
v1.14 Backports 2023-07-13 #26799

Merged
merged 15 commits into from Jul 14, 2023

Conversation

@jibi (Member) commented Jul 13, 2023

sayboras and others added 11 commits July 13, 2023 07:16
[ upstream commit 3b979b7 ]

This is to make sure that related docs is pointing to cilium/proxy repo.

Relates: #26101
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 5e1139d ]

As part of introducing native tunnel support for XDP, we started passing
a `src_ip` parameter to `__encap_with_nodeid()`. This was needed to
manually build the packet's outer headers.

But for TC context we actually don't want to specify the outer src IP, and
defer its selection to the kernel stack instead. Worse, specifying the
outer src IP means that the skb implementation for `ctx_set_encap_info()`
starts to use the `local_ipv4` field in the `bpf_tunnel_key`. And that's
not supported on older kernels, resulting in drops.

Fix this by only setting the `src_ip` parameter in XDP context.

Reported-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
Fixes: 43dffb2 ("bpf: encap: manually set src IP and port from nodeport XDP paths")
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e2f475d ]

This commit adds the helm values for the client rate limit feature.
This makes it easier for users to tune the client rate limit which is
necessary for L2 announcements to work properly.

Added warnings about client rate limits and sizing instructions to the
L2 announcements documentation.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit afbac04 ]

As part of a CNI refactor, a bug was introduced where node-specific
IPAM overrides were no longer being loaded. Specifically, the parsed
network configuration wasn't properly being passed down to the
NodeDiscovery manager.

Fixes: #26731
Fixes: 1254bf4
Signed-off-by: Casey Callendrello <cdc@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 856e3f8 ]

This commit fixes the propagation of the possible error which can be
returned by `rc.Run()` (e.g., if the validation of the cluster ID
failed). This ensures that the controller registers the failure and
performs another attempt.

Fixes: 019eac8 ("clustermesh: correctly report status of remote cluster controller")
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 9410932 ]

Avoiding the use of varargs saves some allocations

Before
```
Benchmark_TrackNamespaces-12    	 5122684	       231.8 ns/op	     192 B/op	       6 allocs/op
```

After
```
Benchmark_TrackNamespaces-12    	 6114062	       187.9 ns/op	     168 B/op	       4 allocs/op
```

Signed-off-by: Glib Smaga <code@gsmaga.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit d242b88 ]

This issue was resolved and the fix shipped in v1.13.3.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 718d774 ]

Signed-off-by: Antonio Ojea <aojea@google.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 08196fe ]

GitHub runners do not have enough resources to deal with the
network policy test that runs multiple pods in parallel, and
it may happen that the tests get stuck and start to time out,
causing flakiness in the CI.

Signed-off-by: Antonio Ojea <aojea@google.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c25b96d ]

Cilium CLI v0.15 leverages the Helm-based installation mode by default,
and it is the one which supports Cilium v1.14 and above. Let's adapt the
kind-install-cilium-clustermesh Makefile target to work properly with it.

While being there, let's also add the possibility to enable kvstoremesh
if the dedicated variable is set.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 0790d0f ]

This fixes the filtering of endpoint slices to ensure that we support
all the k8s versions we intend to. This ensures that we always filter
out endpoint slices with the well-known "headless" label, and
_do not_ filter out any endpoint slices based on the service proxy
label.

Before Kubernetes v1.20, the labels on a service were not mirrored into
the labels of the endpoint slice. The headless label was not applied.
See PR 94443 in kubernetes/kubernetes for more info.

When no longer supporting Kubernetes v1.20, we can remove this custom
logic - and use the same label filter for endpoints, services and endpoint
slices.

Historically, we had no filters on the endpoint slice objects, but with
the two referred commits, the same filter we had for endpoints and
services was introduced to endpoint slices as part of the refactor. The
reason we don't revert the behavior directly is that we _do want_ to filter
out endpoint slices for headless services, like we do with normal endpoints.

For completeness, the end user behavior will now be equal for both
endpoints and endpoint slices, since we will always filter the services
in the same way, and when we get an endpoint slice without a
corresponding service in state, we effectively ignore that endpoint slice.

Fixes: ca3a4df ("k8s: Add Resource[*Endpoints] to shared resources")
Fixes: 82a728a ("agent, operator, clustermesh-apiserver: use Resource[*Endpoints]")
Signed-off-by: Odin Ugedal <ougedal@palantir.com>
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
@jibi jibi added kind/backports This PR provides functionality previously merged into master. backport/1.14 This PR represents a backport for Cilium 1.14.x of a PR that was merged to main. labels Jul 13, 2023
@giorio94 (Member) left a comment:

My commits look good. Thanks!

rolinh and others added 4 commits July 13, 2023 09:32
[ upstream commit 41c4174 ]

The cilium/customvet repository is now archived and replaced by
cilium/linters.

backporting conflicts:
* had to rerun go mod tidy && go mod vendor

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit d834b39 ]

Instead of running the reconciliation logic for each event received by
the egress gateway manager, switch to a trigger-based approach where
each event simply triggers a reconciliation, and the actual
reconciliation is performed at most once every
--egress-gateway-reconciliation-trigger-interval time interval.

This should help reduce the CPU load in case the manager is dealing
with lots of events (for example, high churn of endpoints).

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit ab64a46 ]

By:

* making locking more granular by introducing a new
  pendingEndpointEventsLock lock that protects accesses to the
  pendingEndpointEvents field
* using the endpoint workqueue to also handle CiliumEndpoint deletion
  events

we can completely decouple the On{Update,Delete}Endpoint methods from
the reconciliation logic, as the caller will no longer have to block
on the main manager lock (which is held during the entire reconciliation
process).

Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
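The trigger-based, rate-limited reconciliation that the two commits above describe, as an added Go illustration that is not Cilium's own code: event producers only flip a flag under a small `pendingLock` (standing in for `pendingEndpointEventsLock`) and never wait on the reconciler, while `Tick()` runs the real work at most once per `minInterval` (standing in for `--egress-gateway-reconciliation-trigger-interval`). The `now` clock field is an assumed helper that makes the timing deterministic.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Trigger collapses bursts of events into at most one reconciliation per
// minInterval; producers only flip a flag and never wait on the reconciler.
type Trigger struct {
	pendingLock sync.Mutex // guards pending and lastRun only, not the reconciliation
	pending     bool
	lastRun     time.Time
	minInterval time.Duration
	now         func() time.Time // injectable clock (assumed helper) so tests are deterministic
	reconcile   func()           // the expensive work, always run with pendingLock released
}

// Fire records that state changed; it is cheap and non-blocking.
func (t *Trigger) Fire() {
	t.pendingLock.Lock()
	t.pending = true
	t.pendingLock.Unlock()
}

// Tick is polled by the manager loop; it reconciles only when an event is
// pending and minInterval has elapsed since the last run, and reports whether it ran.
func (t *Trigger) Tick() bool {
	t.pendingLock.Lock()
	due := t.pending && (t.lastRun.IsZero() || t.now().Sub(t.lastRun) >= t.minInterval)
	if !due {
		t.pendingLock.Unlock()
		return false
	}
	t.pending = false
	t.lastRun = t.now()
	t.pendingLock.Unlock()
	t.reconcile() // no trigger lock held here, so Fire() can proceed concurrently
	return true
}
func main() {
	runs := 0
	tr := &Trigger{minInterval: time.Second, now: time.Now, reconcile: func() { runs++ }}
	for i := 0; i < 1000; i++ {
		tr.Fire() // a burst of 1000 endpoint events
	}
	tr.Tick()
	fmt.Printf("1000 events -> %d reconciliation(s)\n", runs) // 1
}
```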
[ upstream commit bbdad5d ]

This commit is to make sure that users have the option to disable node
port allocation for the LB service used by Ingress.

https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
@jibi jibi force-pushed the pr/v1.14-backport-2023-07-13 branch from 6099c82 to a5e4999 Compare July 13, 2023 07:33
@aojea (Contributor) left a comment:

lgtm on my side

@jibi (Member, Author) commented Jul 13, 2023:

/test-backport-1.14

@jibi jibi marked this pull request as ready for review July 13, 2023 08:33
@jibi jibi requested review from a team as code owners July 13, 2023 08:33
@jibi jibi requested a review from nbusseneau July 13, 2023 08:34
@sayboras (Member) left a comment:

Thanks and looks good for my commits ✔️

@jibi jibi requested a review from odinuge July 13, 2023 12:20
@odinuge (Member) left a comment:

My cherry-pick looks fine. Thanks!

@aanm aanm merged commit b6b5797 into v1.14 Jul 14, 2023
184 checks passed
@aanm aanm deleted the pr/v1.14-backport-2023-07-13 branch July 14, 2023 13:55