
[pull] master from cilium:master #1016

Merged
merged 18 commits into from
Mar 15, 2023

Conversation

pull[bot]

@pull pull bot commented Mar 15, 2023

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💜 Please sponsor : )

YutaroHayakawa and others added 18 commits March 14, 2023 09:43
Add missing check_url env var to conformance-clustermesh workflow.
Otherwise, "Details" link won't appear on the check result.

Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
This is needed to parse entries like:

    cluster-pool-map: \
        "mars=ipv4-cidrs:172.16.0.0/16,172.17.0.0/16;ipv4-mask-size:24
         jupiter=ipv4-cidrs:192.168.0.0/19;ipv4-mask-size:26"

which will be used for IPAM pools in cilium-operator.

Signed-off-by: Tobias Klauser <tobias@cilium.io>
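A parser for entries of that shape, added here as a worked example; it is not the option parser that cilium-operator ships. Entries are separated by whitespace, keys inside an entry by `;`, list values by `,`. The `Pool` struct, the function name `ParseClusterPoolMap` and the validation rules (IPv4 only, canonical network address, mask size no shorter than any pool CIDR, both keys required, no duplicate pool names) are this example's own assumptions. The sample input is the value quoted in the commit message.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// sampleClusterPoolMap is the two-pool value quoted in the commit message,
// embedded here as constructed test input.
const sampleClusterPoolMap = "mars=ipv4-cidrs:172.16.0.0/16,172.17.0.0/16;ipv4-mask-size:24\n" +
	"jupiter=ipv4-cidrs:192.168.0.0/19;ipv4-mask-size:26"

// Pool is this example's own representation of one parsed entry; it is not
// cilium-operator's type.
type Pool struct {
	Name         string
	IPv4CIDRs    []netip.Prefix
	IPv4MaskSize int // per-node prefix length carved out of IPv4CIDRs
}

// ParseClusterPoolMap parses "name=key:val[,val];key:val name2=..." into
// pools keyed by name. Malformed input is rejected rather than partially
// accepted, so a bad flag value cannot silently yield an empty or wrong pool.
func ParseClusterPoolMap(s string) (map[string]Pool, error) {
	pools := make(map[string]Pool)
	for _, entry := range strings.Fields(s) {
		name, spec, ok := strings.Cut(entry, "=")
		if !ok || name == "" || spec == "" {
			return nil, fmt.Errorf("entry %q: expected name=key:value[;key:value]", entry)
		}
		if _, dup := pools[name]; dup {
			return nil, fmt.Errorf("pool %q: defined more than once", name)
		}
		p := Pool{Name: name}
		for _, kv := range strings.Split(spec, ";") {
			key, val, ok := strings.Cut(kv, ":")
			if !ok || val == "" {
				return nil, fmt.Errorf("pool %q: expected key:value, got %q", name, kv)
			}
			switch key {
			case "ipv4-cidrs":
				for _, c := range strings.Split(val, ",") {
					pfx, err := netip.ParsePrefix(c)
					if err != nil {
						return nil, fmt.Errorf("pool %q: %w", name, err)
					}
					if !pfx.Addr().Is4() {
						return nil, fmt.Errorf("pool %q: %s is not an IPv4 prefix", name, c)
					}
					// 172.16.1.0/16 has host bits set: refuse it instead of masking silently.
					if pfx != pfx.Masked() {
						return nil, fmt.Errorf("pool %q: %s has host bits set", name, c)
					}
					p.IPv4CIDRs = append(p.IPv4CIDRs, pfx)
				}
			case "ipv4-mask-size":
				n, err := strconv.Atoi(val)
				if err != nil || n < 1 || n > 32 {
					return nil, fmt.Errorf("pool %q: invalid ipv4-mask-size %q", name, val)
				}
				p.IPv4MaskSize = n
			default:
				return nil, fmt.Errorf("pool %q: unknown key %q", name, key)
			}
		}
		if len(p.IPv4CIDRs) == 0 || p.IPv4MaskSize == 0 {
			return nil, fmt.Errorf("pool %q: both ipv4-cidrs and ipv4-mask-size are required", name)
		}
		for _, pfx := range p.IPv4CIDRs {
			// A per-node /24 cannot be carved out of a /26 pool.
			if p.IPv4MaskSize < pfx.Bits() {
				return nil, fmt.Errorf("pool %q: mask size /%d is shorter than pool CIDR %s", name, p.IPv4MaskSize, pfx)
			}
		}
		pools[name] = p
	}
	return pools, nil
}

func main() {
	pools, err := ParseClusterPoolMap(sampleClusterPoolMap)
	if err != nil {
		panic(err)
	}
	for _, p := range pools {
		fmt.Printf("%s: cidrs=%v mask=/%d\n", p.Name, p.IPv4CIDRs, p.IPv4MaskSize)
	}
}
```

The value is a single flag string, so the parser treats every structural error as fatal for the whole flag; accepting the good pools and dropping the bad one would let a typo in one pool's CIDR go unnoticed until allocation fails on that node.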
This commit contains no functional changes.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Tobias Klauser <tobias@cilium.io>
This function is only used once inside the package, so inline it

Signed-off-by: Tobias Klauser <tobias@cilium.io>
It will be used by the IPAM pools allocator in a subsequent
commit. This commit contains no functional changes.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Tobias Klauser <tobias@cilium.io>
This commit creates separate matrix configs for the encryption tests, so
that they can be run in separate jobs. The main motivation for that is
that previously, some configurations were not possible. E.g., DSR with
WireGuard due to [1]. The whole job had to disable the DSR.

Next, this commit undoes the encryption limitation changes for
non-encryption jobs (IPsec with IPv6 and WireGuard with DSR).

Afterwards, the commit adds Cilium configuration reporting via the
"cilium status", as it's not clear which features are enabled (some
might get auto-disabled by the cilium-agent).

Finally, do not allow more than 8 parallel jobs to avoid starving the
runners.

[1]:  #23328

Signed-off-by: Martynas Pumputis <m@lambda.lt>
The nodeport code creates its own CT entry for a service connection to
a non-DSR backend. While doing so, the initial CT lookup might find a stale
(non-nodeport) CT entry that needs to be re-created.

CT_REPLY in particular needs consideration here - regardless of the
entry's rev_nat_index, we don't expect incoming SVC requests to be a
*reply* to some existing connection. So we always need to re-create such
entries.

Typically ct_create() is only called after the lookup returned a CT_NEW
ct_status. Meaning that the CT tuple was already flipped by ct_lookup().
If we also call ct_create() after CT_REPLY, then the tuple needs to be
flipped first. Otherwise the new CT entry is created for a tuple in the
wrong direction.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Commit 441759e ("pkg/kvstore: fix concurrent access of var in
testing") changed versionCheckTimeout to be accessed atomically to fix a
race in tests. Instead, pass the timeout value to the function it is
used in. This allows to drop the use of an atomic type.

Signed-off-by: Tobias Klauser <tobias@cilium.io>
Prior to this commit, auth information was kept as an additional property
in the ct map which required authentication on a per connection basis.

This commit introduces the bpf map auth which keeps track of
authentication state between security identities in combination with the
remote node id, auth type and an expiration.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Introduce cilium CLI command "cilium bpf auth list" to inspect the
entries of the bpf auth map.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the policy verdict notification gets reported for every
packet which matches a policy with authentication - even in cases where
the corresponding connection already got authenticated in the meantime
and is therefore not dropped.

With this commit the policy verdict notification only gets reported if
the packet actually gets dropped due to required and still missing
authentication.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
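A userspace model of the state these three commits describe (the auth map commit and the policy-verdict commit above), added here as an example; it is not Cilium's BPF map or datapath code. `AuthKey` carries the two security identities, the remote node id and the auth type as the commit lists them; the field widths, the placeholder `AuthTypeExample` value, the absolute-expiry representation and the `Decide` helper are this example's assumptions. What it demonstrates is the decision the second commit changes: a packet matched by an auth-requiring policy is dropped, and a verdict notification emitted, only when no unexpired entry exists for its key.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// AuthType distinguishes the authentication mechanisms a policy can require.
type AuthType uint8

// AuthTypeExample is a placeholder value for this example only.
const AuthTypeExample AuthType = 1

// AuthKey models the map key: the pair of security identities, the remote
// node id and the auth type. Field widths are assumed, not Cilium's layout.
type AuthKey struct {
	LocalIdentity  uint32
	RemoteIdentity uint32
	RemoteNodeID   uint16
	AuthType       AuthType
}

// AuthMap is a mutex-guarded map from key to absolute expiry time, standing
// in for the bpf auth map in this example.
type AuthMap struct {
	mu      sync.Mutex
	entries map[AuthKey]time.Time
}

func NewAuthMap() *AuthMap {
	return &AuthMap{entries: make(map[AuthKey]time.Time)}
}

// Upsert records that k is authenticated until expiry.
func (m *AuthMap) Upsert(k AuthKey, expiry time.Time) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.entries[k] = expiry
}

// Authenticated reports whether an unexpired entry exists for k at now.
// An entry whose expiry has passed counts as missing, so a stale entry
// never keeps a connection authenticated.
func (m *AuthMap) Authenticated(k AuthKey, now time.Time) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	exp, ok := m.entries[k]
	return ok && now.Before(exp)
}

// GC removes expired entries and returns how many it removed.
func (m *AuthMap) GC(now time.Time) int {
	m.mu.Lock()
	defer m.mu.Unlock()
	n := 0
	for k, exp := range m.entries {
		if !now.Before(exp) {
			delete(m.entries, k)
			n++
		}
	}
	return n
}

// Len returns the number of entries, expired or not.
func (m *AuthMap) Len() int {
	m.mu.Lock()
	defer m.mu.Unlock()
	return len(m.entries)
}

// Verdict is the per-packet outcome of the model.
type Verdict struct {
	Drop   bool // packet dropped for missing authentication
	Notify bool // policy verdict notification emitted
}

// Decide applies the rule the policy-verdict commit describes: notify only
// when the packet is actually dropped because authentication is required
// and still missing. An authenticated connection is forwarded silently.
func Decide(m *AuthMap, requiresAuth bool, k AuthKey, now time.Time) Verdict {
	if !requiresAuth || m.Authenticated(k, now) {
		return Verdict{}
	}
	return Verdict{Drop: true, Notify: true}
}

func main() {
	m := NewAuthMap()
	now := time.Unix(1_700_000_000, 0) // constructed timestamp
	k := AuthKey{LocalIdentity: 1001, RemoteIdentity: 2002, RemoteNodeID: 7, AuthType: AuthTypeExample}
	fmt.Printf("before auth: %+v\n", Decide(m, true, k, now))
	m.Upsert(k, now.Add(time.Minute))
	fmt.Printf("after auth:  %+v\n", Decide(m, true, k, now))
	fmt.Printf("expired:     %+v\n", Decide(m, true, k, now.Add(2*time.Minute)))
}
```

Note that the remote node id is part of the key, so the same identity pair reached via a different node is a separate, unauthenticated entry; that is the behaviour to expect when reading `cilium bpf auth list` output on a multi-node cluster.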
This fixes a typo in the config.go file:
CilliumEndpoint -> CiliumEndpoint

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
Due to an oversight when updating init.sh to deal with the new tc filter names
for bpf progs after the introduction of Go-based loader/netlink attach, all
interfaces in the host namespace that didn't contain the word 'cilium' would
have their egress and ingress filters stripped. This included lxc interfaces
and many others. lxc programs in particular would only be reattached when the
endpoint got regenerated, which can take a while on nodes with many Pods.
This caused connectivity interruptions in the meantime.

This commit changes the tc filter naming convention to converge on the changes
introduced in 2e40d67 ("bpf: Finish rename of BPF programs to cil_ prefix"),
using the bpf program (function) name containing the 'cil_' prefix. The
'cilium_' prefix is no longer included explicitly, instead opting for the
program name suffixed by the interface name, e.g. cil_from_netdev-eth0.

init.sh no longer uses the term 'cilium' to trigger a removal of the
interface's tc filters. Also switched over to a regex that acts on a word
boundary to reduce the chance of a false positive (e.g. a filter pencil_foo
installed by another tool should not trigger removal).

Fixes commit 2a7cef4 ("init,cleanup: remove TC filters containing 'cilium'
in their names").

Signed-off-by: Timo Beckers <timo@isovalent.com>
We would only test service interruptions using up/downgrades, but agent
restarts should also be clean.

Signed-off-by: Timo Beckers <timo@isovalent.com>
Co-authored-by: Martynas Pumputis <m@lambda.lt>
Change the order of locking to keep it consistent in the
CiliumEndpointSlice Manager.

Lock identityLock always before locking backends lock.

Fixes: #24206
Fixes: a2d0596 Fix operator crash race condition for CES identity map concurrent read/write

Signed-off-by: Alan Kutniewski <kutniewski@google.com>
Avoid accessing a nil map once we use more than just the default pool.

Fixes: e3f1a22 ("ipam: track IP owner per pool")
Signed-off-by: Tobias Klauser <tobias@cilium.io>
Injecting the IPCache into the nodemanager via hive instead of setting
it explicitly from within the daemon.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Now you can easily set up clustermesh in kind using:
```
make kind-clustermesh
make kind-clustermesh-images
make kind-install-cilium-clustermesh
```

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
@pull pull bot added the ⬆️ pull label Mar 15, 2023
@pull pull bot merged commit a6b99de into sayboras:master Mar 15, 2023