v1.7 backports 2020-07-08 #12458
test-backport-1.7
The failures look legit:
113f926 to 7d336a1
test-backport-1.7
LGTM for my changes. I noticed that the PRs listed are not marked as "pending". Could you please mark them (the script should do it for you)? This helps reduce any conflict in case another backporter starts a 1.7 backport.
[ upstream commit 1cc79c1 ]

The skb->mark field may not be reliable in chaining modes because the host stack may have conflicting users of the mark field. For example in one case we observe a set mark rule 'MARK and 0xfff1ffff' which mangles the identity stored in skb->mark. If Cilium user also has ingress policy logic the identity is no longer correct. This likely will result in policy denied hits,

```
-> stack flow 0xa0688256 identity 54898->7179 state established ifindex 0 orig-ip 0.0.0.0: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN
xx drop (Policy denied) flow 0xa0688256 to endpoint 149, identity 54897->7179: 192.168.187.136:50344 -> 192.168.187.139:80 tcp SYN
```

To fix this create a flag EnableIdentityMark to allow setting the identity. In cases that have conflicting mark values this can then be disabled. The trace on ingress will no longer have a listed identity but because when 'identity < UNMANAGED' we do the lookup using the src ip and policy will work correctly.

Fixes: f25d8b9 ("bpf: Preserve source identity for hairpin via stack")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit c7acec0 ]

Fix the helm usage of enableIdentityMap so that it uses the correct cilium-agent variable enableIdentityMark. Additionally add text in Calico guide for CNI chaining to use the field.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 8f624a7 ]

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit ecac73d ]

This is useful in cases where a backport PR is started on the same day that another backport PR was created, for the same branch (e.g. v1.6). In this case, the developer would have to manually modify the script to create a non-conflicting branch name. This commit allows the developer instead to pass a suffix to disambiguate the branch name, without need to modify the script.

Example usage:

```
$ ./contrib/backporting/start-backport 1.6 "-2"
```

This creates a backport branch name pr/v1.6-backport-2020-06-30-2.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 5cfa8a8 ]

Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 5968d5a ]

The `if` condition is actually inverted which makes it impossible to create a backport branch. This commit fixes this issue.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
[ upstream commit edff374 ]

This PR adds in an option 'enable-health-check-nodeport' to the cilium-agent for disabling 'HealthCheckNodePort' based on the KubeProxyReplacement configuration. It also adds in an option 'enableHealthCheckNodePort' to the helm charts and documents the new config options with impacts when kubeProxyReplacement is set to 'partial'.

Fixes: #11168
Signed-off-by: Swaminathan Vasudevan <svasudevan@suse.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
7d336a1 to 32212cf
@christarazi Sorry for that, I totally forgot about running the set-labels script.
test-backport-1.7
looks good for my changes
Failure:
Looks like known flake #10442, not a regression so can be bypassed to merge.
`start-backport` script
#12361 -- contrib: fix branch check in `start-backport` script (@rolinh)

Once this PR is merged, you can update the PR labels via: