v1.13 Backports 2023-04-03 #24706

Merged
merged 12 commits into from
Apr 5, 2023

@jibi jibi commented Apr 3, 2023

jibi and others added 10 commits April 3, 2023 15:38
[ upstream commit 2a0c158 ]

as we don't know which k8s events/resources were received during the
initial k8s sync

Backporting conflicts:
* minor conflict in the manager as v1.13 doesn't have the policies by
  source IP cache

Fixes: #23529
Fixes: #23967
Suggested-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit c08189c ]

This commit adds a unit test case for L3 skb fast redirecting to L2 device.

Backporting conflicts:
* minor conflicts in bpf/tests/pktgen.h as some surrounding helpers
  changed in master, mostly due to the introduction of
  pktgen__push_default_iphdr_with_options

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 772f4a0 ]

Currently, the log field k8sNamespace contains the name of the pod
instead of the actual namespace when an endpoint gets deleted. This
commit fixes this and adds the k8s namespace.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 22a3743 ]

There is a flake in e2e test when a test case starts to proceed
before ccnp comes to take effect by cilium-agent. The correct way to
delete ccnp is to run "kubectl delete" followed by "cilium policy wait",
and kubectl helper already has such wrappers.

Fixes: #24380

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit 294bcd1 ]

There is a flake in e2e test when a test case starts to proceed
before cnp comes to take effect by cilium-agent. The correct way to
delete cnp is to run "kubectl delete" followed by "cilium policy wait",
and kubectl helper already has such wrappers.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit debdd2a ]

Currently, a service is reported as ready if the local Endpoint resource
has been found, or it has at least one endpoint in remote clusters. This
commit changes slightly the logic, reporting the service ready also if any
remote service has been found (even though with 0 endpoints), to prevent
that an update is possibly missed on scale to zero events.

In particular, the issue can be triggered in case the local service has
no selector (hence k8s creates neither an Endpoint nor an EndpointSlice
object), while the remote one is standard. When the deployment targeted
by the remote cluster is scaled to 0, the service entry in the local
cluster is not correctly cleared.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b7d58c1 ]

Previously, upon detecting the deletion of a global service in a remote
cluster, we removed the corresponding external endpoints. Still, we did
not delete the map associated with that service when no remote endpoints
were left. This commit fixes this, and also ensures that the service
entry is deleted if no longer ready.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit b021b64 ]

Follow-up to e5e44a9 ("bpf: grow verifier log buffer to 10MiB, log as debug").

This commit removes the call to Debug from replaceDatapath and handles it in
regenerate() instead, where it writes a 'verifier.log' file containing the full
verifier log to the endpoint directory as well as to standard error.

This results in output similar to this:
```
Verifier error: program cil_to_host: load program: invalid argument: unreachable insn 68 (1 line(s) omitted)
Verifier log: load program: invalid argument:
	unreachable insn 68
	processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
level=warning msg="JoinEP: Failed to load program for host endpoint (cil_to_host)" ...
  error="loading eBPF collection ..." file-path=628_next/bpf_host.o identity=1 ipv4= ipv6=
  k8sPodName=/ subsys=datapath-loader veth=cilium_host
```

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit e76d074 ]

The ipv6_hdrlen function incorrectly sets the length of the extension header
during parsing, causing cilium to obtain the wrong next header and resulting
in packet loss.

This issue will affect the parsing of IPv6 packets that carry both the "auth"
and other extension headers, such as `ipv6/auth/hopbyhop/tcp`.

Backporting conflicts:
* minor conflict in bpf/tests/pktgen.h due to the upstream changes to
  the pktgen__push_default_iphdr helper

Fixes: 1ce3c7f ("bpf: Skip over IPv6 extension headers")
Fixes: #24187
Signed-off-by: chenyuezhou <zcy.chenyue.zhou@gmail.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
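
The two length encodings that meet in a chain such as `ipv6/auth/hopbyhop/tcp`, as an added example that is not Cilium's code and not part of this PR: the Authentication Header counts its length in 4-octet units minus 2 (RFC 4302), every other extension header in 8-octet units minus 1 (RFC 8200). The function names, the `MAX_EXT_HDRS` bound and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_AUTH = 51, NH_DSTOPTS = 60 };
#define MAX_EXT_HDRS 4 /* assumed bound so the walk always terminates */

/* Byte length of one extension header, from its second octet. */
static size_t ext_hdr_len(uint8_t nh, uint8_t len_field)
{
    if (nh == NH_AUTH)                        /* RFC 4302: 4-octet units, minus 2 */
        return ((size_t)len_field + 2) * 4;
    return ((size_t)len_field + 1) * 8;       /* RFC 8200: 8-octet units, minus 1 */
}

/* Walk the chain that follows the fixed 40-byte IPv6 header. Returns the
 * upper-layer protocol and stores its offset in *off, or returns -1 when the
 * chain is truncated or deeper than MAX_EXT_HDRS. */
static int walk_ext_hdrs(const uint8_t *buf, size_t buflen, uint8_t nh, size_t *off)
{
    size_t pos = 0;
    for (int i = 0; i <= MAX_EXT_HDRS; i++) {
        if (nh != NH_HOPOPTS && nh != NH_ROUTING && nh != NH_AUTH && nh != NH_DSTOPTS) {
            *off = pos;
            return nh;
        }
        if (pos + 2 > buflen)
            return -1;
        size_t len = ext_hdr_len(nh, buf[pos + 1]);
        if (len > buflen - pos)               /* header would run past the data */
            return -1;
        nh = buf[pos];                        /* first octet: next header */
        pos += len;
    }
    return -1;
}

/* Constructed sample: auth (24 bytes) / hop-by-hop (8 bytes) / TCP (20 bytes, zeroed). */
static const uint8_t sample[52] = {
    [0] = NH_HOPOPTS, [1] = 4,                /* AH: Payload Len 4 -> (4+2)*4 = 24 */
    [24] = NH_TCP, [25] = 0,                  /* hop-by-hop: Hdr Ext Len 0 -> 8 */
    [26] = 1, [27] = 4,                       /* PadN option filling the header */
};

int main(void)
{
    size_t off = 0;
    int proto = walk_ext_hdrs(sample, sizeof(sample), NH_AUTH, &off);
    /* Applying the 8-octet rule to AH would give 40 bytes and land inside TCP. */
    printf("upper-layer protocol %d at offset %zu\n", proto, off);
    return 0;
}
```
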
[ upstream commit cef765b ]

Backporting conflicts:
* skipped the CODEOWNERS changes

Signed-off-by: Feroz Salam <feroz@argh.in>
Co-authored-by: Dan Wendlandt <dan@isovalent.com>
Co-authored-by: Joe Stringer <joe@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
@jibi jibi requested a review from a team as a code owner April 3, 2023 14:41
@jibi jibi added kind/backports This PR provides functionality previously merged into master. backport/1.13 This PR represents a backport for Cilium 1.13.x of a PR that was merged to main. labels Apr 3, 2023
MrFreezeex and others added 2 commits April 3, 2023 16:51
[ upstream commit edf15f1 ]

Always init gatewayIP to 0.0.0.0 by default instead of the previous nil
value. Before this commit the rules that didn't match any node were
added in addMissingEgressRules and removed right after in
removeUnusedEgressRules. The egressmap auto converts nil to 0.0.0.0
and removeUnusedEgressRules doesn't do anything to match nil and 0.0.0.0.

Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
[ upstream commit af5d551 ]

As documented in the code, since we quadruple the buffer in the loop,
the next step up from 4MiB is 16MiB, which would overshoot the limit
of <5.2 kernels by one byte.

I did not opt for doubling instead of quadrupling the buffer, since
that means logs over 8MiB would also fail to load on kernels <5.2.

Signed-off-by: Timo Beckers <timo@isovalent.com>
Signed-off-by: Gilberto Bertin <jibi@cilium.io>
@jibi jibi force-pushed the pr/v1.13-backport-2023-04-03 branch from ec037dd to 11299c9 Compare April 3, 2023 14:51

@giorio94 giorio94 left a comment

My PR looks good. Thanks!

@jibi

jibi commented Apr 3, 2023

/test-backport-1.13

Job 'Cilium-PR-K8s-1.24-kernel-4.9' failed:

Test Name

K8sAgentIstioTest Istio Bookinfo Demo Tests bookinfo inter-service connectivity

Failure Output

FAIL: Found 2 io.cilium/app=operator logs matching list of errors that must be investigated:

edit: probably another instance of #24701

@tklauser tklauser removed their request for review April 4, 2023 07:46

@pchaigno pchaigno left a comment

#24309 (@chenyuezhou)

I reviewed the backport for that PR and it looks good to me. Thanks!

@jibi

jibi commented Apr 4, 2023

Marking as ready

@jibi jibi added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 4, 2023
@squeed squeed merged commit 4361912 into v1.13 Apr 5, 2023
37 checks passed
@squeed squeed deleted the pr/v1.13-backport-2023-04-03 branch April 5, 2023 07:36