[v1.13] Bump envoy to v1.27.x #31498
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
sayboras
commented
Mar 19, 2024
•
sayboras
commented
- envoy: Use embedded proxylib from cilium-proxy image #26101 (@sayboras)
- daemon: Add ingress endpoint #28126 (@jrajahalme).
- envoy: Update to Envoy 1.27.0, drop privileges #27498 (@jrajahalme )
- [v1.15] envoy: Bump golang version to 1.21.8 #31221 (@sayboras)
sayboras
had a problem deploying
to
release-base-images
GitHub Actions
Failure
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
sayboras
added
kind/backports
|
/test |
sayboras
force-pushed
the
tam/envoy-1.27-drop-priviledges-1.13
branch
from
4453cc5
to
94ecd1c
Compare
sayboras
added
the
release-note/minor
sayboras
changed the title
sayboras
removed
the
dont-merge/needs-release-note-label
sayboras
force-pushed
the
tam/envoy-1.27-drop-priviledges-1.13
branch
from
94ecd1c
to
b03c95a
Compare
2 tasks
sayboras
force-pushed
the
tam/envoy-1.27-drop-priviledges-1.13
branch
3 times, most recently
from
fadf3ed
to
6c47ff7
Compare
sayboras
changed the title
sayboras
added
the
release-blocker/1.13
sayboras
force-pushed
the
tam/envoy-1.27-drop-priviledges-1.13
branch
from
6c47ff7
to
6f39645
Compare
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/1123/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.21-kernel-4.19' hit: #30802 (91.34% similarity) |
sayboras
changed the title
1 task
|
/test-1.16-4.19 |
|
/test-1.21-4.19 |
This module is moved to cilium/proxy as part of the below PR, the main reason is to make sure that cilium/proxy container image is fully self-contained, and has no dependency with cilium/cilium. cilium/proxy#232 Signed-off-by: Tam Mach <tam.mach@cilium.io>
This module can be imported directly from cilium/proxy now Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit 34415bd ] This commit is to perform the below: - Update envoy image to latest build from v1.26 branch - Include new resources into pkg/envoy/resource for serialization - grpc related resources are for upcoming support with GRPCRoute - Change policy id to uint32, related to cilium/proxy@f37daf7 Related build: https://github.com/cilium/proxy/actions/runs/7070197416/job/19246669763 Signed-off-by: Tam Mach <tam.mach@cilium.io>
[ upstream commit de085db ] Fix comments that still had references to the now-deprecated uint64 policy IDs. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 04f19e9 ] Add Cilium Endpoint representing Ingress. It is defined without a veth interface and no bpf programs or maps are created for it. Ingress endpoint is needed so that the network policy is computed and configured to Envoy, so that ingress/egress network policy defined for Ingress can be enforced. Cilium Ingress is implemented as L7 LB, which is an Envoy redirect on the egress packet path. Egress CNP policies are already enforced when defined. Prior to this commit CNPs defined for reserved:ingress identity were not computed, however, and all traffic was passed through by Cilium Ingress was allowed to egress towards the backends. When the backends receive such packets, they are identified as coming from Cilium Ingress, so any ingress policies at the backends can not discern the original source of the traffic. This commit adds a Cilium endpoint for the reserved:ingress identity, which makes the Cilium node compute and pass policies whose endpoint selector selects this identity (e.g., by selecting all entities) to Envoy, so that they can be enforced. Envoy listener will then enforce not just the egress policy but also the ingress policy for the original incoming source security identity. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 7646b69 ] Turn on ingress policy enforcement on L7 LB. With this cilium-envoy starts dropping Ingress traffic unless Cilium Agent configures it with a passing policy via the Ingress endpoint (with the reserved:ingress identity). Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[upstream commit 7404cb2] Update generated Envoy Go API for cilium-envoy based on Envoy 1.27.0. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io>
[upstream commit 3166f95] Use cilium-envoy image that drops privileges from the Envoy process before it starts. Envoy now needs to be started as `cilium-envoy-starter`, which drops all privileges before executing `cilium-envoy`. If `cilium-envoy` is executed directly with any privileges, it will terminate with the following error message when any Cilium filters are first configured: "[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 && get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy running with privileges, exiting" Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to pick up the new image with updated golang version, and other dependency bump. Related commit: cilium/proxy@99c1c8f Related build: https://github.com/cilium/proxy/actions/runs/8179378100/job/22365327840 Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras
force-pushed
the
tam/envoy-1.27-drop-priviledges-1.13
branch
from
6f39645
to
d0fae6a
Compare
|
/test |
|
Remove preview only label as https://github.com/cilium/cilium/releases/tag/v1.13.14 is released. |
sayboras
removed
the
dont-merge/preview-only
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.24-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-4.19/436/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.21-kernel-4.19/458/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/test-1.21-4.19 |
|
/test-1.24-4.19 |
learnitall
reviewed
Mar 29, 2024
learnitall
approved these changes
Apr 1, 2024
sayboras
added
the
release-blocker/1.13
|
@sayboras Optimally we would not introduce functional changes to v1.13. Did you find that we had introduced breaking changes to Envoy so that this update did not work our without the Ingress IP? Seems that the drop privileges change is wanted to avoid reverting that change on |
jrajahalme
approved these changes
Apr 2, 2024
julianwiedmann
approved these changes
Apr 2, 2024
maintainer-s-little-helper
bot
added
the
ready-to-merge
|
@sayboras please manually update the |
Thanks and done ✅ |
This was referenced Apr 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.