v1.14 Backports 2023-07-13 #26799
[ upstream commit 5e1139d ] As part of introducing native tunnel support for XDP, we started passing a `src_ip` parameter to `__encap_with_nodeid()`. This was needed to manually build the packet's outer headers. But for TC context we actually don't want to specify the outer src IP, and defer its selection to the kernel stack instead. Worse, specifying the outer src IP means that the skb implementation for `ctx_set_encap_info()` starts to use the `local_ipv4` field in the `bpf_tunnel_key`. And that's not supported on older kernels, resulting in drops. Fix this by only setting the `src_ip` parameter in XDP context. Reported-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp> Fixes: 43dffb2 ("bpf: encap: manually set src IP and port from nodeport XDP paths") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e2f475d ] This commit adds the helm values for the client rate limit feature. This makes it easier for users to tune the client rate limit which is necessary for L2 announcements to work properly. Added warnings about client rate limits and sizing instructions to the L2 announcements documentation. Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit afbac04 ] As part of a CNI refactor, a bug was introduced where node-specific IPAM overrides were no longer being loaded. Specifically, the parsed network configuration wasn't properly being passed down to the NodeDiscovery manager. Fixes: #26731 Fixes: 1254bf4 Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 856e3f8 ] This commit fixes the propagation of the possible error which can be returned by `rc.Run()` (e.g., if the validation of the cluster ID failed). This ensures that the controller registers the failure and performs another attempt. Fixes: 019eac8 ("clustermesh: correctly report status of remote cluster controller") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 9410932 ] Avoiding the use of varargs saves some allocations

Before

```
Benchmark_TrackNamespaces-12 5122684 231.8 ns/op 192 B/op 6 allocs/op
```

After

```
Benchmark_TrackNamespaces-12 6114062 187.9 ns/op 168 B/op 4 allocs/op
```

Signed-off-by: Glib Smaga <code@gsmaga.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit d242b88 ] This issue was resolved and the fix shipped in v1.13.3. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 718d774 ] Signed-off-by: Antonio Ojea <aojea@google.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 08196fe ] GitHub runners do not have enough resources to deal with the network policy test that runs multiple pods in parallel, and it may happen that the tests get stuck and start to time out, causing flakiness on the CI. Signed-off-by: Antonio Ojea <aojea@google.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c25b96d ] Cilium CLI v0.15 leverages the Helm-based installation mode by default, and it is the one which supports Cilium v1.14 and above. Let's adapt the kind-install-cilium-clustermesh Makefile target to work properly with it. While being there, let's also add the possibility to enable kvstoremesh if the dedicated variable is set. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 0790d0f ] This fixes the filtering of endpoint slices to ensure that we support all the k8s versions we intend to. This ensures that we always filter out endpoint slices with the well-known "headless" label, and _do not_ filter out any endpoint slices based on the service proxy label. Before Kubernetes v1.20, the labels on a service were not mirrored into the labels of the endpoint slice. The headless label was not applied. See PR 94443 in kubernetes/kubernetes for more info. When no longer supporting Kubernetes v1.20, we can remove this custom logic and use the same label filter for endpoints, services and endpoint slices. Historically, we had no filters on the endpoint slice objects, but with the two referred commits, the same filter we had for endpoints and services was introduced to endpoint slices as part of the refactor. The reason we don't revert the behavior directly is that we _do want_ to filter out endpoint slices for headless services, like we do with normal endpoints. For completeness, the end-user behavior will now be equal for both endpoints and endpoint slices, since we will always filter the services in the same way, and when we get an endpoint slice without a corresponding service in state, we effectively ignore that endpoint slice. Fixes: ca3a4df ("k8s: Add Resource[*Endpoints] to shared resources") Fixes: 82a728a ("agent, operator, clustermesh-apiserver: use Resource[*Endpoints]") Signed-off-by: Odin Ugedal <ougedal@palantir.com> Signed-off-by: Odin Ugedal <odin@uged.al> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
My commits look good. Thanks!
[ upstream commit 41c4174 ] The cilium/customvet repository is now archived and replaced by cilium/linters. backporting conflicts: * had to rerun go mod tidy && go mod vendor Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit d834b39 ] Instead of running the reconciliation logic for each event received by the egress gateway manager, switch to a trigger-based approach where each event simply triggers a reconciliation, and the actual reconciliation is performed at most once every --egress-gateway-reconciliation-trigger-interval time interval. This should help reduce the CPU load in case the manager is dealing with lots of events (for example high churn of endpoints). Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit ab64a46 ] By:

* making locking more granular by introducing a new pendingEndpointEventsLock lock that protects accesses to the pendingEndpointEvents field
* using the endpoint workqueue to handle also CiliumEndpoint deletion events

we can completely decouple the On{Update,Delete}Endpoint methods from the reconciliation logic, as the caller will not have to block anymore on the main manager lock (which is held during the entire reconciliation process). Signed-off-by: Gilberto Bertin <jibi@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
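An added Go illustration (not Cilium's own code) of the design described in the two commits above: endpoint update/delete events are recorded under a small dedicated pending lock and only trigger a reconciliation, while the reconciler runs under the main manager lock at most once per interval, so callers never block behind a long reconciliation. The names `Manager`, `OnUpdateEndpoint`, `pendingLock`, `kick` and the interval value are assumptions for this example.

```go
package main

import (
	"sync"
	"time"
)

// Manager keeps a queue of pending endpoint events (guarded only by pendingLock)
// separate from the reconciled state (guarded by mainLock). Extra triggers
// that arrive while a run is pending are coalesced by the capacity-1 channel.
type Manager struct {
	mainLock      sync.Mutex      // held for the whole reconciliation
	pendingLock   sync.Mutex      // protects pendingEvents only
	pendingEvents map[string]bool // endpoint -> true (update) / false (delete)
	endpoints     map[string]bool // reconciled state
	kick          chan struct{}   // trigger; capacity 1 coalesces bursts
	interval      time.Duration   // minimum spacing between reconciliations
	runs          int             // number of reconciliations (under mainLock)
}

func NewManager(interval time.Duration) *Manager {
	m := &Manager{pendingEvents: map[string]bool{}, endpoints: map[string]bool{},
		kick: make(chan struct{}, 1), interval: interval}
	go m.loop()
	return m
}

func (m *Manager) OnUpdateEndpoint(name string) { m.enqueue(name, true) }
func (m *Manager) OnDeleteEndpoint(name string) { m.enqueue(name, false) }

// enqueue never touches mainLock, so event producers are not blocked
// by a reconciliation in progress; a full kick channel means one is pending.
func (m *Manager) enqueue(name string, present bool) {
	m.pendingLock.Lock()
	m.pendingEvents[name] = present
	m.pendingLock.Unlock()
	select {
	case m.kick <- struct{}{}:
	default: // trigger already pending: coalesce
	}
}

// loop runs reconcile once per trigger, then waits out the interval so that
// a burst of events causes at most one reconciliation per interval.
func (m *Manager) loop() {
	for range m.kick {
		m.reconcile()
		time.Sleep(m.interval)
	}
}

func (m *Manager) reconcile() {
	m.pendingLock.Lock() // swap out the batch quickly, then release
	batch := m.pendingEvents
	m.pendingEvents = map[string]bool{}
	m.pendingLock.Unlock()
	m.mainLock.Lock()
	defer m.mainLock.Unlock()
	for name, present := range batch {
		if present {
			m.endpoints[name] = true
		} else {
			delete(m.endpoints, name)
		}
	}
	m.runs++
}

// Has and Runs expose reconciled state for callers (and tests) under mainLock.
func (m *Manager) Has(name string) bool {
	m.mainLock.Lock()
	defer m.mainLock.Unlock()
	return m.endpoints[name]
}

func (m *Manager) Runs() int {
	m.mainLock.Lock()
	defer m.mainLock.Unlock()
	return m.runs
}
```

With a 50 ms interval, a burst of hundreds of events results in one or two reconciliations rather than one per event.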
[ upstream commit bbdad5d ] This commit is to make sure that users have the option to disable node port allocation for the LB service used by Ingress. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Gilberto Bertin <jibi@cilium.io>
lgtm on my side
/test-backport-1.14
Thanks and looks good for my commits ✔️
My cherry-pick looks fine. Thanks!
PRs skipped due to conflicts:
Once this PR is merged, you can update the PR labels via:
or with