1.1.0-rc1
Pre-release
Changes
Amey Bhide (2):
contrib: Script to figure cilium pod for a given pod
Adds flag to clean up cilium state before startup
André Martins (70):
vendor: update k8s dependencies to 1.10.0
docs: update k8s dependencies to 1.10.0
examples/kubernetes: add k8s spec file auto-generator
examples/kubernetes: add k8s spec files for master (:latest)
docs/conf.py: Update copyright date to 2018
docs: add global var SCM_BRANCH for branch name
docs: update docs with tabs for multiple k8s versions
test: use generate k8s spec files for testing
tests: disabling K8sValidatedUpdates test
README: change jenkins badge links
fix misspelled comments in the code
docs: fix l4 policy examples
docs: review kafka GSG
docs: update minikube GSG
examples/k8s: fix 1.8 spec files
docs: add sphinx-spelling to documentation
docs: add custom wordlist for spellcheck
docs: fix spelling in documentation
pkg/node: fix nil pointer dereference
packaging/docker: update docker runtime to 17.10
Dockerfile: point dockerfile to quay.io base images
envoy: move Dockerfile.builder to envoy directory
Makefile: remove docker-image push instructions
docs: fix titles formatting
docs: add quay.io tutorial
docs: add misspell words checker
docs: fix some misspelled words
docs: review troubleshooting guide
examples/kubernetes: keep file order when catenating all files into one
examples/kubernetes: avoid port conflict for running etcd
examples/kubernetes: change etcd default port
docs: use common minikube setup for all GSG
examples/kubernetes: move standalone-etcd.yaml to addons/
docs: GSG add instructions to install standalone etcd
docs: add istio GSG to the list of GSGs
docs: fix misspelled words
test: update kubedns to 1.14.9
test: fix star wars demo
test: use cilium exec helper
ctmap: remove debug message
test: fix wrong IPv6 assignment
Revert "CI: Temporarily add retry 3 times logic in connectivity.go"
test: change archive type to zip
k8s: remove unused code for KNP extensions/v1beta1
test: change k8s 1.7 manifests to extensions/v1beta1
development: add cache to k8s components
k8s: add some fixes to the kubernetes spec file
k8s: only watch for ingress changes if LB is enabled
Vagrantfile: re-add workaround for kube-proxy in node-2
start.sh: add routes based on VM name
test: update k8s tests for 1.8, 1.9, 1.10 and 1.11
pkg/ip: fix getNextIP for IPv4
pkg/option: move pkg/option/config to pkg/option/map_options.go
pkg/option: move endpoint library options to option package
daemon: move daemon's library option to pkg/option
endpoint: move endpoint's library option to pkg/option
daemon: move daemon's config to option/config
vendor.conf to golang/dep
docs: list dep in dependencies list
pkg/endpoint: fix owner merge conflict
docs: fix typos
docs: change minikube GSG to have necessary flags to run CNI
docs: remove duplicated cilium installation instructions from GSG
docs: layout fixes in GSG
pkg/bpf: Use pointer receivers for MapKeys types
test: update k8s versions to 1.7.15, 1.8.13, 1.9.8, 1.10.3 and 1.11.0-beta.0
vendor: update k8s dependencies to 1.10.2
common: add C2GoArray function
pkg/ip: add GetNextIP
pkg: allocate first IP in IPv4 allocation range
Arvind Soni (4):
doc: Star Wars theme HTTP Getting Started Guide
Text edits based on the reviews
Fix image formatting and simplifies app yaml
Elasticsearch Getting Started Guide
Ashwin Paranjpe (2):
Update docs related to cluster-diagnosis
GH4164 Append rule labels while parsing api.Rule
ChristopherBiscardi (1):
cilium/cmd: add ls alias for list commands
Daniel Borkmann (11):
docs: update mailmap and authors
bpf: further work on bpf reference guide
docs, bpf: complete iproute2 section and add llvm inline asm example
docs, bpf: initial xdp section and improved projects section
docs, bpf: finalize initial round on xdp section
docs, bpf: initial tc bpf section
docs: update mailmap and authors
docs, bpf: fix typo in overview graphic
docs, bpf: minor follow-up fixes in the ref guide
docs, bpf: improve llvm6.0 dependency note
bpf: remove geneve TLV options
Eloy Coto (67):
Test: Trigger `vm.ReportFailed` in the global AfterAll
Test: Enable egress-deny
Test: Fix hack in `SetAndWaitForEndpointConfiguration`
Nightly: Change Ping behaviour on egress rules
Nightly: Add listening check on TCP KeepAlive
Test: Add cilium monitor in GuestBook Examples
Test: Do not gather envoy.log
Bugtool: Add gops output
Test: Enable Cilium Update test
Test: trigger AfterFailed before AfterEach when is in Context
Test: Add separate logs per each cilium pod
Test: Fix issue with Kubectl describe
Test: Enabled K8sUpdates correctly.
DOC: Cheatsheet change structure
Test: Validate DNS before trying to connect on curl
Test: CNP use full FQDN
DOC: Update cilium contributing docs:
Docs: Add a new `test-docs-please` phrase to test only docs
Docs: review GRPC GSG
DOC: Review Getting help section
Documentation: Address PR comments
Test: Added new Jenkins job to run Kubernetes official e2e tests
Test: Increase logs for Kube-dns issues
Jenkins: Fix timeout on docs.
CI: Add colors to builds.
Ginkgo: Run monitor on test
Test: Fix typos
Test: Update Kafka Env variable.
Test: Fix issues with Updates and Kube-dns
Nightly: Fix issues with Kubectl exec
CI: Update packer-ci job and documentation
Docs: Fix spelling wordlist and sphinx warnings
Test: Archive in quiet mode
Test: Fix recursion issue with Kubectl.CiliumExec
Test: Check that after restart cilium still return 403 messages
Test: Import Network Policy and ensure that it is applied in all Cilium Pods.
Vagrantfile: Update Vagrant version to 68
Jenkins: Add automatic trigger if a label is present
Ginkgo: Add segmentation fault check on `ValidateErrorsOnLogs`
Test: Gather core dumps in test if are present.
Test: Gather core dumps from cilium kubernetes pods
Nightly: Exclude connectivity test on invalid policies
Test: Fix Bookinfo issues
Test: Updating Kube-dns manifest to get more verbose
Test: Fix issues on `kubectl.CiliumReport`
Bugtool: Fix gops commands
Test: Simplified Kafka K8S test
Test: Add NACK message in log checks.
Test/K8s: Added debug logs in cilium DS
Test: K8s Policies did not wait for all endpoints to be ready.
Contrib: Add a jenkins status script.
Test: Update Vagrant boxes
Test: CMDSuccess Matcher
Test: Use helpers.CMDSuccess in ExpectWithOffset
Test: Clean all res.CombineOutput in all ResCmd asserts
Test: CMDSuccess fix typos
Test: Improved Ginkgo logs
Test: Append the AfterFailed commands to the Jenkins Output.
Test: Add more context commands on AfterFailed commands
Test: Dump vagrant provision logs to Jenkins console.
Test: Add test result in Jenkins Junit
Jenkins: Fix issues with downstreams Jobs
Test: Improved Kubectl CEP helpers
Test: Enable containerd on Jenkins builds.
Test: Fix issues with Ginkgo Kubernetes Job
Test: Ginkgo fix AfterFailed when fail on JustAfterEach.
Test: Do not log cilium logs in test-output.log
Eohyung Lee (1):
Fix broken kubernetes-ingress example
Ian Vernon (151):
pkg/policy/api: add SelectsAllEndpoints function
pkg/policy: fix merging of L4-related policy
examples/minikube: convert L3-L4 policy to CiliumNetworkPolicy
Documentation/gettingstarted: update Minikube GSG to reflect how we handle L4-only and L4-L7 policy on the same port
Documentation/gettingstarted: update `cilium status` output in Docker GSG
pkg/k8s: add TODO for cleaning up unit tests
pkg/maps/ipcache: log if map unable to be opened
pkg/logging/logfields: add log field for BPF map name
pkg/bpf: add additional logging and error handling
bpf/lib: unconditionally create ipcache bpf map in datapath
.gitignore: ignore test/test_results directory
test/helpers: gather more K8s metadata
test/k8sT: query both service IP and hostname of redis master
test/k8sT: add wait for service endpoints to be ready in guestbook test
test/k8sT: add more descriptive error messages to Guestbook test
pkg/endpoint: log what caused policy changes
pkg/ip: add functionality to coalesce CIDR list
test/k8sT: do not access redis-master via hostname, only service IP
test/helpers: add previous Cilium pod logs to kubectl.GatherLogs()
test/k8sT: do not defer deletion of resources within It
pkg/policy: remove redundant length check in AllowsAllAtL3
pkg/policy: do not use length checks on L4Filter.Endpoints
pkg/policy: change parser type logic for merging L4Filter
Documentation/policy: add label-based egress documentation
test/helpers: add helper function for adding IP addresses to VM loopback device
test: factor out IPs which represent the host
test/helpers: add helper function for flushing global connection tracking table
test/helpers: add HostDockerNetwork constant
test/runtime: add test for egress to host
test/helpers: change `ip addr` commands to use `ExecWithSudo`
test/runtime: misc. cleanups for host egress test
pkg/policy: change string "l3" --> "L4" in tests
pkg/policy: misc. cleanup in merging port functions
pkg/envoy: always use dport in proxy statistics
debuginfo: remove unneeded per-endpoint calls to some bpf commands
debuginfo: run `cilium endpoint health` for each endpoint
cmd: update misc. command Short descriptions
test/helpers: validate policy before importing in `PolicyImportAndWait`
test/runtime: add L3-dependent L7 egress tests
test/helpers: use rsync to copy files instead of cp (#3826)
test/k8sT: wrap CNP Specs test in Context
test/k8sT: do not defer resources in CNP Specs test
test/helpers: make sure that key is non-empty for running `docker logs`
k8sT: test default-deny ingress and egress policy
ginkgo-kubernetes-all.Jenkinsfile: increase timeouts
test/helpers: remove unnecessary logs for creating / deleting Docker containers
test/helpers: log to console when report generation begins / ends
Documentation: remove bash-test framework references
test/k8sT: move cleanupNetworkPolicy to AfterEach within test
test/k8sT: wrap policy across namespaces test in Context
test/k8sT: move creation and deletion of resources
test/k8sT: wrap Checks Service test in `Context`
test/k8sT: move creation of resources outside of `It`
test/k8sT: move cross-node service test within `Context`
test/k8sT: move creation of resources
test/k8sT: move NodePort test to within across nodes `Context`
test/k8sT: fix deletions in AfterEach to not have assertions
test/k8sT: fix instantiation of variables
test/k8sT: change "Checks service across nodes" to use "BeforeAll" and "AfterAll"
test: add helper PolicyEnforcement assertion to avoid boilerplate code
test/runtime: convert RuntimeValidatedPolicyImportTests to use BeforeAll / AfterAll
test/runtime: remove unused constants
test/runtime: add ExpectEndpointSummary helper
test/runtime: cleanup RuntimeValidatedChaos test
pkg/policy/api: reject rules which use non-TCP protocols in conduit with L7 rules
pkg/policy: remove L3L4Policy field from Consumable
pkg/policy: remove SecurityIDContexts and associated types
test/k8sT: wrap Geneve test in `Context`
test/k8sT: move creation / deletion of resources outside `It`
test/k8sT: wrap vxlan test in `Context`
test/k8sT: move creation / deletion of resources outside `It`
pkg/endpoint: do not link created Consumables to ConsumableCache
pkg/policy: remove Remove for ConsumableCache
pkg/identity: add GetAllReservedIdentities function
pkg/policy: remove ConsumableCache
pkg/u8proto: add constant to represent all protocols being allowed
pkg/maps/policymap: coalesce Allow and AllowL4 functions
pkg/maps/policymap: merge IdentityExists and L4Exists functions
pkg/maps/policymap: merge Deletion functions
pkg/endpoint: remove WaitGroup return value from TriggerPolicyUpdatesLocked
pkg/identity: move LabelArray from Consumable to SecurityIdentity
pkg/policy: remove "changed" return value from regenerateConsumable
test/helpers: disable microscope in K8s tests
pkg/endpoint: remove PortMap field
test/k8sT: do not set Debug=False during tests
test/k8sT: rename variable to be more descriptive
test: add helper to wait for CEP revision update in K8s
test/helpers: check whether cep is nil before trying to access its fields
test/helpers: add WaitForCEPToExist function
test/k8sT: wait for CEP to exist before getting policy revision
vagrant: configure journald to allow for large amounts of logs
test/helpers: fix ManifestGet to use filepath.Join
test/helpers: remove Kubectl receiver from ManifestGet
test/k8sT: group var declarations in var( ... )
test/k8sT: move instantiation of vars to when they are declared
test/k8sT: move K8s chaos test to use BeforeAll
test/k8sT: add some assertion helpers
test/k8sT: get manifests in var declarations
test/k8sT: have KafkaPolicies test use assertion helpers
test/k8sT: add wrapper for expecting all pods to be deleted
test/k8sT: replace WaitKubeDNS with ExpectKubeDNSReady
test/k8sT: refactor WaitForPods to return only an error
test/k8sT: use ExpectCiliumReady in more helpers
test/k8sT: remove unused demoPath var
test/k8sT: move instantiation of var to its declaration
test/k8sT: move initialize function for demo test into BeforeAll
test/k8sT: group var declarations
test/k8sT: move Health.go initialization into BeforeAll
