/test-backport-1.11

/test-backport-1.11

Job 'Cilium-PR-Runtime-net-next' failed:

RuntimePrivilegedUnitTests Run Tests

FAIL: Failed to run privileged unit tests

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-Runtime-net-next so I can create one.

Job 'Cilium-PR-Runtime-net-next' failed:

RuntimePrivilegedUnitTests Run Tests

FAIL: Failed to run privileged unit tests

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-Runtime-net-next so I can create one.

The CI failures are a bit suspect, are those passing on the v1.11 branch? 🤔

EDIT: Oh, it's just 4.9... I wonder if something got messed up for all of those ones. Or that visibility feature is somehow not supported on that kernel version.. hmm.

EDIT2: Never mind, the jobs that pass probably just don't run those tests. net-next also fails. Definitely looks like something gets messed up.

Runtime test also looks weird, timed out after ten minutes?

https://jenkins.cilium.io/job/Cilium-PR-K8s-1.18-kernel-4.9/2083/testReport/junit/Suite-k8s-1/18/K8sPolicyTest_Basic_Test_Traffic_redirections_to_proxy_Tests_HTTP_proxy_visibility_without_policy/

Top 1 errors/warnings:
[[C15] cilium.network: Policy NOT FOUND for id: 9326 port: 80

I'm not quite sure what this means or why it only shows up in 1.11, but it looks like an Envoy (maybe Envoy configuration from Cilium?) issue.

seems like something goes wrong, all jobs are failing for below two jobs

• Basic Test Traffic redirections to proxy Tests HTTP proxy visibility without policy
• Basic Test Traffic redirections to proxy Tests proxy visibility interactions with policy lifecycle operations

Let me try to simulate locally

/test-1.16-netnext

/test-runtime

/test

https://jenkins.cilium.io/job/Cilium-PR-K8s-1.18-kernel-4.9/2083/testReport/junit/Suite-k8s-1/18/K8sPolicyTest_Basic_Test_Traffic_redirections_to_proxy_Tests_HTTP_proxy_visibility_without_policy/

Top 1 errors/warnings:
[[C15] cilium.network: Policy NOT FOUND for id: 9326 port: 80

I'm not quite sure what this means or why it only shows up in 1.11, but it looks like an Envoy (maybe Envoy configuration from Cilium?) issue.

This was an unforeseen incompatibility with this change in cilium/proxy (made after v1.11) and this change to support visibility policies for proxylib parsers (in cilium v1.11). This latter change broke the assumption that Cilium agent always creates an allow-all policy when policy enforcement is disabled, and changed to create a port-specific rule instead, but only for proxylib parsers. For L7 LB we needed to actually rely on that assumption, removing a special case originally added for Istio sidecars that allowed traffic if no policy was found.

Backporting envoy: Include allow-all policy with visibility policies as well fixed this in my local testing. Versions prior to v1.11 are not affected as they do not have the proxylib visibility support commit.

/test-1.24-4.19

/test-runtime

/test-backport-1.11

Job 'Cilium-PR-K8s-1.16-net-next' hit: #18889 (95.01% similarity)

Some failures are shown mainly due to /test command was used instead of /test-backport-1-11:

• ci-l4lb --> success in https://github.com/cilium/cilium/actions/runs/2487971717
• ci-awscni --> success in https://github.com/cilium/cilium/actions/runs/2487971724
• test-1.24-4.19 --> not applicable as 1.24 run is not for v1.11
• test-1.23-net-next -> 1.23 + net-next are not valid combination for v1.11. Job for 1.23 and 4.9 is successful here https://jenkins.cilium.io/job/Cilium-PR-K8s-1.23-kernel-4.9/196/
• test-1.16-netnext -> hit CI: K8sKafkaPolicyTest Kafka Policy Tests KafkaPolicies #18889 (comment)