v1.13 Backports 2023-04-03 #24706
[ upstream commit 2a0c158 ]

as we don't know which k8s events/resources were received during the initial k8s sync

Backporting conflicts:
* minor conflict in the manager as v1.13 doesn't have the policies by source IP cache

Fixes: #23529
Fixes: #23967
Suggested-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit c08189c ]

This commit adds a unit test case for L3 skb fast redirecting to an L2 device.

Backporting conflicts:
* minor conflicts in bpf/tests/pktgen.h as some surrounding helpers changed in master, mostly due to the introduction of pktgen__push_default_iphdr_with_options

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit 772f4a0 ]

Currently, the log field k8sNamespace contains the name of the pod instead of the actual namespace when an endpoint gets deleted.

This commit fixes this and adds the k8s namespace.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit 22a3743 ]

There is a flake in e2e test when a test case starts to proceed before ccnp comes to take effect by cilium-agent. The correct way to delete ccnp is to run "kubectl delete" followed by "cilium policy wait", and kubectl helper already has such wrappers.

Fixes: #24380
Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit 294bcd1 ]

There is a flake in e2e test when a test case starts to proceed before cnp comes to take effect by cilium-agent. The correct way to delete cnp is to run "kubectl delete" followed by "cilium policy wait", and kubectl helper already has such wrappers.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit debdd2a ]

Currently, a service is reported as ready if the local Endpoint resource has been found, or it has at least one endpoint in remote clusters. This commit changes slightly the logic, reporting the service ready also if any remote service has been found (even though with 0 endpoints), to prevent that an update is possibly missed on scale to zero events.

In particular, the issue can be triggered in case the local service has no selector (hence k8s creates neither an Endpoint nor an EndpointSlice object), while the remote one is standard. When the deployment targeted by the remote cluster is scaled to 0, the service entry in the local cluster is not correctly cleared.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit b7d58c1 ]

Previously, upon detecting the deletion of a global service in a remote cluster, we removed the corresponding external endpoints. Still, we did not delete the map associated with that service when no remote endpoints were left. This commit fixes this, and also ensures that the service entry is deleted if no longer ready.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit b021b64 ]

Follow-up to e5e44a9 ("bpf: grow verifier log buffer to 10MiB, log as debug").

This commit removes the call to Debug from replaceDatapath and handles it in regenerate() instead, where it writes a 'verifier.log' file containing the full verifier log to the endpoint directory as well as to standard error.

This results in output similar to this:

```
Verifier error: program cil_to_host: load program: invalid argument: unreachable insn 68 (1 line(s) omitted)
Verifier log: load program: invalid argument: unreachable insn 68 processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
level=warning msg="JoinEP: Failed to load program for host endpoint (cil_to_host)" ... error="loading eBPF collection ..." file-path=628_next/bpf_host.o identity=1 ipv4= ipv6= k8sPodName=/ subsys=datapath-loader veth=cilium_host
```

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit e76d074 ]

The ipv6_hdrlen function incorrectly sets the length of the extension header during parsing, causing cilium to obtain the wrong next header and resulting in packet loss.

This issue will affect the parsing of IPv6 packets that carry both the "auth" and other extension headers, such as `ipv6/auth/hopbyhop/tcp`.

Backporting conflicts:
* minor conflict in bpf/tests/pktgen.h due to the upstream changes to the pktgen__push_default_iphdr helper

Fixes: 1ce3c7f ("bpf: Skip over IPv6 extension headers")
Fixes: #24187
Signed-off-by: chenyuezhou <zcy.chenyue.zhou@gmail.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

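An added example, not taken from this commit or from Cilium's code: a bounded walker for an `ipv6/auth/hopbyhop/tcp` chain in which each header's length is computed with that header's own rule (RFC 4302 for auth, RFC 8200 for the others). The names `ext_hdr_bytes`, `walk_ext_hdrs` and `sample` are hypothetical, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers for the headers handled here. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_AUTH = 51, NH_DSTOPTS = 60 };

/* Byte length of one extension header from its second byte; -1 if nh is not one. */
static int ext_hdr_bytes(uint8_t nh, uint8_t len_field)
{
    switch (nh) {
    case NH_AUTH: return (len_field + 2) * 4;   /* RFC 4302: 4-octet units, minus 2 */
    case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
        return (len_field + 1) * 8;             /* RFC 8200: 8-octet units, first 8 not counted */
    default: return -1;
    }
}

/* Walk the chain after the fixed IPv6 header; returns upper-layer offset, -1 if truncated. */
static int walk_ext_hdrs(const uint8_t *buf, size_t len, uint8_t nh, uint8_t *proto)
{
    size_t off = 0;
    for (int i = 0; i < 8; i++) {               /* bounded loop, as BPF code needs */
        if (ext_hdr_bytes(nh, 0) < 0) {         /* not an extension header: done */
            *proto = nh;
            return (int)off;
        }
        if (off + 2 > len) return -1;
        size_t hl = (size_t)ext_hdr_bytes(nh, buf[off + 1]);
        if (off + hl > len) return -1;
        nh = buf[off];                          /* next header is read from this header */
        off += hl;                              /* and skipped using this header's rule */
    }
    return -1;
}

/* Constructed sample: auth (24 bytes) / hop-by-hop (8 bytes) / first 4 TCP bytes. */
static const uint8_t sample[] = {
    NH_HOPOPTS, 4, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    NH_TCP, 0, 1, 4, 0, 0, 0, 0, 0x30, 0x39, 0x00, 0x50,
};

int main(void)
{
    uint8_t proto = 0;
    int off = walk_ext_hdrs(sample, sizeof(sample), NH_AUTH, &proto);
    printf("upper-layer protocol %d at offset %d\n", proto, off);
    return 0;
}
```

With a length field of 4, the auth header is 24 bytes under its own rule, while the generic 8-octet rule would give 40 and step past the hop-by-hop header in this sample.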
[ upstream commit cef765b ]

Backporting conflicts:
* skipped the CODEOWNERS changes

Signed-off-by: Feroz Salam <feroz@argh.in>
Co-authored-by: Dan Wendlandt <dan@isovalent.com>
Co-authored-by: Joe Stringer <joe@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit edf15f1 ]

Always init gatewayIP to 0.0.0.0 by default instead of the previous nil value.

Before this commit the rules that didn't match any node were added in addMissingEgressRules and removed right after in removeUnusedEgressRules. The egressmap auto convert nil to 0.0.0.0 and removeUnusedEgressRules doesn't do anything to match nil and 0.0.0.0.

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

[ upstream commit af5d551 ]

As documented in the code, since we quadruple the buffer in the loop, the next step up from 4MiB is 16MiB, which would overshoot the limit of <5.2 kernels by one byte.

I did not opt for doubling instead of quadrupling the buffer, since that means logs over 8MiB would also fail to load on kernels <5.2.

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>

ec037dd to 11299c9
My PR looks good. Thanks!
/test-backport-1.13

Job 'Cilium-PR-K8s-1.24-kernel-4.9' failed.

edit: probably another instance of #24701
I reviewed the backport for that PR and it looks good to me. Thanks!
Marking as ready
Once this PR is merged, you can update the PR labels via:
or with
see individual commits for list of conflicts