v1.15 Backports 2024-05-06 #32384
Merged
v1.15 Backports 2024-05-06 #32384
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit feaf6c7 ] inherit_identity_from_host() already knows how to handle MARK_MAGIC_PROXY_EGRESS_EPID and extract the endpoint ID from the mark. Use it to condense the code path, similar to how to-container looks like. Also fix up the drop notification, which currently uses the endpoint ID in place of the source security identity. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 446cf56 ] Use a single send_trace_notify() statement, with parameters that can be trivially optimized out in the from-netdev path. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 58b74f5 ] The blamed commit anticipated the execution of the watchdog in charge of restarting the etcd connection to a remote cluster in case of errors. However, this can lead to a panic if the etcd client cannot be created (e.g., due to an invalid config file), as in that case the returned backend is nil, and the errors channel cannot be accessed. Let's push again this logic below the error check, to make sure that the backend is always valid at that point. Yet, let's still watch for possible reconnections during the initial connection establishment phase, so that we immediately restart it in case of issues. Otherwise, this phase may hang due to the interceptor preventing the establishment to succeed, given that it would continue returning an error. Fixes: 174e721 ("ClusterMesh: validate etcd cluster ID") Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 2136418 ] [ backporter's notes: values.schema.json has been introduced in #30631 and thus is not present in v1.15. Changes to that file have been ignored. ] Starting from k8s 1.30 together with Ubuntu 24.04, Cilium fails to initialize with the error: ``` Error: applying apparmor profile to container 43ed6b4ba299559e8eac46a32f3246d9c54aca71a9b460576828b662147558fa: empty localhost AppArmor profile is forbidden ``` This commit adds the "Unconfined" as default, where users can overwrite it with any of the AppArmor profiles available on their environments, to all the pods that have the "container.apparmor.security.beta.kubernetes.io" annotations. Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 8397e45 ] Unlike every other identity, the set of labels for the reserved:host identity is mutable. That means that rules should not cache matches for this identity. So, clean up the code around determining matches. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit e7db879 ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This commit moves this removal logic to its own function. That logic will grow in subsequent commits as I'll add debugging information to the log message. This commit doesn't make any functional changes. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit bba016e ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs the duration of the removal so we can validate that it's actually always short and estimate the impact on packet drops. Note the log message will now be displayed only once the XFRM state is re-added, instead of when it's removed like before. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 76d6670 ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs how many such drops happened. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit dbcdd7d ] Whenever AKS stopped supporting a particular version of AKS, we had to manually remove it from all stable branches. Now instead of that, we will dynamically check if it's supported and only then run the test. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 29a340e ] This commit corrects the MTU that is used by the cilium-cni plugin when creating routes for CIDRs received from ENI, Azure or Alibaba Cloud. The cilium-agent daemon returns two MTUs to the cilium-cni plugin: a "device" MTU, which is used to set the MTU on a Pod's interface in its network namespace, and a "route" MTU, which is used to set the MTU on the routes created inside the Pod's network namespace that handle traffic leaving the Pod. The "route" MTU is adjusted based on the Cilium configuration to account for any configured encapsulation protocols, such as VXLAN or WireGuard. Before this commit, when ENI, Azure or Alibaba Cloud IPAM was enabled, the routes created in a Pod's network namespace were using the "device" MTU, rather than the "route" MTU, leading to fragmentation issues. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit f1925b5 ] There is no reason why the log level of "Timed out waiting for datapath updates of FQDN IP information" log message should be an error. Change it to a warning instead. Add a reference to --tofqdns-proxy-response-max-delay parameter to make this warning actionable. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
…ages [ upstream commit b1fae23 ] When tail_nodeport_rev_dnat_ingress_ipv*() is called by from-container to apply RevDNAT for a local backend's reply traffic, it drops all unhandled packets. This would mostly be traffic where the pod-level CT entry was flagged as .node_port = 1, but there is no corresponding nodeport-level CT entry to provide a rev_nat_index for RevDNAT. Essentially an unexpected error situation. But we didn't consider that from-container might also see ICMP error messages by a service backend, and the CT_RELATED entry for such traffic *also* has the .node_port flag set. As we don't have RevDNAT support for such traffic, there's no good reason to send it down the RevDNAT tailcall. Let it continue in the normal from-container flow instead. This avoids subsequent drops with DROP_NAT_NO_MAPPING. Alternative solutions would be to tolerate ICMP traffic in tail_nodeport_rev_dnat_ingress_ipv*(), or not propagate the .node_port flag into CT_RELATED entries. Fixes: 6936db5 ("bpf: nodeport: drop reply by local backend if revDNAT is skipped") Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit d74bc1c ] Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 01c3b83 ] [ backporter's notes: The workflow looks different in v1.15, the option to bump the timeout has been applied to the wait for cluster mesh to be ready after rolling out Cilium in cluster2. ] The KPR matrix entry recently started failing quite frequently due to cilium status --wait failing to complete within the timeout after the upgrading Cilium to the tip of main. Part of the cause seems to be cilium/test-connection-disruption@619be5ab79a6, which made the connection disruption test more aggressive. In turn, causing more CPU contention during endpoint regeneration, which now requires longer. Hence, let's bump the timeout, to avoid failing too early due to the endpoint regeneration not having terminated yet. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
[ upstream commit a682a62 ] Users of this library need Cilium to both check restore and updated DNS rules for the new PortProto version. Otherwise upgrade incompatibilities exist between Cilium and programs that utilize this library. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 0e07aa5 ] The documentation for the Host Firewall contains a number of invocations of the cilium-dbg command-line tool, to run on a Cilium pod. For convenience, the full, standalone command starting with "kubectl -n <namespace> exec <podname> -- cilium-dbg ..." is provided everytime. But this makes for long commands that are hard to read, and that sometimes require scrolling on the rendered HTML version of the guide. Let's shorten them by adding an alias for the recurrent "kubectl exec" portion of the commands. Signed-off-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 21d5f01 ] This commit is a mix of various minor improvements for the host firewall guide and the host policies documentation: - Fix some commands in troubleshooting steps: - "cilium-dbg policy get" does not show host policies - "kubectl get nodes -o wide" does not show labels - Add the policy audit mode check - (Attempt to) improve style - Mark references with the ":ref:" role in a consistent way - Improve cross-referencing (in particular, the text displayed for the K8s label selector references was erroneous) - Strip trailing whitespaces Signed-off-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 642921d ] Make sure that users of the Host Firewall are aware of the current limitations, or rather the known issues, for the feature. Signed-off-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
[ upstream commit 5dd2f14 ] Help users reading the Host Firewall tutorial to find the sections related to troubleshooting host policies or listing known issues for the Host Firewall. Signed-off-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84
added
kind/backports
pippolo84
requested review from
sayboras,
pchaigno,
marseel,
nathanjsweet,
julianwiedmann,
giorio94,
aanm and
squeed
|
/test-backport-1.15 |
julianwiedmann
approved these changes
May 6, 2024
nathanjsweet
approved these changes
May 6, 2024
giorio94
approved these changes
May 7, 2024
squeed
approved these changes
May 7, 2024
sayboras
approved these changes
May 7, 2024
marseel
approved these changes
May 7, 2024
jrajahalme
approved these changes
May 8, 2024
julianwiedmann
added
the
ready-to-merge
ldelossa
approved these changes
May 8, 2024
maintainer-s-little-helper
bot
removed
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
values.schema.jsonnot present in v1.15Wait for cluster mesh status to be readyafter the first Cilium rollout in cluster2Once this PR is merged, a GitHub action will update the labels of these PRs: