v1.8 backports 2020-06-19 #12203
Conversation
[ upstream commit 3b40d80 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 0baeaa1 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 2db8829 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4355df5 ]

Mention:
- Doesn't support L7 policies.
- Applies only to host namespace.
- Only for CCNPs.
- Example

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 0e535cb ]

This commit updates the getting started guide for kata containers in the following ways:
- Remove all custom instructions that were likely copied over from external sources, namely the official Kata Containers, CRI-O and containerd guides. These turned out to be outdated for the most part. Instead, this guide now points the reader to the official guides from the Kata Containers documentation to setup Kata Containers and a Kubernetes cluster.
- By removing custom instructions and linking to the official Kata Containers documentation, this guide is now also more generic in that it should work for any platform that supports the Kata Containers runtime instead of being specific to Google Compute Engine (GCE).
- This guide now being generic, rename it, including the file name, to just kata instead of kata-gce.
- Include `k8s-install-download-release.rst` instead of duplicating the instructions.
- Add a note that this guide has only been validated using instructions for GCE.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit ac158be ] Rework a couple of the existing instances to reuse this. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 5d00f6a ] Based partially on prior wording from Quentin Monnet. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit ff4882a ] All test packages need to have a hook for check.v1 This commit adds the missing checks on those unit tests. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 62e4558 ]

Noticed in local testing that an Istio sidecar-injector label can prevent PODs being deployed in the default namespace if left behind by a failed Istio test. Delete also all other resources left in the default namespace. Delete cilium-monitoring and cilium namespaces to leave the cluster in a more predictable condition. Finally, delete all CRDs.

Move the cleaning to the renamed `gke/clean-cluster.sh` so that it can be reused from the command line in local testing.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 28eb07b ]

This commit extends "cilium status" to show which devices can run the BPF masquerading program. E.g.:

    $ cilium status | grep Masquerading
    Masquerading:   BPF   [eth0, eth1]

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit ec20119 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit ec89f62 ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 202b199 ] The helper is used to determine the dst CIDR for SNAT exclusion. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 4197021 ]

This commit extends "cilium status" to show dst cidr of SNAT exclusion. E.g.:

    $ cilium status | grep Masquerading
    Masquerading:   BPF   [eth0, eth1]   10.0.0.0/16

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 2f04afd ] Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
test-backport-1.8
[ upstream commit cc4a64d ]

Previously, if IPv{4,6} global scope addrs could not have been derived for BPF NodePort, the agent had logged an error and panicked.

In v1.8, we extended the device detection to include devices with k8s InternalIP/ExternalIP addrs. The detection does not check the scope of those addrs. So, it is possible that an upgrade to v1.8 might break for users with --enable-ipv6=true and --kube-proxy-replacement=probe.

To avoid that, for now just disable BPF NodePort and friends if no global scope addr can be detected. In the future, we should revisit whether it makes sense to consider local scope addrs for IPv6 too.

Reported-by: Jed Salazar <jed@isovalent.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 5462ced ]

Otherwise, cilium-agent will panic when --enable-ipv6=true with the following:

    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1b17ec7]
    [...]
    /go/src/github.com/cilium/cilium/pkg/datapath/linux/config/config.go:344 +0x31d7

Fixes: a562b74 ("bpf: Check native-routing-cidr in BPF masquerade")
Reported-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
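The two commits above (cc4a64d and 5462ced) describe the same class of failure: the agent derives a per-family address for BPF NodePort from the detected devices, and a node that only carries a link-local IPv6 address (common when --enable-ipv6=true is set without real IPv6 routing) used to end in a panic rather than a clean fallback. The following Go program is an added illustration of the safer shape, written for this page and not taken from the Cilium code base. It assumes its own names (`isGlobalScope`, `firstGlobalAddr`, `decideNodePort`) and approximates the Linux notion of "global scope" as any address that is not unspecified, loopback (host scope) or link-local (link scope); the interface addresses are constructed inline instead of read from netlink.

```go
package main

import (
	"fmt"
	"net"
)

// Address family selector. These constants are an assumption of this example,
// not identifiers from the Cilium code base.
const (
	ipv4 = 4
	ipv6 = 6
)

// isGlobalScope approximates the kernel's global scope: anything that is not
// unspecified, loopback (host scope) or link-local (link scope). Go's
// net.IP.IsGlobalUnicast is deliberately not used here, because it excludes
// fe80::/10 like the kernel does but the explicit checks make the rule visible.
func isGlobalScope(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
		return false
	}
	return true
}

// firstGlobalAddr returns the first global-scope address of the requested
// family among addrs, or nil when there is none. Callers must handle nil; the
// original bug was a downstream dereference of a value that was never checked.
func firstGlobalAddr(family int, addrs []net.IP) net.IP {
	for _, ip := range addrs {
		is4 := ip.To4() != nil
		if (family == ipv4) != is4 {
			continue
		}
		if isGlobalScope(ip) {
			return ip
		}
	}
	return nil
}

// NodePortDecision records whether BPF NodePort can be enabled and, if not,
// why. A disabled result carries no addresses so nothing later can use them.
type NodePortDecision struct {
	Enabled bool
	IPv4    net.IP
	IPv6    net.IP
	Reason  string
}

// decideNodePort enables NodePort only when every enabled family has a
// global-scope address. A missing address disables the feature with a reason
// instead of aborting the agent.
func decideNodePort(enableIPv4, enableIPv6 bool, addrs []net.IP) NodePortDecision {
	d := NodePortDecision{Enabled: true}
	if enableIPv4 {
		if d.IPv4 = firstGlobalAddr(ipv4, addrs); d.IPv4 == nil {
			return NodePortDecision{Reason: "no global-scope IPv4 address on any NodePort device"}
		}
	}
	if enableIPv6 {
		if d.IPv6 = firstGlobalAddr(ipv6, addrs); d.IPv6 == nil {
			return NodePortDecision{Reason: "no global-scope IPv6 address on any NodePort device"}
		}
	}
	return d
}

func main() {
	// Constructed sample: a routable IPv4 address but only loopback and
	// link-local IPv6, the situation that broke upgrades with --enable-ipv6=true.
	addrs := []net.IP{
		net.ParseIP("127.0.0.1"),
		net.ParseIP("10.0.1.5"),
		net.ParseIP("::1"),
		net.ParseIP("fe80::1"),
	}
	d := decideNodePort(true, true, addrs)
	fmt.Printf("enabled=%v ipv4=%v ipv6=%v reason=%q\n", d.Enabled, d.IPv4, d.IPv6, d.Reason)
}
```

With only IPv4 enabled the sample node gets NodePort on 10.0.1.5; with IPv6 also enabled the function returns a disabled decision naming the missing IPv6 address, which is what an operator would want to see in `cilium status` rather than a SIGSEGV in the agent log.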
test-backport-1.8
👍 for my changes.
[ upstream commit 93d32dd ]

Otherwise, when running with IPv6-only the agent fails with the following:

    level=fatal msg="Error while creating daemon" error="invalid daemon configuration: native routing cidr must be configured with option --native-routing-cidr in combination with --masquerade --tunnel=disabled --ipam=hostscope-legacy" subsys=daemon

Also, we currently do not masquerade IPv6.

Fixes: e7d4f5c ("daemon: validate IPv4NativeRoutingCIDR value in DaemonConfig")
Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
test-backport-1.8
LGTM for my changes.
runtime-4.9 test suite hit
This should be fixed via #12003 which was not backported to 1.8 branch. Given this is known, I'm rerunning runtime-4.9 to see if it goes green, also marking #12003 to be backported, but can be done at a later point with the next batch.
retest-runtime