New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the data path filtering for policy verdict logs. #10477
Conversation
Release note label not set, please set the appropriate release note. |
test-me-please |
1 similar comment
test-me-please |
test-me-please |
e1c2a78
to
734fc53
Compare
test-me-please previous failure https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/17796/ |
test-me-please |
From here: Into the zip, into the cilium logs for pod
I'm not sure why the Jenkins CI didn't identify any errors/warnings in the logs, but I saw them there. This particular case I think we've seen before on the I've filed issue #10517 to track root-cause and upstream fixes for the underlying issue here. For the other two failures from that link, they look like policy-related CI flakes. Given the timing they may have been resolved by #10493. At a glance from the latest failures, I see endpoints in |
We bypassed the issue earlier by removing all the if else statements in the datapath patch. For this one, we cannot bypass the single check for the filtering operation. |
test-me-please |
I filed #10615 for the Travis flake. |
test-me-please |
Thanks @joestringer ! For the "log buffer too small" issue, it is possible to put in the mitigation with iproute2 to the CI? |
That wouldn't solve the underlying issue, which is a complexity error in the BPF verifier (we're hitting the limit). As a short term solution, we're hoping #10542 will give us some slack there and allow the currently-blocked PRs to pass. |
Yes, I know it doesn't solve the underlying issue, but I think it shouldn't block CI as it will take longer time for the real fix to get in. We can always remove the workaround later. It's great if #10542 can help and unblock CI. |
test-me-please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Neat! The tests are passing 😃
I have a couple small comments below, but we should be okay to merge after that 🎉
Generate policy verdict logs only if the endpoint does have a network policy enforced on the direction of the traffic. Signed-off-by: Zang Li <zangli@google.com>
test-me-please |
Generate policy verdict logs only if the endpoint does have a network policy
enforced on the direction of the traffic.
Signed-off-by: Zang Li zangli@google.com
This change is