v1.9 backports 2021-02-11 #14930
[ upstream commit 16e8f2f ]

Fix #14100

Identity relevant labels are a label prefix list composed of two parts:

1. base part:
   1.1. Read from a user specified (--label-prefix-file) json file if this file is provided. Default: `--label-prefix-file=""`.
   1.2. If `--label-prefix-file=""`, read from a default hardcoded list (`func defaultLabelPrefixCfg()`).
2. additional part: read from user inputs (--labels), default `--labels=""`

When `--label-prefix-file=""` (default) but `--labels=<custom-list>` is provided, if `reserved:host` (or `reserved:.*`) is not included in the above `<custom-list>`, the `cilium_host` endpoint will lose its `reserved:host` label.

When rolling back to the default configuration, that is, setting `--labels=""` and restarting the agent, the cilium agent will raise errors like the following:

```
level=warning msg="Regeneration of endpoint failed" .. error="Exposing new BPF failed: invalid LXC MAC: invalid MAC address "
level=error msg="endpoint regeneration failed" .. error="Exposing new BPF failed: invalid LXC MAC: invalid MAC address "
```

And subsequently, all pods' traffic on this node will be interrupted.

This is because the agent relies on this label to distinguish the `cilium_host` endpoint from normal endpoints, and the former has no `lxcMAC`.

We should never exclude reserved labels from the default label list. Adding reserved labels to the default label list could solve the problem.

Appendix: Sample custom label file (--label-prefix-file) to overwrite the default base label list:

```
{
    "version": 1,
    "valid-prefixes": [
        { "source": "k8s", "prefix": "io.kubernetes.pod.namespace" },
        { "source": "k8s", "prefix": ":io.cilium.k8s.namespace.labels" },
        { "source": "k8s", "prefix": "app.kubernetes.io" },
        { "source": "k8s", "prefix": "k8s!:io.kubernetes" },
        { "source": "k8s", "prefix": "!kubernetes.io" },
        { "source": "k8s", "prefix": "!.*beta.kubernetes.io" },
        { "source": "k8s", "prefix": "!k8s.io" },
        { "source": "k8s", "prefix": "!pod-template-generation" },
        { "source": "k8s", "prefix": "!pod-template-hash" },
        { "source": "k8s", "prefix": "!controller-revision-hash" },
        { "source": "k8s", "prefix": "!annotation.*" },
        { "source": "k8s", "prefix": "!etcd_node" }
    ]
}
```

Signed-off-by: ArthurChiao <arthurchiao@hotmail.com>
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
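The flag combination described in the commit message above can be linted before an agent without this fix is restarted. The Go check below is an added example, not code from Cilium or from this PR; the function names, the entry syntax (`[!][source:]prefix` with a regex prefix, entries without a source matching any source) and the space-separated `--labels` value are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// coversReservedHost reports whether one --labels entry keeps reserved:host.
// Assumed syntax: [!][source:]prefix; prefix is a regex anchored at the key start.
func coversReservedHost(entry string) bool {
	if strings.HasPrefix(entry, "!") {
		return false // exclusions never keep a label
	}
	source, key := "any", entry // assumption: no source means any source
	if i := strings.Index(entry, ":"); i >= 0 {
		source, key = entry[:i], entry[i+1:]
	}
	if source != "reserved" && source != "any" {
		return false
	}
	re, err := regexp.Compile("^(?:" + key + ")")
	if err != nil { // not a valid regex: compare as a literal prefix
		return strings.HasPrefix("host", key)
	}
	return re.MatchString("host")
}

// LosesHostLabel flags the combination described in the commit message:
// --label-prefix-file empty, --labels non-empty, reserved:host not covered.
func LosesHostLabel(labelPrefixFile, labels string) bool {
	entries := strings.Fields(labels) // assumption: space-separated list
	if labelPrefixFile != "" || len(entries) == 0 {
		return false // outside the case the commit message describes
	}
	for _, e := range entries {
		if coversReservedHost(e) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed flag values, not taken from a real deployment.
	for _, l := range []string{"", "k8s:app k8s:tier", "k8s:app reserved:.*", "k8s:app !reserved:host"} {
		fmt.Printf("--labels=%q -> loses reserved:host: %v\n", l, LosesHostLabel("", l))
	}
}
```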
[ upstream commit 463e0dc ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
test-backport-1.9
I reviewed both commits and they look good to me 👍
@michi-covalent when skipping some PRs, don't forget to update the command at the end of the PR description. At the moment it will try to set labels for both the backported and skipped PRs, which might lead to us thinking we've backported those PRs when we actually haven't.
@joestringer ah yes of course, updated the description 👍
test-missed-k8s
test-1.16-4.9
K8s-1.16-kernel-4.9 failed with known flakes #13773 and #13774 as well. K8s-1.14-kernel-4.9 had failed with #14958 and now failed with #14959. Given the changes backported here (docs and labelsfilter), it's unlikely any of the two new flakes (#14958 and #14959) were introduced by this PR. I think we're ready to merge.
Skipped:
Once this PR is merged, you can update the PR labels via: