-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.13 backports 2023-05-10 #25368
v1.13 backports 2023-05-10 #25368
Conversation
/test-backport-1.13 |
These look like legitimate build failures https://github.com/cilium/cilium/actions/runs/4940616411/jobs/8832419274?pr=25368 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apart from the build failure and 1 GHA comment on the import my part is LGTM
[ upstream commit a1c949c ] [ Backporter's notes: Dropped conflict in pkg/node/types/node.go ] This fixes the adding of relevant annotations to the created CiliumNode object. This was caused by the local node not containing this info. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
[ upstream commit 05b6d82 ] This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: cilium#25242 fixes: cilium#23910 fixes: cilium#16308 fixes: cilium#20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
e9a5349
to
0b1a79f
Compare
/test-backport-1.13 |
/test-backport-1.13 Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/2217/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2317/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2332/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
/ci-e2e-1.13 |
/ci-external-workloads-v1.13 |
/test-1.25-4.19 |
/test-1.26-net-next |
Cilium Conformance E2E tracking this flake here: #25483 |
k8s-1.26-kernel-net-next - failing due to #15455 |
Once this PR is merged, you can update the PR labels via: