
Conversation

jrajahalme
Member

Once this PR is merged, you can update the PR labels via:

$ for pr in 12964; do contrib/backporting/set-labels.py $pr done 1.8; done

[ upstream commit 4058b9a ]

Start proxy support earlier in the daemon bootstrap, notably before any k8s setup.

Fetch old endpoints earlier so that the DNS history is available
before k8s is set up and move dns proxy initialization earlier in the
bootstrap.

Reuse DNS proxy port from previous run on restart unless overridden by
an explicit Cilium agent option

These changes allow the DNS proxy start serving requests as soon as
the toFQDN policy is received from k8s and avoid any service
disruption previously possible due to endpoints being regenerated
before the DNS proxy was started.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit f1ac9a2 ]

Store current DNS rules with the Endpoint and use them in the DNS
proxy during initial regeneration of the restored endpoints.

DNS proxy starts with restored DNS rules based on allowed IP
addresses. These rules are removed for each endpoint as soon as the
first regeneration completes. Such restored rules should allow DNS
requests to be served, but for new DNS resolutions to be added to the
Endpoint's policy the restored endpoints must still have their first
regeneration completed.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
@jrajahalme jrajahalme added kind/backports This PR provides functionality previously merged into master. backport/1.8 labels Sep 21, 2020
@jrajahalme jrajahalme requested a review from a team as a code owner September 21, 2020 07:21
@jrajahalme
Member Author

test-backport-1.8

@aanm
Member

aanm commented Sep 21, 2020

# github.com/cilium/cilium/pkg/proxy
vet: pkg/proxy/kafka_test.go:112:45: cannot use &(proxyUpdaterMock literal) (value of type *proxyUpdaterMock) as logger.EndpointUpdater value in variable declaration: missing method OnDNSPolicyUpdateLocked
Makefile:393: recipe for target 'govet' failed
make[1]: *** [govet] Error 2
make[1]: Leaving directory '/home/travis/gopath/src/github.com/cilium/cilium'
Makefile:209: recipe for target 'unit-tests' failed
make: *** [unit-tests] Error 2

[ upstream commit 5dfe140 ]

Update DNSRules, if any, before writing headers to capture potentially
changed allowed destination IPs.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
@jrajahalme jrajahalme force-pushed the pr/v1.8-backport-2020-09-21 branch from 09bb326 to 35748f0 Compare September 28, 2020 20:13
@jrajahalme
Member Author

test-backport-1.8

@jrajahalme
Member Author

Fixed pkg/proxy/kafka_test.go (which does not exist in master)

[ upstream commit 8b390eb ]

Remove restored DNS rules after a successful regeneration, and also at
endpoint delete to cover endpoints that were never regenerated.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit 8c7b980 ]

Normally the number of DNS proxy rules should be very small. To guard
against pathological cases, limit the number of IPs processed to 1000
per port.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit bdf15d4 ]

Use restored Endpoints during Cilium restart when Endpoints are not yet available.

Do not error out if the destination IP can not be found from ipcache,
but default to WORLD destination security identity instead. This
allows IP-based restored rules to be processed before ipcache is fully
updated.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
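The commits above (f1ac9a2, 8b390eb, 8c7b980, bdf15d4) describe one mechanism: an endpoint keeps its last-known DNS allow rules across an agent restart, the DNS proxy consults those restored rules until the endpoint's first regeneration completes, the number of IPs per port is capped at 1000, and an ipcache miss falls back to the WORLD identity. The following is an added, self-contained Go model of that mechanism written for this page; it is not Cilium's code, and every type and function name in it (RestoredRules, Endpoint, LookupIdentity, the WorldIdentity value, and the choice to sort IPs before applying the cap) is an assumption made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"sync"
)

// MaxIPsPerPort caps the IPs accepted per port, as in commit 8c7b980.
const MaxIPsPerPort = 1000

// WorldIdentity stands in for the "WORLD" security identity used as the
// fallback when ipcache has no entry (hypothetical value for this example).
const WorldIdentity uint32 = 2

// RestoredRules maps a destination port to the allowed destination IPs
// captured from the endpoint's last-known DNS policy (hypothetical type).
type RestoredRules map[uint16]map[string]struct{}

// RestoreDNSRules builds the per-port allow set from stored rules, dropping
// unparseable addresses and enforcing MaxIPsPerPort. IPs are sorted first so
// that which addresses survive the cap is deterministic (an assumption of
// this example, not necessarily what the real implementation does).
func RestoreDNSRules(stored map[uint16][]string) RestoredRules {
	out := make(RestoredRules, len(stored))
	for port, ips := range stored {
		sorted := append([]string(nil), ips...)
		sort.Strings(sorted)
		set := make(map[string]struct{})
		for _, s := range sorted {
			if len(set) >= MaxIPsPerPort {
				break // pathological rule set: stop processing this port
			}
			ip := net.ParseIP(s)
			if ip == nil {
				continue // ignore garbage in the persisted state
			}
			set[ip.String()] = struct{}{}
		}
		if len(set) > 0 {
			out[port] = set
		}
	}
	return out
}

// Endpoint holds the restored rules until its first regeneration completes.
type Endpoint struct {
	mu          sync.Mutex
	ID          uint16
	restored    RestoredRules
	regenerated bool
}

// LookupIdentity mimics the ipcache lookup: an unknown IP yields
// WorldIdentity instead of an error, as described in commit bdf15d4.
func LookupIdentity(ipcache map[string]uint32, ip string) uint32 {
	if id, ok := ipcache[ip]; ok {
		return id
	}
	return WorldIdentity
}

// AllowedByRestoredRules is what the proxy consults for a request while the
// endpoint's full policy has not yet been computed. Once regeneration has
// completed the restored rules are gone and the real policy applies, so this
// reports false.
func (ep *Endpoint) AllowedByRestoredRules(port uint16, dstIP string) bool {
	ep.mu.Lock()
	defer ep.mu.Unlock()
	if ep.regenerated || ep.restored == nil {
		return false
	}
	ip := net.ParseIP(dstIP)
	if ip == nil {
		return false
	}
	_, ok := ep.restored[port][ip.String()]
	return ok
}

// RemoveRestoredRules clears the restored rules; it is what would run after a
// successful regeneration and on endpoint delete (commit 8b390eb).
func (ep *Endpoint) RemoveRestoredRules() {
	ep.mu.Lock()
	defer ep.mu.Unlock()
	ep.restored = nil
	ep.regenerated = true
}

func main() {
	// Constructed sample: 1500 allowed IPs on port 53, more than the cap.
	ips := make([]string, 0, 1500)
	for i := 0; i < 1500; i++ {
		ips = append(ips, fmt.Sprintf("10.0.%d.%d", i/256, i%256))
	}
	ep := &Endpoint{ID: 1, restored: RestoreDNSRules(map[uint16][]string{53: ips})}
	fmt.Println("restored IPs on :53 =", len(ep.restored[53]))
	fmt.Println("10.0.0.1 allowed before regeneration:", ep.AllowedByRestoredRules(53, "10.0.0.1"))
	fmt.Println("identity of unknown IP:", LookupIdentity(map[string]uint32{}, "192.0.2.9"))
	ep.RemoveRestoredRules()
	fmt.Println("10.0.0.1 via restored rules after regeneration:", ep.AllowedByRestoredRules(53, "10.0.0.1"))
}
```

The point of the model is the lifecycle: restored rules are consulted only in the window between agent restart and the endpoint's first regeneration, the cap bounds the work done for a pathological rule set, and an ipcache miss degrades to the WORLD identity rather than dropping the request.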
[ upstream commit 3c2996b ]

"Proxy stats not found when updating" warnings are currently issued if
stats updates are received for a proxy redirect that can not be
found. There are two common scenarios where this can happen as part of
normal operation:

1. A policy change removed a proxy redirect, and stats updates from
  requests that were redirected to the proxy before the datapath
  redirect entry was removed are received.

2. DNS proxy issues stats for requests that have been forwarded on the
  basis of a restored DNS policy while the Endpoint policy has not yet
  been computed.

Demote this log message to debug level to avoid these false warnings.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit 78daa53 ]

removeRestoredRules() requires locking, better reflect that in the
function name.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
[ upstream commit 6173e1c ]

Re-run connectivity test while Cilium is still restarting. This should
succeed as the same DNS names were used in a connectivity test before
the restart.

Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
@jrajahalme jrajahalme force-pushed the pr/v1.8-backport-2020-09-21 branch from 35748f0 to 2b4a0c5 Compare September 28, 2020 21:11
@jrajahalme
Member Author

Fixed white space errors.

@jrajahalme
Member Author

test-backport-1.8

@jrajahalme
Member Author

jrajahalme commented Sep 29, 2020

k8s-1.11-kernel-netnext and k8s tests fail to pull cilium operator for the old version in the upgrade/downgrade test, seems not related to this PR:

Failed to pull image "docker.io/cilium/operator:v1.7": rpc error: code = Unknown desc = error pulling image configuration: unknown blob

No other test failures.

@jrajahalme jrajahalme added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 29, 2020
@rolinh rolinh merged commit 5c5f7df into v1.8 Sep 29, 2020
@rolinh rolinh deleted the pr/v1.8-backport-2020-09-21 branch September 29, 2020 08:54