v1.10 backports 2021-10-12 #17582
Conversation
[ upstream commit 1fc4208 ] This change adds an interface for abstracting away the FQDN proxy.
Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

[ upstream commit 0666f53 ] This change allows the daemon integration tests to run with a mock DNS proxy.
Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
[ upstream commit 1433181 ] When a client uses an egress gateway node, it forwards traffic via a vxlan tunnel to the egress gateway node. If the datapath is configured in non-tunnel mode (direct routing), replies from the gateway to the client do not go via the tunnel. This causes these replies to be dropped by iptables because none of Cilium's FORWARD rules match them.

This patch identifies the above packets (i.e., from egress gw to client) and steers them via the vxlan tunnel after rev-SNAT is performed, even when the datapath is configured in non-tunnel mode.

A suggestion by Paul and Martynas (@brb) was to use the following condition to identify said packets:

> if rev-SNATed IP ∈ native CIDR && rev-SNATed IP !∈ node pod CIDR => send to tunnel

This patch, instead, checks the egress gateway policy map. This seems like a safer approach, because all packets that match the contents of the above map in the forward direction will be forwarded to the gw node.

Fixes: cilium#17386
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
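The reply-path decision described in the commit above, as an added illustrative model and not Cilium's datapath code: a constructed egress policy map and a lookup that mirrors the forward-direction match (client pod to destination CIDR) so that a rev-SNATed reply matching it is steered into the tunnel even in direct-routing mode. The struct layout, CIDRs and IPs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
)

// egressPolicy is a simplified stand-in for one entry of the egress gateway
// policy map: traffic from clientPodIP to destCIDR is SNATed on gatewayIP.
type egressPolicy struct {
	clientPodIP net.IP
	destCIDR    *net.IPNet
	gatewayIP   net.IP
}

// policyMap is a constructed sample map (not Cilium's BPF map layout).
var policyMap = func() []egressPolicy {
	_, dst, _ := net.ParseCIDR("203.0.113.0/24")
	return []egressPolicy{{
		clientPodIP: net.ParseIP("10.0.1.5"),
		destCIDR:    dst,
		gatewayIP:   net.ParseIP("192.168.1.20"),
	}}
}()

// replyGoesViaTunnel models the decision taken on the gateway node after
// rev-SNAT in direct-routing mode: the reply (src = external server,
// dst = client pod) is steered into the vxlan tunnel only if the same pair
// matches a policy entry in the forward direction (client pod -> destCIDR).
func replyGoesViaTunnel(revSNATSrc, revSNATDst net.IP) bool {
	for _, p := range policyMap {
		if p.clientPodIP.Equal(revSNATDst) && p.destCIDR.Contains(revSNATSrc) {
			return true
		}
	}
	return false // no policy match: let the reply take the normal direct route
}

func main() {
	// Reply from a covered destination to the covered client pod: tunnel.
	fmt.Println(replyGoesViaTunnel(net.ParseIP("203.0.113.10"), net.ParseIP("10.0.1.5")))
	// Reply to the same pod from a destination outside the policy: direct route.
	fmt.Println(replyGoesViaTunnel(net.ParseIP("198.51.100.7"), net.ParseIP("10.0.1.5")))
}
```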
[ upstream commit 0ed817c ] The original patch (cilium@06e1f1c) for this test included an additional policy in test/k8sT/manifests/egress-nat-policy.yaml:

> apiVersion: cilium.io/v2alpha1
> kind: CiliumEgressNATPolicy
> metadata:
>   name: egress-to-black-hole
> spec:
>   egress:
>   - podSelector:
>       matchLabels:
>         zgroup: testDSClient
>     namespaceSelector:
>       matchLabels:
>         ns: cilium-test
>   # Route everything to a black hole.
>   # It shouldn't affect in-cluster traffic.
>   destinationCIDRs:
>   - 0.0.0.0/0
>   egressSourceIP: 1.1.1.1 # It's a black hole

which was meant to test cilium@b8c757a, which aimed to address cilium#16147. The above patch, however, led to a verification error, so it was excluded from this PR.

Signed-off-by: Yongkun Gui <ygui@google.com>
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
/test-backport-1.10

ci-aks-1.10

@nbusseneau

@nebril that didn't seem to have triggered it...

Will merge since backports are exempt from zero-flake strategy.

Yes, we had decided in community meeting to leave the status there. Hopefully #17529 will re-enable AKS soon.
Once this PR is merged, you can update the PR labels via: