daemon: Implement route-based device detection

[joamaki]

This reimplements the device detection logic to use the route
information rather than detecting devices based on k8s nodeIP and
the device with the default route.

The devices are discovered by finding all devices mentioned in global
unicast routes and filtering out cilium-managed devices by prefix.

Motivation for this change is to handle cases like #15960 more reliably
and not have the user specify devices manually. This also prepares for
later work to detect devices at runtime to allow e.g. use of KPR with ENI,
which adds devices dynamically.

The reason for introducing DeviceManager is to later add support for
dynamically reconfiguring the datapath for devices added at runtime.
Also the detected devices are now also used for host firewall and
bandwidth manager so makes sense for this logic to be moved out.

Fixes: #15960

Detect devices from global unicast routes in addition to only
looking for the device with the Kubernetes Node IP and the one with
default route.  This expands the set of devices used for kube-proxy
replacement, host firewall and bandwidth manager and should reduce
the need to specify devices manually.

[joamaki]

A follow-up PR will reuse this logic to detect devices at runtime and reload the datapath.

[joamaki]

In a follow-up with runtime detection of devices the plan is to stop using option.Config.Devices throughout and rather call into device manager to ask for the list of devices as it may mutate over time. Hence I already have the state for the devices and this function here.

See #17187 for the work in progress for the runtime detection and reasoning behind the structure of this file.

[joamaki]

A more suitable place for DeviceManager might be in pkg/datapath, but I'd like to leave it here for now.

[joamaki]

test-me-please

[joamaki]

test-me-please

[joamaki]

test-me-please

[joamaki]

test-runtime

[joamaki]

test-gke

[joamaki]

test-runtime

[joamaki]

test-me-please

Job 'Cilium-PR-K8s-1.16-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDemosTest Tests Star Wars Demo

Failure Output

FAIL: DNS entry is not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-net-next so I can create a new GitHub issue to track it.

[joamaki]

test-me-please

Job 'Cilium-PR-K8s-1.16-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sBookInfoDemoTest Bookinfo Demo Tests bookinfo demo

Failure Output

FAIL: DNS entry is not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-net-next so I can create a new GitHub issue to track it.

[joamaki]

test-1.16-netnext

[joamaki]

@pchaigno PTAL

[pchaigno]

Could you break commit daemon: Address review comments on device detection and merge it in the respective commits it fixes/improves? Having it in a separate commit hinders reviewing and doesn't make sense once merged.

Ah I was just trying to make reviewing easier. I'll squash.

I didn't mean you should squash everything; that doesn't make reviews any easier ;-)

If you're looking for guidance on how to split commits in pull requests, maybe a good starting point is https://kernelnewbies.org/PatchPhilosophy#How_to_break_up_changes. For this specific pull request, a good example is the code you moved from daemon/cmd/kube_proxy_replacement{,_test}.go to a new file; that move should be in its own commit, before the rest. It would help reviewers because we wouldn't have to re-review existing code that was just moved around.

[joamaki]

test-me-please

Job 'Cilium-PR-K8s-1.16-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running

Failure Output

FAIL: DNS entry is not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-net-next so I can create a new GitHub issue to track it.

[joamaki]

test-1.16-netnext

[pchaigno]

I think the two tests failing in k8s-1.16-kernel-netnext are new, so likely a case of #15474. You can confirm by checking you don't have the related changes (the changes those tests test) in your branch. Happy to help on Slack.

If that's confirmed, then I think we're good to go. The remaining cilium/agent review is for changes under daemon/ but I'm familiar with the specific code you touched and I approved already.

[joamaki]

I think the two tests failing in k8s-1.16-kernel-netnext are new, so likely a case of #15474. You can confirm by checking you don't have the related changes (the changes those tests test) in your branch. Happy to help on Slack.

If that's confirmed, then I think we're good to go. The remaining cilium/agent review is for changes under daemon/ but I'm familiar with the specific code you touched and I approved already.

cilium % git diff upstream/master -- test/k8sT/Services.go|grep "Checks conn"
-       }, "Checks connectivity when skipping socket lb in pod ns", func() {

Yep, it's a new test.

[pchaigno]

Yep, it's a new test.

Yep, but are the changes added with that test included in your branch?