backports v1.7 2020-02-05 #10072
Merged
Conversation
[ upstream commit 2134e62 ] This tests that the HTTP server running on HealthCheckNodePort returns the correct HTTP code. We add a new service for this, since only services with Type=LoadBalancer and externalTrafficPolicy=Local will have the HealthCheckNodePort field set. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 20c3922 ] On GKE/EKS, pods are automatically restarted when the `--set global.restartPods=true` switch is passed to `helm` when deploying Cilium. If not, pods need to be manually restarted to ensure that they are managed by Cilium. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 909021c ] Signed-off-by: Zhiyuan Hou <zhiyuan2048@linux.alibaba.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit d432ea6 ] Make sure these tests pass as well on v6 sockets where we end up processing v4 socket hooks. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 403d20a ] While chaining, a route covering the AllocCIDR was still being installed pointing to the cilium_host interface. Ideally the k8s node resource populates the PodCIDR information in which case this is harmless. If the PodCIDR is not known, Cilium would fall back to allocate a PodCIDR using the standard 10.x.0.0/16 template which then had the potential to conflict with a PodCIDR of another node. In case of a conflict, the rp_filter protection could cause packet loss due to conflicting routes. Related: #9794 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit eb01fe7 ] Signed-off-by: Dan Wendlandt <dan@covalent.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
maintainer-s-little-helper bot added the kind/backports label (This PR provides functionality previously merged into master.) on Feb 5, 2020
never-tell-me-the-odds
test-me-please
test-missed-k8s
never-tell-me-the-odds
provision error, retrying
never-tell-me-the-odds
test-missed-k8s
test-me-please
test-me-please
test-missed-k8s
test-me-please
Maciej hinted that we need #10062 in this backport as well to get it working.
[ upstream commit 161fcd4 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
…bled [ upstream commit cb2f135 ] Since in case of option.Config.DisableK8sServices=true we don't listen to service updates, there is also no point in doing service lookups in the fast-path. Therefore, compile the code out. Similarly, if the user opts into DisableK8sServices=true, then set kubeProxyReplacement=disabled. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4890a15 ] It has been observed that kubelet calls CNI DELETE multiple times with potentially stale CNI result information. This can lead to a race condition where the initial CNI DELETE properly releases the IP in use which then gets reused by a different pod. Any subsequent CNI DELETE with the stale IP will then cause the IP of the live pod to be released. While the pod will continue to function, the next scheduled pod will attempt to use that IP and continuously fail to be scheduled due to an IP in use error. This is a regression of commit ab61853 which introduced the ability for CNI DELETE to release an IP even if the endpoint deletion fails which is required to fix the race condition when the CNI binary gets killed in between allocating an IP and creating the endpoint. Fixes: ab61853 ("cni: Release IP even when endpoint deletion fails") Fixes: #10065 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
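A constructed Python model of the stale CNI DELETE race described in this commit (added example, not Cilium's IPAM code): the unchecked release that frees whatever IP the DELETE names, beside an owner-checked release that ignores a repeat DELETE and rejects one whose IP has since been handed to another pod. It assumes a LIFO free list and container-ID ownership; both are simplifications.

```python
"""Constructed toy model of the CNI DELETE race, not Cilium's IPAM: each allocated IP
records its owning endpoint so a stale DELETE can be recognised instead of honoured."""

class IPAM:
    def __init__(self, pool):
        self.free = list(pool)  # LIFO free list: the last released IP is handed out next
        self.owners = {}        # ip -> owning endpoint (container ID)

    def allocate(self, owner):
        if not self.free:
            raise RuntimeError("pool exhausted")
        ip = self.free.pop()
        self.owners[ip] = owner
        return ip

    def release_unchecked(self, ip):
        """Regressed behaviour: any DELETE naming an allocated IP frees it."""
        if ip in self.owners:
            del self.owners[ip]
            self.free.append(ip)

    def release(self, ip, owner):
        """Guarded behaviour: a repeat DELETE for a freed IP is an idempotent no-op,
        and a DELETE naming an IP that now belongs to another endpoint is rejected."""
        current = self.owners.get(ip)
        if current is None:
            return
        if current != owner:
            raise ValueError(f"{ip} is owned by {current}, not {owner}")
        del self.owners[ip]
        self.free.append(ip)


def replay_stale_delete(guarded):
    """Replay the commit's sequence: pod-a is deleted, pod-b reuses its IP, then a second
    DELETE for pod-a arrives carrying the stale IP. Returns (owner of the IP, rejected)."""
    ipam = IPAM(["10.1.0.5"])
    ip = ipam.allocate("pod-a")
    ipam.release_unchecked(ip)  # first DELETE: a correct release in both models
    ipam.allocate("pod-b")      # pod-b is scheduled and receives the recycled IP
    rejected = False
    if guarded:
        try:
            ipam.release(ip, "pod-a")  # stale DELETE is rejected; pod-b keeps its IP
        except ValueError:
            rejected = True
    else:
        ipam.release_unchecked(ip)     # stale DELETE frees the IP out from under pod-b
    return ipam.owners.get(ip), rejected
```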
[ upstream commit 65cddbe ] Skip the externalTrafficPolicy=Local test case from the third (external) host when such does not exist. This will allow us to avoid skipping the whole Context() or It() if the third host does not exist. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 7ef9f87 ] This commit makes the kube-proxy (NodePort) tests skip when running without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit aa1a5a9 ] Instead, skip individual test cases which require the third host. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 714a56e ] For Cilium 1.7, we move host-reachable services out of the beta state therefore update the doc. Also document that libceph is a known issue with getpeername hook. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 8ee8815 ] Consolidate and rework the nodeport and kube-proxy free guides into a single one, move it out of beta and reflect recent updates. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 7dd756e ] Previously, test-k8s2 was missing from the list of DaemonSet pods which have to be ready before the test is started. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 59263d2 ] Adds an additional UDP echoserver to the pods and service definitions, allowing us to check UDP connectivity alongside the existing TCP tests. The new echoserver uses the TFTP protocol to serve a status page similar to the existing HTTP server used for TCP tests. This allows us to reuse the existing test infrastructure, i.e. curl has built-in support for TFTP. The deployed cilium/echoserver-udp is using the so-called "single-port" mode of TFTP, where the server will always answer on the UDP port on which it received the request. This is required for NAT to work. Fixes: #9363 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 9943a66 ] Extends the failBind tests to also test for UDP ports. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 06add2d ] It's going to be used when reporting kube-proxy replacement state in "cilium status" output. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 500bad1 ] This commit adds kube-proxy-replacement configuration to "cilium status" cmd output, so that users could better detect which kube-proxy replacement features are enabled. The example of such output:

$ cilium status
KVStore:                Ok   Disabled
Kubernetes:             Ok   1.17 (v1.17.2) [linux/amd64]
Kubernetes APIs:        ["CustomResourceDefinition", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement:   Strict   [NodePort, ExternalIPs, HostReachableServicesTCP, HostReachableServicesUDP]
Cilium:                 Ok   OK
NodeMonitor:            Disabled
Cilium health daemon:   Ok
IPAM:                   IPv4: 4/65535 allocated from 10.1.0.0/16,
Controller Status:      17/17 healthy
Proxy Status:           OK, ip 10.1.28.236, port-range 10000-20000
Cluster health:         0/1 reachable   (2020-02-05T14:02:54+01:00)
  Name                  IP          Reachable   Endpoints reachable
  ceuse (localhost)     10.5.57.1   true        false

Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit a54cbec ] This commit: - Disables option.Config.EnableExternalIP if NodePort is disabled - Disables option.EnableHostServices{TCP,UDP} if host-lb is disabled Otherwise, "cilium status" when --kube-proxy-replacement=partial will misleadingly report that ExternalIP and HostServices{TCP,UDP} are enabled even if NodePort and host-lb are disabled. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 6be80f4 ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit aa9f90f ] Also group all kube-proxy replacement settings together. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit cf6c890 ] Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4edbcad ] Elaborate on the various kubeProxyReplacement options. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 0c3660f ] ... and move all the NodePort related settings into its own section along with that. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 08927bb ] Queries via host were iterating through the search list. This meant that the first few attempts would always fail, and this seemed to fail outright sometimes. This change forces 3 retries on the domain without using the search list. This should mean that NXDomain should never be returned as kubernetes.default.svc.cluster.local. is always defined. Signed-off-by: Ray Bejjani <ray@isovalent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4836b2a ] This commit extends "cilium cleanup" by making it remove tc filters (bpf_netdev.o) from a nodeport netdev. The iface of the netdev is obtained from /var/run/cilium/state/globals/node_config.h (NATIVE_DEV_IFINDEX) which is set by bpf/init.sh. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
never-tell-me-the-odds
aanm approved these changes on Feb 7, 2020