v1.8 backport 2020-09-16 #13184
Conversation
[ upstream commit b10fd49 ] Signed-off-by: Gaurav Yadav <gaurav.dev.iiitm@gmail.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 4c68f8a ] Signed-off-by: Gaurav Yadav <gaurav.dev.iiitm@gmail.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 3d6cf1b ] Signed-off-by: Gaurav Yadav <gaurav.dev.iiitm@gmail.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit d7433cf ] In endpoint-routes mode, we encode the source identity in the ctx->mark when locally routing the packet to the destination device for ingress policy assessment. Previously we only encoded the local cluster identity in the mark, thereby omitting the original cluster portion of the identity. Found by code inspection. Fixes: 654303a ("bpf: Skip ingress policy at egress of source if egress prog is in use") Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
test-backport-1.8
👍 for my PR and #13150.
#13153 -- Report correct target system architecture in Cilium version (@tklauser)
conflict on original commit d570daa resolved by omitting change in daemon/cmd/daemon_main.go since the corresponding line does not exist
I think this comment should instead belong to #13141 -- operator: fix invocation with --help option (@tklauser)? Regarding commit d570daa: it looks like this didn't apply because #12675 wasn't backported. I've now marked it as needs-backport/1.8, and maybe you could pick it up for this backport PR before the PR above, so the conflict would go away?
Indeed, apologies.
How about, I remove #13141 from this PR so that we can pick it up on the next backport round together with #12675? This solution seems simpler to me... I can do another backport round tomorrow.
Indeed, that sounds like the simpler solution. Let's drop #13141 from this PR.
Looks good for my change
6abcd8d to 5dddefc
[ upstream commit d1c6a75 ] The code for handling CNP status updates from other nodes via the kvstore was previously not covered by the same option that enables this functionality in the cilium-agent daemon. As such, this could cause the logic to run, including goroutines for each CNP, in scenarios where this logic is not in use. Improve memory usage by disabling this functionality when it is disabled. Co-authored-by: Joe Stringer <joe@cilium.io> Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 8efceda ] Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 3fb4d15 ] When cross-building Cilium, like we do for the ARM64 image, version.Version reports the GOOS/GOARCH of the build system (i.e. linux/amd64) because it is set to the value of `go version` as run on the build system. Instead, report the Go version properties of the proper target system by using the corresponding information from Go's runtime package. Mimic the `go version` format to keep Cilium's version format backwards-compatible. Fixes #13122 Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit ed00ac6 ] Signed-off-by: Gaurav Yadav <gaurav.dev.iiitm@gmail.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit bb9411b ] From minikube 1.12.1+, cilium quick install can be enabled by passing flag --network-cni=cilium Signed-off-by: Tam Mach <sayboras@yahoo.com> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit f191f9e ] Remove ipmasq, source range check and session affinity related maps if corresponding features are not enabled. Signed-off-by: Martynas Pumputis <m@lambda.lt> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit dc6a065 ] If kube-proxy is in use (no BPF-based masquerading), packets from pods may be SNATed. The response packet will therefore have a host IP as the destination IP. For example, if a pod connects to 1.1.1.1:

    # Pod sends a SYN.
    from-lxc: 10.8.0.1 -> 1.1.1.1
    # Src IP gets masqueraded to 192.168.33.11. We skip the host firewall
    # because the packet mark tells us this is not coming from hostns.
    to-netdev: 192.168.33.11 -> 1.1.1.1
    ...
    # SYN+ACK is sent to 192.168.33.11. This IP belongs to the host
    # endpoints, so we incorrectly enforce host policy on this packet.
    from-netdev: 1.1.1.1 -> 192.168.33.11

To avoid enforcing host policies for response packets to pods, we need to create a CT entry for the forward, SNATed packet from the pod. Response packets will thus match this CT entry and bypass host policies. I tested this change by deploying the connectivity checks in the dev VM with kube-proxy and the lock-down-dev-vms.yaml host policy. A subsequent commit also updates the CIDR+toPorts host policy test to run it when kube-proxy is used. Finally, the pull request has label ci/host-firewall to run all e2e CI tests on Jenkins with the host firewall enabled by default. Fixes: 88bf291 ("bpf: Enforce host policies for IPv4") Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
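The failure mode in the commit above (a SYN+ACK addressed to the node's SNAT IP being treated as traffic to a host endpoint) and the conntrack-based fix can be walked through with a small model. The Go below is an added illustration, not Cilium's datapath code: the flow table, the `Node` type, the host IP 192.168.33.11 as SNAT address and the port numbers are assumptions chosen to reproduce the trace from the commit message. It shows that without a CT entry for the SNATed forward packet the reply is policy-checked, and with one it is recognised as a reply and bypasses host policy.

```go
package main

import "fmt"

// Tuple is a flow key; protocol is omitted for brevity.
type Tuple struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// reverse returns the tuple a reply to t carries on the wire.
func (t Tuple) reverse() Tuple {
	return Tuple{SrcIP: t.DstIP, DstIP: t.SrcIP, SrcPort: t.DstPort, DstPort: t.SrcPort}
}

// ConnTrack is a minimal flow table modelling the CT map.
type ConnTrack map[Tuple]struct{}

// Create records a forward flow so its reply can be recognised later.
func (ct ConnTrack) Create(fwd Tuple) { ct[fwd] = struct{}{} }

// IsReply reports whether pkt travels in the reverse direction of a
// flow that was recorded on egress.
func (ct ConnTrack) IsReply(pkt Tuple) bool {
	_, ok := ct[pkt.reverse()]
	return ok
}

// Node is a hypothetical worker node: the IPs the host firewall treats
// as host endpoints, and the IP kube-proxy/iptables masquerades to.
type Node struct {
	HostIPs map[string]bool
	SNATIP  string
}

// snat rewrites the pod source to the node IP, as iptables MASQUERADE
// would when BPF masquerading is not in use.
func (n Node) snat(pkt Tuple) Tuple {
	pkt.SrcIP = n.SNATIP
	return pkt
}

// EnforceHostPolicyOnIngress models the from-netdev decision: traffic
// to a host IP is subject to host policy unless conntrack identifies it
// as the reply to a flow that already left the node.
func (n Node) EnforceHostPolicyOnIngress(ct ConnTrack, pkt Tuple) bool {
	if !n.HostIPs[pkt.DstIP] {
		return false // not destined to a host endpoint
	}
	return !ct.IsReply(pkt)
}

// Scenario replays the commit-message trace (pod 10.8.0.1 -> 1.1.1.1,
// SNATed to 192.168.33.11) and reports whether the SYN+ACK reply gets
// host policy enforced. withFix controls whether the SNATed forward
// packet creates a CT entry, which is what the upstream change adds.
func Scenario(withFix bool) bool {
	n := Node{HostIPs: map[string]bool{"192.168.33.11": true}, SNATIP: "192.168.33.11"}
	ct := ConnTrack{}

	syn := Tuple{SrcIP: "10.8.0.1", DstIP: "1.1.1.1", SrcPort: 40000, DstPort: 80} // from-lxc
	out := n.snat(syn)                                                              // to-netdev
	if withFix {
		ct.Create(out)
	}
	synack := out.reverse() // from-netdev: 1.1.1.1 -> 192.168.33.11
	return n.EnforceHostPolicyOnIngress(ct, synack)
}

func main() {
	fmt.Println("without CT entry, host policy enforced on reply:", Scenario(false))
	fmt.Println("with CT entry, host policy enforced on reply:   ", Scenario(true))
}
```

The model deliberately keys the CT entry on the post-SNAT tuple: that is the only view of the flow the ingress path has when the reply arrives, which is why the entry has to be created for the SNATed packet rather than for the original pod tuple.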
[ upstream commit 5b581f6 ] Previous commit fixed the host firewall to work with kube-proxy. Thus, we can now run the CIDR+toPorts test for the host firewall when kube-proxy is enabled. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 3135759 ] This includes allowing some services that were not present on the release-channel=rapid GKE clusters. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
[ upstream commit 4028da9 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
5dddefc to 793615f
test-backport-1.8
test-upstream-k8s
v1.8 backports 2020-09-16
There were some conflicts, so please have a look. Notes below.
#13141 -- operator: fix invocation with --help option (@tklauser)
conflict on original commit d570daa resolved by omitting change in daemon/cmd/daemon_main.go since the corresponding line does not exist (edit: moved on the correct PR)
NOTE: The changes of operator: fix invocation with --help option #13141 were dropped from this backport PR to be picked up later.
lbmap package and ignoring lines added by Add Maglev consistent hashing to kube-proxy replacement #13131 which was not backported (CC: @borkmann @joestringer @pchaigno)
lock-down-dev-vms.yaml and omitting changes in examples/policies/host/lock-down-gke.yaml since file does not exist in v1.8.
Once this PR is merged, you can update the PR labels via: