v1.13 backports 2023-05-10 #25368
v1.13 backports 2023-05-10 #25368
Conversation
thorn3r
added
kind/backports
|
/test-backport-1.13 |
|
These look like legitimate build failures https://github.com/cilium/cilium/actions/runs/4940616411/jobs/8832419274?pr=25368 |
[ upstream commit a1c949c ] [ Backporter's notes: Dropped conflict in pkg/node/types/node.go ] This fixes the adding of relevant annotations to the created CiliumNode object. This was caused by the local node not containing this info. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
[ upstream commit 05b6d82 ] This is a fix for a regression in the local addresses logic, introduced in 080857b as part of the implementation for AddressScopeMax. Addresses with the form of link-local unicast addresses began to be filtered out of the local address aggregation, causing them to labeled with the "world" identity for the sake of policy enforcement. Examples of such addresses include: 169.254.10.10 fe80::1234 This caused issues for a variety of users, whose policies allowing "host" traffic would no longer allow traffic to these addresses, forcing the use of workarounds involving CIDR policies, which is not the intended behavior for this type of address. This was a regression as of Cilium 1.12.0-rc2. One reason for this regression was that logic prior to the change looked at the address scope, whereas logic after the change looked at the address bytes, and it was found that many users had assigned addresses of the forms above but with scope global, causing them to again be filtered unconditionally. This patch factors out the local address filtering logic into a function, removes the skip over IsLinkLocalUnicast(), and adds a variety of unit tests for that function. fixes: cilium#25242 fixes: cilium#23910 fixes: cilium#16308 fixes: cilium#20055 Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com> Signed-off-by: Tim Horner <timothy.horner@isovalent.com>
thorn3r
force-pushed
the
pr/v1.13-backport-2023-05-10
branch
from
e9a5349
to
0b1a79f
Compare
|
/test-backport-1.13 |
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.25-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.25-kernel-4.19/2217/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2317/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2332/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
/ci-e2e-1.13 |
|
/ci-external-workloads-v1.13 |
|
/test-1.25-4.19 |
|
/test-1.26-net-next |
|
Cilium Conformance E2E tracking this flake here: #25483 |
|
k8s-1.26-kernel-net-next - failing due to #15455 |
Once this PR is merged, you can update the PR labels via: