v1.8 backports 2020-09-25 #13289
test-backport-1.8
@christarazi I'm a bit unsure if I backported your PR properly. I had a conflict with christarazi@c2ca49c.
@mrostecki the code is failing:
14ae365 to b4829be
test-backport-1.8
Disregard my previous comments, I realized that operator/crd_test.go
doesn't have any logic related to deleting CRDs. This is good to go for me!
Looks Good for my changes. Thanks 🚀
Failure is legit, let me fix it.
b4829be to 6d1f79d
test-backport-1.8
@mrostecki I would suggest to drop the faulty commits so we can merge the other changes.
6d1f79d to 952f092
test-backport-1.8
952f092 to 247b349
test-backport-1.8
[ upstream commit 8e24ea3 ]

Not all trace observation points have access to the connection tracking state and populate the `Reason` field of `TraceNotify` accordingly. This commit extracts a helper function to determine which trace points currently do have access to connection tracking state.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 511b15d ]

This fixes a bug in which the reply filter on `reply=false` would report flows for which we actually do not know if they were replies or not. Not all trace points have connection tracking state available, thus looking at the reply flag alone is not sufficient to tell if a flow was a reply or not. Ideally, we would fix this in the parser and make the `reply` an optional boolean, so we can distinguish between a `false` value and an absent value. This however is a breaking change in the Hubble API, which we want to avoid. Therefore, this commit modifies the reply filter to only report flows here for which we know that the reply field is reliable.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 510566a ]

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Co-authored-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 01f8dcc ]

EKS needs some specific rules for NodePort traffic (see PR #12770, or comments in the code, for details). The addition of part of these rules were added to the body of the Reinitialize() function in the loader. To make them easier to maintain or extend, let's move them to a dedicated function called by Reinitialize(). No functional change.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 09e9a46 ]

EKS needs some specific rules for asymmetric routing with multi-node NodePort traffic. These rules are implemented only for IPv4, so we can avoid installing them when IPv4 is disabled. This is what this commit does. Note that this check is, in fact, not necessary at the moment, because as the config package says: "IPv6 cannot be enabled in ENI IPAM mode". So we always run with IPv4. But let's have it for good measure, to avoid issues if IPv6 support comes in the future. For the same reason, we also do not have to implement equivalent rules for IPv6 at the moment.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit a301853 ]

Multi-node NodePort traffic on EKS needs specific rules regarding asymmetric routing. These rules were implemented for the eth0 interface (namely), because this is what EKS uses with the default Amazon Linux 2 distribution. But EKS can also run with Ubuntu for example, and the name of the interface is not the same in that case. Instead of "eth0", use the interface with the default route. This is a quick fix, and longer term we want to add the rules to all relevant interfaces, as discussed in #12770.

Fixes: #12770
Fixes: #13143
Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 815be6a ]

EKS requires some specific rules for asymmetric routing with multi-node NodePort traffic. These rules rely on the xt_connmark kernel module, which is usually loaded by iptables when necessary. The rules are installed when the selected IPAM is ENI, meaning they are installed on AWS (but not only EKS). The xt_connmark module should be loaded in a similar way, unless loading modules after boot has been disabled, in which case the setup fails and the agent crashes. Add a comment to at least help debug the issue. Longer term, we may want to add more explicit hints to the logs if too many users hit the issue, but that would require parsing iptables' output for the specific error, so let's see how it goes with a simple comment in the code for now.

Signed-off-by: Quentin Monnet <quentin@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit d888057 ]

* This commit fixes an issue in nodeport service revnat handling where the interface index was not properly restored from the Conntrack state, leading to packet redirects to an invalid interface.

Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 71c5086 ]

Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>

[ upstream commit 5c6aad6 ]

This commit removes the ability to delete CRDs from Cilium because that would delete all the CRs in the cluster.

Follow-up from: #11477 (comment)
Updates: #12737
Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
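
The reply-filter behaviour described in the messages for upstream commits 8e24ea3 and 511b15d, as an added Go example that is not code from Cilium or Hubble. The observation point names, the `Flow` type and `filterReply` are hypothetical, and which points carry connection tracking state is an assumption made for the demonstration.

```go
package main

import "fmt"

// ObsPoint is a hypothetical stand-in for a trace observation point.
type ObsPoint int

const (
	ToEndpoint   ObsPoint = iota // assumed: conntrack state available
	ToStack                      // assumed: conntrack state available
	FromEndpoint                 // assumed: no conntrack state
)

// Flow is a constructed record. Reply is a plain bool, so false can
// mean either "not a reply" or "unknown at this observation point".
type Flow struct {
	ID    string
	Obs   ObsPoint
	Reply bool
}

// hasConnState reports whether Reply is reliable for this point.
func hasConnState(p ObsPoint) bool {
	return p == ToEndpoint || p == ToStack
}

// filterReply returns the IDs of flows with Reply == want. With strict
// set, flows from points without conntrack state are never matched,
// because their Reply value carries no information.
func filterReply(want, strict bool, flows []Flow) (ids []string) {
	for _, f := range flows {
		if strict && !hasConnState(f.Obs) {
			continue
		}
		if f.Reply == want {
			ids = append(ids, f.ID)
		}
	}
	return ids
}

// sampleFlows returns constructed flows: "c" has Reply=false only
// because its observation point cannot know the direction.
func sampleFlows() []Flow {
	return []Flow{{"a", ToEndpoint, true}, {"b", ToStack, false}, {"c", FromEndpoint, false}}
}

func main() {
	fmt.Println(filterReply(false, false, sampleFlows()), filterReply(false, true, sampleFlows()))
}
```

With the flag-only comparison, flow "c" is reported as a non-reply even though its direction is unknown; the strict form drops it from both `reply=true` and `reply=false` results.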
247b349 to b943a2b
test-backport-1.8
https://jenkins.cilium.io/job/Cilium-PR-Kubernetes-Upstream/2541/console - VM provisioning failed
test-backport-1.8
identity: Avoid kvstore lookup for local identities #13228 -- identity: Avoid kvstore lookup for local identities (@gandro) too many unit tests fail, I will try in another PR
Once this PR is merged, you can update the PR labels via: