v1.11 backports 2021-11-26 #18027
Commits on Nov 29, 2021
docs: update Helm reference after updates for latest -rc release
Commit 73729f0
docs: Fix up mailmap a bit and update authors
[ upstream commit 79987fa ]

Minor update sync to the AUTHORS file.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 1d2e084
docs: Add upgrade note regarding custom ports
[ upstream commit 858b5e2 ]

Towards: cilium#15956

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit bc3c0ef
bpf: Move time cache into separate header file
[ upstream commit f579ab7 ]

Reduces scope to where it is really used given this creates a map.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 98a4417
bpf: Fix l4lb stale map removal under cni mode
[ upstream commit cb1bf90 ]

When the agent starts up we can see the following maps being removed as stale maps:

  [...]
  level=info msg="Restored endpoint" endpointID=3747 ipAddr="[ ]" subsys=endpoint
  level=info msg="Finished regenerating restored endpoints" regenerated=1 subsys=daemon total=1
  level=info msg="Removed stale bpf map" file-path=/sys/fs/bpf/tc/globals/cilium_capture_cache subsys=daemon
  level=info msg="Removed stale bpf map" file-path=/sys/fs/bpf/tc/globals/cilium_ktime_cache subsys=daemon
  [...]

This is due to pcap.h being included from nodeport.h where the former defines mentioned maps unconditionally. Rework it, so that both are only created in L4LB mode.

Fixes: cilium#17935
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 3f0c75a
install/kubernetes: fix helm generation for operator image digest
Commit 72131e0
daemon/cmd: Extend Cilium status with graceful termination flag
[ upstream commit eeb7f1b ]

The status only reflects the value of the flag 'enable-k8s-terminating-endpoints'. Per the (kube-proxy-replacement) documentation, the relevant feature gate still needs to be enabled in kubernetes deployments >= v1.20.

Signed-off-by: Aditi Ghag <aditi@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit dc54a6c
docs: remove mention of 250 nodes for kvstore
[ upstream commit 7eaafc8 ]

Most of the use cases don't require setting up a KVstore to use Cilium. This commit updates the documentation to reflect the current situations where someone would like to set up a KVStore.

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit b801e9f
docs: Deprecate IPVLAN support
[ upstream commit abb1d06 ]

IPVLAN support has a list of caveats in terms of features, few users and fewer maintainers. Recently, we improved virtual ethernet support in the kernel to gain many of the performance advantages of IPVLAN.

Unless there is strong community support for maintaining this feature going forward, it will make sense to remove support in the v1.12 development cycle.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit f4df3fd
docs: Deprecate Consul support
[ upstream commit fb65f8c ]

Consul support has been primarily used for developer environments in local testing, but we are not aware of any users running clusters depending on Consul for Cilium control plane co-ordination. Deprecate it in preparation to remove support in a future release, to minimize the maintenance burden of this code.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 775c942
docs: Deprecate 'cilium policy trace'
[ upstream commit 747ef3a ]

Support for the various policy types in the in-pod 'cilium policy trace' command has not kept pace with the development on the core policy model. Deprecate this tool so that users are not misled by the confusing and often wrong policy trace output.

Users are suggested to use one of the alternative methods to reason about their policies:

* https://app.networkpolicy.io
* https://docs.cilium.io/en/stable/gettingstarted/policy-creation/

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 47071ef
Remove remaining references to Mesos
[ upstream commit b0a9510 ]

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 3b17ebd
docs: Document recent feature deprecations
[ upstream commit 4ce5cef ]

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 979732f
docs: Add cilium "managed pods" example
[ upstream commit c46a028 ]

This example demonstrates a good example of when all pods are managed by Cilium.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit bc6cf49
k8s: Add Hints.ForZone field to slim Endpoint
[ upstream commit 2ac1403 ]

This is going to be used by the upcoming (service) topology aware hints feature.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 1c13481
daemon: Add --enable-service-topology
[ upstream commit 2ddf5e7 ]

It's going to be used by the k8s service topology aware hints feature to be implemented in the next commit.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 8cc26a0
k8s: Extend Node subscriber to accept swg
[ upstream commit 14b70ad ]

The swg (stoppable wait group) is used by the service_cache.go when syncing k8s caches upon the agent startup. Until now, service_cache was consuming only Service and Endpoint* objects.

However, for the upcoming service topology aware hints feature we need to add (self) Node object as well to the list. This is because the feature needs to get the "topology.kubernetes.io/zone" of the self Node.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit d4d407b
k8s: Implement svc topology aware hints
[ upstream commit 6ddfbd2 ]

This commit implements the topology aware hints for k8s services described in [1].

The idea of the feature is to provision service endpoints only if their zone hints match the self node's "topology.kubernetes.io/zone" label value.

The main benefit is that it allows service traffic to prefer zone-local endpoints which could be used e.g., to avoid costs associated with crossing cloud network zones. Also, it might yield better performance for service traffic, as the nearer endpoints are preferred.

The hints for endpoints are set by kube-controller-manager. The heuristics are described in [1]. The hints are set in the EndpointsliceV1 object (this is the reason why we don't implement the hints parsing for other endpoint object types).

I considered implementing the feature in "pkg/service" instead of "pkg/k8s". The main reasons for choosing the latter are (1) that this feature is k8s specific and (2) that in the near future we probably will merge "pkg/service" with "pkg/maps/lbmap", as both deal with the low-level datapath specific details.

[1]: https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit c3bbb79
k8s: Fix endpoints returned by update routine
[ upstream commit 8442d6e ]

Previously, the function returned all passed endpoints instead of the ones which were filtered and correlated by correlateEndpoints().

The change is no-op, as nobody was consuming the return value of UpdateEndpoint*().

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit ba611d1
k8s: Add unit tests for topology aware hints
[ upstream commit ed9c7ce ]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 482b5ca
helm: Add loadBalancer.serviceTopology
[ upstream commit 545d94c ]

This enables k8s service topology aware hints.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit d7e40d4
docs: Mention service topology in KPR guide
[ upstream commit 0b27f80 ]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 064c40a
maps: switch egressmap to cilium/ebpf package
[ upstream commit 3ba8e6e ]

Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 08da94d
bpf: rename egress policy map and its fields
[ upstream commit 2b07959 ]

to make it more clear it's related to the egress gateway policies

Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit fb3fe7e
docs: add a note on egress gateway upgrade impact for 1.11
[ upstream commit cdb4b46 ]

Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit b3f0302
daemon: add WaitUntilK8sCacheIsSynced method
[ upstream commit d9b60f7 ]

which will block the caller until the agent has fully synced its k8s cache.

Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit b9fc764
egressgateway: refactor manager logic
[ upstream commit ed73a31 ]

This commit refactors the egress gateway manager in order to provide a single `reconcile()` method which will be invoked on all events received by the manager. This method is responsible for adding and removing entries to and from the egress policy map.

In addition to this, the manager will now wait for the k8s cache to be fully synced before running its first reconciliation, in order to always have the egress_policy map in a consistent state with the k8s configuration.

Fixes: cilium#17380
Fixes: cilium#17753
Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 0e5789f
ipam/crd: Fix spurious CiliumNode update status failures
[ upstream commit 18b10b4 ]

When running in CRD-based IPAM modes (Alibaba, Azure, ENI, CRD), it is possible to observe spurious "Unable to update CiliumNode custom resource" failures in the cilium-agent.

The full error message is as follows: "Operation cannot be fulfilled on ciliumnodes.cilium.io <node>: the object has been modified; please apply your changes to the latest version and try again".

It means that the Kubernetes `UpdateStatus` call has failed because the local `ObjectMeta.ResourceVersion` of submitted CiliumNode version is out of date. In the presence of races, this error is expected and will resolve itself once the agent receives a more recent version of the object with the new resource version.

However, it is possible that the resource version of a `CiliumNode` object is bumped even though the `Spec` or `Status` of the `CiliumNode` remains the same. This, for example, happens when `ObjectMeta.ManagedFields` is updated by the Kubernetes apiserver.

Unfortunately, `CiliumNode.DeepEqual` does _not_ consider any `ObjectMeta` fields (including the resource version). Therefore two objects with different resource versions are considered the same by the `CiliumNode` watcher used by IPAM.

But to be able to successfully call `UpdateStatus` we need to know the most recent resource version. Otherwise, `UpdateStatus` will always fail until the `CiliumNode` object is updated externally for some reason.

Therefore, this commit modifies the logic to always store the most recent version of the `CiliumNode` object, even if `Spec` or `Status` has not changed. This in turn allows `nodeStore.refreshNode` (which invokes `UpdateStatus`) to always work on the most recently observed resource version.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit 3913fe1
Update k8s tests and libraries to v1.23.0-rc.0
[ upstream commit c56075d ]

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Quentin Monnet <quentin@isovalent.com>

Commit a3a9aa5
Commit ffa2ef5