-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.13 Backports 2024-05-06 #32386
v1.13 Backports 2024-05-06 #32386
Commits on May 6, 2024
-
pkg: don't cache Host identity rule matches
[ upstream commit 8397e45 ] Unlike every other identity, the set of labels for the reserved:host identity is mutable. That means that rules should not cache matches for this identity. So, clean up the code around determining matches. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for c01d66a - Browse repository at this point
Copy the full SHA c01d66aView commit details -
ipsec: Refactor temporary removal of XFRM state
[ upstream commit e7db879 ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This commit moves this removal logic to its own function. That logic will grow in subsequent commits as I'll add debugging information to the log message. This commit doesn't make any functional changes. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for f9186e5 - Browse repository at this point
Copy the full SHA f9186e5View commit details -
ipsec: Log duration of temporary XFRM state removal
[ upstream commit bba016e ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs the duration of the removal so we can validate that it's actually always short and estimate the impact on packet drops. Note the log message will now be displayed only once the XFRM state is re-added, instead of when it's removed like before. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 60735f8 - Browse repository at this point
Copy the full SHA 60735f8View commit details -
ipsec: Log XFRM errors during temporary state removal
[ upstream commit 76d6670 ] Context: During IPsec upgrades, we may have to temporarily remove some XFRM states due to conflicts with the new states and because the Linux API doesn't enable us to perform this atomically as we do for XFRM policies. This temporary removal should be very short but can still cause drops under heavy throughput. This commit logs how many such drops happened. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for 9a52bd3 - Browse repository at this point
Copy the full SHA 9a52bd3View commit details -
ci: Filter supported versions of AKS
[ upstream commit dbcdd7d ] Whenever AKS stopped supporting a particular version of AKS, we had to manually remove it from all stable branches. Now instead of that, we will dynamically check if it's supported and only then run the test. Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for d891dad - Browse repository at this point
Copy the full SHA d891dadView commit details -
cni: Use correct route MTU for various cloud cidrs
[ upstream commit 29a340e ] This commit corrects the MTU that is used by the cilium-cni plugin when creating routes for CIDRs received from ENI, Azure or Alibaba Cloud. The cilium-agent daemon returns two MTUs to the cilium-cni plugin: a "device" MTU, which is used to set the MTU on a Pod's interface in its network namespace, and a "route" MTU, which is used to set the MTU on the routes created inside the Pod's network namespace that handle traffic leaving the Pod. The "route" MTU is adjusted based on the Cilium configuration to account for any configured encapsulation protocols, such as VXLAN or WireGuard. Before this commit, when ENI, Azure or Alibaba Cloud IPAM was enabled, the routes created in a Pod's network namespace were using the "device" MTU, rather than the "route" MTU, leading to fragmentation issues. Signed-off-by: Ryan Drew <ryan.drew@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for f81cdd2 - Browse repository at this point
Copy the full SHA f81cdd2View commit details -
fqdn: Change error log to warning
[ upstream commit f1925b5 ] There is no reason why the log level of "Timed out waiting for datapath updates of FQDN IP information" log message should be an error. Change it to a warning instead. Add a reference to --tofqdns-proxy-response-max-delay parameter to make this warning actionable. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for af38ea4 - Browse repository at this point
Copy the full SHA af38ea4View commit details -
fqdn: Fix Upgrade Issue Between PortProto Versions
[ upstream commit a682a62 ] Users of this library need Cilium to both check restore and updated DNS rules for the new PortProto version. Otherwise upgrade incompatibilities exist between Cilium and programs that utilize this library. Signed-off-by: Nate Sweet <nathanjsweet@pm.me> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Configuration menu - View commit details
-
Copy full SHA for ca5ebd8 - Browse repository at this point
Copy the full SHA ca5ebd8View commit details