-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.11 backports 2022-04-26 #19585
v1.11 backports 2022-04-26 #19585
Conversation
[ upstream commit 6c5e2d6 ] Prometheus provides metrics collectors that expose go runtime and go build information, which can be useful to server administrators, lets expose them. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit ec187e8 ] Currently, when building Cilium with a Go major/minor version other than the one specified in `GO_VERSON`, the build currently fails with: package github.com/cilium/cilium/cilium: build constraints exclude all Go files It's not obvious from the compiler error message that this is due to mismatching Go version. This change adds a `check-go-version` target which checks the Go compiler version used for building Cilium (as specified in `$(GO)` against the version pinned in the `GO_VERSION` file, i.e. the version used to build Cilium in CI. This check is required to pass in the `precheck` target which should surface mismatching Go versions in a more user-friendly way. Example with matching version: $ go version go version go1.18.1 linux/amd64 $ make check-go-version Example with mismatching version: $ go1.17.9 version go version go1.17.9 linux/amd64 $ make GO=go1.17.9 check-go-version Installed Go version 1.17 does not match requested Go version 1.18 make: *** [Makefile:602: check-go-version] Error 1 Suggested-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit aafc70b ] It'll be useful to reuse this in-place zombie sort in an upcoming patch, split it out in preparation. Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit ac93cb4 ] [ Backporter's notes: Minor conflicts in endpoint.go, fqdn/cache.go ] Commit f6ce522 ("FQDN: Added garbage collector functions.") introduced a per-host limit on the number of IPs to be associated in the DNS cache, but at the time we did not support keeping FQDN entries alive beyond DNS TTL ("zombie entries"). These were later added in commit f629372 ("fqdn: Add and use DNSZombieMappings in Endpoint"), but at that time no such per-host limit was imposed on these zombie entries. Commit 5923daf ("fqdn: keep IPs alive if their name is alive") later adjusted the zombie garbage collection to allow zombies to stay alive as long as any IP that shares the same FQDN is marked as alive. Unfortunately, this lead to situations where a very high number of DNS cache entries remain in the cache beyond the DNS TTL, simply because one IP for the given name continues to be used. In the case of something like Amazon S3, where DNS TTLs are known to be low, and IP recycling high, if an app constantly made requests via ToFQDNs policy towards names hosted by this service, this could lead to thousands of stale FQDN mappings accumulating in the cache. For each of these mappings, Cilium would allocate corresponding identities, and when this is combined with a permissive pod policy, this could lead to policymaps becoming full, and error messages in the logs like: msg="Failed to add PolicyMap key" ... error="Unable to update element for map with file descriptor 67: argument list too long" This could also prevent new pods from being scheduled on nodes, as Cilium would be unable to implement the full requested policy for the new endpoints. In order to mitigate this situation, extend the per-host limit configuration to apply separately also to zombie entries. This allows up to 'ToFQDNsMaxIPsPerHost' FQDN entries that are alive (ie below DNS TTL) in addition to a further 'ToFQDNsMaxIPsPerHost' zombie entries corresponding to connections which remain alive beyond the DNS TTL. Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit b3b0502 ] Due to some CORS policy, the requests being performed from docs.cilium.io to readthedocs.org were being denied. This was causing the warning banner to never show up in the documentation. To avoid this problem a page redirect was configured in readthedocs settings to redirect docs.cilium.io/version to readthedocs.org/api/v2/version which will hopefully fix the issue and the API endpoint was set to docs.cilium.io. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io>
/test-backport-1.11 Job 'Cilium-PR-K8s-1.22-kernel-4.19' failed: Click to show.Test Name
Failure Output
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
|
/ci-external-workloads-v1.11 |
/test-1.17-4.9 |
The fix for the conformance aws-cni test is here |
/ci-awscni-1.11 |
Latest aws-cni breakage during
|
External workloads hit #19603 again. |
Only AWS-CNI (described above), External workloads (known flake) and k8s-1.22-kernel-4.19 (known flake) are currently broken. This PR should be good from a CI perspective. |
[ upstream commit 7d30daf ] It looks that we can't do a Page redirect from 'robots.txt' in readthedocs settings. This commit is another attempt of having a manually defined robots.txt file. Signed-off-by: André Martins <andre@cilium.io>
c1a95aa
to
6244aca
Compare
--tofqdns-endpoint-max-ip-per-hostname
#19452 -- Limit the number of active FQDNs beyond the TTL to--tofqdns-endpoint-max-ip-per-hostname
(@joestringer)pkg/endpoint/endpoint.go
,pkg/fqdn/cache.go
Once this PR is merged, you can update the PR labels via: