kaworu
Member

@kaworu kaworu commented Aug 27, 2020

NOT INCLUDED DUE TO MERGE CONFLICTS

Once this PR is merged, you can update the PR labels via:

$ for pr in 12894 12621 12973 12977 12952; do contrib/backporting/set-labels.py $pr done 1.8; done

UnwashedMeme and others added 9 commits August 27, 2020 16:51
[ upstream commit 552c823 ]

This script has several tests for what the container runtime situation
looks like to determine how best to restart the underlying containers
(going around the kubelet) so that the new networking configuration
can take effect.

The first test looks to see if the crictl config file is configured to use
docker, but if that file doesn't exist then it fails. I believe docker
is the default if this hasn't been configured at all so if that file
doesn't exist then use docker.

Fixes #12850

Signed-off-by: Nathan Bird <njbird@infiniteenergy.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 3f8f7c3 ]

The host firewall is only enabled in CI if label ci/host-firewall is
set. The goal is to have default CI options closer to common user
environments and host firewall is not enabled by default in those.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 74be0b2 ]

This commit extends the existing fromCIDR+toPorts policy test to test
the same kind of policy for the host firewall. To that end, it:
1. Enables the host firewall. The issue in comment is not relevant
   anymore since masquerading is disabled.
2. Introduces a helper to get the ID of the host endpoint. This helper
   will likely be needed for other host firewall tests as well.
3. Load a new DaemonSet to instantiate a host-networking pod on each k8s
   node. This pod serves as the target for host firewall connectivity
   tests.
4. Extend the existing test cases with CCNP tests.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit eecd5b9 ]

This commit adds new tests, identical to NodePort tests under vxlan
tunneling and direct routing, but with an ingress+egress host policy
applied. The host policy only allows communications between nodes and to
specific endpoints for readiness probes.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 7403251 ]

Disable BPF-masq when deploying in KIND until
#12699 has been fixed.

Signed-off-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
… in EKS XDP GSG

[ upstream commit dee0191 ]

The kernel-ng package updated to 5.4.58-27.104.amzn2.x86_64 which
includes version 2.2.10g of the ena driver. Thus we no longer require a
manually built ena driver for the EKS XDP Getting Started Guide. Drop
the corresponding note as well.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 58aea35 ]

Signed-off-by: John Watson <johnw@planetscale.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit ff821d2 ]

Signed-off-by: John Watson <johnw@planetscale.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
[ upstream commit 7457ce6 ]

Signed-off-by: John Watson <johnw@planetscale.com>
Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
@kaworu kaworu added kind/backports This PR provides functionality previously merged into master. backport/1.8 labels Aug 27, 2020
@kaworu kaworu requested a review from a team as a code owner August 27, 2020 15:11
@kaworu
Member Author

kaworu commented Aug 27, 2020

test-backport-1.8

@christarazi
Member

Both 4.9 and 4.19 failed in the same way, likely indicative of a real failure.

Member

@pchaigno pchaigno left a comment

👍 for my changes.

@joestringer
Member

Most failures are #12994; just one in the k8s that is not. Istio failure here instead which seems like potential temporary GitHub infrastructure issue while downloading the cilium-istioctl:

https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3453/testReport/junit/Suite-k8s-1/17/K8sIstioTest_Istio_Bookinfo_Demo_Tests_bookinfo_inter_service_connectivity/

Retrying.

@joestringer
Member

test-missed-k8s

Member

@brb brb left a comment

LGTM for my changes.

@joestringer
Member

There's a few k8s services tests that have failed on both versions here, needs triage:
https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3458/

@pchaigno
Member

pchaigno commented Aug 28, 2020

Lots of failing tests with different apparent flakes: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-K8s/3458/
Flake #13008:

Suite-k8s-1.12.K8sServicesTest Checks service across nodes Tests NodePort (kube-proxy)
Suite-k8s-1.12.K8sServicesTest Checks service across nodes with L4 policy Tests NodePort with L4 Policy
Suite-k8s-1.12.K8sServicesTest Checks service across nodes with L7 policy Tests NodePort with L7 Policy
Suite-k8s-1.13.K8sServicesTest Checks service across nodes with L4 policy Tests NodePort with L4 Policy

Flake #13009:

Suite-k8s-1.13.K8sServicesTest Checks service across nodes Tests NodePort (kube-proxy)

Flake #13011:

Suite-k8s-1.13.K8sServicesTest Checks service across nodes with L7 policy Tests NodePort with L7 Policy

Then two other failures appear to be caused by the builds reaching a timeout, probably due to the time spent waiting on pods for flake #13008:

Suite-k8s-1.12.K8sPolicyTest Multi-node policy test validates ingress CIDR-dependent L4
Suite-k8s-1.13.K8sPolicyTest Multi-node policy test validates fromEntities policies with remote-node identity enabled Validates fromEntities remote-node policy

test-missed-k8s

@pchaigno
Member

pchaigno commented Sep 1, 2020

The only test failing in CI builds is the GuestBook flaky once. I think we're good to merge.

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 1, 2020
@aanm
Member

aanm commented Sep 1, 2020

@pchaigno is the guestbook flake being introduced by this PR? There are a lot of suspicious flakes here in comparison to the last PR merged into v1.8 #12963

@pchaigno
Member

pchaigno commented Sep 1, 2020

@aanm No, it failed in the v1.8 and v1.7 branches already: https://datastudio.google.com/s/nXAOxbdZN_I. See #12994 (comment) and #12994 (comment).

@kkourt kkourt merged commit 7910deb into v1.8 Sep 2, 2020
@kkourt kkourt deleted the pr/v1.8-backport-2020-08-27 branch September 2, 2020 07:27