Merge branch 'cilium:main' into main

.github/actions/ginkgo/main-focus.yaml

@@ -50,6 +50,7 @@ include:
 
   ###
   # K8sAgentPolicyTest Clusterwide policies Test clusterwide connectivity with policies
+  # K8sAgentPolicyTest Clusterwide policies Tests connectivity with default-allow policies
   # K8sAgentPolicyTest External services To Services first endpoint creation
   # K8sAgentPolicyTest External services To Services first endpoint creation match service by labels
   # K8sAgentPolicyTest External services To Services first policy
@@ -82,6 +83,8 @@ include:
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests DNS proxy visibility without policy
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests HTTP proxy visibility without policy
   # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests proxy visibility interactions with policy lifecycle operations
+  # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests proxy visibility with L7 default-allow rules
+  # K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests proxy visibility with L7 rules
   # K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer
   # K8sPolicyTestExtended Validate toEntities KubeAPIServer Denies connection to KubeAPIServer
   # K8sPolicyTestExtended Validate toEntities KubeAPIServer Still allows connection to KubeAPIServer with a duplicate policy

.github/actions/lvh-kind/action.yaml

@@ -28,6 +28,7 @@ runs:
         mem: 12G
         install-dependencies: 'true'
         port-forward: '6443:6443'
+        ssh-startup-wait-retries: 600
         cmd: |
           git config --global --add safe.directory /host
 

.github/ariane-config.yaml

@@ -110,7 +110,7 @@ workflows:
   tests-clustermesh-upgrade.yaml:
     paths-ignore-regex: (test|Documentation)/
   tests-datapath-verifier.yaml:
-    paths-regex: (bpf|test/verifier|vendor)/
+    paths-regex: (bpf|test/verifier|vendor|images)/
   tests-l4lb.yaml:
     paths-regex: (bpf|daemon|images|pkg|test/l4lb|vendor)/
   tests-e2e-upgrade.yaml:

.github/workflows/conformance-clustermesh.yaml

@@ -336,7 +336,8 @@ jobs:
 
       # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters
       # with IP family dual, since IPv6 ones are not reachable and cause spurious failures.
-      # Additionally, this is also required to workaround #23283.
+      # Additionally, this is also required to workaround
+      # https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247.
       - name: Configure the coredns nameservers
         run: |
           COREDNS_PATCH="

.github/workflows/conformance-multi-pool.yaml

@@ -120,7 +120,8 @@ jobs:
           #  - Multi-pool IPAM only supports endpoint routes, thus we disable
           #    the local-node-route.
           #  - helm/kind-action does not support BPF host routing, so we fall
-          #    back on legacy host routing (#23283)
+          #    back on legacy host routing
+          #    (https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247)
           #  - iptables-based masquerading does not support multiple non-masquerade
           #    CIDRs. Thus, we enable BPF masquerading where we can add multiple
           #    non-masquerade CIDRs.

.github/workflows/lint-bpf-checks.yaml

@@ -41,6 +41,7 @@ jobs:
           filters: |
             bpf-tree:
               - 'bpf/**'
+              - 'images/**'
             coccinelle:
               - 'contrib/coccinelle/**'
             bpf-tests-runner:

.github/workflows/tests-clustermesh-upgrade.yaml

@@ -231,7 +231,8 @@ jobs:
 
       # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters
       # with IP family dual, since IPv6 ones are not reachable and cause spurious failures.
-      # Additionally, this is also required to workaround #23283.
+      # Additionally, this is also required to workaround
+      # https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247.
       - name: Configure the coredns nameservers
         run: |
           COREDNS_PATCH="

Documentation/operations/upgrade.rst

@@ -317,6 +317,9 @@ Removed Options
 * The unused flag ``sidecar-istio-proxy-image`` has been removed.
 * The flag ``endpoint-status`` has been removed.
   More information can be found in the following Helm upgrade notes.
+* The ``ip-allocation-timeout`` flag (which provided a time limit on blocking
+  CIDR identity allocations) has been removed. CIDR identity allocation
+  now always happens asynchronously, therefore making this timeout obsolete.
 
 Helm Options
 ~~~~~~~~~~~~

bpf/bpf_alignchecker.c

@@ -89,3 +89,4 @@ add_type(struct auth_info);
 add_type(struct encrypt_config);
 add_type(struct world_cidrs_key4);
 add_type(struct mcast_subscriber_v4);
+add_type(struct node_key);

bpf/lib/common.h

@@ -496,6 +496,21 @@ struct vtep_value {
 	__u32 tunnel_endpoint;
 };
 
+struct node_key {
+	__u16 pad1;
+	__u8 pad2;
+	__u8 family;
+	union {
+		struct {
+			__u32 ip4;
+			__u32 pad4;
+			__u32 pad5;
+			__u32 pad6;
+		};
+		union v6addr ip6;
+	};
+};
+
 enum {
 	POLICY_INGRESS = 1,
 	POLICY_EGRESS = 2,

bpf/lib/lb.h

@@ -746,7 +746,10 @@ __lb6_affinity_backend_id(const struct lb6_service *svc, bool netns_cookie,
 	};
 	struct lb_affinity_val *val;
 
-	ipv6_addr_copy_unaligned(&key.client_id.client_ip, &id->client_ip);
+	if (netns_cookie)
+		key.client_id.client_cookie = id->client_cookie;
+	else
+		ipv6_addr_copy_unaligned(&key.client_id.client_ip, &id->client_ip);
 
 	val = map_lookup_elem(&LB6_AFFINITY_MAP, &key);
 	if (val != NULL) {
@@ -795,7 +798,10 @@ __lb6_update_affinity(const struct lb6_service *svc, bool netns_cookie,
 		.last_used	= now,
 	};
 
-	ipv6_addr_copy_unaligned(&key.client_id.client_ip, &id->client_ip);
+	if (netns_cookie)
+		key.client_id.client_cookie = id->client_cookie;
+	else
+		ipv6_addr_copy_unaligned(&key.client_id.client_ip, &id->client_ip);
 
 	map_update_elem(&LB6_AFFINITY_MAP, &key, &val, 0);
 }

bpf/lib/maps.h

@@ -183,21 +183,6 @@ struct {
 	__uint(max_entries, 1);
 } ENCRYPT_MAP __section_maps_btf;
 
-struct node_key {
-	__u16 pad1;
-	__u8 pad2;
-	__u8 family;
-	union {
-		struct {
-			__u32 ip4;
-			__u32 pad4;
-			__u32 pad5;
-			__u32 pad6;
-		};
-		union v6addr    ip6;
-	};
-};
-
 struct {
 	__uint(type, BPF_MAP_TYPE_HASH);
 	__type(key, struct node_key);

cilium-dbg/cmd/post_uninstall_cleanup.go

@@ -550,8 +550,12 @@ func removeTCFilters(linkAndFilters map[string][]*netlink.BpfFilter) error {
 }
 
 func removeXDPAttachments(links []netlink.Link) error {
+	loader := loader.NewLoader(loader.Params{
+		Config: loader.DefaultConfig,
+	})
+
 	for _, link := range links {
-		if err := loader.NewLoader(nil).DetachXDP(link, bpf.CiliumPath(), "cil_xdp_entry"); err != nil {
+		if err := loader.DetachXDP(link, bpf.CiliumPath(), "cil_xdp_entry"); err != nil {
 			return err
 		}
 		fmt.Printf("removed cilium xdp of %s\n", link.Attrs().Name)

contrib/scripts/kind.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 
 default_controlplanes=1
 default_workers=1
-default_cluster_name=""
+default_cluster_name="kind"
 default_image=""
 default_kubeproxy_mode="iptables"
 if [ "$(uname 2>/dev/null)" == "Linux" ] && [ "$(</proc/sys/net/ipv6/conf/all/disable_ipv6)" == 1 ] ; then
@@ -108,9 +108,8 @@ fi
 
 kind_cmd="kind create cluster"
 
-if [[ -n "${cluster_name}" ]]; then
-  kind_cmd+=" --name ${cluster_name}"
-fi
+kind_cmd+=" --name ${cluster_name}"
+
 if [[ -n "${image}" ]]; then
   kind_cmd+=" --image ${image}"
 fi
@@ -260,6 +259,11 @@ kubectl taint nodes --all node-role.kubernetes.io/control-plane-
 kubectl taint nodes --all node-role.kubernetes.io/master-
 set -e
 
+# Set start of unprivileged port range to 1024
+# Docker defaults to 0
+# https://github.com/moby/moby/pull/41030
+kind get nodes --name $cluster_name | xargs -I container_name docker exec container_name sysctl -w net.ipv4.ip_unprivileged_port_start=1024
+
 echo
 if [[ -n "${kubeconfig}" ]]; then
   echo "export KUBECONFIG=${kubeconfig}"

daemon/cmd/daemon.go

@@ -771,11 +771,6 @@ func newDaemon(ctx context.Context, cleaner *daemonCleanup, params *daemonParams
 			log.Error("BPF masquerading does not yet support masquerading to source IP from routing layer")
 			return nil, nil, fmt.Errorf("BPF masquerading to route source (--%s=\"true\") currently not supported with BPF-based masquerading (--%s=\"true\")", option.EnableMasqueradeRouteSource, option.EnableBPFMasquerade)
 		}
-		// TODO(brb) nodeport constraints will be lifted once the SNAT BPF code has been refactored
-		if err := node.InitBPFMasqueradeAddrs(option.Config.GetDevices()); err != nil {
-			log.WithError(err).Error("failed to determine BPF masquerade addrs")
-			return nil, nil, fmt.Errorf("failed to determine BPF masquerade addrs: %w", err)
-		}
 	} else if option.Config.EnableIPMasqAgent {
 		log.WithError(err).Errorf("BPF ip-masq-agent requires (--%s=\"true\" or --%s=\"true\") and --%s=\"true\"", option.EnableIPv4Masquerade, option.EnableIPv6Masquerade, option.EnableBPFMasquerade)
 		return nil, nil, fmt.Errorf("BPF ip-masq-agent requires (--%s=\"true\" or --%s=\"true\") and --%s=\"true\"", option.EnableIPv4Masquerade, option.EnableIPv6Masquerade, option.EnableBPFMasquerade)

daemon/cmd/daemon_main.go

@@ -530,9 +530,6 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.Duration(option.KVstoreConnectivityTimeout, defaults.KVstoreConnectivityTimeout, "Time after which an incomplete kvstore operation  is considered failed")
 	option.BindEnv(vp, option.KVstoreConnectivityTimeout)
 
-	flags.Duration(option.IPAllocationTimeout, defaults.IPAllocationTimeout, "Time after which an incomplete CIDR allocation is considered failed")
-	option.BindEnv(vp, option.IPAllocationTimeout)
-
 	flags.Var(option.NewNamedMapOptions(option.KVStoreOpt, &option.Config.KVStoreOpt, nil),
 		option.KVStoreOpt, "Key-value store options e.g. etcd.address=127.0.0.1:4001")
 	option.BindEnv(vp, option.KVStoreOpt)
@@ -693,10 +690,6 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) {
 	flags.Bool(option.EnableMasqueradeRouteSource, false, "Masquerade packets to the source IP provided from the routing layer rather than interface address")
 	option.BindEnv(vp, option.EnableMasqueradeRouteSource)
 
-	flags.String(option.DeriveMasqIPAddrFromDevice, "", "Device name from which Cilium derives the IP addr for BPF masquerade")
-	flags.MarkHidden(option.DeriveMasqIPAddrFromDevice)
-	option.BindEnv(vp, option.DeriveMasqIPAddrFromDevice)
-
 	flags.Bool(option.EnableIPMasqAgent, false, "Enable BPF ip-masq-agent")
 	option.BindEnv(vp, option.EnableIPMasqAgent)
 

daemon/cmd/device-reloader.go

@@ -10,7 +10,6 @@ import (
 	"github.com/cilium/cilium/pkg/datapath/tables"
 	"github.com/cilium/cilium/pkg/hive/cell"
 	"github.com/cilium/cilium/pkg/hive/job"
-	"github.com/cilium/cilium/pkg/node"
 	"github.com/cilium/cilium/pkg/option"
 	"github.com/cilium/cilium/pkg/promise"
 	"github.com/cilium/cilium/pkg/statedb"
@@ -112,12 +111,6 @@ func (d *deviceReloader) reload(ctx context.Context) error {
 
 	d.params.Config.SetDevices(devices)
 
-	if d.params.Config.MasqueradingEnabled() && option.Config.EnableBPFMasquerade {
-		if err := node.InitBPFMasqueradeAddrs(devices); err != nil {
-			log.Warnf("InitBPFMasqueradeAddrs failed: %s", err)
-		}
-	}
-
 	daemon, err := d.params.Daemon.Await(ctx)
 	if err != nil {
 		return err

daemon/cmd/hostips-sync.go

@@ -136,6 +136,9 @@ func (s *syncHostIPs) sync(addrs statedb.Iterator[tables.NodeAddress]) error {
 	}
 
 	for addr, _, ok := addrs.Next(); ok; addr, _, ok = addrs.Next() {
+		if addr.DeviceName == tables.WildcardDeviceName {
+			continue
+		}
 		ip := addr.Addr.AsSlice()
 		if (!option.Config.EnableIPv4 && addr.Addr.Is4()) || (!option.Config.EnableIPv6 && addr.Addr.Is6()) {
 			continue

daemon/cmd/policy_test.go

@@ -292,6 +292,9 @@ func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()
 
@@ -465,6 +468,9 @@ func (ds *DaemonSuite) TestL4_L7_Shadowing(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()
 
@@ -548,6 +554,9 @@ func (ds *DaemonSuite) TestL4_L7_ShadowingShortCircuit(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()
 
@@ -635,6 +644,9 @@ func (ds *DaemonSuite) TestL3_dependent_L7(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()
 
@@ -710,6 +722,9 @@ func (ds *DaemonSuite) TestReplacePolicy(c *C) {
 			EndpointSelector: api.NewESFromLabels(lblBar),
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	_, err := ds.d.PolicyAdd(rules, policyAddOptions)
 	c.Assert(err, IsNil)
@@ -791,6 +806,9 @@ func (ds *DaemonSuite) TestRemovePolicy(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()
 
@@ -876,6 +894,9 @@ func (ds *DaemonSuite) TestIncrementalPolicy(c *C) {
 			},
 		},
 	}
+	for i := range rules {
+		rules[i].Sanitize()
+	}
 
 	ds.d.envoyXdsServer.RemoveAllNetworkPolicies()