-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.13 Backports 2023-06-07 #25977
v1.13 Backports 2023-06-07 #25977
Conversation
[ upstream commit f64e073 ] Fail helm if kube-proxy-replacement is set or defaults to an invalid value. kube-proxy-replacement can be defaulted to a deprecated (and since removed) "probe" value. User can also set it into an incorrect value explicitly. It is better to fail on helm than cilium agent failing to start. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
47519b7
to
9433ac8
Compare
Making this as a draft as it introduces some build errors. |
[ upstream commit a579e9b ] [ backporter's note: Observed a conflict due to the missing IPsecKeyRotationDuration which is missing in v1.13 branch. The change is made in another PR, but that's a feature PR and we don't want to pull that into v1.13 branch. Also, not directly related to this commit, but this PR contains the changes to expose Helm flag for IPsecKeyRotationDuration (31f6ab). I confirmed with the original author and confirmed that this is accidentally introduced. Thus, I dropped it.] The IPsec key watcher is used to automatically detect and apply changes in the key (typically during key rotations). Having this watcher avoids having to restart the agents to apply the key change. It can however be desired to only apply the key change when the agent is restarted. It gives control to the user on when exactly the change happens. It may also be used as a way to switch from one IPsec implementation to another (XFRM configs specifically): the user rotates the key just before the upgrade; on upgrade, the SPI is implicitly used to distinguish between the old and new implementations as well as the old and new keys. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 3ee2fb7 ] [ backporter's note: Fixed a minor Helm template conflict ] This commit adds a Helm value for the enable-ipsec-key-watcher agent flag introduced in the previous commit. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit be6b6ed ] Adds information on the possibility of spoofing attacks carried out by network attackers with knowledge of pod network configuration. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 4704655 ] Now that the code is reloading the bpf_network program at runtime we should not fatal if we fail to reload the program since this may be caused by ongoing interface changes (e.g. interface was being removed). Change the log.Fatal into log.Error and keep loading to other interfaces. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 592777d ] reloadIPSecOnLinkChanges() did not ignore veth device updates causing reload to be triggered when new endpoints were created. Ignore any updates with "veth" as device type. The draining of updates during settle wait was broken due to unintentional breaking out of the loop. Removed the break. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
9433ac8
to
327be6f
Compare
/test-backport-1.13 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My PR looks good to me. Sorry about the trouble with the third commit and thanks for backporting!
k8s-1.26-kernel-net-next: Test timeout while waiting for the initial Vagrant bootup 🤔 Let me see if it is consistent or not. |
/test-1.26-net-next |
/test-1.22-4.19 |
Cilium Conformance E2E: https://github.com/cilium/cilium/actions/runs/5199848693
|
/ci-e2e-1.13 |
Succeeded. Seems like a flake. Filed a new issue. Sysdump doesn't show the XFRM drop counter increased. At least, IPSec mechanism itself is not an issue. Filed a new issue. |
Once this PR is merged, you can update the PR labels via:
or with