
backports v1.7 2020-02-05 #10072

Merged
merged 28 commits into from
Feb 7, 2020

Conversation

borkmann
Member

@borkmann borkmann commented Feb 5, 2020

Once this PR is merged, you can update the PR labels via:

$ for pr in 9977 10028 10016 10053 9808 10057 10062 10060 10066 10047 10069 9997 10059 10073 10051 10063; do contrib/backporting/set-labels.py $pr done 1.7; done


gandro and others added 7 commits February 5, 2020 21:55
[ upstream commit 2134e62 ]

This tests that the HTTP server running on HealthCheckNodePort returns
the correct HTTP code. We add a new service for this, since only
services with Type=LoadBalancer and externalTrafficPolicy=Local will
have the HealthCheckNodePort field set.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit e07e8ce ]

Support for HealthCheckNodePort in NodePort BPF was added in #9906.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 20c3922 ]

On GKE/EKS, pods are automatically restarted when the
`--set global.restartPods=true` switch is passed to `helm` when
deploying Cilium. If not, pods need to be manually restarted to ensure
that they are managed by Cilium.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 909021c ]

Signed-off-by: Zhiyuan Hou <zhiyuan2048@linux.alibaba.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit d432ea6 ]

Make sure these tests pass as well on v6 sockets where we end up
processing v4 socket hooks.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 403d20a ]

While chaining, a route covering the AllocCIDR was still being installed
pointing to the cilium_host interface. Ideally the k8s node resource populates
the PodCIDR information in which case this is harmless. If the PodCIDR is not
known, Cilium would fall back to allocate a PodCIDR using the standard
10.x.0.0/16 template which then had the potential to conflict with a PodCIDR of
another node.

In case of a conflict, the rp_filter protection could cause packet loss due to
conflicting routes.

Related: #9794

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit eb01fe7 ]

Signed-off-by: Dan Wendlandt <dan@covalent.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann requested a review from a team as a code owner February 5, 2020 20:59
@maintainer-s-little-helper maintainer-s-little-helper bot added the kind/backports This PR provides functionality previously merged into master. label Feb 5, 2020
@borkmann
Member Author

borkmann commented Feb 5, 2020

never-tell-me-the-odds

@borkmann
Member Author

borkmann commented Feb 6, 2020

test-me-please

@borkmann
Member Author

borkmann commented Feb 6, 2020

test-missed-k8s

@borkmann
Member Author

borkmann commented Feb 6, 2020

never-tell-me-the-odds

@borkmann
Member Author

borkmann commented Feb 6, 2020

provision error, retrying

@borkmann
Member Author

borkmann commented Feb 6, 2020

never-tell-me-the-odds

@aanm
Member

aanm commented Feb 6, 2020

test-missed-k8s

@aanm
Member

aanm commented Feb 6, 2020

test-me-please

@joestringer
Member

test-me-please

@joestringer
Member

test-missed-k8s

@aanm
Member

aanm commented Feb 7, 2020

test-me-please

@borkmann
Member Author

borkmann commented Feb 7, 2020

Maciej hinted that we need #10062 in this backport as well to get it working.

nebril and others added 7 commits February 7, 2020 12:50
[ upstream commit 161fcd4 ]

Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
…bled

[ upstream commit cb2f135 ]

Since in case of option.Config.DisableK8sServices=true we don't listen to
service updates, there is also no point in doing service lookups in the
fast-path. Therefore, compile the code out. Similarly, if the user opts
into DisableK8sServices=true, then set kubeProxyReplacement=disabled.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4890a15 ]

It has been observed that kubelet calls CNI DELETE multiple times with
potentially stale CNI result information. This can lead to a race condition
where the initial CNI DELETE properly releases the IP in use which then gets
reused by a different pod. Any subsequent CNI DELETE with the stale IP will
then cause the IP of the live pod to be released. While the pod will continue
to function, the next scheduled pod will attempt to use that IP and
continuously fail to be scheduled due to an IP in use error.

This is a regression of commit ab61853 which introduced the ability for CNI
DELETE to release an IP even if the endpoint deletion fails which is required
to fix the race condition when the CNI binary gets killed in between allocating
an IP and creating the endpoint.

Fixes: ab61853 ("cni: Release IP even when endpoint deletion fails")
Fixes: #10065

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
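The stale CNI DELETE race described in the commit message above, replayed on a constructed toy allocator. This is an added example, not Cilium's IPAM code; the `Allocator`, `ReplayStaleDelete` and the "pod-A"/"pod-B" owners and 10.0.0.5 address are all made up for illustration. It contrasts an unconditional release (the regression: a second DELETE with a stale IP frees an address that has since been handed to another pod) with a release that first checks that the caller still owns the address, which is the invariant a safe release path needs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
)

// ErrOwnerMismatch is returned when a release names an IP that is currently
// held by a different owner (the stale CNI DELETE case).
var ErrOwnerMismatch = errors.New("ipam: release refused, IP is owned by a different endpoint")

// Allocator is a hypothetical allocator that records the owner of every
// allocated address (constructed for this example, not Cilium's IPAM).
type Allocator struct {
	mu     sync.Mutex
	owners map[string]string // IP -> owner (e.g. container ID)
}

func NewAllocator() *Allocator { return &Allocator{owners: map[string]string{}} }

// Allocate hands ip to owner; it fails with the "IP in use" error the
// commit message describes if the address is already held.
func (a *Allocator) Allocate(ip net.IP, owner string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	key := ip.String()
	if cur, ok := a.owners[key]; ok {
		return fmt.Errorf("ipam: %s already in use by %s", key, cur)
	}
	a.owners[key] = owner
	return nil
}

// ReleaseUnchecked frees ip regardless of who holds it. This is the
// regressed behaviour: a repeated DELETE carrying a stale IP frees an
// address that now belongs to a live pod.
func (a *Allocator) ReleaseUnchecked(ip net.IP) {
	a.mu.Lock()
	defer a.mu.Unlock()
	delete(a.owners, ip.String())
}

// Release frees ip only if owner still holds it. Releasing an address that
// is not allocated is a no-op (DELETE stays idempotent); releasing one that
// belongs to someone else is refused.
func (a *Allocator) Release(ip net.IP, owner string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	key := ip.String()
	cur, ok := a.owners[key]
	if !ok {
		return nil
	}
	if cur != owner {
		return ErrOwnerMismatch
	}
	delete(a.owners, key)
	return nil
}

// Owner reports who currently holds ip ("" if unallocated).
func (a *Allocator) Owner(ip net.IP) string {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.owners[ip.String()]
}

// ReplayStaleDelete runs the sequence from the commit message and reports
// whether pod B still owns its address afterwards. checked selects the
// owner-aware release for the second, stale DELETE.
func ReplayStaleDelete(checked bool) (bool, error) {
	a := NewAllocator()
	ip := net.ParseIP("10.0.0.5") // constructed sample address
	if err := a.Allocate(ip, "pod-A"); err != nil {
		return false, err
	}
	if err := a.Release(ip, "pod-A"); err != nil { // first DELETE: correct
		return false, err
	}
	if err := a.Allocate(ip, "pod-B"); err != nil { // address reused
		return false, err
	}
	// kubelet repeats the DELETE for pod A with the stale CNI result.
	if checked {
		if err := a.Release(ip, "pod-A"); err != nil && !errors.Is(err, ErrOwnerMismatch) {
			return false, err
		}
	} else {
		a.ReleaseUnchecked(ip)
	}
	return a.Owner(ip) == "pod-B", nil
}

func main() {
	keep, _ := ReplayStaleDelete(false)
	fmt.Println("unchecked release keeps pod B's IP:", keep)
	keep, _ = ReplayStaleDelete(true)
	fmt.Println("owner-checked release keeps pod B's IP:", keep)
}
```

Treating a mismatched owner as a refused release rather than an error that fails the whole DELETE keeps the earlier fix intact: a DELETE can still release an IP when endpoint deletion fails, but only the IP the endpoint actually holds.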
[ upstream commit 65cddbe ]

Skip the externalTrafficPolicy=Local test case from the third (external)
host when such does not exist.

This will allow us to avoid skipping the whole Context() or It() if the
third host does not exist.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 7ef9f87 ]

This commit makes the kube-proxy (NodePort) tests be skipped when
running without kube-proxy.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit aa1a5a9 ]

Instead, skip individual test cases which require the third host.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 714a56e ]

For Cilium 1.7, we move host-reachable services out of the beta
state therefore update the doc. Also document that libceph is a
known issue with getpeername hook.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann and others added 14 commits February 7, 2020 13:36
[ upstream commit 8ee8815 ]

Consolidate and rework the nodeport and kube-proxy free guides into
a single one, move it out of beta and reflect recent updates.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 7dd756e ]

Previously, test-k8s2 was missing from the list of DaemonSet pods which
have to be ready before the test is started.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 59263d2 ]

Adds an additional UDP echoserver to the pods and service definitions,
allowing us to check UDP connectivity alongside the existing TCP tests.

The new echoserver uses the TFTP protocol to serve a status page similar
to the existing HTTP server used for TCP tests. This allows us to reuse
the existing test infrastructure, i.e. curl has built-in support for
TFTP.

The deployed cilium/echoserver-udp is using the so-called "single-port"
mode of TFTP, where the server will always answer on the UDP port on
which it received the request. This is required for NAT to work.

Fixes: #9363

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 9943a66 ]

Extends the failBind tests to also test for UDP ports.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 06add2d ]

It's going to be used when reporting kube-proxy replacement state in
"cilium status" output.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 500bad1 ]

This commit adds kube-proxy-replacement configuration to "cilium status"
cmd output, so that users could better detect which kube-proxy replacement
features are enabled.

The example of such output:

    $ cilium status
    KVStore:                Ok   Disabled
    Kubernetes:             Ok   1.17 (v1.17.2) [linux/amd64]
    Kubernetes APIs:        ["CustomResourceDefinition", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
    KubeProxyReplacement:   Strict   [NodePort, ExternalIPs, HostReachableServicesTCP, HostReachableServicesUDP]
    Cilium:                 Ok   OK
    NodeMonitor:            Disabled
    Cilium health daemon:   Ok
    IPAM:                   IPv4: 4/65535 allocated from 10.1.0.0/16,
    Controller Status:      17/17 healthy
    Proxy Status:           OK, ip 10.1.28.236, port-range 10000-20000
    Cluster health:       0/1 reachable   (2020-02-05T14:02:54+01:00)
      Name                IP              Reachable   Endpoints reachable
        ceuse (localhost)   10.5.57.1       true        false

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit a54cbec ]

This commit:
- Disables option.Config.EnableExternalIP if NodePort is disabled
- Disables option.EnableHostServices{TCP,UDP} if host-lb is disabled

Otherwise, "cilium status" when --kube-proxy-replacement=partial will
misleadingly report that ExternalIP and HostServices{TCP,UDP} are
enabled even if NodePort and host-lb are disabled.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
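The dependency rules from the two commit messages above (DisableK8sServices forces kubeProxyReplacement=disabled; ExternalIP depends on NodePort; HostServices{TCP,UDP} depend on host-lb), written as a config normalization step that feeds the "cilium status" line. This is an added example, not Cilium's option handling or status code: the `Config` fields, `Normalize`, `Features` and `StatusLine` are assumed names, and the feature labels only mirror the status output quoted earlier in this PR.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a constructed stand-in for the kube-proxy replacement options
// (assumed field names; not Cilium's option.Config).
type Config struct {
	KubeProxyReplacement  string // "disabled", "partial" or "strict"
	DisableK8sServices    bool   // no service updates are watched at all
	EnableNodePort        bool
	EnableExternalIPs     bool // implemented on top of NodePort
	EnableHostServices    bool // host-lb master switch
	EnableHostServicesTCP bool
	EnableHostServicesUDP bool
}

// Normalize applies the dependency rules so that a feature whose
// prerequisite is off can never be reported as enabled.
func Normalize(c Config) Config {
	// Without service updates there is nothing to load-balance.
	if c.DisableK8sServices {
		c.KubeProxyReplacement = "disabled"
	}
	if c.KubeProxyReplacement == "disabled" {
		c.EnableNodePort = false
		c.EnableHostServices = false
	}
	if !c.EnableNodePort {
		c.EnableExternalIPs = false
	}
	if !c.EnableHostServices {
		c.EnableHostServicesTCP = false
		c.EnableHostServicesUDP = false
	}
	return c
}

// Features lists the features that are actually active, in the order the
// "cilium status" example above prints them.
func Features(c Config) []string {
	var f []string
	if c.EnableNodePort {
		f = append(f, "NodePort")
	}
	if c.EnableExternalIPs {
		f = append(f, "ExternalIPs")
	}
	if c.EnableHostServicesTCP {
		f = append(f, "HostReachableServicesTCP")
	}
	if c.EnableHostServicesUDP {
		f = append(f, "HostReachableServicesUDP")
	}
	return f
}

// StatusLine renders the KubeProxyReplacement line of "cilium status" from
// a normalized config.
func StatusLine(c Config) string {
	mode := c.KubeProxyReplacement
	if mode == "" {
		mode = "disabled"
	}
	mode = strings.ToUpper(mode[:1]) + mode[1:]
	return fmt.Sprintf("KubeProxyReplacement:   %s   [%s]", mode, strings.Join(Features(c), ", "))
}

func main() {
	// Constructed "partial" config with the prerequisites off: before
	// normalization it would misleadingly claim ExternalIPs and
	// HostReachableServicesTCP, exactly the report the commit avoids.
	raw := Config{KubeProxyReplacement: "partial", EnableExternalIPs: true, EnableHostServicesTCP: true}
	fmt.Println("raw features:", Features(raw))
	fmt.Println("normalized:  ", StatusLine(Normalize(raw)))
}
```

Running the normalization once at startup, before anything reads the flags, means the status output, the datapath compile-time switches and the agent's own decisions all see the same effective configuration.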
[ upstream commit 6be80f4 ]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit aa9f90f ]

Also group all kube-proxy replacement settings together.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit cf6c890 ]

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4edbcad ]

Elaborate on the various kubeProxyReplacement options.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 0c3660f ]

... and move all the NodePort related settings into its own section
along with that.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 08927bb ]

Queries via host were iterating through the search list. This meant that
the first few attempts would always fail, and this seemed to fail
outright sometimes. This change forces 3 retries on the domain without
using the search list. This should mean that NXDomain should never
be returned as kubernetes.default.svc.cluster.local. is always defined.

Signed-off-by: Ray Bejjani <ray@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4836b2a ]

This commit extends "cilium cleanup" by making it remove tc filters
(bpf_netdev.o) from a nodeport netdev.

The iface of the netdev is obtained from
/var/run/cilium/state/globals/node_config.h (NATIVE_DEV_IFINDEX) which
is set by bpf/init.sh.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
@borkmann borkmann requested a review from a team as a code owner February 7, 2020 12:39
@borkmann
Member Author

borkmann commented Feb 7, 2020

never-tell-me-the-odds

@aanm aanm merged commit 06d55c6 into v1.7 Feb 7, 2020
@aanm aanm deleted the pr/backport-v1.7-2020-02-05 branch February 7, 2020 16:20