[v1.13] Bump envoy to v1.27.x #31498
sayboras commented Mar 19, 2024 (edited by jrajahalme)
- envoy: Use embedded proxylib from cilium-proxy image #26101 (@sayboras)
- daemon: Add ingress endpoint #28126 (@jrajahalme)
- envoy: Update to Envoy 1.27.0, drop privileges #27498 (@jrajahalme)
- [v1.15] envoy: Bump golang version to 1.21.8 #31221 (@sayboras)
/test
/test-backport-1.13

Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/1123/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.21-kernel-4.19' hit: #30802 (91.34% similarity)
/test-1.16-4.19
/test-1.21-4.19
This module is moved to cilium/proxy as part of the below PR; the main reason is to make sure that the cilium/proxy container image is fully self-contained and has no dependency on cilium/cilium.
cilium/proxy#232
Signed-off-by: Tam Mach <tam.mach@cilium.io>

This module can be imported directly from cilium/proxy now.
Signed-off-by: Tam Mach <tam.mach@cilium.io>

[ upstream commit 34415bd ]
This commit is to perform the below:
- Update envoy image to latest build from v1.26 branch
- Include new resources into pkg/envoy/resource for serialization
  - grpc related resources are for upcoming support with GRPCRoute
- Change policy id to uint32, related to cilium/proxy@f37daf7
Related build: https://github.com/cilium/proxy/actions/runs/7070197416/job/19246669763
Signed-off-by: Tam Mach <tam.mach@cilium.io>

[ upstream commit de085db ]
Fix comments that still had references to the now-deprecated uint64 policy IDs.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 04f19e9 ]
Add Cilium Endpoint representing Ingress. It is defined without a veth interface and no bpf programs or maps are created for it. Ingress endpoint is needed so that the network policy is computed and configured to Envoy, so that ingress/egress network policy defined for Ingress can be enforced.

Cilium Ingress is implemented as L7 LB, which is an Envoy redirect on the egress packet path. Egress CNP policies are already enforced when defined. Prior to this commit CNPs defined for reserved:ingress identity were not computed, however, and all traffic passed through by Cilium Ingress was allowed to egress towards the backends. When the backends receive such packets, they are identified as coming from Cilium Ingress, so any ingress policies at the backends cannot discern the original source of the traffic.

This commit adds a Cilium endpoint for the reserved:ingress identity, which makes the Cilium node compute and pass policies whose endpoint selector selects this identity (e.g., by selecting all entities) to Envoy, so that they can be enforced. Envoy listener will then enforce not just the egress policy but also the ingress policy for the original incoming source security identity.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

[ upstream commit 7646b69 ]
Turn on ingress policy enforcement on L7 LB. With this cilium-envoy starts dropping Ingress traffic unless Cilium Agent configures it with a passing policy via the Ingress endpoint (with the reserved:ingress identity).
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

[ upstream commit 7404cb2 ]
Update generated Envoy Go API for cilium-envoy based on Envoy 1.27.0.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>

[ upstream commit 3166f95 ]
Use cilium-envoy image that drops privileges from the Envoy process before it starts. Envoy now needs to be started as `cilium-envoy-starter`, which drops all privileges before executing `cilium-envoy`. If `cilium-envoy` is executed directly with any privileges, it will terminate with the following error message when any Cilium filters are first configured:

"[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 && get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy running with privileges, exiting"

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
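The commit above describes a starter/worker split: `cilium-envoy-starter` drops all privileges, and `cilium-envoy` asserts that its effective and permitted capability sets are empty before it runs any Cilium filter. The following is an added example, not code from cilium/proxy or this PR: a minimal Linux starter in C that clears every capability set, blocks re-acquisition via setuid or file capabilities, and verifies the same empty-set condition before exec. It assumes Linux, and `drop_all_capabilities` and `running_unprivileged` are hypothetical names.

```c
/* Added example, not cilium/proxy code: a minimal Linux starter that drops
 * every capability before exec'ing the real binary, and the self-check the
 * cilium-envoy commit message describes. Function names are hypothetical. */
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Read the calling thread's capability sets via the raw capget syscall
 * (no libcap dependency). Returns 0 on success. */
static int read_caps(struct __user_cap_data_struct data[2]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(data[0]));
    return (int)syscall(SYS_capget, &hdr, data);
}

/* The condition behind the cilium-envoy assert: both the effective and
 * the permitted set must be empty. Returns 1 if unprivileged, else 0. */
int running_unprivileged(void) {
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0) return 0;
    return (data[0].effective | data[1].effective |
            data[0].permitted | data[1].permitted) == 0;
}

/* What a starter does before exec: clear all three sets so the child
 * cannot regain them, and forbid privilege gain through setuid/file caps.
 * Returns 0 on success, -1 if any step failed or privileges remain. */
int drop_all_capabilities(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct zero[2];
    memset(zero, 0, sizeof zero);
    if (syscall(SYS_capset, &hdr, zero) != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return running_unprivileged() ? 0 : -1;
}

/* Usage: ./starter <program> [args...]; exec happens only once the sets are empty. */
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]); return 2; }
    if (drop_all_capabilities() != 0) { perror("drop_all_capabilities"); return 1; }
    execvp(argv[1], argv + 1); /* only reached with empty capability sets */
    perror("execvp");
    return 1;
}
```

Run as root (or with any file capabilities) the child still starts with empty sets, which is the condition the cilium-envoy assert checks; the worker itself should keep performing that check rather than trusting the starter.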
This is to pick up the new image with updated golang version, and other dependency bump.
Related commit: cilium/proxy@99c1c8f
Related build: https://github.com/cilium/proxy/actions/runs/8179378100/job/22365327840
Signed-off-by: Tam Mach <tam.mach@cilium.io>
/test

Remove preview only label as https://github.com/cilium/cilium/releases/tag/v1.13.14 is released.
/test-backport-1.13

Job 'Cilium-PR-K8s-1.24-kernel-4.19' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-4.19/436/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed:
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.19/458/
If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue.
/test-1.21-4.19
/test-1.24-4.19
Quick clarifying question, otherwise looks good for API changes. If you need a more advanced review from an API perspective, I'd recommend looping other folks in; my knowledge of our proxy stack isn't good enough to give a lot of feedback here.
@sayboras Optimally we would not introduce functional changes to v1.13. Did you find that we had introduced breaking changes to Envoy so that this update did not work out without the Ingress IP? Seems that the drop privileges change is wanted to avoid reverting that change on

@sayboras please manually update the

Thanks and done ✅