v1.10 backports 2021-05-18 #16210
Merged
v1.10 backports 2021-05-18 #16210
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit 6522dfd ] Current logging has been implemented in #14878 using Warning level. As reported in #15935 this causes lots of log lines to be generated at each garbage collection cycle. The fix here is to move the log generation from Warning to Debug. Fixes: #15935 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 3882893 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit e75b46a ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit aaa7b8d ] We use a number of WaitXXX helper function to wait for pods to be deployed, policies to be enforced, service endpoints to be created, etc. The default frequency at which these functions check the expected output is 5s. So for namespace deletions and policy enforcements, we often wait 10s, because the output is not as expected after the first 5s check. This is unnecessary. We can instead check the output every 1s and shave off a few seconds every time we wait for something to happen (and we do that a lot!). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 7387ca2 ] By parallelizing the verification of test cases, we save 5min. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 79e5351 ] We may spend a lot of time just waiting in these tests because the requests are sometimes expected to fail (in which case we wait for the timeout). Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 9e141aa ] For each of the host firewall test cases, we check both an allowed and a blocked request. We therefore spend a fair amount of time waiting for the timeout to occur on blocked requests. We can parallelize test cases to waste less time. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 15437e4 ] The statement to uninstall Cilium in K8sBandwidth/AfterAll doesn't match the statements to install it, meaning we could try to disable Cilium even though we never installed it. This commit fixes it. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit acab730 ] Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 8aed9d9 ] It's currently possible to enable the no CT Iptables rules together with Iptables masquerading, which results in Iptables failing to masquerade traffic. With this commit, when this setup is detected, we return a fatal error. Fixes: #16046 Signed-off-by: Gilberto Bertin <gilberto@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 5d5f5d2 ] Make use of the version 2 of AWS's instance metadata API which is recommended for security purposes. More info [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) Fixes: #15520 Signed-off-by: Smaine Kahlouch <smainklh@gmail.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 107fb8f ] b2d2d69 ("docs: Add how to remove kube-proxy from existing clusters") added the howto for removing kube-proxy right into the middle of the kubeadm setup given right afterwards we talk about kubeadm join. Detangle this to make it more clear that both don't have anything to do with each other. Also add a warning to removing kube-proxy that this is disruptive. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit d5d0727 ] Given this details the various service types and our implementation, add this to further reading. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 465cac1 ] As pointed out in the code changes, it is expected to receive k8s events after custom-resource events as the propagation delay is often higher than CRs. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit e95a201 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 30f3011 ] This will help users avoid running into issues during installation. It is possible that OpenShift will be updated to support this in the future. Source: https://docs.okd.io/latest/installing/installing_bare_metal/installing-bare-metal.html#machine-requirements_installing-bare-metal Signed-off-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 8a2d2d3 ] This bash function is super close to being generically useful across different repositories, by allowing to check whether a commit is in any particular upstream (including hubble repos). Make it a bit more generic without changing the default args, that way we don't have to update any of the existing scripts. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit f3fed9a ] Wireguard keeps track of the traffic sent and receive for each peer. We print this information in `cilium debuginfo`. Because the agent failed to populate them the JSON response, the counters were always wrongly reported as zero. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
added
kind/backports
|
test-backport-1.10 |
|
test-1.16-netnext #16203 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-net-next/545/ |
tklauser
approved these changes
May 19, 2021
|
test-1.18-4.9 needs further triage: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.18-kernel-4.9/1638/ |
|
test-runtime looks like arping issues are reappearing: #16221 https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/4731/ |
|
test-1.19-5.4 needs further triage: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-5.4/124/ |
errordeveloper
approved these changes
May 19, 2021
|
test-gke #16004 again: https://jenkins.cilium.io/job/Cilium-PR-K8s-GKE/5492/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
cilium debuginfo#16178 -- wireguard: Fix traffic counters incilium debuginfo(@gandro)Once this PR is merged, you can update the PR labels via: