v1.8 backports 2020-09-09 #13126
👍 for my PR.
[ upstream commit 5519f2b ]
* This commit fixes an inherent issue with CCNP where if toGroups is specified in the Clusterwide policies it has no effect in creating a derived policy. The reason being we handle CCNP similar to CNP as they both are converted into SlimCNPs and processed in a similar way. For CCNP, creation of derived policy fails as we try to update status as CNP which is not possible.
* This commit introduces a fix by checking the namespace field in the converted SlimCNP and handling cases of CCNP in a different manner suited for the required type.
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit ff99774 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 09b3df1 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit b13dcfb ]
* This commit adds a logfield to embed the help messages into the logs.
* Adds help message to ipam CRD waiting for allocation pool log message
* Adds a cleanup function to daemon signal handler that logs help status information and help message when related to KVStore failure.
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit e9b3844 ]
Connectivity disruptions caused by missed tail calls were recently reported at #13015. It was caused by an incorrect handling of a call map rename. We didn't detect it because we don't have code to specifically detect missed tail calls during the upgrade/downgrade test; the test only fails if the connectivity is broken during a long enough period.
This commit adds a new function to retrieve the sum of 'Missed tail calls' metrics across all Cilium pods. It is then used in the test after both the upgrade and the subsequent downgrade to check that no drops due to missed tail calls happened.
This new test was tested by:
- backporting to v1.8 and checking that missed tail calls are indeed detected.
- backporting the fixes on the v1.7 (#13052) and v1.8 (#13051) branches and checking that no more tail calls were detected.
We need to wait for both #13052 and #13051 to be merged and backported before we can backport this test to v1.7 and v1.8, as it will otherwise fail.
Related: #13015, #13051, #13052
Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit c6eae50 ]
* This commit adds changes to operator and agent to honor the service.kubernetes.io/service-proxy-name label associated with the services.
* Add command line flag for operator and agent to configure service-proxy-name associated with the services. Default value is empty string which means Cilium will handle all the services which do not have service.kubernetes.io/service-proxy-name label.
* The modifier cannot be applied to EndpointSlices as they do not mirror the mentioned service-proxy-name label from parent services. So for endpoint slices we still watch for all the objects but when the backing service does not have the required label selector no service event is created in the cache and hence no processing.
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 4f7fbae ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 799040d ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 08fda01 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 5c14aa0 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 905b8d4 ]
* This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint.
* For a more detailed explanation of the approach and the issue take a look at discussion following this GitHub comment - #12890 (comment)
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit abe5e24 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 91a6fc4 ]
* This commit extends the cilium preflight validate-cnp check. When validating CCNP it checks if there is an empty to/from endpoint selector in the rules and warns about the problem and a possible fix.
* This is to help users with upgrade scenarios when using Cilium. For a more detailed discussion on the problem see issue - #12844
Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 2231af0 ] Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
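
An added example, not code from this PR or from Cilium: a stand-alone check in the spirit of commits 905b8d4 and 91a6fc4 that scans a CCNP manifest for empty to/fromEndpoints selectors. The JSON manifest, the `EmptySelectors` function and the reported path strings are constructed for illustration; only the manifest field names come from the CCNP schema.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// selector holds the two fields of a Kubernetes-style label selector.
type selector struct {
	MatchLabels      map[string]string `json:"matchLabels"`
	MatchExpressions []json.RawMessage `json:"matchExpressions"`
}
// rule keeps only the peer selectors of one policy rule.
type rule struct {
	Ingress []struct{ From []selector `json:"fromEndpoints"` } `json:"ingress"`
	Egress  []struct{ To []selector `json:"toEndpoints"` } `json:"egress"`
}
// sample is a constructed manifest in JSON form, not taken from the PR.
const sample = `{"kind":"CiliumClusterwideNetworkPolicy","spec":{"egress":[{"toEndpoints":[{"matchLabels":{}}]}],
"ingress":[{"fromEndpoints":[{}]},{"fromEndpoints":[{"matchLabels":{"app":"web"}}]}]}}`

// EmptySelectors returns the path of every wildcard to/fromEndpoints entry in a CCNP.
func EmptySelectors(manifest []byte) (found []string, err error) {
	var p struct {
		Kind  string `json:"kind"`
		Spec  rule   `json:"spec"`
		Specs []rule `json:"specs"`
	}
	if err = json.Unmarshal(manifest, &p); err != nil || p.Kind != "CiliumClusterwideNetworkPolicy" {
		return nil, err // parse error, or not a CCNP (err is nil then)
	}
	check := func(path string, sels []selector) {
		for i, s := range sels {
			if len(s.MatchLabels) == 0 && len(s.MatchExpressions) == 0 {
				found = append(found, fmt.Sprintf("%s[%d]", path, i))
			}
		}
	}
	for r, ru := range append([]rule{p.Spec}, p.Specs...) { // rule 0 is "spec"
		for i, in := range ru.Ingress {
			check(fmt.Sprintf("rule %d ingress[%d].fromEndpoints", r, i), in.From)
		}
		for i, eg := range ru.Egress {
			check(fmt.Sprintf("rule %d egress[%d].toEndpoints", r, i), eg.To)
		}
	}
	return found, nil
}

func main() { fmt.Println(EmptySelectors([]byte(sample))) }
```

Both `{}` and a selector whose `matchLabels` is an empty map are reported, since either one leaves the selector with nothing to match on.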
89e14dc to 550c552
test-backport-1.8
As discussed with @fristonio, we split out the gops update to a separate PR: #13128
v1.8 backports 2020-09-09
Not included due to non-trivial conflicts. @tklauser will be doing a round of backports later to pick this up.
Once this PR is merged, you can update the PR labels via: