[ upstream commit 798f178 ] The server might depend on the metrics module to be initialized first so we should enable this module before starting the hubble server. Fixes: 56825e0 ("vendor: Add hubble as a dependency") Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 6421ecc ] This adds a Hubble section to the Troubleshooting chapter, explaining how to use the CLI for embedded Hubble. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit bdf98cb ] The k8s cache handlers will depend on node addressing information so the retrieval of own node information must complete before caches are being synchronized. Also re-add a bootstrap start sequence that was removed accidentally by 05163ed. Fixes: 05163ed ("endpoint: Ensure restored endpoint is validated before regenerating it") Fixes: #11836 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 03602e3 ] Due to a bug in Jenkins, nesting timeout in retry block causes build to abort. Work around by using shell-based timeout. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 1f0719e ] Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 5b12097 ] Ubuntu 20.04 ships Python 3.8 by default, which causes `make live-preview` failure during one of the dependency installations in the pipenv unless we bump the "six" version. While we're at it, sort alphabetically. Signed-off-by: Joe Stringer <joe@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 507d9b8 ] The detected MTU is always the one belonging to the interface that acts as gateway. That interface does not necessarily need to be the one that holds nodeIP and thus the one that Cilium will use to send traffic inside the k8s cluster. This patch fixes this and detects the mtu of the interface used for cluster communications. The extra calculation of the correct MTU must be done before the daemon is created and thus part of the K8s initialization code must be moved before the daemon creation. The reason is that the Kubernetes IP for the node is calculated during the K8s initialization. Fixes: #10309 Signed-off-by: Manuel Buil <mbuil@suse.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit a1ccadb ] This bumps the image tag of Hubble UI to 0.6.0. In addition, the default security context is set to a non-root user, which is now supported with this new version. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 78d99a5 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit f02bd2a ] This new Coccinelle script will detect tail calls (ep_tail_call() calls) that are not followed by either a call to send_drop_notify_error(arg1, arg2, DROP_MISSED_TAIL_CALL, ...) or return DROP_MISSED_TAIL_CALL. Tail calls in macros are not analyzed. The script cannot patch such unlogged tail calls as the correct fix depends on the context. It is up to the developer to fix any error found. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 14ecd67 ] Without these changes, and because Coccinelle doesn't analyze the values of variables to prune branches, the new Coccinelle script detects the two tail calls as missing a subsequent DROP_MISSED_TAIL_CALL. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 56b48e0 ] Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 32d3d36 ] This change makes sure that two Cilium pods cannot be running on the same node in parallel. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit b7c7fec ] Re-sync the AWS ENI limits list with https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html?shortFooter=true#AvailableIpPerENI For those not using `--update-ec2-apdater-limit-via-api`. Signed-off-by: Benjamin Pineau <benjamin.pineau@datadoghq.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 59df34f ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 82df172 ] Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 9056286 ] Make docker images. Import them into kind cluster. Install ginkgo. Run ginkgo test. Signed-off-by: Maciej Kwiek <maciej@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit f7b0378 ] This fixes an issue with the `HealthCheckNodePort` server where it would non-deterministically sometimes return a non-zero `localEndpoints` count on nodes which do not have local endpoints. Because Cilium internally creates a service object per frontend IP, we end up with multiple services sharing the same name. In the case where a `LoadBalancer` service has `externalTrafficPolicy=Local` with no local backends, Cilium will still create a `ClusterIP` sibling service which retains the non-local backends. In that case, we must take care to not incorporate the `ClusterIP` backends into the `localEndpoints` count intended for external traffic. The final count is dependent on the order in which services are added to the service manager, which explains why the occurrence of this bug was non-deterministic. This commit fixes this issue by checking that the service may only contain local backends before its count is added to the `HealthCheckNodePort` server. The unit tests are adapted as well and try to emulate the way the K8s watcher upserts services in the service manager. Fixes: #11043 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit d32c25b ] When an endpoint is created, its status is only created 10 seconds after. This happens because Kubernetes ignores the status field of a CRD object on its initialization and Cilium has a controller running every 10 seconds. In order to have a shorter CEP update window, Cilium can create the status field immediately after the creation of the CEP without waiting for the next execution of the CEP controller to be executed. Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 4bad487 ] Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 7204c2c ] This commit enables the enforcement of host policies in the datapath for our kube-proxy-free CI builds. Since no host policies are loaded, it defaults to allow all on ingress and egress. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 7f617ed ] See cilium/image-tools#21 Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit 5f1bec8 ] - Create a cluster with `--without-nodegroup` option and create a node group after deploying Cilium. - Change the cluster name to `test-cluster` in the ENI getting started so it can use the same "Create a nodegroup" section as the EKS guide. Ref: eksctl-io/eksctl#2022 Signed-off-by: Michi Mutsuzaki <michi@isovalent.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
[ upstream commit b8f78b3 ] The audit mode may overwrite policy related verdict and in this situation it's unclear from the policy verdict log that this happened. This commit adds a new audit bit to the policy log's struct and adds a new policy log action 'audit' based on that flag. Related policy log calls were updated to contain audit flag. Signed-off-by: Arthur Evstifeev <aevstifeev@gitlab.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Member
Author
test-backport-1.8
Contributor
My changes look good!
Member
test-missed-k8s
Once this PR is merged, you can update the PR labels via: