Revision Author Date Message Commit Date
6b98a0b loader: also populate NATIVE_DEV_IFINDEX for cilium_overlay Avoid any odd surprises when this macro ends up being used by shared nodeport.h code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:53:19 UTC
127851e chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 04 March 2024, 08:34:46 UTC
2d901d7 bpf: lb: simplify handling of stale CT_SERVICE entries lb*_local() currently handles a special case, where the matched CT_SERVICE entry (for some Client -> VIP connection) was created for an *old* service definition. In which case we shouldn't use the cached backend selection, as this backend was associated with the *old* service. Instead we perform a fresh backend selection. But with the infrastructure added by https://github.com/cilium/cilium/pull/27607, we can detect such cases during the actual CT lookup - and not even pass the stale CT entry back to the caller. Instead the CT lookup returns CT_NEW, and the caller just creates a new CT entry (along with selecting a fresh backend). One side effect of this change is that all the other state in the CT entry (e.g. statistics) also gets reset. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:22:17 UTC
4701512 bpf: lb: let CT lookup update the rev_nat_index for old connections lb*_local() contains some upgrade handling for old connections, where the CT_SERVICE entry was created without populating .rev_nat_index. In this case the .rev_nat_index is updated manually. But as the code path doesn't have direct access to the matched ct_entry, updating it requires an additional lookup in the CT map. Clean this up by pushing the update into __ct_lookup(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 04 March 2024, 08:22:17 UTC
c9518a9 golangci-lint: Fix goimports local prefix Change the prefix to github.com/cilium/cilium/ to only match packages from github.com/cilium/cilium repository. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 04 March 2024, 04:05:08 UTC
d697a14 bpf: nodeport: fix check to forward identity in nodeport_lb4 as the original intent of this logic was to avoid forwarding local identities, fix the check to ensure none of the 8MSB of the identity are set before forwarding the identity Fixes: 490ecc5016b ("bpf: nodeport: don't forward local CIDR identities") Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
136e501 bpf: identity: add identity_is_local Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
baf2619 bpf: identity: rename local scope masks rename the IDENTITY_SCOPE_MASK and IDENTITY_SCOPE_REMOTE_NODE constants to IDENTITY_LOCAL_SCOPE_MASK and IDENTITY_LOCAL_SCOPE_REMOTE_NODE, to make it clear these refer to local identities. No functional changes Signed-off-by: Gilberto Bertin <jibi@cilium.io> 01 March 2024, 19:34:21 UTC
cfb1158 cli: Replace --cluster-name with --helm-set cluster.name The --cluster-name flag got removed in cilium/cilium-cli#2351. Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> 01 March 2024, 19:20:36 UTC
25d946d Update pkg/hubble/parser/parser.go Co-authored-by: Marek Chodor <marqc@users.noreply.github.com> Signed-off-by: Anubhab Majumdar <anubhabmajumdar93@gmail.com> 01 March 2024, 18:15:39 UTC
8bbfe0b Add an interface for Parser struct Signed-off-by: Anubhab Majumdar <anmajumdar@microsoft.com> 01 March 2024, 18:15:39 UTC
f7fdeef ipfamily should be set by platform configuration. Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com> 01 March 2024, 17:51:19 UTC
f56e61b ICMP: Use CamelCase for ICMP type messages This commit fixes ICMP type messages to use CamelCase instead of space-separated words. For example, Echo Reply is changed to EchoReply. Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
8b5663e doc: modify upgrade note and comment in code block - Modify comment in upgrade note in order to focus on user-facing CRD change - Fix indentation in code block Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
37d969c doc: modify/add ICMP type change ICMP `type` field is changed to accept both integer and string. This commit updates: - v1.15 Upgrade Notes to add about it. - ICMP part in layer 4 examples Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
5cc5ac9 ICMP: Introduce ICMP type name in ICMPField Currently ICMP only supports ICMP type code (0-255), but ideally it should also support ICMP type names like "Echo", or "Echo Reply". This commit changes the type of ICMPField.Type from uint8 to intstr.IntOrString, and also updates ICMPField.PortProtocol to treat type names. ICMPField treats both ICMP IPv4 and v6, but kubebuilder's validation can't distinguish if the given type name matches with the family (IPv4 or IPv6). So this commit also introduces UnmarshalJSON method for ICMPField. That function checks if the unmarshaled ICMPField's family and type match properly. In addition, this commit changes some tests which use ICMPField, and introduces a unit test for ICMPField's UnmarshalJSON method. Fixes: #23000 Signed-off-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com> 01 March 2024, 17:33:49 UTC
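The validation that commit 5cc5ac9 describes (a `type` that is either a numeric code or a CamelCase name, checked against the declared address family while unmarshaling JSON, because the CRD schema alone cannot express that relation), as an added Go example that is not Cilium's code: `IntOrString` is a minimal stand-in for the apimachinery type, the name tables are an illustrative subset of the IANA ICMP/ICMPv6 registries, and treating an unset family as IPv4 is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// IntOrString is a minimal stand-in for k8s.io/apimachinery's intstr.IntOrString
// (assumption: the real type accepts a JSON number or a JSON string the same way).
type IntOrString struct {
	IsString bool
	IntVal   int
	StrVal   string
}

// UnmarshalJSON accepts either a JSON number or a JSON string.
func (v *IntOrString) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' {
		v.IsString = true
		return json.Unmarshal(b, &v.StrVal)
	}
	v.IsString = false
	return json.Unmarshal(b, &v.IntVal)
}

// ICMPField carries the address family and an ICMP type given as a code or a CamelCase name.
type ICMPField struct {
	Family string      `json:"family,omitempty"`
	Type   IntOrString `json:"type"`
}

// Illustrative subset of the IANA ICMP type names per family (assumed table, not the
// project's). The same name can map to different codes in each family.
var icmpTypeNames = map[string]map[string]int{
	"IPv4": {"EchoReply": 0, "DestinationUnreachable": 3, "Echo": 8, "TimeExceeded": 11},
	"IPv6": {"DestinationUnreachable": 1, "EchoRequest": 128, "EchoReply": 129,
		"RouterSolicitation": 133, "NeighborSolicitation": 135},
}

// UnmarshalJSON decodes the field, then rejects a type name that does not exist in the
// declared family and a numeric code outside 0-255.
func (f *ICMPField) UnmarshalJSON(b []byte) error {
	type plain ICMPField // same layout, no methods: avoids recursing into this function
	var p plain
	if err := json.Unmarshal(b, &p); err != nil {
		return err
	}
	if p.Family == "" {
		p.Family = "IPv4" // assumption: an unset family means IPv4
	}
	names, ok := icmpTypeNames[p.Family]
	if !ok {
		return fmt.Errorf("unknown ICMP family %q", p.Family)
	}
	if p.Type.IsString {
		if _, ok := names[p.Type.StrVal]; !ok {
			return fmt.Errorf("ICMP type name %q is not valid for %s", p.Type.StrVal, p.Family)
		}
	} else if p.Type.IntVal < 0 || p.Type.IntVal > 255 {
		return fmt.Errorf("ICMP type code %d out of range 0-255", p.Type.IntVal)
	}
	*f = ICMPField(p)
	return nil
}

// TypeCode returns the numeric type, resolving a name through the family's table.
func (f ICMPField) TypeCode() int {
	if f.Type.IsString {
		return icmpTypeNames[f.Family][f.Type.StrVal]
	}
	return f.Type.IntVal
}

// ParseICMPField decodes one JSON object into a validated ICMPField.
func ParseICMPField(doc string) (ICMPField, error) {
	var f ICMPField
	err := json.Unmarshal([]byte(doc), &f)
	return f, err
}

func main() {
	// Constructed inputs; the third uses an IPv6-only name under IPv4 and is rejected.
	for _, doc := range []string{
		`{"family":"IPv4","type":8}`,
		`{"family":"IPv6","type":"EchoRequest"}`,
		`{"family":"IPv4","type":"RouterSolicitation"}`,
	} {
		f, err := ParseICMPField(doc)
		if err != nil {
			fmt.Println(doc, "->", err)
			continue
		}
		fmt.Printf("%s -> %s type %d\n", doc, f.Family, f.TypeCode())
	}
}
```

The `plain` alias is what keeps the custom `UnmarshalJSON` from calling itself; the nested `IntOrString` still gets its own decoder because the field is addressable.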
76454a2 docs: Correct Hubble Exporter config lines in dynamic example This commit makes corrections to the Hubble Exporter dynamic example. This includes lowercasing the "I" in `IncludeFilters`, as well as removing unnecessary `*`s in the provided filters. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
bb8deb3 docs: Remove erroneous line from Dynamic Hubble Exporter example This commit removes a line that was unnecessarily copied from the static config example into the dynamic config example. Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
518a1eb docs: Add information to disable Hubble Exporter static config Fixes: #30425 Signed-off-by: Dean <22192242+saintdle@users.noreply.github.com> 01 March 2024, 17:21:19 UTC
8d4db89 bpf/tests: Add IPv6 NDP bpf test This commit adds bpf/tests/ipv6_ndp_from_netdev_test.c to cover two scenarios: 1. from_netdev receives IPv6 NS for a pod IP on the same host 2. from_netdev receives IPv6 NS for the node IP (eth0's addr) For case 1, from_netdev should return a NA on behalf of the target pod to avoid https://github.com/cilium/cilium/issues/30926. For case 2, it must return the NS to stack to address https://github.com/cilium/cilium/issues/14509. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
dc9dfd7 bpf: Re-introduce ICMPv6 NS responder on from-netdev This reverts commit 658071414ca4606e537bc4bbb37dcae5e18cd7dc, to fix the breakage of "IPv6 NS responder for pod" introduced by https://github.com/cilium/cilium/pull/12086 (bpf: Reply NA when recv ND for local IPv6 endpoints). 658071414ca4606e537bc4bbb37dcae5e18cd7dc was merged to solve https://github.com/cilium/cilium/issues/14509. To not revive #14509, this commit also passes through ICMPv6 NS if the target is native node IP (eth0's addr). By letting stack take care of those NS-for-node-IP packets, we managed to: 1. Solve #14509 again, but in a way keeping NS responder. The cause of #14509 was that the NS responder always generated ND whose source IP is "router_ip" (cilium_internal_ip) rather than "node_ip". Once we pass those NS-for-node-IP packets to stack, the ND response would naturally have "node_ip" as source. 2. Avoid the fib_lookup failure mentioned at https://github.com/cilium/cilium/pull/30837#issuecomment-1960897445. icmp6_host_handle() also has a new parameter `handle_ns` to control if we want NS responder to be active. If it is called from `to-netdev` code path, handle_ns is set to false. This is suggested by julianwiedmann. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
60c5e76 bpf/tests: Remove SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c SKIP_ICMPV6_NS_HANDLING was there to pass bpf coverage test, which is gone by https://github.com/cilium/cilium/pull/28090. In the meantime, removing SKIP_ICMPV6_NS_HANDLING from tc_nodeport_l3_dev.c prevents "potential missed tailcall" errors introduced by https://github.com/cilium/cilium/pull/30467, as tail_icmp6_handle_ns() doesn't exist when SKIP_ICMPV6_NS_HANDLING is defined, but still gets tail-called by icmp6_handle_ns(). Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> 01 March 2024, 17:05:01 UTC
4082bc3 cilium, tests: Do not manually install neigh entries for the backend The agent discovers this automatically now, thus drop this part. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 March 2024, 07:12:22 UTC
5c207ff pkg/service: Add backends as managed neighbor entry In LB-only mode, push backends as managed neighbors into the Linux kernel's neighboring subsystem. This is needed in particular for XDP since in XDP layer it is not possible to resolve backend L2 addresses if they are in the same L2 domain. For CNI mode this is not an issue since we push down all cluster nodes in the same L2 as managed neighbors anyway. However, in the L4LB case, backend nodes are not in our LB-only cluster. Reuse the same internal infrastructure for managing and pushing down neighbors, so that we do not need to open-code it and improvements benefit both L4LB and CNI mode. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 01 March 2024, 07:12:22 UTC
0007e35 Adding unit test for PD fallback Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 01 March 2024, 02:13:02 UTC
5a487b5 Handle InvalidParameterValue as well for PD fallback cilium#30536 prematurely concluded that AWS now uses InsufficientCidrBlocks to indicate the subnet is out of prefixes. Looks like AWS still uses InvalidParameterValue and "There aren't sufficient free Ipv4 addresses or prefixes" to indicate subnet is at capacity. In addition to this InsufficientCidrBlocks is returned when subnet is at capacity potentially due to fragmentation. In either case, it's worth trying to fall back since /32 IPs might still be available compared to /28. See PR for details from AWS support ticket. Signed-off-by: Hemanth Malla <hemanth.malla@datadoghq.com> 01 March 2024, 02:13:02 UTC
5abe8a8 gha: Re-purpose Conformance Kind proxy test As Envoy DS is the default mode now, we should re-purpose the existing test to embedded mode, so that we still have required coverage. Relates: 21fa2df60abd0f3a5627aca3265347558d170f37 Relates: https://github.com/cilium/cilium/pull/30034 Signed-off-by: Tam Mach <tam.mach@cilium.io> 01 March 2024, 00:24:50 UTC
8a131c2 cec: timerbased reconcile job as fallback Currently, there might be rare cases where changes to a node's labels lead to errors when applying the Envoy resources of a `CiliumEnvoyConfig` in the xDS cache. With the current implementation of the `LocalNodeStore`, there won't be a retry in these cases. Therefore, this commit adds a timer-job that periodically checks for un-applied configs - and tries to reconcile them. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 01 March 2024, 00:12:23 UTC
6b63ea2 bitlpm: Factor out common code Reduce code repetition by defining a 'traverse' function that is shared between multiple functions. Clarify comments. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> 29 February 2024, 23:06:01 UTC
21fa2df envoy: Default to daemon set deployment from 1.16 This is to set the default envoy deployment to daemon set mode for new installation. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 21:51:23 UTC
e1afa06 bpf: Fix missing tail calls The changes to the dead tail call elimination revealed 2 cases of missing tail calls. First is to do with NAT46x64 logic where there still existed a call path from the IPv4 logic which would attempt to tail call into IPv6 to recirculate the packet, even when the IPv6 tail call wasn't compiled in. The second was that when XDP offloaded, the IPv6 logic would tail call into an ICMP6 tail call which is only compiled in for TC programs. This commit fixes both possible missing tail calls. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
217426a pkg/bpf: Add test for removeUnreachableTailcalls This commit adds a test to verify the behavior of the dead tail call pruning. It consists of 5 tail calls, of which 2 are unreachable. The test asserts that only the unreachable tail calls are removed from the spec. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
16033b9 pkg/bpf: Implement unreachable tail call pruning This commit implements unreachable tail call pruning. When loading a collection we check if a tail call is reachable. If not, we remove the tail call from the collection. This saves us from having to load the tail call program into the kernel. Previously, we would conditionally not include tail calls in the collection with pre-processor directives. Now that we do it in the loader, we can remove the pre-processor directives. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
c4cbb38 bpf: Modify tail_call_static to emit better parseable assembly Before this change the tail_call_static function would emit the following instructions to perform a tailcall:
```
Mov R1, Rctx
Mov R2, Rmap_ptr
Mov R3, <slot>
Call TailCall
```
Since the second instruction is always a Register to Register move, we would have to backtrack to find the actual map which is being used. These changes make it so the following instructions are emitted:
```
Mov R1, Rctx
Mov R2, 0 ll <calls_map>
Mov R3, <slot>
Call TailCall
```
By always using a double word immediate, with a relocation entry on the Mov R2 instruction it is much easier to find the actual map which is being used. As a side effect, we usually eliminate an extra instruction clang was otherwise forced to emit. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
46db413 bpf: Remove `declare_tailcall_if` Remove `declare_tailcall_if`, so we always emit the tailcall programs into the ELF. The followup commit will implement pruning logic based on the actual usage of the tail calls. This means that we will only need the `invoke_tailcall_if` without the need to keep both the declaration and invocation in sync. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 21:07:28 UTC
ce25c55 operator: Implement cache to be used for Cilium Identity management Signed-off-by: Dorde Lapcevic <dordel@google.com> 29 February 2024, 16:41:03 UTC
eb0030c pkg/datapath/linux: Require dead code elimination support This commit adds a test to check for dead code elimination support in the kernel. Support was added in v5.1, our new minimum supported version is v5.4. This feature will be crucial for the datapath to properly function in the future. So assert this kernel feature works on startup. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> 29 February 2024, 16:07:07 UTC
b9098e6 bpf: explicitly pass map to policy_can_{in,e}gress{4,6} currently some functions in policy.h reference POLICY_MAP, assuming it's always defined. This prevents including this header in a context where the POLICY_MAP is not defined. To overcome this, remove all the POLICY_MAP references from these functions and always pass the map explicitly in the caller. No functional changes are introduced. Signed-off-by: Gilberto Bertin <jibi@cilium.io> 29 February 2024, 15:47:00 UTC
d7dba5e xds: Avoid xds timeout due to agent restart in envoy DS mode For external envoy, xds server and envoy are having different life cycles i.e. each is running in its own pod, and can be deployed or restarted independently. This commit is to handle the case that xds in cilium agent got restarted, and nonce value is always 0. Sample error
```
2024-02-05T12:49:51.771714518Z level=warning msg="Regeneration of endpoint failed" bpfCompilation=0s bpfLoadProg=105.68356ms bpfWaitForELF="24.396µs" bpfWriteELF=1.802221ms ciliumEndpointName=cilium-test/client-56f8968958-fqdl4 containerID=245b2aaac2 containerInterface=eth0 datapathPolicyRevision=5 desiredPolicyRevision=6 endpointID=134 error="Error while configuring proxy redirects: proxy state changes failed: context canceled" identity=1713 ipv4=10.244.1.1 ipv6="fd00:10:244:1::9544" k8sPodName=cilium-test/client-56f8968958-fqdl4 mapSync=2.476505ms policyCalculation=1.240346ms prepareBuild="437.049µs" proxyConfiguration="837.119µs" proxyPolicyCalculation="234.369µs" proxyWaitForAck=2m34.697546384s reason="policy rules added" subsys=endpoint total=2m34.818201428s waitingForCTClean=270ns waitingForLock="2.605µs"
```
Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 15:19:03 UTC
cbca369 netns: clean up API, reimplement in pure Go without dependencies The previous netns package had a few problems. It shelled out to iproute2, and it depended on both containernetworking/plugins/pkg/ns and vishvananda/netns, which led to some idiosyncratic API. This commit addresses these issues and takes care of some much-needed API cleanup: - Create a new netns with New() - Open an existing pinned netns with OpenPinned() - Execute code within the netns with ns.Do() - Close with Close() Pinning network namespaces is not supported, as there is currently little reason for doing so. In case the requirement pops up again later, it can always be added. All tests now use anonymous (non-pinned) network namespaces, and the netns created for cilium-health also no longer leaves an entry in /var/run/netns. Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io> Co-authored-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
2063a21 cilium-dbg: remove netns cleanup code This was already redundant when running Cilium inside a container, since the nsfs instance inside the container is bound to the container's lifecycle. Running Cilium outside of a container is currently rather involved and not officially supported. Remove the netns cleanup code. When the container exits, cilium-health and its enclosing namespace also disappears. Follow-up commits will remove the code in package netns being called here. Signed-off-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
ed04ccd link: ignore missing interfaces in DeleteByName This allows surfacing unexpected errors, but ignores interfaces that are already absent. Signed-off-by: Timo Beckers <timo@isovalent.com> 29 February 2024, 13:38:41 UTC
77053ae iptables: Read CNI chaining mode from CNI config manager CNI chaining mode option has been moved to the CNI cell in commit 1254bf403f. Since it is not a global config option anymore, iptables manager will not see any change to that value, and its field `CNIChainingMode` will always be an empty string. Thus, with the following config option values: - "enable-endpoint-routes": true - "cni-chaining-mode": "aws-cni" the delivery interface referenced in the rules installed by the manager is "lxc+" instead of "eni+". This commit fixes this by adding a CNI config manager reference to the iptables manager parameters, in order to read the current setting for the chaining mode during rules installation. Fixes: 1254bf403f ("daemon / cni: move to Cell, watch for changes") Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> 29 February 2024, 10:21:41 UTC
cd53c4f gateway-api: Correct the null check for GRPCRoute Match The null check for Method should be before the check for Method.Service to avoid NPE. Signed-off-by: Tam Mach <tam.mach@cilium.io> 29 February 2024, 09:10:04 UTC
5d3c7c3 bpf: Fix VTEP drop check Commit a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") seems to have inadvertently swapped a check for "is not world" to a check for "is world" in order to drop. This has likely broken the VTEP feature. Fix it. Fixes: a94fa56f6713 ("Fix CIDR to World Entity Conversion Bug") Reported-by: Jan Hugo Prins <jhp@jhprins.org> Signed-off-by: Joe Stringer <joe@cilium.io> 29 February 2024, 06:58:49 UTC
fe71a4a controlplane: fix mechanism for ensuring watchers I realized that the fix for controlplane tests isn't complete. There is still a (small) race window: The current watch reaction records a watcher as established without "handling" the watch itself, i.e. it lets the default watch reaction actually call 'Watch' on the tracker. This is racy, as things can happen in the window between recording and actually watching. To fix this, add the recording unconditionally in the existing tracker augmentation. Fixes: ba99d74c44 (controlplane: add mechanism to wait for watchers) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 28 February 2024, 19:59:31 UTC
badd092 endpoint: rename GetMetadataValue to GetPropertyValue During the PR review for d735c5017bd1 it was suggested to change the field name from endpoint.Metadata to endpoint.Properties. Unfortunately, this method was missed during the renaming and this commit sets the right name to it. Fixes: d735c5017bd1 ("introduce 'properties' for endpoints") Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
44bb357 endpoint: use PropertyCEP{Owner,Name} as CEP owner/name if set this will allow alternative implementations to extend the CiliumEndpoint usage Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
f2a0940 operator: gc: don't GC a CEP if it's not owned by a pod or node to prevent Cilium Operator from garbage collecting CiliumEndpoints that have an owner reference other than a Pod and CiliumNode, we should default to not garbage collect them Signed-off-by: André Martins <andre@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io> 28 February 2024, 15:09:29 UTC
8bf9fd2 xds: Move MockStream to stream_test.go This commit is to move MockStream struct to stream_test.go as it's only used in unit test. Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 February 2024, 14:28:39 UTC
6fee46f ci/ipsec: Fix downgrade version retrieval Figuring out the right "previous patch release version number" to downgrade to in print-downgrade-version.sh turns out to be more complex than expected [0][1][2][3]. This commit is an attempt to 1) fix issues with the current script and 2) overall make the script clearer, so we can avoid repeating these mistakes.

As for the fixes, there are two things that are not correct with the current version. First, we're trying to validate the existence of the tag to downgrade to, in case the script runs on top of a release preparation commit for which file VERSION has been updated to a value that does not yet contain a corresponding tag. This part of the script is actually OK, but not the way we call it in the IPsec workflow: we use "fetch-tags: true" but "fetch-depth: 0" (the default), and the two are not compatible, a shallow clone results in no tags being fetched. To address this, we retrieve the tag differently: instead of relying on "fetch-tags" from the workflow, we call "git fetch" from the script itself, provided the preconditions are met (we only run it from a Git repository, if the "origin" remote is defined). If the tag exists, either locally or remotely, then we can use it. Otherwise, the script considers that it runs from a release preparation Pull Request, and decrements the patch release number.

The second issue is that we would return no value from the script if the patch release is zero. This is to avoid any attempt to find a previous patch release when working on a development branch. However, this logic is incorrect (it comes from a previous version of the script where we would always decrement the patch number). After the first release of a new minor version, it's fine to have a patch number at 0. What we should check instead is whether the version ends with "-dev".

This commit brings additional changes for clarity: more comments, and a better separation between the "get latest patch release" and "get previous stable branch" cases, moving the relevant code to independent functions, plus better argument handling. We also edit the IPsec workflow to add some logs about the version retrieved. The logs should also display the script's error messages, if any, that are printed to stderr. Sample output from the script:
```
VERSION     Tag exists  Previous minor  Previous patch release
1.14.3      Y           v1.13           v1.14.3
1.14.1      Y           v1.13           v1.14.1
1.14.0      Y           v1.13           v1.14.0
1.14.1-dev  N           v1.13           <error>
1.15.0-dev  N           v1.14           <error>
1.13.90     N           v1.12           v1.13.89  <- decremented
2.0.0       N           <error>         <error>
2.0.1       N           <error>         v2.0.0    <- decremented
2.1.1       N           v2.0            v2.1.0    <- decremented
```
[0] 56dfec2f1ac5 ("contrib/scripts: Support patch releases in print-downgrade-version.sh") [1] 4d7902f54a74 ("contrib/scripts: Remove special handling for patch release number 90") [2] 5581963cbf94 ("ci/ipsec: Fix version retrieval for downgrades to closest patch release") [3] 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Fixes: 3803f539a740 ("ci/ipsec: Fix downgrade version for release preparation commits") Signed-off-by: Quentin Monnet <quentin@isovalent.com> 28 February 2024, 14:11:08 UTC
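The decision rules that commit 6fee46f's sample table encodes, reimplemented in Go as an added example (not the project's print-downgrade-version.sh): a "-dev" suffix means there is no patch release to downgrade to, an existing tag for VERSION is used as-is, a missing tag means VERSION is a release-preparation bump and the patch number is decremented, and neither a patch nor a minor number of 0 can be decremented. The tag lookup is replaced by a caller-supplied predicate over a constructed tag set, so no `git fetch` is performed; that predicate and the tag set are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is the content of the VERSION file: MAJOR.MINOR.PATCH, optionally "-dev".
type Version struct {
	Major, Minor, Patch int
	Dev                 bool
}

// ParseVersion splits "1.14.3" or "1.15.0-dev" into its parts.
func ParseVersion(s string) (Version, error) {
	var v Version
	s = strings.TrimSpace(s)
	if strings.HasSuffix(s, "-dev") {
		v.Dev = true
		s = strings.TrimSuffix(s, "-dev")
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	var err error
	for i, dst := range []*int{&v.Major, &v.Minor, &v.Patch} {
		if *dst, err = strconv.Atoi(parts[i]); err != nil || *dst < 0 {
			return v, fmt.Errorf("malformed version %q", s)
		}
	}
	return v, nil
}

// PreviousStableBranch is the "Previous minor" column: vMAJOR.(MINOR-1), or an error
// when there is no earlier minor release to downgrade to.
func PreviousStableBranch(v Version) (string, error) {
	if v.Minor == 0 {
		return "", fmt.Errorf("no previous stable branch for %d.%d", v.Major, v.Minor)
	}
	return fmt.Sprintf("v%d.%d", v.Major, v.Minor-1), nil
}

// PreviousPatchRelease is the "Previous patch release" column. tagExists stands in for
// the script's local-or-remote tag lookup (assumption: no git fetch happens here).
func PreviousPatchRelease(v Version, tagExists func(tag string) bool) (string, error) {
	if v.Dev {
		return "", fmt.Errorf("development version, no patch release to downgrade to")
	}
	tag := fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch)
	if tagExists(tag) {
		return tag, nil
	}
	// No tag: this is a release-preparation commit, so the previous patch is one lower.
	if v.Patch == 0 {
		return "", fmt.Errorf("%s is not tagged and its patch number cannot be decremented", tag)
	}
	return fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch-1), nil
}

func orErr(s string, err error) string {
	if err != nil {
		return "<error>"
	}
	return s
}

func main() {
	// Constructed tag set standing in for the repository's tags.
	tags := map[string]bool{"v1.14.0": true, "v1.14.1": true, "v1.14.3": true}
	exists := func(tag string) bool { return tags[tag] }
	for _, s := range []string{"1.14.3", "1.14.0", "1.14.1-dev", "1.15.0-dev", "1.13.90", "2.0.0", "2.0.1", "2.1.1"} {
		v, err := ParseVersion(s)
		if err != nil {
			fmt.Println(s, err)
			continue
		}
		branch, berr := PreviousStableBranch(v)
		patch, perr := PreviousPatchRelease(v, exists)
		fmt.Printf("%-12s branch=%-8s patch=%s\n", s, orErr(branch, berr), orErr(patch, perr))
	}
}
```

Keeping the two columns in separate functions mirrors the commit's split between the "get previous stable branch" and "get latest patch release" cases, so the rows of the table can each be asserted on independently.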
dd693a7 Add Hubble metrics HTTP endpoint status metrics This change introduces two new metrics: * hubble_http_handler_requests_total - counter for requests made to the endpoint, grouped by HTTP status code * hubble_http_handler_request_duration_seconds - histogram of latencies for requests made to the endpoint, grouped by HTTP status code This provides option to measure availability of Hubble metrics endpoint on Hubble side. Although similar functionality might be achieved through using metrics of collectors scraping this endpoint, unavailability measured with that approach includes unavailability of the collector itself, which might not be desired in some cases. Signed-off-by: Michal Siwinski <siwy@google.com> 28 February 2024, 14:02:54 UTC
2534006 Fix netbird name in the description Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
36006f1 Add link to the blog post about the usage Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
2b1a281 Add further description about usage of Cilium in NetBird Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
2a7c0de Add NetBird to the Cilium user list Signed-off-by: Misha Bragin <bangvalo@gmail.com> 28 February 2024, 14:08:28 UTC
39637d6 gha: don't wait for kind clusters to become ready They will never, because no CNI is present at that point. Hence, let's just avoid wasting one minute waiting for the timeout to expire. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
c442ca5 renovate: onboard KIND_K8S_IMAGE var and drop kind-config.yaml files Let's make sure that the newly introduced KIND_K8S_IMAGE variable gets automatically updated by renovate. Additionally, the kind configuration files no longer hard-code the kind image, hence they don't need to be automatically renovated anymore. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
aabdfa7 gha: migrate workflows to use the global kind-related variables Let's switch all the workflows over to using the globally defined kind-related variables, and remove the workflow specific definitions. This also addresses a few cases which didn't specify any version. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
394b3de gha: centralize kind version and image definition in set-env-variables Let's define kind-related variables (i.e., version, k8s image and k8s version) inside the set-env-variables action. Once all consumers have been migrated through the subsequent commit, this will ensure consistency across workflows, simplify version bumps as well as the introduction of new workflows depending on them. One extra byproduct is that renovate updates will also stop requesting reviews from all the different teams owning each specific workflow. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 28 February 2024, 13:13:33 UTC
91fc572 ingress/gateway-api: expose Envoy listeners on subset of nodes This commit adds support for exposing L7 Envoy Listeners only on a subset of Cilium Nodes. This only works in combination with the hostnetwork mode. **Configure node labelselector via Helm** * Ingress Controller: `ingressController.hostNetwork.nodes.matchLabels` * Gateway API: `gatewayAPI.hostNetwork.nodes.matchLabels`
```
ingressController:
  hostNetwork:
    nodes:
      matchLabels:
        role: infra
        component: ingress
```
An empty selector selects all Nodes and continues to expose the functionality on all Cilium Nodes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
72da224 ingress/gateway-api: expose listeners on host network This commit adds support for exposing the L7 Envoy Listeners directly on the host network - and no longer use Kubernetes Services of type `LoadBalancer` or `NodePort`. The listener is exposed on all interfaces (`0.0.0.0` for IPv4 and/or `::` for IPv6). **Enable HostNetwork support via Helm** * Ingress Controller: `ingressController.hostNetwork.enabled=true` * Gateway API: `gatewayAPI.hostNetwork.enabled=true` **Configure listener port** * Shared Ingress: configurable via Helm (`ingressController.hostNetwork.sharedHTTPPort` & `ingressController.hostNetwork.sharedTLSPassthroughPort`) * Dedicated Ingress: configurable via Annotation on the resource `Ingress` (`ingress.cilium.io/http-host-port` & `ingress.cilium.io/tls-passthrough-host-port`) * Gateway API: configurable via `spec.listeners.port` on the resource `Gateway` Be aware that misconfiguration might result in port clashes. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
3f9e0e9 gateway api: no error if lb service isn't ready yet Currently, the reconciliation of `Gateway` fails with an error if the status of the corresponding loadbalancer service isn't ready. Returning an error leads to an additional reconciliation and logs the error. There are cases (upcoming hostnetwork support) where the status of the loadbalancer service is never set which leads to reconciliation loops. Therefore, with this commit, a missing status no longer results in an error. This should also be enough in all other cases because a reconciliation should be triggered on an update of the loadbalancer service itself. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
c336bc6 ingress: remove unused parameters from IngressPassthrough Ingestion of a Passthrough listener (`IngressPassthrough`) never uses the parameters `defaultSecretNamespace` and `defaultSecretName`. Therefore, this commit removes these from the function signature. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com> 28 February 2024, 12:27:37 UTC
bd537a3 envoy: Avoid duplicated upstream callback This commit is to manually bump envoy image hash to pick up the below fix. Relates: https://github.com/cilium/proxy/pull/564 Related build: https://github.com/cilium/proxy/actions/runs/8000821761/job/21850879597 Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 February 2024, 09:05:19 UTC
c59b409 gateway: Sync up the experimental conformance test This is to fix the below issue, which was missed in the PR #31005.
```
experimental_conformance_test.go:117: error creating experimental conformance test suite: no kind is registered for the type v1.CustomResourceDefinitionList in scheme "k8s.io/client-go/kubernetes/scheme/register.go:80"
--- FAIL: TestExperimentalConformance (0.00s)
```
Fixes: https://github.com/cilium/cilium/pull/31005 Signed-off-by: Tam Mach <tam.mach@cilium.io> 28 February 2024, 02:24:12 UTC
9620979 pkg/endpoint: remove reserved:init from endpoints Previously, a bug introduced in e43b759bab69 caused the 'reserved:init' label to persist even after an endpoint received its security identity labels. This resulted in endpoints being unable to send or receive any network traffic. This fix ensures that the 'reserved:init' label is properly removed once initialization is complete. Fixes: e43b759bab69 ("pkg/endpoint: keep endpoint labels for their original sources") Signed-off-by: André Martins <andre@cilium.io> 27 February 2024, 23:13:39 UTC
6b83c4e loader: add cilium_per_cluster_snat to the list of ignored ELF prefixes This prevents warning messages like: level=warning msg="Skipping symbol substitution" symbol=cilium_per_cluster_snat_v4_external Fixes: 03c195ecc6e6 ("bpf: Introduce per-cluster NAT maps") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 February 2024, 15:37:42 UTC
e17039a gateway-api: Bump to latest version from upstream This is as part of regular update, also to pick up the latest conformance tests. Signed-off-by: Tam Mach <tam.mach@cilium.io> 27 February 2024, 14:57:09 UTC
e656746 statedb/reflector: fix race condition in test The test assumed that the initial list and watch of the underlying k8s reflector would complete before the 'Get' query would establish, but that wasn't guaranteed. Instead, explicitly synchronise for this case. Fixes: 0554ca6811 (statedb/reflector: Add Kubernetes to StateDB reflector) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 27 February 2024, 14:34:49 UTC
1eb12e0 wireguard: unconditionally add NodeInternalIPs to allowed IPs Currently, we add the remote NodeInternalIPs to the list of allowed IPs associated with a given WireGuard peer only in certain circumstances, and more specifically when either tunneling or node to node encryption is enabled. However, this logic doesn't practically buy us anything in terms of additional security, but causes potential traffic disruption in case users want to enable/disable node2node encryption in a running cluster. Hence, let's just get rid of it, and unconditionally add NodeInternalIPs to the list of allowed IPs. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 27 February 2024, 14:34:29 UTC
ee6b688 fix(deps): update module golang.org/x/crypto to v0.20.0 Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 February 2024, 12:25:30 UTC
f0856f3 chore(deps): update all lvh-images main Signed-off-by: renovate[bot] <bot@renovateapp.com> 27 February 2024, 10:47:33 UTC
ed817e6 Remove additional endpoint status options. Additional Endpoint status options were able to easily overload k8s control plane nodes with additional updates meant only for debugging purposes. This PR removes `--endpoint-status` option from cilium-agent and `endpointStatus` from helm values. Instead of these options, users should rely on metrics provided by cilium-agent to check if Cilium is operating correctly. All of this in-detail information is still available through `cilium-dbg endpoint get` command for debugging purposes. For monitoring cluster and node level information, we recommend using the following metrics: - EndpointStatus policy - `cilium_policy` and `cilium_policy_endpoint_enforcement_status` metrics - EndpointStatus controllers - `cilium_controllers_failing` - EndpointStatus state - still available in Endpoint CRD status and also in `cilium_endpoint_state` metric - EndpointStatus log - logs still available through `cilium-dbg` - EndpointStatus health - it was a more detailed state so users could still rely on `cilium_endpoint_state` for general health, but it could make sense to follow up with the creation of a new metric `cilium_endpoint_health`. Fixes #29804 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> 27 February 2024, 09:49:00 UTC
29a7918 helm: Probe Envoy DaemonSet localhost IP directly On IPv6-only clusters, querying localhost for the health check could attempt to check 127.0.0.1, presumably depending on host DNS configuration. As the health check does not listen on IPv4 when .Values.ipv4.enabled is false, this health check could fail. This patch uses the same logic as the bootstrap-config.json file to ensure a valid IP is always used for the health check. Fixes: #30968 Fixes: 859d2a9676c4 ("helm: use /ready from Envoy admin iface for healthprobes on daemonset") Signed-off-by: Andrew Titmuss <iandrewt@icloud.com> 27 February 2024, 04:15:51 UTC
cb108f2 chore(deps): update actions/download-artifact action to v4.1.3 Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 22:29:21 UTC
0b7f202 fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.681 Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 20:55:16 UTC
b64330d LRP: Use hive cell infra Use the hive cell infra for wiring up the LRP manager. Signed-off-by: Aditi Ghag <aditi@cilium.io> 26 February 2024, 17:21:57 UTC
40070a9 chore(deps): update gcr.io/distroless/static-debian11:nonroot docker digest to 49af061 Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 16:23:59 UTC
11d0ff0 docs: add Veepee as cilium USERS Signed-off-by: Loïc Blot <nerzhul@users.noreply.github.com> 26 February 2024, 15:55:04 UTC
6b3a6f2 bandwidth: test: don't unlock os thread too early The idea of freshNetNS is to create a new network namespace to isolate the test from the system at large. In order to do so in Go, one must also lock the current goroutine to a specific OS thread and prevent other goroutines from being scheduled on that OS thread. Conveniently, runtime.LockOSThread does exactly that. However, freshNetNS was flawed in that it called runtime.UnlockOSThread too early - creation of the network namespace was locked to the current OS thread, but unlocking it means that the goroutine may be scheduled to another at any point, as well as other goroutines potentially interfering with "our" network namespace, as they are scheduled on "our" OS thread. Fix this by calling UnlockOSThread only after the test has completed, via t.Cleanup. Fixes: 450a541849 (bandwidth: Reconciler for qdisc setup) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 26 February 2024, 13:09:35 UTC
5dcf274 bpf: lb: rely on CT tuple for loopback RevDNAT When RevDNATing a reply for a loopback connection, take the current daddr from the CT tuple (and not the packet header). This matches what we do for the packet's saddr. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 26 February 2024, 12:48:09 UTC
33c71a2 bpf: lb: default to REV_NAT_F_TUPLE_SADDR in RevNAT handling All callers of lb*_rev_nat() now pass this flag. So make it the default behaviour, and trust that callers pass a CT tuple which matches the packet headers. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 26 February 2024, 12:48:09 UTC
e332533 bpf: lxc: pass REV_NAT_F_TUPLE_SADDR for IPv4 loopback replies We're working with a proper CT tuple, where we can trust that tuple->saddr holds the source address of the packet header. Avoid the extra ctx_load_bytes(). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 26 February 2024, 12:48:09 UTC
b388632 bpf: lxc: clarify loopback reply RevDNAT handling When from-container handles reply traffic, we *only* want to RevDNAT the replies of a backend for a loopback connection. All "normal" reply traffic will instead get its RevDNAT processing in the client's to-container program / tail-call. Current code implements this split by assuming that *only* loopback connections will have a `rev_nat_index` in this code path, as the CT entry inherits it when initially creating the CT entry. Bake this condition into the code. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 26 February 2024, 12:48:09 UTC
76cc2cb bpf: lxc: pass REV_NAT_F_TUPLE_SADDR for lb6_rev_nat() lb6_rev_nat() handles RevDNAT of service replies, as they flow towards the client. To update the packet's csum after rewriting the saddr, it can obtain the old saddr from either the packet headers, or from the CT tuple. In the case of ipv6_policy(), we don't need to access the packet headers but can rely on the CT tuple. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> 26 February 2024, 12:48:09 UTC
223a5e0 ingress: Add check for kpr and nodeport Ingress Controller and Gateway API require either KPR or NodePort to be enabled to work properly. Similar validation was done in helm via the validate.yaml script; however, a user might not use helm as a method of installation. Suggested-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Tam Mach <tam.mach@cilium.io> 26 February 2024, 09:23:34 UTC
3d8daa6 chore(deps): update all github action dependencies Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 09:22:15 UTC
c092f67 test: [regression] Re-enable tests on non-AKS platforms The tests were incorrectly skipped on non-AKS platforms due to the regression introduced recently that flipped the conditions to skip the test on the AKS platform. Fixes: 0a92cc57a0 (test: remove references to v4.19) Signed-off-by: Aditi Ghag <aditi@cilium.io> 26 February 2024, 08:45:33 UTC
213c128 fix(deps): update all go dependencies main Signed-off-by: renovate[bot] <bot@renovateapp.com> 26 February 2024, 08:37:41 UTC
3b8d95c Egress rule supports CiliumCIDRGroup Fixes: #30597 Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com> 26 February 2024, 08:33:25 UTC
b463146 bgpv2: update advertisement CRD to include service options Define service options field (optional) in Advertisement struct. This will be used to add additional metadata related to advertisement type Service. In this case, we add additional advertisement sub-types like LoadBalancerIP, ClusterIP and ExternalIP for a service to be advertised via BGP. This change also fixes minor typos and renaming of exported fields in BGP advertisement file to have consistent prefix. Signed-off-by: harsimran pabla <hpabla@isovalent.com> 26 February 2024, 08:32:27 UTC
8fcfad9 bpf: correctly encapsulate pod to node traffic with kube-proxy+hostfw When the host firewall is enabled in tunneling mode, pod to node traffic needs to be forwarded through the tunnel in order to preserve the security identity (as otherwise the source IP address would be SNATted), which is required to enforce ingress host policies. One tricky case is represented by node (or hostns pod) to pod traffic via services with local ExternalTrafficPolicy, when KPR is disabled. Indeed, in this case, the SYN packet is routed natively (as both the source and the destination are node IPs) to the destination node, and then DNATted to one of the backend IPs, without being SNATted at the same time. Yet, the SYN+ACK packet would then be incorrectly redirected through the tunnel (as the destination is a node IP, associated with a tunnel endpoint in the ipcache), hence breaking the connection, while it should be passed to the stack to be rev DNATted and then forwarded accordingly. In detail, reporting the description from c8052a1fab8b, the broken packet path is node1 --VIP--> pod@node2 (VIP is node2IP): - SYN leaves node1 via native device with node1IP -> VIP - SYN is DNATed on node2 to node1IP -> podIP - SYN is delivered to lxc device with node1IP -> podIP - SYN+ACK is sent from lxc device with podIP -> node1IP - SYN+ACK is redirected in BPF directly to cilium_vxlan - SYN+ACK arrives on node1 via tunnel with podIP -> node1IP - RST is sent because podIP doesn't match VIP c8052a1fab8b attempted to fix this issue for the kube-proxy+hostfw (and IPSec) scenarios by always passing the packets to the stack, so that it doesn't bypass conntrack. The IPSec specific workaround got then removed in 0a8f2c4ee43e, as that path asymmetry is no longer present. 
However, always passing packets to the stack breaks the host firewall policy enforcement for pod to node traffic, as at that point there's no route which redirects these packets back to the tunnel to preserve the security identity, and they get simply masqueraded and routed natively. To prevent this issue, let's pass packets to the stack only if they are a reply with destination identity matching a remote node, as in that case they may need to be rev DNATted. There are two possibilities at that point: (a) the destination is a CiliumInternalIP address, and the reply needs to go through the tunnel -- node routes ensure that the packet is first forwarded to cilium_host, before being redirected through the tunnel; (b) the destination is one of the other node addresses, and the reply needs to be forwarded natively according to the local routing table (as node to pod/node traffic never goes through the tunnel unless the source is a CiliumInternalIP address). Overall, this change addresses the externalTrafficPolicy=local service case, while still preserving encapsulation in all other cases. As a side effect, it also improves the performance in the kube-proxy + hostfw case, as pod to pod traffic gets now also redirected immediately through the tunnel, instead of being sent via the stack. Fixes: c8052a1fab8b ("bpf: Do not bypass conntrack if running kube-proxy+hostfw or IPSec") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 26 February 2024, 08:32:20 UTC
1907334 identitybackend: clean up TestGetIdentity The previous patch explains and fixes a flake, this patch removes some of the remaining cruft from earlier attempts at fixing said flake, as well as running the test in parallel (for efficiency). Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 23 February 2024, 18:34:51 UTC
deb0687 identitybackend: address race condition in test TestGetIdentity has been unreliable, even withstanding some previous attempts at deflaking. The issue lies in the use of the k8s fake infrastructure: the simple testing object tracker of client-go does _not_ set the ResourceVersion for resources created. This interacts badly with the logic of the client-go reflector's ListAndWatch method, which relies on the resource version to close the racy window between its List and Watch calls. The real k8s api-server will replay events which occur after the completion of List and before the establishment of the Watch, thanks to the ResourceVersion. The object tracker's Watch implementation, however, does (and can) not do so, as it doesn't have a resource version to determine which events it would need to replay. Notably, the HasSynced method of the informer will return true once the initial List has succeeded. This isn't a guarantee for the Watch to be established (and indeed, the reflector establishes the Watch _after_ the list). This is fine for reality, again thanks to the resource version and the api-server replaying. The race, hence, is that the creation of the identities can happen concurrently to the establishment of the watch (HasSynced guarantees that it happens _after_ the list), and thus we race the creation of the "RaceFreeWatcher" in the object tracker. If the watcher is late, it misses the creation of an identity, and we time out waiting on the wait group. To fix this, instead of attempting to wait for the Watch establishment (which doesn't seem easy, on first glance), just create the resources _before_ list and watch is started, so that they are returned in the initial list call. Prior to this patch, the following commandline typically failed quickly: while true; do go test ./pkg/k8s/identitybackend -run 'TestGetIdentity' -v -count=1 -timeout=10s || break; done After this patch, it ran thousands of times reliably. 
Co-authored-by: Fabian Fischer <fabian.fischer@isovalent.com> Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 23 February 2024, 18:34:51 UTC
6b2d186 job: avoid a race condition in ExitOnCloseFnCtx The test attempted to avoid closing a channel multiple times by setting 'started' to nil. However, since the outer scope will wait on 'started', if started is set to nil before the outer scope waits, it will wait indefinitely - resulting in a time out of the test. Fixes: daa85a0f4a (jobs,test: Fix TestTimer_ExitOnCloseFnCtx channel close panic) Signed-off-by: David Bimmler <david.bimmler@isovalent.com> 23 February 2024, 17:27:16 UTC
0c77529 test: l4lb switch k8s-node-port type to lb With the recent changes in NodePort reconciliation (see https://github.com/cilium/cilium/pull/30374) it is needed to switch service type from --k8s-node-port to --k8s-load-balancer as the VIP is not assigned to the node. Signed-off-by: Ondrej Blazek <ondrej.blazek@firma.seznam.cz> 23 February 2024, 12:38:35 UTC
e17cf21 gha: drop unused check_url environment variable This variable used to be used in combination with the Sibz/github-status-action action, which we replaced with myrotvorets/set-commit-status-action when reworking the workflows to be triggered by Ariane [1]. Given it is now unused, let's get rid of the leftover environment variable, so that we also stop copying it to new workflows. [1]: 9949c5a1891a ("ci: rework workflows to be triggered by Ariane") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> 23 February 2024, 10:50:46 UTC
0fa767a datapath/linux: require HAVE_LARGE_INSN_LIMIT Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 23 February 2024, 09:39:18 UTC
4d2c576 datapath/linux: move creation of features.h to daemon startup Remove another side-effect from CheckRequirements. Signed-off-by: Lorenz Bauer <lmb@isovalent.com> 23 February 2024, 09:39:18 UTC