test/k8sT: change WaitForServiceEndpoints to only return an error
test/k8sT: move instantiation of manifest variables in declarations
test/k8sT: remove unneeded type declarations for vars
test/k8sT: move instantiation of vars to declaration
test/k8sT: move initialize function to BeforeAll
test/helpers: move ManifestGet to utils.go
test/runtime: add output of command if curl to Google fails in test
pkg/policy: remove debugging Println calls in unit test
pkg/policy/api: add basic HTTP Rule sanitization
pkg/maps/policymap: export PolicyKey type
policy: factor out endpoint PolicyMap updates into controller
pkg/endpoint: refactor label-based L3 policy determination
pkg/bpf: update comment to reflect current behavior
pkg/endpoint: rename L4Policy field to RealizedL4Policy
pkg/endpoint: add DesiredL4Policy field for endpoint
endpoint: remove consumable checks
pkg/endpoint: check SecurityIdentity directly in regenerateBPF
pkg/endpoint: check if endpoint SecurityIdentity is nil in TriggerPolicyUpdatesLocked
pkg/endpoint: add Iteration to Endpoint
pkg/endpoint: remove use of Consumable in regeneratePolicy
pkg/endpoint: do not populate endpoint policy model with Consumable info
pkg/endpoint: check SecurityIdentity instead of Consumable ID
pkg/endpoint: remove Consumable from Endpoint
pkg/policy: remove Consumable
pkg/endpoint: specify why local copy of DesiredL4Policy is made
test: fix Policy cmd test resource deletion
test/runtime: move initialize func into BeforeAll
test: fix CLI resource creation / deletion
test/runtime: move policy deletion to AfterEach
test/k8sT: fix deletion of policy in external services test
test/k8sT: use ExpectWithOffset in helper function
test/k8sT: add failure messages to assertions in validateEgress
test/k8sT/manifests: re-add l3_l4_policy.yaml
pkg/endpoint: release lock if syncPolicyMap fails
configuration: move TracingEnabled to pkg/option
Revert "Re-enable microscope in CI"
cmd: specify JSON format for `cilium policy import`
cleanup: remove refs to Consumable in comments
pkg/endpoint: check if PolicyMap is nil in syncPolicyMap
pkg/endpoint: include node headerfile hash
daemon: factor out node config headerfile into separate function
pkg/node: move IPv4Loopback address from daemon to node package
daemon: remove loopbackIPv4 from Daemon type
Jarno Rajahalme (43):
envoy: Update generated go-files for Cilium HTTP filter.
envoy: Set SO_LINGER and SO_KEEPALIVE on accepted sockets.
envoy: Fix integration test
docs: Document the backporting process.
daemon: Fix Envoy version check and add hidden option to skip it
daemon: Remove deprecated '--envoy-proxy' option
envoy: Pass 'non-redirect' http traffic through.
endpoint: Fix label replacement.
daemon: Regenerate endpoint in PATCH handler also when endpoint is in waiting-for-identity state.
envoy: Remove assert, reduce logging.
bpf: Honor DROP_ALL also in ingress to a container.
bpf: Make all functions in lib/policy.h conditional on DROP_ALL
Makefile: Fix the name of the builder Dockerfile in envoy.
envoy: Fix integration test setting of original dst address.
envoy: Use network byte-order addresses in host map.
envoy: Support CIDRs in NPHDS.
envoy: Add host map to cilium integration test
envoy: Egress integration tests.
docs: Refine backporting instructions.
envoy: Manage life-cycles of singleton maps properly.
envoy: Initialize thread local host map with an empty map.
envoy: Minor cleanup.
envoy: Use distinct Stats stores for each instance of a xDS client.
envoy: Fix handling of zero length CIDR prefixes.
systemd: Enable core dumps.
envoy: Make policy direction configurable for Istio.
maps: Use pointer receivers for MapValue types.
daemon: Sync local IPs to lxcmap periodically.
envoy: Configure gRPC service explicitly to get rid of deprecation warning in the logs.
test: Change DROP_ALL to install a dummy policy.
policy: Do not enable DROP_ALL mode if not needed.
docs: Fix ginkgo command line.
ctmap: Make GC bpf map dumps more robust.
envoy: Log CIDR->ID mappings at debug level.
proxy: Test if port is available before allocating it for a proxy.
proxy: Release redirect sooner.
docs: Remove repetition from Istio GSG.
bugtool: Add '-a' option to netstat.
Gopkg: Update golang/protobuf
envoy: Rebase to get gRPC proxy responses.
bpf: Only create veth pair if it does not already exist.
envoy: Update generated Cilium protobufs.
envoy: Update integration test.
Jess Frazelle (1):
pkg/bpf: add function wrappers for prog syscalls.
Joe Stringer (113):
daemon: Sync loadbalancer BPF maps from goroutine
k8s: Gather timestamps in cilium_logs on failure
docs: Update kubernetes policy page
docs: Update policy intro page
docs: Fix contributing guide warnings
docs: Improve L3 policy section
docs: Improve L4-L7 (+HTTP) policy section
docs: Improve kafka policy wording
docs: Document per-endpoint policy configuration
docs: Document the guiding policy principles
docs: Add GH links for future roadmap features
bpf: Fix conntrack entries for ICMP
bpf: Derive proxy_port from policy rather than CT
bpf: Only apply CIDR ingress to reserved identities
bpf: Apply egress CIDR policy to reserved identities
docs: Document consistent CIDR policy
cidrmap: Allow insert of any length of CIDR
policy: Log errors inserting CIDR entries
bpf: Rename tunnel_endpoint_map -> cilium_tunnel_map
tunnel: Remove old tunnel map upon upgrade.
bpf: Only create conntrack entries for SYN packets
Revert "bpf: Allow CT creation on FIN"
bpf: Fix log message about not supporting CIDR
docs: Pass sphinx options to spellcheck make target
docs: Split spellcheck check from main builds
docs: Print spelling list upon failure
ipcache: Shift NPHDS logic to envoy
envoy: Handle IP->ID deletes inside cache
daemon: Push reserved IP->Identity mappings to XDS
xds: Add tests for cache.Lookup
monitor: Fix CT entry dst port printing
policy: Support reserved:cluster entity
bpf: Fix tracing message for egress policy
bpf: Fix default build config
ipcache: Avoid issuing delete for identity=0
xds: Validate NPHDS updates before upserting
docs: Update concepts for egress policy
docs: Fix bpf spelling complaint
docs: Describe namespace selector behaviour in k8s
endpoint: Remove unnecessary l3 wildcard expansion
ipcache: Reuse existing function for lookup
endpoint: Refactor some IPID handling code to ipcache
ipcache: Log inserts/removes from map
runtime: Refactor egress before/after functions
monitor: Fix IPv6 string formatting in CT messages
policy: Refactor L4Filter creation
policy: Create L7 rules with wildcard selector
policy: Expand comments for policy objects
policy: Move computeResultantCIDRSet() to api
policy: Use typed CIDRSlice / CIDRRuleSlice
policy: Shift error checking comment to function doc
bpf: Rework ipcache to support LPM lookups.
k8sT: Make health test more robust
Makefile: Fix quiet target for make unit-tests
labels: Add CIDR to labels libraries
labels: Format only one CIDR label
policy: Add rule CIDR->*net.IPNet conversion libraries
Makefile: Start etcd test container with -listen-peer-urls
daemon: Check if device exists on endpoint restore
contrib: Remove KVstore containers in systemd scripts
k8sT/Services: Fix URL for bookinfo tests
k8sT/Services: Remove fetch http://details:9080/
ipcache: Support CIDR prefix to ID mappings
daemon: Populate BPF ipcache with CIDR prefixes
daemon: Allocate identities for CIDRs
policy: Resolve CIDRs in rule GetAsEndpointSelectors()
daemon: Fix ipcache conflict between hosts and prefixes
daemon: Refactor ipcache initialization.
daemon: Push reserved CIDR ranges into ipcache
api: Allow egress CIDR+L4 rules
runtime: Add CIDR + L4/L7 egress tests.
ipcache: Reject policies with too many CIDRs.
CODEOWNERS: Shift ownership of ipcache to a team
identity: Fix pair.PrefixString() arguments
manifests: Pin bookinfo container image versions
k8s: Support IPv6 addresses in CIDR policy
k8s: Add CRD IP address validation unit tests
docs: Describe downgrade impact of IPv6 CRD validation
k8s: CIDR: Expand v6 regex to make it more readable
k8s: CIDR: Disallow IPv4-mapped IPv6 addresses
k8s: CIDR: Format IPv6 CIDR regex
policy: Remove CIDR L3 egress plumbing
k8s: Bump CRD schema version.
bpf: Ensure maps are restored on load failure
bpf: Fix failure handling in CreateMap
bpf: Respond to all ARP requests
cmd: Fix `cilium bpf ipcache`
test: Refactor policy labels name for common usage
test: Fix no-op checks in CT tests
test: Handle endpoint list errors in helper
bpf: Improve logging output for map creation
ipcache: Refactor ipcache limitations check to map
bpf: Remove egress CIDR lookup
bpf: Support LPM for ipcache on newer kernels
ipcache: Loosen CIDR configuration restrictions
cmd: Fix import ordering for bpf ipcache
cmd: Describe LPM limitation of IPCache
Remove upstart artifacts.
test: Don't gather logs in -holdEnvironment
bpf: Fix lxc header guard
endpoint: Fix detection of L4 policy changes
ipcache: Rename ipIDPair parameter
ipcache: Provide old mapping to listeners on change
docs: Attempt to use RTD version for GH URLs
daemon: Install rules to mark local applications
bpf: Mark traffic from outside local host as world
daemon: Reuse proxy magic marker variables
daemon: Format packet marks as 32bit hexits
docs: Update dependencies for latest Envoy
metricsmap: Set the key size properly
policy: Express egress CIDRs in endpoint model
endpoint: Use policy for IP LPM, not IPCache
policy: Add test for default CIDR prefix lengths
Julien Kassar (2):
Replace ADD with COPY instruction in Dockerfile
Update envoy Dockerfile
Junli Ou (1):
docs: Specify the instruction format on little-endian machine.
Maciej Kwiek (18):
Clear logging in state.go
Recover from panics in Cilium API
Add pkg/apipanic to API codeowners
[DOCS] Edit API compatibility guarantees section
Remove combine flag from microscope call
Log monitor client disconnect nicely
Notify monitor about policy changes
Wrap monitor policy event information in json
Structure ep regen monitor notifications
Structure agent start monitor notification
Add docstrings to agent monitor notification code
GetLabels -> GetOpLabels in monitor messages
Unflake monitor agent notifications tests
Move endpoint interface from endpoint to monitor
[Docs] Kops installation guide stub
`cilium monitor` json mode
Re-enable microscope in CI
[Monitor] add src and dst data to json output
Manali Bhutiyani (21):
test: Make the Kafka CI errors more descriptive. Fixes: #3503 Related to: #3502 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
test: Move topic creation in the BeforeEach function Fixes: #3503 Related to: #3502 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
docs: Correct spelling mistakes in the docs Fixes: #3523 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
CI: Temporarily add retry 3 times logic in connectivity.go Fixes: #3596 Related to: #3393 Related to: #3595 Related to: #3558
docs: Minikube audit. Add reference links wherever required. Improve docs wherever required. Part of the 1.0 Documentation Review. Fixes: #3669 Related to: #3597
CI: Add ingress/egress default deny tests for CNP Fixes: #3343 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
CI: Remove call to WaitUntilEndpointUpdates, if CiliumPolicyAction is present. CiliumPolicyAction takes care of waiting till endpoints get updated correctly. Remove the unnecessary calling of WaitUntilEndpointUpdates, in addition to CiliumPolicyAction.
docs: Correct backport label in docs from stable/needs-backporting to stable/needs-backport Fixes: #3738 Signed-Off-By: Manali Bhutiyani <manali@covalent.io>
Kafka : remove noise from logging EOF messages in Kafka parser We keep seeing a lot of these on normal client (produce/consume) connection close. We should not be logging valid EOF as errors.
CI: add Runtime default DROP_ALL test This test adds the runtime DROP_ALL tests and does 3 checks to make sure DROP_ALL is applied properly
CI: Move RuntimeValidatedPolicyDropAllTests to RuntimeValidatedPolicies Make the DROP_ALL ginkgo test more time-efficient and resource efficient, by grouping it with RuntimeValidatedPolicies
endpoint: Remove endpoint state directories left behind after build failure Failed regeneration files `XXXXX_next_fail` may stick around after regeneration. We are correctly deleting these files on regeneration, but not on deletion of endpoint. This commit deletes the endpoint XXX_next_fail files on endpoint deletion.
docs: Fix the gsg to point to the correct prometheus yaml The path examples/kubernetes/plugins/prometheus/prometheus.yaml has changed to examples/kubernetes/addons/prometheus/prometheus.yaml Fix this in the GSG docs.
docs: Fix spellchecker to include word Jenkinsfiles
metrics: Add new L7 proxy based metrics This commit declares new proxy based metrics to be exposed via the prometheus framework namely:
docs: Update docs with new L7 proxy based prometheus metrics
linux/bpf.h: Add reference link to in-kernel sk_buff structure.
cmd: Add a CLI command to access the bpf L3-L4 metrics map
bpf: Add BPF map cilium_metrics for L3-l4 packet drops/forwards
pkg/maps/metricsmap: Add a new userspace pkg/maps/metricsmap to access BPF metrics maps.
pkg/maps/metricsmap/: Add a doc.go in the metricsmap pkg
Marius Gerling (2):
Dependency to LLVM >= 6.0 in Documentation added
Dependency to LLVM >= 6.0 in Documentation modified
Matt Layher (3):
pkg/labels: fix go vet issues
pkg/policy: fix go vet issues
test/runtime: fix go vet issues
Michal Rostecki (8):
daemon/endpoint: Handle DeleteElement error properly
pkg/endpoint: Don't declare errs variable in function scope
pkg/envoy/xds: Assign value to ip variable only if it's used
pkg/ip: Assign value to allowedCIDRs variable only if it's used
pkg/policy: Don't assign unused variables
pkg/k8s: Remove unused `node` variable assignment
pkg/k8s: Assign value to `rules` variable only if it's used
pkg/kvstore: Handler error from Get method properly
Nirmoy Das (1):
daemon: exit if tunnel is not supported
Patrice Peterson (1):
Various link fixes in documentation.
Peter Slovak (1):
app3 -> app1 in stateful conntrack paragraph
Ray Bejjani (25):
k8s: Fix bug with CEP cross-version delete
api: Switch API version from v1beta to v1
cli: protect against API nils
daemon: Add more info logs on startup
docs: Update system requirements
doc: Update metrics documentation & list exported metrics
doc: system requirements mention meltdown
doc: Reword docker integration text
k8s: CEP GC controller logs errors at debug level
doc: Update spelling list and fix misspellings
scripts: contrib/backports/check_stable handles backports-done label
scripts: contrib/backports/check_stable prints PR link
doc: Add a section about CiliumEndpoint CRDs
docs: Correct RBAC urls in upgrade guide
test: CmdRes.CombineOutput does not clobber stdout
test: Star Wars demo checks HTTP status in stdout
test: Switch Kafka runtime test to use CombineOutput
monitor: Don't spinloop on node-monitor crashes
monitor: pass payload objects by reference
monitor: only read perf buffer on listener connect
monitor: refactor globals into an object
controller: Cleanup global manager on UpdateController
monitor: Fatal on critical errors instead of panic
monitor: More correctly cancel contexts on exit
endpoint: Force regeneration when there are underlying errors
Romain Lenglet (56):
npds: Properly translate L4-only rules
envoy: Rename the xDS cluster into xds-grpc-cilium
proxy: Create access log file and setup notifier at startup
docs: Use go-swagger Docker container to generate APIs
daemon: Clean up access log setup
test: Fix K8s demos to not use TTYs with kubectl exec
doc: Update Istio GSG for Istio 0.7.0
examples/kubernetes: Generate daemon sets defs for sidecar mode
doc: Use K8s-version-specific YAML files in Istio GSG
doc: Replace cilium-sidecar.yaml with a config map setting
doc: Fix spelling
test: Fix Star Wars demo test
test: Always execute "cilium endpoint get" with -o json
test: Force using IPv4 for egress connections to google.com
policy: Synthesize wildcard L7 rules for L3-only rules
policy: Replace adding L3-only rules into L4PolicyMap with extra loop
envoy: Optimize lookup in allowed remote policies ordered list
daemon: Define CILIUM_ACCESS_LOG and CILIUM_ACCESS_LABELS env vars
daemon: Stop calling viper.AutomaticEnv() in daemon and cilium-health
endpoint: Skip BPF compilation if headerfile is unchanged
endpoint: Support hashing C headers with very long lines
etcd: Clear the etcd status error when connectivity is OK
Revert "etcd: Clear the etcd status error when connectivity is OK"
etcd: Clear the etcd status error when connectivity is OK
npds: Don't update NetworkPolicy if none has been calculated
npds: Don't wait for ACK from sidecar proxy with no L7 rules
ipcache: Fix ipcache deletion of old identities on update
envoy: Fix dynamic casts that remove constness
envoy: Update to same Envoy version as Istio master
build: Fix builder image tag; fix tag used by ginkgo
vagrant: Update box version to use updated Bazel cache
envoy: Remove obsolete Envoy V2 API protobuf generated files
Makefile: Remove instructions to push the -builder Docker image
envoy: Build Istio Docker images
tests: Fix old 10-proxy.sh test
labels: Replace ParseStringLabels with NewLabelsFromModel
controller: Skip StopFunc when stopping controller for update
k8s: Consistently check for namespace labels in endpoint selectors
endpoint: Allow traffic in BPF map when transitioning to allow-all
ipcache: Update NPHDS cache before updating BPF maps
ipcache: Create copies of NPHDS cache resources when updating
xds: Match the client's version if higher than the server's
ipcache: Create copies of NPHDS cache resources when deleting
daemon: Define reserved:init label and set it on endpoints with no labels
policy: Always enable policy for reserved:init endpoints in default mode
api: Add "init" as supported entity
identity: Allocate reserved identities for entity reserved labels
cilium-docker: Remove constraint on endpoint state after creation
cilium-docker: Create veth pair on endpoint creation
cilium-docker: Remove now-unnecessary PATCH /endpoint/{id} API call
endpoint: Fix state machine to support changing endpoint's labels
daemon: Fix identity label update APIs
test: Handle initializing endpoints with the reserved:init identity
k8s: Don't add namespace labels into reserved:init endpoint selectors
endpointmanager: Don't generate new endpoints waiting-for-identity
envoy: Update Istio to the latest 0.8 RC version
Shantanu Deshpande (7):
Miscellaneous typo fixes in documentation.
Change logging of new connections from warn to info level
Sorting controller output by name (alphabetical) in status command
Fix weird indentation for rules
Add org to spellcheck wordlist
Fixes 'any' reference target not found warning
Misc fixes for kops installation guide
Steven Ceuppens (1):
Add "cilium identity list" output to bugtool
Tasdik Rahman (2):
docs: k8s: updating docs for k8s v1.9, 1.10 and 1.11 support
docs: k8s: updating formatting
Thomas Graf (29):
labels: Ignore istio sidecar annotation labels
etcd: Move etcd status check into the background
cilium: Make cilium endpoint list resilient
policy: Apply wildcarded source L7 rules to all sources
bpf: Remove proxy_port from conntrack table
policy: Remove logic to reset proxy port
policy: Do not make initial endpoint DROP_ALL mode dependent on policy option
bpf: Remove connection tracking entries on policy deny
policy: Remove connection tracking cleanup on policy change
agent: Provide non-blocking agent status
health: Do sanity checking on health response
policy: Do not wildcard CIDR 0/0 for world and all entity
Revert "Revert "bpf: Allow CT creation on FIN""
Revert "bpf: Only create conntrack entries for SYN packets"
policy: Add TestWildcardL4RulesIngress and TestWildcardL4RulesEgress
contrib: Provide script to show unmanaged Kubernetes pods
workloads: Silence noisy harmless warning
Bump version in master tree to 1.0.90
endpoint: Improve logging of endpoint lifecycle events
tunnel: Add debug messages on tunnel map manipulation
bpf: Avoid unnecessary debug output on policy map open
testutils: Factor out random rune generator
agent: Fix panic when node.GetNodes() is empty
agent: Fix indentation of loopback address
kvstore: Introduce shared store type
store: Cast event.Value to string
policy: Overwrite eventual L4 localhost policies when AllowLocalhost=true
Update NEWS
Prepare for 1.1.0-rc1
Tobias Klauser (1):
pkg/bpf: update BPF_* constants as of Linux kernel 4.17-rc3
ackerman80 (3):
Update minikube.rst
examples/minikube: update http-sw-app.yaml
examples/minikube: delete unused yamls