v1.8: remap gops to fixed port to avoid port collision with proxy #15634
Merged
test-backport-1.8 |
test-1.11-netnext https://jenkins.cilium.io/job/Cilium-PR-K8s-1.11-net-next/1586/ |
pchaigno
approved these changes
Apr 12, 2021
borkmann
reviewed
Apr 12, 2021
1d7a1a1
to
4d617c2
Compare
test-backport-1.8 |
borkmann
approved these changes
Apr 12, 2021
4d617c2
to
4fc767e
Compare
test-backport-1.8 |
test-1.16-4.9 hit something that looks like #12795 https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.9/163/ |
[ upstream commit b8d65ad ]

Manually updated gops to v0.3.14 using:

    go get github.com/google/gops@v0.3.14
    go mod tidy
    go mod vendor

Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit 7757d31 ]

Manually backported from cilium#14329 to address cilium#13400 for v1.8.

Lee reported that kube-proxy log had a warning that its bind protection couldn't bind a specific port in the nodeport range. Turns out gops was using this particular port already through its auto-binding (127.0.0.1:0). Meaning that in case gops collides with a NodePort service, we might not be able to pull gops data from that port since either kube-proxy or kube-proxy free variant will redirect us to the actual service instead.

Given this is rather unpredictable wrt which port the agent will bind for gops, remap it to a fixed default port and add a user configurable knob that allows to use a different one if necessary.

Given the agent, operator, clustermesh-apiserver and hubble-relay all start the gops listener, add the --gops-port flag to each of them. The CNI does not have gops enabled by default but only in debug mode hence no changes there for now given it's unlikely being used this way in production.

Fixes: cilium#14218
Reported-by: Lee Hu via Slack
Co-authored-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Tobias Klauser <tobias@cilium.io>
4fc767e
to
54adf1a
Compare
test-backport-1.8 |
test-upstream-k8s (failed to download the VM in time) |
Labels
area/proxy
Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers.
kind/backports
This PR provides functionality previously merged into master.
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/bug
This PR fixes an issue in a previous release of Cilium.
Manual backport of #14329 to fix port collision of the gops port with the proxy (#13400).
I manually backported the commits from #14329 as they didn't apply cleanly using cherry-picking. I also dropped the commit that updates the client-side gops binary in the runtime images - same as was done for the v1.9 backport in #14419.
See individual commits for details.
Fixes #13400
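The collision described in the commit message (a listener auto-bound via 127.0.0.1:0 landing inside the NodePort range) can be checked for on a node. The following is an added example, not code from this PR or from Cilium: the function name `ListenersInRange` is hypothetical, the `/proc/net/tcp` sample is constructed, only IPv4 TCP is covered, and the range 30000-32767 is the Kubernetes default NodePort range, assumed unchanged.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in /proc/net/tcp format, not captured from a real node.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7A31 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7531 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 41003 1 0000000000000000 20 4 30 10 -1
`

// ListenersInRange returns ports of LISTEN-state (st 0A) IPv4 TCP sockets within [lo, hi].
func ListenersInRange(procNetTCP string, lo, hi uint16) ([]uint16, error) {
	var hits []uint16
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	sc.Scan() // skip the header line
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[3] != "0A" {
			continue // malformed line or not a listener
		}
		i := strings.LastIndexByte(f[1], ':')
		if i < 0 {
			return nil, fmt.Errorf("bad local_address %q", f[1])
		}
		p, err := strconv.ParseUint(f[1][i+1:], 16, 16) // port is hex after the colon
		if err != nil {
			return nil, fmt.Errorf("bad port in %q: %w", f[1], err)
		}
		if port := uint16(p); port >= lo && port <= hi {
			hits = append(hits, port)
		}
	}
	return hits, sc.Err()
}

func main() {
	// Assumed range: the Kubernetes default NodePort range.
	hits, err := ListenersInRange(sampleProcNetTCP, 30000, 32767)
	if err != nil {
		panic(err)
	}
	fmt.Println("listeners inside NodePort range:", hits)
}
```

On a real node, pass the contents of `/proc/net/tcp` instead of the sample; any port reported is a local listener that a NodePort service on the same port would shadow.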