v1.11 backports 2021-11-26 #18027

Merged 30 commits on Nov 30, 2021

Commits on Nov 29, 2021

  1. docs: update Helm reference after updates for latest -rc release

    The update for the Helm reference was omitted in commit c9d9f7e
    ("Prepare for release v1.11.0-rc3"). Let's update it now.
    
    Fixes: c9d9f7e ("Prepare for release v1.11.0-rc3")
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    qmonnet committed Nov 29, 2021
    73729f0
  2. docs: Fix up mailmap a bit and update authors

    [ upstream commit 79987fa ]
    
    Minor update sync to the AUTHORS file.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    borkmann authored and qmonnet committed Nov 29, 2021
    1d2e084
  3. docs: Add upgrade note regarding custom ports

    [ upstream commit 858b5e2 ]
    
    Towards: cilium#15956
    
    Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    errordeveloper authored and qmonnet committed Nov 29, 2021
    bc3c0ef
  4. bpf: Move time cache into separate header file

    [ upstream commit f579ab7 ]
    
    Reduces scope to where it is really used given this creates a map.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    borkmann authored and qmonnet committed Nov 29, 2021
    98a4417
  5. bpf: Fix l4lb stale map removal under cni mode

    [ upstream commit cb1bf90 ]
    
    When the agent starts up we can see the following maps being removed as
    stale maps:
    
      [...]
      level=info msg="Restored endpoint" endpointID=3747 ipAddr="[ ]" subsys=endpoint
      level=info msg="Finished regenerating restored endpoints" regenerated=1 subsys=daemon total=1
      level=info msg="Removed stale bpf map" file-path=/sys/fs/bpf/tc/globals/cilium_capture_cache subsys=daemon
      level=info msg="Removed stale bpf map" file-path=/sys/fs/bpf/tc/globals/cilium_ktime_cache subsys=daemon
      [...]
    
    This is due to pcap.h being included from nodeport.h where the former
    defines mentioned maps unconditionally. Rework it, so that both are
    only created in L4LB mode.
    
    Fixes: cilium#17935
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    borkmann authored and qmonnet committed Nov 29, 2021
    3f0c75a
  6. install/kubernetes: fix helm generation for operator image digest

    [ upstream commit 1ccb845 ]
    
    This commit fixes the image digest as part of the operator deployment.
    
    Fixes: 4638de2 ("cleanup the cilium helm chart:")
    Signed-off-by: André Martins <andre@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    aanm authored and qmonnet committed Nov 29, 2021
    72131e0
  7. daemon/cmd: Extend Cilium status with graceful termination flag

    [ upstream commit eeb7f1b ]
    
    The status only reflects the value of the flag
    'enable-k8s-terminating-endpoints'. Per the (kube-proxy-replacement)
    documentation, the relevant feature gate still needs to be enabled in
    kubernetes deployments >= v1.20.
    
    Signed-off-by: Aditi Ghag <aditi@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    aditighag authored and qmonnet committed Nov 29, 2021
    dc54a6c
  8. docs: remove mention of 250 nodes for kvstore

    [ upstream commit 7eaafc8 ]
    
    Most of the use cases don't require setting up a KVstore to use Cilium.
    This commit updates the documentation to reflect the current situations
    where someone would like to set up a KVStore.
    
    Signed-off-by: André Martins <andre@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    aanm authored and qmonnet committed Nov 29, 2021
    b801e9f
  9. docs: Deprecate IPVLAN support

    [ upstream commit abb1d06 ]
    
    IPVLAN support has a list of caveats in terms of features, few users and
    fewer maintainers. Recently, we improved virtual ethernet support in the
    kernel to gain many of the performance advantages of IPVLAN. Unless
    there is strong community support for maintaining this feature going
    forward, it will make sense to remove support in the v1.12 development
    cycle.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    f4df3fd
  10. docs: Deprecate Consul support

    [ upstream commit fb65f8c ]
    
    Consul support has been primarily used for developer environments in
    local testing, but we are not aware of any users running clusters
    depending on Consul for Cilium control plane co-ordination. Deprecate it
    in preparation to remove support in a future release, to minimize the
    maintenance burden of this code.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    775c942
  11. docs: Deprecate 'cilium policy trace'

    [ upstream commit 747ef3a ]
    
    Support for the various policy types in the in-pod 'cilium policy trace'
    command has not kept pace with the development on the core policy model.
    Deprecate this tool so that users are not misled by the confusing and
    often wrong policy trace output.
    
    Users are suggested to use one of the alternative methods to reason
    about their policies:
    * https://app.networkpolicy.io
    * https://docs.cilium.io/en/stable/gettingstarted/policy-creation/
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    47071ef
  12. Remove remaining references to Mesos

    [ upstream commit b0a9510 ]
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    3b17ebd
  13. docs: Document recent feature deprecations

    [ upstream commit 4ce5cef ]
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    979732f
  14. docs: Add cilium "managed pods" example

    [ upstream commit c46a028 ]
    
    This example demonstrates a good example of when all pods are managed by
    Cilium.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    joestringer authored and qmonnet committed Nov 29, 2021
    bc6cf49
  15. k8s: Add Hints.ForZone field to slim Endpoint

    [ upstream commit 2ac1403 ]
    
    This is going to be used by the upcoming (service) topology aware hints
    feature.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    1c13481
  16. daemon: Add --enable-service-topology

    [ upstream commit 2ddf5e7 ]
    
    It's going to be used by the k8s service topology aware hints feature to
    be implemented in the next commit.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    8cc26a0
  17. k8s: Extend Node subscriber to accept swg

    [ upstream commit 14b70ad ]
    
    The swg (stoppable wait group) is used by the service_cache.go when
    syncing k8s caches upon the agent startup. Until now, service_cache was
    consuming only Service and Endpoint* objects. However, for the upcoming
    service topology aware hints feature we need to add (self) Node object
    as well to the list. This is because the feature needs to get the
    "topology.kubernetes.io/zone" of the self Node.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    d4d407b
  18. k8s: Implement svc topology aware hints

    [ upstream commit 6ddfbd2 ]
    
    This commit implements the topology aware hints for k8s services
    described in [1].
    
    The idea of the feature is to provision service endpoints only if their
    zone hints match the self node's "topology.kubernetes.io/zone" label
    value.
    
    The main benefit is that it allows service traffic to prefer zone-local
    endpoints which could be used e.g., to avoid costs associated with
    crossing cloud network zones. Also, it might yield better performance
    for service traffic, as the nearer endpoints are preferred.
    
    The hints for endpoints are set by kube-controller-manager. The
    heuristics are described in [1]. The hints are set in the
    EndpointsliceV1 object (this is the reason why we don't implement the
    hints parsing for other endpoint object types).
    
    I considered implementing the feature in "pkg/service" instead of
    "pkg/k8s". The main reasons for choosing the latter are (1) that this
    feature is k8s specific and (2) that in the near future we probably
    will merge "pkg/service" with "pkg/maps/lbmap", as both deal with the
    low-level datapath specific details.
    
    [1]: https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    c3bbb79
  19. k8s: Fix endpoints returned by update routine

    [ upstream commit 8442d6e ]
    
    Previously, the function returned all passed endpoints instead of the ones
    which were filtered and correlated by correlateEndpoints().
    
    The change is a no-op, as nobody was consuming the return value of
    UpdateEndpoint*().
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    ba611d1
  20. k8s: Add unit tests for topology aware hints

    [ upstream commit ed9c7ce ]
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    482b5ca
  21. helm: Add loadBalancer.serviceTopology

    [ upstream commit 545d94c ]
    
    This enables k8s service topology aware hints.
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    d7e40d4
  22. docs: Mention service topology in KPR guide

    [ upstream commit 0b27f80 ]
    
    Signed-off-by: Martynas Pumputis <m@lambda.lt>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    brb authored and qmonnet committed Nov 29, 2021
    064c40a
  23. maps: switch egressmap to cilium/ebpf package

    [ upstream commit 3ba8e6e ]
    
    Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    jibi authored and qmonnet committed Nov 29, 2021
    08da94d
  24. bpf: rename egress policy map and its fields

    [ upstream commit 2b07959 ]
    
    to make it more clear it's related to the egress gateway policies
    
    Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    jibi authored and qmonnet committed Nov 29, 2021
    fb3fe7e
  25. docs: add a note on egress gateway upgrade impact for 1.11

    [ upstream commit cdb4b46 ]
    
    Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    jibi authored and qmonnet committed Nov 29, 2021
    b3f0302
  26. daemon: add WaitUntilK8sCacheIsSynced method

    [ upstream commit d9b60f7 ]
    
    which will block the caller until the agent has fully synced its
    k8s cache.
    
    Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    jibi authored and qmonnet committed Nov 29, 2021
    b9fc764
  27. egressgateway: refactor manager logic

    [ upstream commit ed73a31 ]
    
    This commit refactors the egress gateway manager in order to provide a
    single `reconcile()` method which will be invoked on all events
    received by the manager. This method is responsible for adding and
    removing entries to and from the egress policy map.
    
    In addition to this, the manager will now wait for the k8s cache to be
    fully synced before running its first reconciliation, in order to always
    have the egress_policy map in a consistent state with the k8s
    configuration.
    
    Fixes: cilium#17380
    Fixes: cilium#17753
    Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    jibi authored and qmonnet committed Nov 29, 2021
    0e5789f
  28. ipam/crd: Fix spurious CiliumNode update status failures

    [ upstream commit 18b10b4 ]
    
    When running in CRD-based IPAM modes (Alibaba, Azure, ENI, CRD), it is
    possible to observe spurious "Unable to update CiliumNode custom
    resource" failures in the cilium-agent.
    
    The full error message is as follows: "Operation cannot be fulfilled on
    ciliumnodes.cilium.io <node>: the object has been modified; please apply
    your changes to the latest version and try again".
    
    It means that the Kubernetes `UpdateStatus` call has failed because the
    local `ObjectMeta.ResourceVersion` of submitted CiliumNode version is
    out of date. In the presence of races, this error is expected and will
    resolve itself once the agent receives a more recent version of the
    object with the new resource version.
    
    However, it is possible that the resource version of a `CiliumNode`
    object is bumped even though the `Spec` or `Status` of the `CiliumNode`
    remains the same. This happens, for example, when
    `ObjectMeta.ManagedFields` is updated by the Kubernetes apiserver.
    
    Unfortunately, `CiliumNode.DeepEqual` does _not_ consider any
    `ObjectMeta` fields (including the resource version). Therefore two
    objects with different resource versions are considered the same by the
    `CiliumNode` watcher used by IPAM.
    
    But to be able to successfully call `UpdateStatus` we need to know the
    most recent resource version. Otherwise, `UpdateStatus` will always fail
    until the `CiliumNode` object is updated externally for some reason.
    
    Therefore, this commit modifies the logic to always store the most
    recent version of the `CiliumNode` object, even if `Spec` or `Status`
    has not changed. This in turn allows `nodeStore.refreshNode` (which
    invokes `UpdateStatus`) to always work on the most recently observed
    resource version.
    
    Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    gandro authored and qmonnet committed Nov 29, 2021
    3913fe1
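
The failure mode described in commit 28, as an added example that is not part of the commit or of Cilium's code: a constructed single-object API server with optimistic concurrency, and a watcher that either drops metadata-only updates (before the fix) or always stores the newest object (after). `Node`, `APIServer`, `TouchMetadata` and `Simulate` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is a constructed stand-in for a CiliumNode; none of this is Cilium code.
type Node struct {
	ResourceVersion int // metadata: bumped by the server on every write
	Spec, Status    string
}

var ErrConflict = errors.New("the object has been modified")

// APIServer models optimistic concurrency on a single object.
type APIServer struct{ obj Node }

func (s *APIServer) UpdateStatus(n Node) error {
	if n.ResourceVersion != s.obj.ResourceVersion {
		return ErrConflict // caller worked from an out-of-date version
	}
	s.obj.Status = n.Status
	s.obj.ResourceVersion++
	return nil
}

// TouchMetadata bumps the version while Spec and Status stay the same.
func (s *APIServer) TouchMetadata() Node {
	s.obj.ResourceVersion++
	return s.obj
}

// deepEqual ignores metadata, as the commit message says CiliumNode.DeepEqual does.
func deepEqual(a, b Node) bool { return a.Spec == b.Spec && a.Status == b.Status }

// Simulate counts ErrConflict results over `attempts` status refreshes after one metadata-only update.
func Simulate(alwaysStore bool, attempts int) (failures int) {
	srv := &APIServer{obj: Node{ResourceVersion: 1, Spec: "pool-a"}}
	own := srv.obj // the agent's local copy
	onUpdate := func(n Node) {
		if alwaysStore || !deepEqual(own, n) {
			own = n // otherwise the event is dropped and the stale version kept
		}
	}
	onUpdate(srv.TouchMetadata())
	for i := 0; i < attempts; i++ {
		n := own
		n.Status = fmt.Sprintf("used=%d", i)
		if err := srv.UpdateStatus(n); errors.Is(err, ErrConflict) {
			failures++
			continue
		}
		onUpdate(srv.obj) // watch event for our own successful write
	}
	return failures
}

func main() { fmt.Println("before fix:", Simulate(false, 3), "after fix:", Simulate(true, 3)) }
```

With `alwaysStore` false every refresh conflicts, because no later event carries a `Spec` or `Status` change that would replace the stale copy.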
  29. Update k8s tests and libraries to v1.23.0-rc.0

    [ upstream commit c56075d ]
    
    Signed-off-by: André Martins <andre@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    aanm authored and qmonnet committed Nov 29, 2021
    a3a9aa5
  30. test/helpers: fix ensure kubectl version to work for RCs

    [ upstream commit bb6ef27 ]
    
    Fixes: 6181255 ("test: ensure kubectl version is available for test run")
    Signed-off-by: André Martins <andre@cilium.io>
    Signed-off-by: Quentin Monnet <quentin@isovalent.com>
    aanm authored and qmonnet committed Nov 29, 2021
    ffa2ef5