2cca191 | Romain Lenglet | 15 May 2018, 04:50:17 UTC | endpoint: Allow traffic in BPF map when transitioning to allow-all When an endpoint's policy was updated from default-deny to allow-all, all traffic was dropped during regeneration between the update of L4 policy BPF maps and the installation of the BPF program which allows all traffic. Instead, in this case, explicitly allow all labels in the BPF maps. This policy map will be applied until the BPF program is installed, and then ignored by that program. The CIDR policy may still drop some ingress traffic from IP addresses outside of the cluster. It wouldn't be sufficient to just add /0 CIDR prefixes into the CIDR BPF map, since the new /0 prefix length would be ignored by the BPF program until the BPF program is regenerated and installed. This will be fixed when CIDR ingress policy enforcement is reimplemented to use label-based enforcement like CIDR egress policy enforcement. Signed-off-by: Romain Lenglet <romain@covalent.io> | 16 May 2018, 23:27:54 UTC |
76f6f62 | Jarno Rajahalme | 16 May 2018, 17:01:02 UTC | docs: Remove repetition from Istio GSG. The included gsg_intro.rst already contained the removed paragraphs. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 16 May 2018, 22:13:08 UTC |
b7e3145 | Ian Vernon | 16 May 2018, 19:26:35 UTC | test/k8sT/manifests: re-add l3_l4_policy.yaml This file was symlinked to a file which was deleted. Fixes: dc36592246cc3853574adf587a9f5d6a714f2d56 Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 21:47:12 UTC |
dc36592 | ackerman80 | 27 April 2018, 05:54:23 UTC | examples/minikube: delete unused yamls Signed-off-by: Arvind Soni <arvindsoni@gmail.com> | 16 May 2018, 17:54:11 UTC |
727f8a5 | ackerman80 | 27 April 2018, 05:49:55 UTC | examples/minikube: update http-sw-app.yaml Update to use apiVersion: extensions/v1beta1 for backward compatibility with K8s before 1.9. When we stop support for the versions before 1.9 we can change to use apiVersion: apps/v1 Signed-off-by: Arvind Soni <arvindsoni@gmail.com> | 16 May 2018, 17:54:11 UTC |
3f7f2b7 | Maciej Kwiek | 09 May 2018, 16:00:15 UTC | `cilium monitor` json mode monitor subcommand now has `--json` flag which causes it to parse all node-monitor events and spit out their json representation. This will allow tools like microscope to easily retrieve information about monitor events. json representation was based on existing verbose output to make sure monitor doesn't hide any information we may need later. Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 16 May 2018, 17:51:22 UTC |
b18a622 | Eloy Coto | 16 May 2018, 14:22:21 UTC | Test: Add more context commands on AfterFailed commands The default AfterFailed commands will be in the Jenkins Junit output, this change provides some commands with test context and the output will be useful for a quick overview. About Policy dump, I tried a few times, but the output of this can be super verbose, and having a large dump doesn't help at all. The policy will be retrieved next week in Junit Attachments. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 16 May 2018, 15:57:31 UTC |
2657e86 | Patrice Peterson | 16 May 2018, 09:48:21 UTC | Various link fixes in documentation. | 16 May 2018, 12:01:26 UTC |
9e960a1 | Ray Bejjani | 11 May 2018, 15:03:31 UTC | endpoint: Force regeneration when there are underlying errors A corner case exists where a datapath generation error is logged in endpoint.Status, but later calls to TriggerPolicyUpdates would no-op since the policy is "up-to-date". This will likely be fixed when we transition to desired/realised states. In the meantime, this change allows an endpoint to recover from transient failures. Signed-off-by: Ray Bejjani <ray@covalent.io> | 16 May 2018, 07:54:19 UTC |
8d75d4b | Ian Vernon | 15 May 2018, 20:31:02 UTC | test/k8sT: add failure messages to assertions in validateEgress Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:41 UTC |
a863d30 | Ian Vernon | 15 May 2018, 20:27:40 UTC | test/k8sT: use ExpectWithOffset in helper function This is done so errors will appear in relation to the test which uses the helper function. Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:41 UTC |
ab2c0ca | Ian Vernon | 15 May 2018, 20:24:46 UTC | test/k8sT: fix deletion of policy in external services test Move deletion of policy to `AfterEach`. Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:41 UTC |
436c27e | Ian Vernon | 15 May 2018, 18:24:56 UTC | test/runtime: move policy deletion to AfterEach Do this for the monitor test, as we do not want to create or delete resources within an `It`. Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:13 UTC |
7e2002e | Ian Vernon | 15 May 2018, 18:22:03 UTC | test: fix CLI resource creation / deletion Move creation and deletion of resources into `BeforeEach` and `AfterEach`. Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:13 UTC |
b0df0ca | Ian Vernon | 15 May 2018, 18:14:43 UTC | test/runtime: move initialize func into BeforeAll Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:13 UTC |
8cebf58 | Ian Vernon | 15 May 2018, 17:27:15 UTC | test: fix Policy cmd test resource deletion Put creation of resources in `BeforeEach`, deletion in `AfterEach`. Signed-off by: Ian Vernon <ian@cilium.io> | 16 May 2018, 07:52:13 UTC |
dfcde84 | Joe Stringer | 16 May 2018, 00:05:23 UTC | cmd: Fix `cilium bpf ipcache` The cilium commandline was missing a cobra node for `cilium bpf ipcache` which meant that the help messages were not properly generated for `cilium bpf ipcache list`. Fix this by introducing that node. While we're at it, add some minor UI tidyups. Signed-off-by: Joe Stringer <joe@covalent.io> | 16 May 2018, 07:51:49 UTC |
fdcf8cc | Joe Stringer | 15 May 2018, 21:44:11 UTC | bpf: Respond to all ARP requests Previously, Cilium would only respond to ARP requests for the gateway IP address. However, in rare cases Cilium could change the gateway IP address upon restart, and this could cause connectivity disruption for existing containers. For instance, if a container has a link scope route for the old gateway G1, and the ARP entry times out, then Cilium is restarted, the new Cilium will install a BPF program that responds to requests for a new gateway G2. However, the endpoint does not have a link scope route for G2. It will ARP for G1, but the new BPF program will only respond to ARP requests for G2. Cilium will forward the ARP request to the Linux stack, but there's no G1 IP configured so Linux does not respond. As a result, the endpoint is stuck without the ability to send any traffic. We really only want to force the endpoint to send traffic through the veth device, and after that point we will route via L3 to the appropriate destination. So, if we respond to ARP requests for all IPs with the mac of the other side of the veth pair, then the endpoint will always see an ARP response for an IP, and it will send the traffic out the veth pair, after which point Cilium can route the traffic. This fixes an issue during Cilium restart where endpoints could lose connectivity and would not get back into a good state without being restarted. Signed-off-by: Joe Stringer <joe@covalent.io> | 16 May 2018, 07:27:57 UTC |
552abd5 | Ray Bejjani | 15 May 2018, 19:34:20 UTC | monitor: More correctly cancel contexts on exit We previously used a deferred cancel for the main coordination context. For some reason, the defer was deferred too much and we would see the agent pipe close before we cancel the context. This caused Fatal errors and was unseemly. Signed-off-by: Ray Bejjani <ray@covalent.io> | 15 May 2018, 22:32:28 UTC |
600202a | Ray Bejjani | 15 May 2018, 16:45:59 UTC | monitor: Fatal on critical errors instead of panic The monitor would throw a panic when the BPF perf ring buffer or the cilium-agent events pipe would return errors. This was causing our CI panic checkers to trigger. Switching to Fatal avoids the panic, but keeps it clear that this is a bad event. Fatal does an exit(1). Signed-off-by: Ray Bejjani <ray@covalent.io> | 15 May 2018, 22:32:28 UTC |
c5c56fc | Ian Vernon | 10 May 2018, 21:28:41 UTC | pkg/endpoint: specify why local copy of DesiredL4Policy is made Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
d32091d | Ian Vernon | 03 May 2018, 20:51:52 UTC | pkg/policy: remove Consumable Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
7ff2745 | Ian Vernon | 03 May 2018, 20:49:25 UTC | pkg/endpoint: remove Consumable from Endpoint Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
673df3c | Ian Vernon | 03 May 2018, 20:48:19 UTC | pkg/endpoint: check SecurityIdentity instead of Consumable ID Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
4322ac2 | Ian Vernon | 03 May 2018, 20:47:15 UTC | pkg/endpoint: do not populate endpoint policy model with Consumable info Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
232c952 | Ian Vernon | 03 May 2018, 19:58:41 UTC | pkg/endpoint: remove use of Consumable in regeneratePolicy Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
2546120 | Ian Vernon | 03 May 2018, 19:56:34 UTC | pkg/endpoint: add Iteration to Endpoint Move this from Consumable to Endpoint. Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
9299c9a | Ian Vernon | 03 May 2018, 19:49:33 UTC | pkg/endpoint: check if endpoint SecurityIdentity is nil in TriggerPolicyUpdatesLocked Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
1082928 | Ian Vernon | 03 May 2018, 19:45:32 UTC | pkg/endpoint: check SecurityIdentity directly in regenerateBPF Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
67f0f84 | Ian Vernon | 03 May 2018, 19:35:36 UTC | endpoint: remove consumable checks * remove check for nil Consumable from HastGlobalCT * remove Consumable check and lock from writeL4Policy * remove Consumable check from base64() * remove check for Consumable before calling updateNetworkPolicy - Accordingly, add check for nil SecurityIdentity in updateNetworkPolicy. * remove use of Consumable in LeaveLocked * remove Consumable check from EnableConntrackGC Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
f79e856 | Ian Vernon | 03 May 2018, 03:05:32 UTC | pkg/endpoint: add DesiredL4Policy field for endpoint Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
8c8b167 | Ian Vernon | 03 May 2018, 03:03:53 UTC | pkg/endpoint: rename L4Policy field to RealizedL4Policy Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
a04c37a | Ian Vernon | 03 May 2018, 17:56:00 UTC | pkg/bpf: update comment to reflect current behavior Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
f7da79a | Ian Vernon | 03 May 2018, 17:22:03 UTC | pkg/endpoint: refactor label-based L3 policy determination * remove "evaluating context" logs - Whenever policy is evaluated for a given endpoint, these log messages clog up Cilium's logs. They aren't very helpful, so remove them. * factor out generation of L3-only policy into separate function. Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
a6cfc85 | Ian Vernon | 03 May 2018, 21:22:31 UTC | policy: factor out endpoint PolicyMap updates into controller Before this change, PolicyMap updates were done alongside policy regeneration for a given endpoint. When a PolicyMap update failed, an error was returned. PolicyMap cleanup / updating was never done until the next call to regenerate policy for an endpoint. This change now refactors the code to generate the desired set of PolicyMap keys for the given endpoint when policy is generated. This desired set of PolicyMap keys is now contained within the Endpoint structure itself, along with a set of realized keys, or keys that have been successfully added into the endpoint's PolicyMap. Once policy is recomputed for an endpoint, a controller is spawned for that endpoint which periodically tries to ensure that the state of the endpoint's PolicyMap is in sync with the set of desired PolicyMap keys. Any keys which are not present in this set of keys are attempted to be removed from the map. To move to this controller-based PolicyMap synchronization, all PolicyMap-related data, apart from L4Policy, is moved out of the Consumable type, and is now taken care of on a per-endpoint basis within the aforementioned controller. This goes in line with the effort to move away from the Consumable. With regard to the actual function which synchronizes with the datapath, it is also called synchronously during regenerateBPF, so that the program for an endpoint is not regenerated if any map update fails. It is still called in regeneratePolicy for an endpoint so that the desired state is attempted to be realized for the endpoint with respect to the policy maps. This maintains the same behavior that has previously existed for regenerating an endpoint's program. This also changes functions performed upon the PolicyMap type to assume that the provided port argument is already in network-byte order. Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
d4d8a0b | Ian Vernon | 04 May 2018, 17:32:33 UTC | pkg/maps/policymap: export PolicyKey type This will allow the PolicyKey type to be used outside of this package. Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 22:20:00 UTC |
5c248c9 | André Martins | 23 April 2018, 20:13:42 UTC | docs: list dep in dependencies list Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 21:40:00 UTC |
ca7621c | André Martins | 23 April 2018, 18:04:16 UTC | vendor.conf to golang/dep * Kept all direct dependencies with the same version defined in the old vendor.conf. For the containerd integration the following dependencies will be prematurely updated: - etcd library was updated to 3.2.20 * All transient dependencies were automatically dealt with by dep. Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 21:40:00 UTC |
250f7c0 | Joe Stringer | 14 May 2018, 22:32:08 UTC | bpf: Fix failure handling in CreateMap When the Golang syscall returns an fd plus an error, it is possible for the fd to be negative (which indicates an error), along with a non-nil error. Previously, if the call returned a negative FD, then we would not treat this as an error, because we did the fd check first and returned it with no error if it was nonzero. Instead, check the error first and return an error if it is non-nil. This avoids the bad file descriptor being passed further down into the map pinning syscall, which would subsequently fail, but hiding the original problem. Signed-off-by: Joe Stringer <joe@covalent.io> | 15 May 2018, 21:16:45 UTC |
0da4df3 | André Martins | 14 May 2018, 13:31:31 UTC | daemon: move daemon's config to option/config Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 19:43:15 UTC |
7050b6c | André Martins | 14 May 2018, 13:30:38 UTC | endpoint: move endpoint's library option to pkg/option Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 19:43:15 UTC |
69f71c9 | André Martins | 14 May 2018, 13:30:03 UTC | daemon: move daemon's library option to pkg/option Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 19:43:15 UTC |
bb64315 | André Martins | 14 May 2018, 13:21:51 UTC | pkg/option: move endpoint library options to option package Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 19:43:15 UTC |
1e8c89c | André Martins | 14 May 2018, 10:34:20 UTC | pkg/option: move pkg/option/config to pkg/option/map_options.go Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 19:43:15 UTC |
08de14a | Eloy Coto | 14 May 2018, 15:30:36 UTC | Test: Append the AfterFailed commands to the Jenkins Output. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 19:42:52 UTC |
c9492c4 | Eloy Coto | 08 May 2018, 07:27:44 UTC | Test: Improved Ginkgo logs - Duplicated the ginkgoWriter output to log. So in the test-output the GinkgoWriter data will be in there. - Updating By function, to use local GinkgoWriter - Moved ginkgo Scope to helpers. - Moved helpers.Writer to GinkgoExt. - Rewrite all By messages to use %q and no fmt.Sprintf Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 19:42:52 UTC |
30d7c7d | Ian Vernon | 25 April 2018, 18:14:59 UTC | pkg/policy/api: add basic HTTP Rule sanitization Check whether the HTTP Path and Method are regular expressions per golang's regexp.Compile(). While Envoy uses ECMAScript for regular expression matching, which does not correspond fully to golang's regexp library's regular expression matching, it's best that we have at least some type of regular expression validation for now for fields requiring regular expressions in HTTP Rules. A future fix would be to validate against ECMAScript. See: http://en.cppreference.com/w/cpp/regex/ecmascript Signed-off by: Ian Vernon <ian@cilium.io> | 15 May 2018, 18:07:58 UTC |
7533ea1 | André Martins | 15 May 2018, 11:12:16 UTC | pkg/ip: fix getNextIP for IPv4 Fix getNextIP for IPv4 addresses that had a length of 4 bytes. Fixes: ee23ad0b3e6386427ba0207a381de583a6fc934a Signed-off-by: André Martins <andre@cilium.io> | 15 May 2018, 17:44:10 UTC |
7330215 | Daniel Borkmann | 15 May 2018, 10:56:03 UTC | bpf: remove geneve TLV options We currently do not use geneve TLV options, we do however add a TLV option via BPF for encoding the endpoint security identity, but then on decap this info is neither checked nor further processed after parsing it. So it's effectively dead code. Yet causing problems like in #4103 and in the past as fixed in 923850fb03e5 ("bpf: geneve: Fix convertion of identity ID to hex"). Also, the info we encode we already have via vni in SECLABEL, so it's also duplicate. Let's get rid of it. Fixes: #4103 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> | 15 May 2018, 14:37:08 UTC |
61ad3ca | Eloy Coto | 15 May 2018, 09:34:28 UTC | Test: CMDSuccess fix typos Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 14:35:47 UTC |
6d89f74 | Eloy Coto | 14 May 2018, 15:01:06 UTC | Test: Clean all res.CombineOutput in all ResCmd asserts Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 14:35:47 UTC |
8253486 | Eloy Coto | 14 May 2018, 14:42:52 UTC | Test: Use helpers.CMDSuccess in ExpectWithOffset Updated some tests to use CMDSuccess instead of `res.WasSuccessfull()` Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 14:35:47 UTC |
e95fe0e | Eloy Coto | 14 May 2018, 11:35:06 UTC | Test: CMDSuccess Matcher With this change, the output of the resCMD.ExpectSuccess will be the following: Example code: ``` vm.Exec("ls /tmp/").ExpectFail("Can access to /tmp/ when it should not") ``` Example output: ``` /home/eloy/.go/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:280 validates basic service management functionality [It] /home/eloy/.go/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:312 Can access to /tmp/ when it should not Expected command: ls /tmp/ To fails, but it was successful: Exitcode: 0 Stdout: hsperfdata_vagrant provision vagrant-shell Stderr: ``` Fixes #4038 Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 14:35:47 UTC |
2ebe215 | Thomas Graf | 15 May 2018, 09:48:44 UTC | agent: Fix indentation of loopback address Fix this: cilium-agent[636]: level=info msg=" IPv6 router address: f00d::a0f:0:0:8ad6" cilium-agent[636]: level=info msg="Initializing identity allocator" cilium-agent[636]: level=info msg=" Loopback IPv4: 10.11.247.232" Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 May 2018, 14:35:19 UTC |
53c3001 | Thomas Graf | 15 May 2018, 11:08:04 UTC | agent: Fix panic when node.GetNodes() is empty Fix the following panic: ``` cilium-agent[16942]: panic: runtime error: invalid memory address or nil pointer dereference cilium-agent[16942]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x18ea5f9] cilium-agent[16942]: goroutine 217 [running]: cilium-agent[16942]: main.(*Daemon).getStatus(0xc4221faea0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...) cilium-agent[16942]: /home/vagrant/go/src/github.com/cilium/cilium/daemon/status.go:178 +0x3c9 cilium-agent[16942]: main.(*Daemon).collectStatus(0xc4221faea0) cilium-agent[16942]: /home/vagrant/go/src/github.com/cilium/cilium/daemon/status.go:111 +0x63 cilium-agent[16942]: created by main.(*Daemon).startStatusCollector cilium-agent[16942]: /home/vagrant/go/src/github.com/cilium/cilium/daemon/status.go:122 +0x3f ``` Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 May 2018, 14:33:35 UTC |
96e7098 | Thomas Graf | 12 May 2018, 13:48:01 UTC | testutils: Factor out random rune generator Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 May 2018, 12:40:55 UTC |
05d258a | Thomas Graf | 15 May 2018, 09:42:41 UTC | bpf: Avoid unnecessary debug output on policy map open Due to diff in fd in the map instance, the following output was printed on each startup in debug mode: "Unified diff:" subsys=policy-map "--- b" subsys=policy-map "+++ a" subsys=policy-map "@@ -1,11 +1,11 @@" subsys=policy-map " &bpf.Map{" subsys=policy-map " MapInfo: bpf.MapInfo{MapType:1, KeySize:0x8, ValueSize:0x18, MaxEntries:0x4000, Flags:0x0, OwnerProgType:0}," subsys=policy-map "- fd: 0," subsys=policy-map "+ fd: 11," subsys=policy-map " name: \"cilium_policy_29898\"," subsys=policy-map " path: \"/sys/fs/bpf/tc/globals/cilium_policy_29898\"," subsys=policy-map " once: sync.Once{}," subsys=policy-map " lock: lock.RWMutex{}," subsys=policy-map " openLock: lock.Mutex{}," subsys=policy-map " NonPersistent: false," subsys=policy-map " dumpParser: bpf.DumpParser {...}," subsys=policy-map " }" subsys=policy-map Signed-off-by: Thomas Graf <thomas@cilium.io> | 15 May 2018, 12:39:31 UTC |
c8c914a | Eloy Coto | 11 May 2018, 14:57:23 UTC | Test: Update Vagrant boxes - Update Vagrant box to version 70, where containerd support is added. - Change the way that we provisioned the servers to support IPv6 - Added envtpl utility for templating. - Added two new options to Vagrantfile `CONTAINER_RUNTIME` and IPv6 - Added a new topic in e2e test related with VM options. Signed-off-by: Eloy Coto <eloy.coto@gmail.com> | 15 May 2018, 08:27:15 UTC |
ccd046c | Romain Lenglet | 12 May 2018, 00:33:25 UTC | k8s: Consistently check for namespace labels in endpoint selectors Some checks were only looking for the K8s namespace label in matchLabels, whereas others were looking in both matchLabels and matchExpressions. Make it consistent by doing only the latter. Signed-off-by: Romain Lenglet <romain@covalent.io> | 15 May 2018, 01:02:59 UTC |
4ee0cd4 | Romain Lenglet | 09 May 2018, 08:10:20 UTC | controller: Skip StopFunc when stopping controller for update Signed-off-by: Romain Lenglet <romain@covalent.io> | 15 May 2018, 01:01:35 UTC |
8db012f | Romain Lenglet | 09 May 2018, 07:52:15 UTC | labels: Replace ParseStringLabels with NewLabelsFromModel NewLabelsFromModel is slightly safer as it eliminates labels with no keys. Reduce memory reallocations when building the resulting map. Signed-off-by: Romain Lenglet <romain@covalent.io> | 14 May 2018, 23:46:00 UTC |
3a5ed4a | Romain Lenglet | 09 May 2018, 08:06:46 UTC | tests: Fix old 10-proxy.sh test Remove UDP ports from L7 rules, which are not forbidden by validation. Fix typo: protool -> protocol. Signed-off-by: Romain Lenglet <romain@covalent.io> | 14 May 2018, 21:22:14 UTC |
28cb9d6 | Maciej Kwiek | 11 May 2018, 15:46:54 UTC | [Docs] Kops installation guide stub Added a new install guide for kubernetes/kops Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 14 May 2018, 17:56:01 UTC |
d5ce82b | Jarno Rajahalme | 09 May 2018, 00:06:23 UTC | proxy: Release redirect sooner. So far we have kept two references to each Redirect, one in both maps 'allocatedPorts' and 'redirects'. The redirect is only ever accessed through 'redirects', so we can remove the pointer from 'allocatedPorts'. Replace the pointer in 'allocatedPorts' with an empty struct instead. This has the effect of releasing the last reference to a Redirect as soon as it is closed as opposed to after 'portReleaseDelay', the time we keep a port number allocated to avoid reusing it too soon. 'portReleaseDelay' is renamed as 'portReuseDelay' as the port was already released by closing (Kafka) or otherwise making it available for reuse (draining in Envoy) it as soon as the redirect implementation was closed within RemoveRedirect() before waiting for the delay. Signed-off-by: Jarno Rajahalme <jarno@covalent.io> | 14 May 2018, 07:49:19 UTC |
32b25d5 | Thomas Graf | 13 May 2018, 09:13:09 UTC | tunnel: Add debug messages on tunnel map manipulation Signed-off-by: Thomas Graf <thomas@cilium.io> | 13 May 2018, 20:54:43 UTC |
318aa7a | Joe Stringer | 11 May 2018, 22:52:18 UTC | bpf: Ensure maps are restored on load failure Previously, `set -e` at the top of these bash scripts prevented the second `cilium-map-migrate` from being invoked in error cases. This meant that the second `cilium-map-migrate` only ever saw error code 0, and the moved maps would remain as /sys/fs/bpf/tc/globals/foo:pending on the filesystem if the script failed. Fix this by dropping out of error mode briefly for the BPF load invocation, store the return code, then go back into error mode. Signed-off-by: Joe Stringer <joe@covalent.io> | 13 May 2018, 10:31:23 UTC |
1fe51af | Joe Stringer | 11 May 2018, 21:36:40 UTC | k8s: Bump CRD schema version. In commit 54b8658b252a ("k8s: Support IPv6 addresses in CIDR policy"), the schema for validating CNP was updated, but the schema version was not bumped. As a result, during upgrade, the new schema validation resource is not updated in k8s, so the new schema does not apply. Bump the schema version to ensure that the new CRD validation is pushed on Cilium startup. Signed-off-by: Joe Stringer <joe@covalent.io> | 11 May 2018, 22:58:02 UTC |
ce9250c | Ian Vernon | 03 May 2018, 21:17:13 UTC | pkg/policy: remove debugging Println calls in unit test Signed-off by: ian Vernon <ian@cilium.io> | 11 May 2018, 22:20:13 UTC |
a7effcb | Ian Vernon | 03 May 2018, 21:16:45 UTC | test/runtime: add output of command if curl to Google fails in test Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 22:20:13 UTC |
2bb1295 | Ray Bejjani | 11 May 2018, 11:23:49 UTC | controller: Cleanup global manager on UpdateController We left controllers that are being replaced in the global list during UpdateController. The intent is to wholly replace the previous controller, and this includes in the global list (also then removing its statistics). Signed-off-by: Ray Bejjani <ray@covalent.io> | 11 May 2018, 22:09:53 UTC |
19638fd | Joe Stringer | 23 April 2018, 22:18:46 UTC | policy: Remove CIDR L3 egress plumbing CIDR L3 egress is now implemented via label-based policy, so the plumbing into the datapath can be removed. We keep the L3Policy in place to allow the desired policy state to be reflected in the Endpoint API structures. Signed-off-by: Joe Stringer <joe@covalent.io> | 11 May 2018, 20:39:16 UTC |
42a4752 | ChristopherBiscardi | 11 May 2018, 08:00:37 UTC | cilium/cmd: add ls alias for list commands Add shorthand aliases to the list sub-commands. This is a "first issue" related change to get more familiar with the code. cobra supports aliases through an `Aliases` field, so I used that to add shorthand support. fixes #4018 Signed-off-by: ChristopherBiscardi <chris@christopherbiscardi.com> | 11 May 2018, 17:37:11 UTC |
d1e423e | Ray Bejjani | 02 May 2018, 16:13:02 UTC | monitor: refactor globals into an object We previously treated the package as the execution context. This made it difficult to enforce isolation between subcomponents. This change restructures the code into an explicit Monitor class with a singleton instance. We also clean up how listeners are cleaned up, avoiding giving the listener handler goroutine direct access to the internals of Monitor. Signed-off-by: Ray Bejjani <ray@covalent.io> | 11 May 2018, 12:31:03 UTC |
e8bb880 | Ray Bejjani | 02 May 2018, 13:29:17 UTC | monitor: only read perf buffer on listener connect Reading the perf ring buffer seems to be a CPU intensive operation. We would read this data, then discard it, when no listeners were connected. node-monitor now only reads the perf buffer when there is somewhere to send the data to. Signed-off-by: Ray Bejjani <ray@covalent.io> | 11 May 2018, 12:31:03 UTC |
6f8e933 | Ray Bejjani | 02 May 2018, 17:13:25 UTC | monitor: pass payload objects by reference The payload object was mostly used to move around a slice and some numbers. While harmless, it might be passed by value and that might cause slightly more garbage to be generated. Signed-off-by: Ray Bejjani <ray@covalent.io> | 11 May 2018, 12:31:03 UTC |
15e6771 | Maciej Kwiek | 07 May 2018, 09:52:19 UTC | Move endpoint interface from endpoint to monitor Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
14b73df | Maciej Kwiek | 06 May 2018, 20:58:06 UTC | Unflake monitor agent notifications tests Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
8f9276e | Maciej Kwiek | 06 May 2018, 18:49:21 UTC | GetLabels -> GetOpLabels in monitor messages Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
70e9bef | Maciej Kwiek | 04 May 2018, 13:03:43 UTC | Add docstrings to agent monitor notification code Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
d69ada6 | Maciej Kwiek | 04 May 2018, 12:56:09 UTC | Structure agent start monitor notification Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
10a9cde | Maciej Kwiek | 04 May 2018, 12:36:13 UTC | Structure ep regen monitor notifications Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
457b556 | Maciej Kwiek | 02 May 2018, 13:21:06 UTC | Wrap monitor policy event information in json Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
bbd3c84 | Maciej Kwiek | 30 April 2018, 13:33:04 UTC | Notify monitor about policy changes Monitor daemon is notified about policy updates and deletions. Agent informs monitor about - rule labels and descriptions when updating - rule labels and number of deleted rules when deleting Signed-off-by: Maciej Kwiek <maciej@covalent.io> | 11 May 2018, 12:15:00 UTC |
fab5a7d | Ian Vernon | 10 May 2018, 17:16:57 UTC | test/helpers: move ManifestGet to utils.go Now that ManifestGet does not have a receiver, move it to the file containing utility functions. Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
2a06c2f | Ian Vernon | 04 May 2018, 23:57:58 UTC | test/k8sT: move initialize function to BeforeAll Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
ce7df38 | Ian Vernon | 04 May 2018, 23:40:34 UTC | test/k8sT: move instantiation of vars to declaration Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
bff4223 | Ian Vernon | 04 May 2018, 23:36:08 UTC | test/k8sT: remove unneeded type declarations for vars Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
7d06b43 | Ian Vernon | 04 May 2018, 23:35:37 UTC | test/k8sT: move instantiation of manifest variables in declarations Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
61fb685 | Ian Vernon | 04 May 2018, 23:22:47 UTC | test/k8sT: change WaitForServiceEndpoints to only return an error This function returned a boolean and an error, but the boolean was true if the error was nil, and false if the error was non-nil, making it useless. Remove it. Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
58212ed | Ian Vernon | 04 May 2018, 23:13:10 UTC | test/k8sT: move Health.go initialization into BeforeAll Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
6e27ac3 | Ian Vernon | 04 May 2018, 23:09:15 UTC | test/k8sT: group var declarations Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
a323ce8 | Ian Vernon | 04 May 2018, 23:06:36 UTC | test/k8sT: move initialize function for demo test into BeforeAll Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
67ae464 | Ian Vernon | 04 May 2018, 23:05:11 UTC | test/k8sT: move instantiation of var to its declaration Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
aabb788 | Ian Vernon | 04 May 2018, 23:03:27 UTC | test/k8sT: remove unused demoPath var Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
31501bb | Ian Vernon | 04 May 2018, 22:59:44 UTC | test/k8sT: use ExpectCiliumReady in more helpers Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
06338d7 | Ian Vernon | 04 May 2018, 22:52:09 UTC | test/k8sT: refactor WaitForPods to return only an error This function previously returned a boolean and an error. However, the boolean was always false when the error was non-nil, and true when the error was nil, which makes it useless. Remove it. Also update WaitKubeDNS to reflect this. Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
05fbdeb | Ian Vernon | 04 May 2018, 22:32:47 UTC | test/k8sT: replace WaitKubeDNS with ExpectKubeDNSReady Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
1ebe4a3 | Ian Vernon | 04 May 2018, 22:24:26 UTC | test/k8sT: add wrapper for expecting all pods to be deleted Add a wrapper which expects WaitCleanAllTerminatingPods to succeed, as these two operations were always done in conjunction with one another. Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
1ddd4a9 | Ian Vernon | 04 May 2018, 22:14:56 UTC | test/k8sT: have KafkaPolicies test use assertion helpers Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |
05fbf33 | Ian Vernon | 04 May 2018, 22:12:01 UTC | test/k8sT: get manifests in var declarations Signed-off by: Ian Vernon <ian@cilium.io> | 11 May 2018, 08:18:05 UTC |