v1.10 backports 2022-09-28 #21469
Merged
v1.10 backports 2022-09-28 #21469
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit 751e2df ] Signed-off-by: John Watson <johnw@planetscale.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit ac377a4 ] Let's use Grafana instead to monitor CI stability. Ref: cilium#21238 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 619366f ] The DNS proxy is only allocated if L7 proxy is enabled. The cleanup code did not check if it allocated causing a nil deref on shutdown. controlplane test was modified to only set the mock DNS proxy when L7 proxy is enabled to reflect behavior of bootstrapFDQN and catch similar issue in the future. Fixes: cilium#21264 Fixes: 266f705 ("dnsproxy: add cleanup") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 0cb4b97 ] There is more and more usage of envoy proxy in cilium, so it's better to have utility to dump its config for troubleshooting later. ``` root@minikube:/home/cilium# tar -xf /tmp/cilium-bugtool-20220918-132428.955+0000-UTC-2901326153.tar root@minikube:/home/cilium# ls -lrt cilium-bugtool-20220918-132428.955+0000-UTC-2901326153/cmd/envoy-config.json -rw-r--r-- 1 root root 28645 Sep 18 13:24 cilium-bugtool-20220918-132428.955+0000-UTC-2901326153/cmd/envoy-config.json ``` Signed-off-by: Tam Mach <tam.mach@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 563787e ] Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 3e0d679 ] It's `log` in the [config.go](https://github.com/cilium/cilium/blob/master/pkg/option/config.go#L988). Also fix the delimeter (the actual cli acceps the space but not a comma). Signed-off-by: Vladimir Pouzanov <farcaller@gmail.com> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 41d1499 ] Explicitly log if no policy maps are found to improve debuggability. Signed-off-by: Aditi Ghag <aditi@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 592ff13 ] **TL;DR.** We only need one of an XFRM IN policy or an XFRM IN state to match each packet. This commit removes one superfluous XFRM IN policy and enables some additional simplification as a result. What XFRM IN policy we install currently depends of whether we are running in tunneling mode and with or without endpoint routes: In tunneling mode: XFRM IN policy matching on mark 0x200/0xf00 (for proxy) XFRM IN policy matching on mark 0xd00/0xf00 (for decrypt.) In native routing mode with endpoint routes: XFRM IN policy matching on mark 0x200/0xf00 (for proxy) In all cases, we also have: XFRM IN state matching on mark 0xd00/0xf00 (for decrypt.) The two policies in tunneling mode were introduced by a9f18f3 ("datapath/linux/ipsec: Insert additional In rule when tunneling"). The additional case for endpoint routes was introduced by 3ffe49e ("ipsec: Fix L7 with endpoint routes"). Now, I got to wonder how 3ffe49e even worked as it was missing an XFRM IN policy for 0xd00 which a9f18f3 suggested was necessary. After some local testing, it turns out that the two XFRM IN policies for tunneling mode are not required. All we need is to have either (1) an XFRM IN policy or (2) an XFRM IN state matching the packets. The XFRM state is needed if we want to decrypt packets; the XFRM policy is needed to not drop packets that don't match an XFRM state. Given we always have an XFRM IN state for packets coming with the decryption mark, we don't need an XFRM IN policy for that. We only need an XFRM IN policy for packets coming with the proxy mark because we don't have a state for those, rightly so as we don't want to decrypt them. This commit therefore removes the XFRM IN policy for decryption. It also removes any dependency on particular options: we will always install the XFRM IN policy for the proxy. It doesn't hurt to have that policy even if not required (e.g., in native routing mode without endpoint routes). **How was this tested?** This change was tested with our Jenkins IPsec tests (including the quarantined one for VXLAN), as well as with GKE and EKS clusters of 3 nodes. In all cases, the connectivity tests were executed and L7 policies were thus covered. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit 2e36f12 ] In case the call to endpoint.NewEndpointFromChangeModel in (*Daemon).createEndpoint fails (e.g. due to invalid data in the request), the returned *endpoint.Endpoint is nil while err is non-nil. However, invalidDataError is called with ep=nil, leading to a nil pointer dereference in ep.SetState. Fixes: 0d6b7ad ("endpoint: Add Invalid state") Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added
backport/1.10
kind/backports
gandro
requested review from
nebril,
aditighag,
joamaki,
michi-covalent,
pchaigno,
sayboras,
tklauser and
tommyp1ckles
sayboras
approved these changes
Sep 28, 2022
tklauser
approved these changes
Sep 28, 2022
aditighag
approved these changes
Sep 28, 2022
joamaki
approved these changes
Sep 28, 2022
joestringer
approved these changes
Sep 28, 2022
|
/test-backport-1.10 Job 'Cilium-PR-K8s-GKE' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
nebril
approved these changes
Sep 30, 2022
|
Marking this ready-to-merge. The failing GKE workflows are infrastructure related and both pipelines have been disabled on master for that reason. |
gandro
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via: