalent.com> Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> 14 April 2022, 18:45:42 UTC
07e8bd4 test/helpers: Fix incorrect count of endpoints [ upstream commit c877d325058df31cb6edb8b41f18de4fa56e0553 ] The test helper WaitEndpointsReady waits for all endpoints on the node to be in ready state with a non-init security identity. To that end, it lists all endpoints in the format [container-name]=[state],[identity], transforms that into a Go map m1, and iterates through the map to construct a new map m2 with state => counter. If it counts as many values (endpoints) in m1 as in state m2[ready], then all endpoints are ready. However, the number of values in m1 isn't actually equal to the number of endpoints. The container name, used as the key, may be empty for several endpoints, including the host endpoint and endpoints in init state. The last endpoint with an empty container name will therefore overwrite previous entries in the map. That leads the function to such conclusions as: =ready,5 httpd3=ready,31837 app2=ready,28159 =ready,1 httpd2=ready,4632 app1=ready,49770 httpd1=ready,14980 cilium-health=ready,4 '7' containers are in a 'ready' state of a total of '7' containers." It counts 7 containers in ready state, when there are 8 containers. Here the difference matters because the first container, which got overwritten in the map, shouldn't be considered "ready" by this function since it has the init (5) identity. As a fix, we can use the Cilium endpoint ID as the key to the map, as it is guaranteed to be unique per endpoint, contrary to the container name. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
273f681 test: Fix whitespace in docker-run-cilium [ upstream commit 262ac5fbbd4270766b639529482121a55e2cbeaa ] Add space between provided and default args. Fixes: #19310 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
610656e test: Support provisioning in non-vagrant VMs [ upstream commit 43db56895dc5a70d31582688a3b253f81ab31ceb ] Add support for passing VMUSER (which defaults to vagrant) to ease running tests in non-vagrant VMs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
5aea34e test: Allow runtime tests to use pre-built Cilium image [ upstream commit ea68a7cddfe4e4348a62895bfea7874669f5a601 ] Pass CILIUM_IMAGE and CILIUM_TAG from environment to provisioning. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
45a736d test: Runtime use Cilium docker image [ upstream commit 324228b5a3bad3e65d957ad2895985de2a605cd1 ] Run Cilium in docker container for the Runtime tests. Keep the systemd cilium.service, but use a new script to run Cilium from a docker container from there. This design has a high degree of compatibility with the prior running cilium-agent directly from cilium.docker. Test scripts are organized so that there is no change when running Cilium in a development VM. There cilium-agent is still run in the host as before. While working with this I noticed that Cilium operator fails to run in Runtime tests as it now assumes to be able to reach k8s api-server. Cilium agent fails after a while due to this if it is using etcd kvstore as the heartbeats are missing. That's why the kvstore needs to return to the default (consul) configuration after the etcd test. Previously this was done after each test, but now this is done after all (two) of the kvstore tests, speeding up the tests a bit. Do not pass explicit options when they are the same as defaults. This also avoids using systemd template where bare Cilium agent options are expected. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
ecbf5d8 test: Pull images for runtime or k8s tests, not for both [ upstream commit 9d4b1bb322e955a715b2a2b9ac610e0dfbd2284a ] Runtime tests do not need images used by k8s tests, nor do k8s tests need images used by runtime tests. Pull images only for the test suite in use. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 12 April 2022, 12:53:46 UTC
da49c17 build(deps): bump KyleMayes/install-llvm-action from 1.5.1 to 1.5.2 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.1 to 1.5.2. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.5.1...v1.5.2) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 04 April 2022, 15:13:24 UTC
6298c86 pkg/redirectpolicy, docs: Add missing namespace check [ upstream commit 2efbdd68a7a578874d1a9ecb884bfba4f76e0f0b ] Local Redirect Policy (LRP) namespace needs to match with the backend pods selected by the LRP. This check was missing in the case where backend pods are deployed after an LRP that selects them was applied. Added unit tests. Reported-by: Joe Stringer <joe@covalent.io> Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 30 March 2022, 13:35:00 UTC
b6a0831 helm: Add RBAC Permissions to Clustermesh APIServer Clusterrole [ upstream commit 75f597be318002f0281a64be81666af4f9d5be2d ] The Clustermesh-APIServer creates a CiliumEndPoint and sets a node as its ownerReference, also setting blockOwnerDeletion to "true". If the OwnerReferencesPermissionEnforcement admission controller is enabled (such as in environments like Openshift) then the Clustermesh-APIServer will fail to create the CiliumEndPoint as it has insufficient privileges to set blockOwnerDeletion of a node. It needs to be able to "update" "nodes/finalizers" in order to do this. See #19053 for more details and references. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 30 March 2022, 13:35:00 UTC
66748f2 helm: Remove Unnecessary RBAC Permissions for Agent [ upstream commit 0f4d3a71b05504ac56d2f9aa38916bb654b61642 ] In October 2020, we made changes[1] to the cilium-agent's ClusterRole to be more permissive. We did this, because Openshift enables[2] the OwnerReferencesPermissionEnforcement[3] admission controller. This admission controller prevents changes to the metadata.ownerReferences of any object unless the entity (the cilium-agent in this case) has permission to delete the object as well. Furthermore, the controller protects metadata.ownerReferences[x].blockOwnerDeletion of a resource unless the entity (again, the cilium-agent) has "update" access to the finalizer of the object having its deletion blocked. The original PR mistakenly assumed we set ownerReferences on pods and expanded cilium-agent's permissions beyond what was necessary. Cilium-agent only sets ownerReferences on a CiliumEndpoint and the blockOwnerDeletion field propagates up to the "owning" pod of the endpoint. Cilium-agent only needs to be able to delete CiliumEndpoints (which it has always been able to) and "update" pod/finalizers (to set the blockOwnerDeletion field on CiliumEndpoints). All other changes contained in #13369 were unnecessary. 1 https://github.com/cilium/cilium/pull/13369 2 https://docs.openshift.com/container-platform/4.6/architecture/admission-plug-ins.html 3 https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement [ Backport notes: The files have been renamed: - install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml is, on v1.9: install/kubernetes/cilium/templates/cilium-agent-clusterrole.yaml - install/kubernetes/cilium/templates/cilium-preflight/clusterrole.yaml is, on v1.9: install/kubernetes/cilium/templates/cilium-preflight-clusterrole.yaml Additionally, we run the following: make -C install/kubernetes experimental-install quick-install and commit the changes. ] Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Quentin Monnet <quentin@isovalent.com> 30 March 2022, 13:35:00 UTC
6c502a1 install: Update image digests for v1.9.14 Generated from https://github.com/cilium/cilium/actions/runs/2053994470. `docker.io/cilium/cilium:v1.9.14@sha256:2c6ce93fa7e625979043a387eb998c17ad57df8768d89facb9b715da42a4c51c` `quay.io/cilium/cilium:v1.9.14@sha256:2c6ce93fa7e625979043a387eb998c17ad57df8768d89facb9b715da42a4c51c` `docker.io/cilium/clustermesh-apiserver:v1.9.14@sha256:a0da5edf0372899647da51de1b277f0bab8e676d694aee7f939cddfdd3172010` `quay.io/cilium/clustermesh-apiserver:v1.9.14@sha256:a0da5edf0372899647da51de1b277f0bab8e676d694aee7f939cddfdd3172010` `docker.io/cilium/docker-plugin:v1.9.14@sha256:74ae7f865202cbb22029686e5f4484afb57178c67d6daf0d08014bb695b2c9b3` `quay.io/cilium/docker-plugin:v1.9.14@sha256:74ae7f865202cbb22029686e5f4484afb57178c67d6daf0d08014bb695b2c9b3` `docker.io/cilium/hubble-relay:v1.9.14@sha256:fd6ab1aea260abc5f64eca26c1b1e7009983e4aaa8e5d098e8d442f7659603fb` `quay.io/cilium/hubble-relay:v1.9.14@sha256:fd6ab1aea260abc5f64eca26c1b1e7009983e4aaa8e5d098e8d442f7659603fb` `docker.io/cilium/operator-aws:v1.9.14@sha256:8484021ef6a794027b0dae5625d7248402686a7338d6cd36300885cf3d4f5e47` `quay.io/cilium/operator-aws:v1.9.14@sha256:8484021ef6a794027b0dae5625d7248402686a7338d6cd36300885cf3d4f5e47` `docker.io/cilium/operator-azure:v1.9.14@sha256:a118239016a7dab7bc3fedfa3d4f0c632867529e23952b0a0bf5ab2cbaa7d9b2` `quay.io/cilium/operator-azure:v1.9.14@sha256:a118239016a7dab7bc3fedfa3d4f0c632867529e23952b0a0bf5ab2cbaa7d9b2` `docker.io/cilium/operator-generic:v1.9.14@sha256:bdcfd2eade99933f2fda55ef79ea697ddfad3512f65b15bcd0ba7702518c1ba3` `quay.io/cilium/operator-generic:v1.9.14@sha256:bdcfd2eade99933f2fda55ef79ea697ddfad3512f65b15bcd0ba7702518c1ba3` `docker.io/cilium/operator:v1.9.14@sha256:ab416c1759421c2c07ea856b71a5560c1bebc4fe37ec01b4266191a15321c5aa` `quay.io/cilium/operator:v1.9.14@sha256:ab416c1759421c2c07ea856b71a5560c1bebc4fe37ec01b4266191a15321c5aa` Signed-off-by: André Martins <andre@cilium.io> 28 March 2022, 20:09:50 UTC
f444269 Prepare for release v1.9.14 Signed-off-by: André Martins <andre@cilium.io> 28 March 2022, 17:54:03 UTC
49e885e build(deps): bump actions/cache from 2.1.7 to 3 Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v2.1.7...v3) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 26 March 2022, 00:42:33 UTC
5212169 Update Cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 18 March 2022, 19:39:51 UTC
50a44ff Add metrics for endpoint objects garbage collection [ upstream commit 1b7bce37a929656c4594b591da5815626ec8e1e5 ] Signed-off-by: Timo Reimann <ttr314@googlemail.com> 17 March 2022, 17:11:16 UTC
ca528ad Prevent CiliumEndpoint removal by non-owning agent [ upstream commit 6f7bf6c51f7a86e458947149a72b4c12f42c331c ] CEPs are created as well as updated based on informer store data local to an agent's node but (necessarily) deleted globally from the API server. This can currently lead to situations where an agent that does not own a CEP deletes an unrelated CEP. Avoid this problem by having agents maintain the CEP UID and using it as a precondition when deleting CEPs. This guarantees that only the owning agents can delete "their" CEPs. Signed-off-by: Timo Reimann <ttr314@googlemail.com> 17 March 2022, 17:11:16 UTC
f57c600 build(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.9.0 to 2.10.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/7f9d37fa544684fb73bfe4835ed7214c255ce02b...ac9327eae2b366085ac7f6a2d02df8aa8ead720a) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 16 March 2022, 11:17:15 UTC
6529b8e ci: remove box download timeout in upstream tests [ upstream commit 96f4050963881e84ccec0540b78277987c25e360 ] This timeout can be too small when the host has to download all boxes due to not having any of the boxes required for the SHA to be tested. In particular this is prone to happen on backport PRs, since it's more likely for the job to be scheduled on a node that primarily runs `master` pipelines up to that point. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 15 March 2022, 08:40:24 UTC
bede2c7 node: Fix incorrect comment for S/GetRouterInfo [ upstream commit d7f64076334d0a62e6c45f4ee42327f173d2b9df ] This function is not specific to ENI IPAM mode anymore since Alibaba and Azure's IPAM modes are also using it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 15 March 2022, 08:40:24 UTC
08cce4c linux,ipam: Use subnet IPsec for Azure IPAM [ upstream commit 7bc57616b39502a95cbf97dbf6eda6318506f426 ] When using Azure's IPAM mode, we don't have non-overlapping pod CIDRs for each node, so we can't rely on the default IPsec mode where we use the destination CIDRs to match the xfrm policies. Instead, we need to enable subnet IPsec as in EKS. In that case, the dir=out xfrm policy and state look like: src 0.0.0.0/0 dst 10.240.0.0/16 dir out priority 0 mark 0x3e00/0xff00 tmpl src 0.0.0.0 dst 10.240.0.0 proto esp spi 0x00000003 reqid 1 mode tunnel src 0.0.0.0 dst 10.240.0.0 proto esp spi 0x00000003 reqid 1 mode tunnel replay-window 0 mark 0x3e00/0xff00 output-mark 0xe00/0xf00 aead rfc4106(gcm(aes)) 0x567a47ff70a43a3914719a593d5b12edce25a971 128 anti-replay context: seq 0x0, oseq 0x105, bitmap 0x00000000 sel src 0.0.0.0/0 dst 0.0.0.0/0 As can be seen the xfrm policy matches on a broad /16 encompassing all endpoints in the cluster. The xfrm state then matches the policy's template. Finally, to write the proper outer destination IP, we need to define the IP_POOLS macro in our datapath. That way, our BPF programs will determine the outer IP from the ipcache lookup. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 15 March 2022, 08:40:24 UTC
819fae7 docs: update Azure Service Principal / IPAM documentation [ upstream commit d9d23ba78fe692e2548047af067122017254c2a5 ] When installing Cilium in an AKS cluster, the Cilium Operator requires an Azure Service Principal with sufficient privileges to the Azure API for the IPAM allocator to be able to work. Previously, the `az ad sp create-for-rbac` was assigning by default the `Contributor` role to new Service Principals when none was provided via the optional `--role` flag, whereas it now does not assign any role at all. This of course breaks IPAM allocation due to insufficient permissions, resulting in operator failures of this kind: ``` level=warning msg="Unable to synchronize Azure virtualnetworks list" error="network.VirtualNetworksClient#ListAll: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client 'd09fb531-793a-40fc-b934-7af73ca60e32' with object id 'd09fb531-793a-40fc-b934-7af73ca60e32' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/read' over scope '/subscriptions/22716d91-fb67-4a07-ac5f-d36ea49d6167' or the scope is invalid. If access was recently granted, please refresh your credentials.\"" subsys=azure level=fatal msg="Unable to start azure allocator" error="Initial synchronization with instances API failed" subsys=cilium-operator-azure ``` We update the documentation guidelines for new installations to assign the `Contributor` role to new Service Principals used for Cilium. We also take the opportunity to: - Update Azure IPAM required privileges documentation. - Make it so users can now set up all AKS-specific required variables for a Helm install in a single command block, rather than have it spread over several command blocks with intermediate steps and temporary files. - Have the documentation recommend creating Service Principals with privileges over a restricted scope (AKS node resource group) for increased security. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 15 March 2022, 08:40:24 UTC
e114e5d jenkinsfiles: bump runtime tests VM boot timeout [ upstream commit 4c3bd27c275cb16c8d4dca62d7fe51e649ecd98e ] We are hitting this timeout sometimes, and it seems it was previously updated on the regular pipelines (see 31a622ea40ff9b47bb73469b89c51db2d090b0e2) but not on the runtime pipeline. We remove the inner timeout as the outer one is practically redundant here, as the steps outside of the inner loop are almost instantaneous. Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com> Signed-off-by: Alexandre Perrin <alex@kaworu.ch> 15 March 2022, 08:40:24 UTC
c086753 build(deps): bump actions/upload-artifact from 2.3.1 to 3 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/82c141cc518b40d92cc801eee768e7aafc9c2fa2...6673cd052c4cd6fcf4b4e6e60ea986c889389535) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 04 March 2022, 03:09:12 UTC
73aee34 build(deps): bump actions/download-artifact from 2.1.0 to 3 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2.1.0 to 3. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/f023be2c48cc18debc3bacd34cb396e0295e2869...fb598a63ae348fa914e94cd0ff38f362e927b741) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 04 March 2022, 03:08:35 UTC
dfea4f5 build(deps): bump docker/login-action from 1.14.0 to 1.14.1 Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.0 to 1.14.1. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/bb984efc561711aaa26e433c32c3521176eae55b...dd4fa0671be5250ee6f50aedf4cb05514abda2c7) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 04 March 2022, 03:07:57 UTC
37ff807 build(deps): bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 04 March 2022, 03:07:50 UTC
bcc2df9 build(deps): bump docker/login-action from 1.13.0 to 1.14.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/6af3c118c8376c675363897acf1757f7a9be6583...bb984efc561711aaa26e433c32c3521176eae55b) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 01 March 2022, 23:17:29 UTC
e53fe0b build(deps): bump actions/setup-go from 2.2.0 to 3 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v2.2.0...v3) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 01 March 2022, 23:17:17 UTC
764445d build(deps): bump KyleMayes/install-llvm-action from 1.5.0 to 1.5.1 Bumps [KyleMayes/install-llvm-action](https://github.com/KyleMayes/install-llvm-action) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/KyleMayes/install-llvm-action/releases) - [Commits](https://github.com/KyleMayes/install-llvm-action/compare/v1.5.0...v1.5.1) --- updated-dependencies: - dependency-name: KyleMayes/install-llvm-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 28 February 2022, 13:26:45 UTC
c5d2713 build(deps): bump golangci/golangci-lint-action from 2.5.2 to 3 Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 2.5.2 to 3. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.2...v3) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 28 February 2022, 13:26:25 UTC
a32bf38 install: Update image digests for v1.9.13 Generated from https://github.com/cilium/cilium/actions/runs/1890091413. `docker.io/cilium/cilium:v1.9.13@sha256:12752fd66c5448194062befaf59aaefc446cbff729aa8b2d7ea4801113d3a31a` `quay.io/cilium/cilium:v1.9.13@sha256:12752fd66c5448194062befaf59aaefc446cbff729aa8b2d7ea4801113d3a31a` `docker.io/cilium/clustermesh-apiserver:v1.9.13@sha256:3c5ae05e0c10a24a2e1c1d269a8522346dc33671fae82d9b15a4b93f9d25710c` `quay.io/cilium/clustermesh-apiserver:v1.9.13@sha256:3c5ae05e0c10a24a2e1c1d269a8522346dc33671fae82d9b15a4b93f9d25710c` `docker.io/cilium/docker-plugin:v1.9.13@sha256:903def48e38ba32e519950fc119bc8982e84cbfbc5aa2599bf31232a203d1afe` `quay.io/cilium/docker-plugin:v1.9.13@sha256:903def48e38ba32e519950fc119bc8982e84cbfbc5aa2599bf31232a203d1afe` `docker.io/cilium/hubble-relay:v1.9.13@sha256:bd374bd8cd6abccce817f6cfabd5e58f243a7ec8d0fcf4dd22f0713713ab6969` `quay.io/cilium/hubble-relay:v1.9.13@sha256:bd374bd8cd6abccce817f6cfabd5e58f243a7ec8d0fcf4dd22f0713713ab6969` `docker.io/cilium/operator-aws:v1.9.13@sha256:9a3d04b41be1b3d79d079e3ee8021230440845073aa1beca6e7835743fbdc017` `quay.io/cilium/operator-aws:v1.9.13@sha256:9a3d04b41be1b3d79d079e3ee8021230440845073aa1beca6e7835743fbdc017` `docker.io/cilium/operator-azure:v1.9.13@sha256:aab870367b39b7220fcc0997b13a4d5b8f78696ee9e39caf742f90b504a92fa8` `quay.io/cilium/operator-azure:v1.9.13@sha256:aab870367b39b7220fcc0997b13a4d5b8f78696ee9e39caf742f90b504a92fa8` `docker.io/cilium/operator-generic:v1.9.13@sha256:826136116ce840ae37efad5e63d4e2a6d7f47a3277b840ab3d45758f19f1fc78` `quay.io/cilium/operator-generic:v1.9.13@sha256:826136116ce840ae37efad5e63d4e2a6d7f47a3277b840ab3d45758f19f1fc78` `docker.io/cilium/operator:v1.9.13@sha256:18423690655c2c9c4190657608a6b3753b87fd8fd151f112ea216aa9e3cc4fec` `quay.io/cilium/operator:v1.9.13@sha256:18423690655c2c9c4190657608a6b3753b87fd8fd151f112ea216aa9e3cc4fec` Signed-off-by: Joe Stringer <joe@cilium.io> 24 February 2022, 05:52:51 UTC
f2160fc Prepare for release v1.9.13 Signed-off-by: Joe Stringer <joe@cilium.io> 23 February 2022, 22:16:26 UTC
4274343 envoy: Update to 1.21.1 [ upstream commit 571a48430b01230378efce8be9df636b3c2b7777 ] Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 February 2022, 20:46:47 UTC
7d3e1a8 envoy: Update to release 1.21.0 [ upstream commit 28f0dae2666d917a818f90a8c84f147fdf977daf ] [ Backporter's notes: Dropped all Envoy API changes, adapted BPF TPROXY compatibility to the older API. ] Envoy Go API is updated to contain the generated validation code. Envoy image is updated to support the new EndpointId option for the bpf_metadata listener filter. NPDS field 'Policy' is renamed as 'EndpointID'. 'Policy' field was not used for anything, so might as well recycle it while this API is not yet public. Envoy retries may fail on "address already in use" when the original source address and port are used on upstream connections. Cilium typically does this in the egress proxy listeners. Fix this by using a Cilium Envoy build that always sets SO_REUSEADDR when original source address and port is used. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Revert "envoy: Update to release 1.21.0" This reverts commit 377dec2d4eca3f239ff6c72f85b3e9fb9c466d21. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 23 February 2022, 20:46:47 UTC
de7f9fe Update Cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 22 February 2022, 18:58:26 UTC
ab265c7 build(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.8.0 to 2.9.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/1814d3dfb36d6f84174e61f4a4b05bd84089a4b9...7f9d37fa544684fb73bfe4835ed7214c255ce02b) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 21 February 2022, 19:19:16 UTC
f83dcb3 build(deps): bump actions/setup-go from 2.1.5 to 2.2.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.1.5 to 2.2.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v2.1.5...v2.2.0) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 21 February 2022, 19:19:00 UTC
912bb78 build(deps): bump docker/login-action from 1.12.0 to 1.13.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/42d299face0c5c43a0487c477f595ac9cf22f1a7...6af3c118c8376c675363897acf1757f7a9be6583) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 21 February 2022, 19:18:43 UTC
fb02c6e pkg/datapath/linux: Fix asymmetric IPsec logic on delete [ upstream commit 0bd4e04b15d136e54c3930b60e5c4c129ec869ef ] With ENI IPAM mode and IPsec enabled, users were reporting cases where connectivity to particular pods breaks, and correlated with those drops, the following error msg: ``` Unable to delete the IPsec route OUT from the host routing table ``` In addition, it was also reported that the connectivity outage would only last for a few minutes before resolving itself. The issue turned out to be that upon node deletion, the logic to handle the IPsec cleanup is asymmetric with the IPsec logic to handle a node create / update. Here's how: * With ENI mode and IPsec, subnet encryption mode is enabled implicitly. * Background: Users can explicitly enable subnet encryption mode by configuring `--ipv4-pod-subnets=[cidr1,cidr2,...]`. * Background: ENIs are part of subnet(s). * Cilium with ENI mode automatically appends the node's ENIs' subnets' CIDRs to this slice. * For example, node A has ENI E which is a part of subnet S with CIDR C. Therefore, `--ipv4-pod-subnets=[C]`. * This means that each node should have an IPsec OUT route for each pod subnet, i.e. each ENI's subnet, as shown by (*linuxNodeHandler).nodeUpdate() which contains the IPsec logic on a node create / update. * Upon a node delete [(*linuxNodeHandler).nodeDelete()], we clean up the "old" node. When it gets to the IPsec logic, it removes the routes for the pod subnets as well, i.e. removes the route to the ENI's subnet from the local node. From the example above, it'd remove the route for CIDR C. * This is problematic because in ENI mode, different nodes can share the same ENI's subnet, meaning subnets are NOT exclusive to a node. For example, a node B can also have ENI E with a subnet C attached to it. * As for how the nodes were fixing themselves, it turns out that (*Manager).backgroundSync() runs on an interval which calls NodeValidateImplementation() which calls down to (*linuxNodeHandler).nodeUpdate() thereby running the IPsec logic of a node create / update which reinstates the missing routes. Therefore, we shouldn't be deleting these routes because pods might still be relying on them. By comparing the IPsec delete logic with [1], we see that they're asymmetric. This commit fixes this asymmetry. [1]: Given subnetEncryption=true, notice how we only call enableSubnetIPsec() if the node is local. That is not the case on node delete. ``` func (n *linuxNodeHandler) nodeUpdate(oldNode, newNode *nodeTypes.Node, firstAddition bool) error { ... if n.nodeConfig.EnableIPSec && !n.subnetEncryption() && !n.nodeConfig.EncryptNode { n.enableIPsec(newNode) newKey = newNode.EncryptionKey } ... if n.nodeConfig.EnableIPSec && !n.subnetEncryption() { n.encryptNode(newNode) } if newNode.IsLocal() { isLocalNode = true ... if n.subnetEncryption() { n.enableSubnetIPsec(n.nodeConfig.IPv4PodSubnets, n.nodeConfig.IPv6PodSubnets) } ... return nil } ``` Fixes: 645de9dee63 ("cilium: remove encryption route and rules if crypto is disabled") Co-authored-by: John Fastabend <john@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 February 2022, 19:18:21 UTC
c4c8566 pkg/datapath/linux: Add CIDR logfield to IPsec route logs [ upstream commit e41aea01908e49381e4dae10fface2a48f230731 ] This helps in scenarios where the user reports this log msg, but we are missing the actual CIDR from the route that failed to be deleted or created. Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 February 2022, 19:18:21 UTC
f55b5e2 pkg/datapath/linux: Remove unnecessary branch in IPsec route functions [ upstream commit 7e5022e5086e109ffdbc385a1789df498006be0e ] These if-statements are unnecessary because upon code analysis, we can tell that it's not possible for the input to be nil. Remove these statements to simplify the flow of the function. In other words, now we know for a fact that calling these functions will result in a route insert. Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 February 2022, 19:18:21 UTC
cc23064 pkg/datapath, pkg/node/manager: Clarify NodeValidateImplementation godoc [ upstream commit a6e847766e012074aa14fa98ea0a5185434f0f0c ] Document the intent of NodeValidateImplementation(). Signed-off-by: Chris Tarazi <chris@isovalent.com> 21 February 2022, 19:18:21 UTC
1838771 ipcache: Reduce identity scope for other "hosts" [ upstream commit f6a4104253f90dd71a99b83393dc048e9ed1d807 ] This patch updates the Cilium logic for handling remote node identity updates to ensure that when Cilium's '--enable-remote-node-identity' flag is configured, each Cilium node will consistently consider all other nodes as having the "remote-node" identity. This fixes an issue where users reported policy drops from remote nodes -> pods, even though the policy appeared to allow this. The issue was limited to kvstore configurations of Cilium, and does not affect configurations where CRDs are used for sharing information within the cluster. For background: When Cilium starts up, it locally scans for IP addresses associated with the node, and updates its own IPcache to associate those IPs with the "host" identity. Additionally, it will also publish this information to other nodes so that they can make policy decisions regarding traffic coming from IPs attached to nodes in the cluster. Before commit 7bf60a59f072 ("nodediscovery: Fix local host identity propagation"), Cilium would propagate the identity "remote-node" as part of these updates to other nodes. After that commit, it would propagate the identity "host" as part of these updates to other nodes. When receiving these updates, Cilium would trust the identity directly and push IP->Identity mappings like this into the datapath, regardless of whether the '--enable-remote-node-identity' setting was configured or not. As such, when the above commit changed the behaviour, it triggered a change in policy handling behaviour. The '--enable-remote-node-identity' flag was initially introduced to allow the security domain of remote nodes in the cluster to be considered differently vs. the local host. This can be important as Kubernetes defines that the host should always have access to pods on the node, so if all nodes are considered the same as the "host", this can represent a larger open policy surface for pods than necessary in a zero trust environment. Given the potential security implications of this setting, at the time that it was introduced, we introduced mitigations both in the control plane and in the data plane. Whenever the datapath is configured with --enable-remote-node-identity=true, it will also distrust any reports that peer node identities are "host", even if the ipcache itself reports this. In this situation, the datapath does not accept that the traffic is from the "host". Rather, it demotes the identity of the traffic to considering it as part of the "world". The motivation behind this is that allowing "world" is a very permissive policy, so if the user is OK with allowing "world" traffic then it is likely that they will be OK with accepting any traffic like this which purports to be coming from a "host" in the cluster. As a result of the above conditions, users running in kvstore mode who upgraded from earlier Cilium versions to 1.9.12, 1.10.6 or 1.11.0 (and other releases up until this patch is released as part of an official version) could observe traffic drops for traffic from nodes in the cluster towards pods on other nodes in the cluster. Hubble would report that the traffic is coming "from the world" (identity=2), despite having a source address of another node in the cluster. We considered multiple approaches to solving this issue: A) Revert the commit that introduced the issue (see GH-18763). * Evidently, by this point there are multiple other codepaths relying on the internal storage of the local node's identity as Host, which would make this more difficult. B) Ensure that the kvstore propagation code propagates the current node's identity as "remote-node", as other nodes may expect. * In cases of versions with mixed knowledge of remote-node-identity (for instance during upgrade), then newer nodes could end up propagating the new identity, but old nodes would not understand how to calculate policy with this identity in consideration, so this could result in similar sorts of policy drops during upgrade. C) In the case when --enable-remote-node-identity=true, ensure that when Cilium receives updates from peer nodes, it demotes the "host" identity reported by peer nodes down to "remote-node" for the associated IP addresses. This way, the impact of the flag is limited to the way that the current node configures itself only. If the datapath is then informed (via ipcache) that these IPs correspond to "remote-node", then the policy will be correctly assessed. This commit takes approach (C). Fixes: 7bf60a59f072 ("nodediscovery: Fix local host identity propagation") Co-authored-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> 15 February 2022, 09:11:39 UTC
fc65b58 ui: update envoy config to work with v1.18.4 envoy current config is not compatible with 1.18.4 envoy version Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com> 10 February 2022, 12:13:51 UTC
5f4bec2 labelfilter: Refine default label regexps [ upstream commit 422d7fc95c7bdb5acf37094b47a2ed92cc245fd3 ] Cilium treats label patterns as regular expressions. The existing default labels, e.g. "!k8s.io", used a '.', which matches any character. This led to the default labels being too permissive in their matching and consequently labels like "k8sXo" being excluded from the identity, with consequent security implications. This commit properly escapes the regular expressions used in the default labels. Signed-off-by: Tom Payne <tom@isovalent.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 09 February 2022, 14:34:46 UTC
c8a5d8b feat: add hands-on tutorials [ upstream commit e83c81882b4a87a54ab52355eae32ec073cea22d ] Add the following text to documentation: Hands-on tutorial in a live environment to quickly get started with Cilium. Signed-off-by: Van Le <vannnyle@gmail.com> Signed-off-by: Jussi Maki <jussi@isovalent.com> 09 February 2022, 14:34:46 UTC
fea52f1 contrib: Fix backport submission for own PRs [ upstream commit 1b42f7a0cb61208d9070313e526a769983fe5b59 ] On GitHub, one cannot request oneself to review one's own PR. This results in the following problem when submitting a backport PR: $ submit-backport Using GitHub repository joestringer/cilium (git remote: origin) Sending PR for branch v1.10: v1.10 backports 2021-11-23 * #17788 -- Additional FQDN selector identity tracking fixes (@joestringer) Once this PR is merged, you can update the PR labels via: ```upstream-prs $ for pr in 17788; do contrib/backporting/set-labels.py $pr done 1.10; done ``` Sending pull request... remote: remote: Create a pull request for 'pr/v1.10-backport-2021-11-23' on GitHub by visiting: remote: https://github.com/joestringer/cilium/pull/new/pr/v1.10-backport-2021-11-23 remote: Error requesting reviewer: Unprocessable Entity (HTTP 422) Review cannot be requested from pull request author. Signal ERR caught! Traceback (line function script): 58 main /home/joe/git/cilium/contrib/backporting/submit-backport Fix this by excluding one's own username from the reviewers list. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com> 01 February 2022, 17:29:46 UTC
a8d2ae9 update k8s library versions k8s 1.19.16 Signed-off-by: André Martins <andre@cilium.io> 25 January 2022, 08:50:36 UTC
f8a0671 install: Update image digests for v1.9.12 Generated from https://github.com/cilium/cilium/actions/runs/1715602995. `docker.io/cilium/cilium:v1.9.12@sha256:7d4ef9dc7e504ba1a55a01dd743260daced11ded02fc268965ef2c98eb8b8bde` `quay.io/cilium/cilium:v1.9.12@sha256:7d4ef9dc7e504ba1a55a01dd743260daced11ded02fc268965ef2c98eb8b8bde` `docker.io/cilium/clustermesh-apiserver:v1.9.12@sha256:f9eba125ca3d9e9014613a8e43e92afd635320e82736e75d9329de5054076449` `quay.io/cilium/clustermesh-apiserver:v1.9.12@sha256:f9eba125ca3d9e9014613a8e43e92afd635320e82736e75d9329de5054076449` `docker.io/cilium/docker-plugin:v1.9.12@sha256:2ceaf31e8e66a050992cfc02b1c0cdffe29df2f787ca86a8448b6fb7aebbeca6` `quay.io/cilium/docker-plugin:v1.9.12@sha256:2ceaf31e8e66a050992cfc02b1c0cdffe29df2f787ca86a8448b6fb7aebbeca6` `docker.io/cilium/hubble-relay:v1.9.12@sha256:67c5ce60e2f7cfd6f28b68b164bb910c41be365b9e17553c8a963dd456de204f` `quay.io/cilium/hubble-relay:v1.9.12@sha256:67c5ce60e2f7cfd6f28b68b164bb910c41be365b9e17553c8a963dd456de204f` `docker.io/cilium/operator-aws:v1.9.12@sha256:5702f3e1195e3ba7dfadeb6dd6eeb585af6051abf81fb633dc796489660d1b8b` `quay.io/cilium/operator-aws:v1.9.12@sha256:5702f3e1195e3ba7dfadeb6dd6eeb585af6051abf81fb633dc796489660d1b8b` `docker.io/cilium/operator-azure:v1.9.12@sha256:0e3e1e07f4b0847b26363d6100e57a743963307a2f781a292d5831046b4e51f7` `quay.io/cilium/operator-azure:v1.9.12@sha256:0e3e1e07f4b0847b26363d6100e57a743963307a2f781a292d5831046b4e51f7` `docker.io/cilium/operator-generic:v1.9.12@sha256:b89b16476cf6500d68763a70fb3d449e0309296bd00122cbe24f306c7e5e5180` `quay.io/cilium/operator-generic:v1.9.12@sha256:b89b16476cf6500d68763a70fb3d449e0309296bd00122cbe24f306c7e5e5180` `docker.io/cilium/operator:v1.9.12@sha256:ba08cb3378e6b254d96029fa971e3314c8e8c23f322cfcb004b242d1b03bbf19` `quay.io/cilium/operator:v1.9.12@sha256:ba08cb3378e6b254d96029fa971e3314c8e8c23f322cfcb004b242d1b03bbf19` Signed-off-by: Joe Stringer <joe@cilium.io> 19 January 2022, 01:58:09 UTC
d12a812 Prepare for release v1.9.12 Signed-off-by: Joe Stringer <joe@cilium.io> 19 January 2022, 00:41:46 UTC
98e7eba build(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229...1814d3dfb36d6f84174e61f4a4b05bd84089a4b9) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 18 January 2022, 20:58:38 UTC
1a51596 docs: Fix cilium-runtime image bump instructions This is a process that reliably works, unlike the previous one which relies on Quay.io's ability to pull images from DockerHub. It does require a core maintainer to prepare the changes, but that's fine for now since v1.9 should change infrequently now. Signed-off-by: Joe Stringer <joe@cilium.io> 17 January 2022, 16:41:27 UTC
298d8e5 Update Cilium base images Signed-off-by: Joe Stringer <joe@cilium.io> 14 January 2022, 23:08:57 UTC
6374259 ci: use python3 instead of python [ upstream commit dddbbe709e2827873420fef9b635152340f37f91 ] Our CI nodes no longer have `python` binary, python3 is available instead. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 11 January 2022, 18:30:33 UTC
e527987 bpf: Reset Pod's queue mapping in host veth to fix phys dev mq selection [ upstream commit ecdff123780dcc50599e424cbbc77edf2c70e396 ] Fix TX queue selection problem on the phys device as reported by Laurent. At high throughput, they noticed a significant amount of TCP retransmissions that they tracked back to qdisc drops (fq_codel was used). Suspicion is that kernel commit edbea9220251 ("veth: Store queue_mapping independently of XDP prog presence") caused this due to its unconditional skb_record_rx_queue() which sets queue mapping to 1, and thus this gets propagated all the way to the physical device hitting only a single queue in a mq device. Let's have bpf_lxc reset it as a workaround until we have a kernel fix. Doing this unconditionally is good anyway in order to avoid Pods messing with TX queue selection. The kernel will catch up with the fix in 710ad98c363a ("veth: Do not record rx queue hint in veth_xmit"). Fixes: #18311 Reported-by: Laurent Bernaille <laurent.bernaille@datadoghq.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Laurent Bernaille <laurent.bernaille@datadoghq.com> Link (Bug): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=edbea922025169c0e5cdca5ebf7bf5374cc5566c Link (Fix): https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=710ad98c363a66a0cd8526465426c5c5f8377ee0 Signed-off-by: Paul Chaignon <paul@cilium.io> 11 January 2022, 17:53:10 UTC
807cc54 docs: improve Kubespray installation guide [ upstream commit d8577ff9a9fe2dee7a684130346d695e092025a1 ] Previously, the Kubespray documentation recommended changing the role variables. However, changing the role files in an Ansible playbook could lead to problems. So, with this commit, the documentation recommends using the extra variables or editing the group_vars files. Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> Signed-off-by: necatican <necaticanyildirim@gmail.com> Signed-off-by: Paul Chaignon <paul@cilium.io> 11 January 2022, 17:53:10 UTC
3a16f37 build(deps): bump 8398a7/action-slack from 3.12.0 to 3.13.0 Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.12.0 to 3.13.0. - [Release notes](https://github.com/8398a7/action-slack/releases) - [Commits](https://github.com/8398a7/action-slack/compare/c9ff874f8549f97317ec9f6162d5449ee77bc984...a74b761b4089b5d730d813fbedcd2ec5d394f3af) --- updated-dependencies: - dependency-name: 8398a7/action-slack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 10 January 2022, 17:00:39 UTC
4594244 build(deps): bump actions/setup-go from 2.1.4 to 2.1.5 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.1.4 to 2.1.5. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v2.1.4...v2.1.5) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 05 January 2022, 21:35:10 UTC