v1.13 Backports 2023-06-07 #25977
Merged
v1.13 Backports 2023-06-07 #25977
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit f64e073 ] Fail helm if kube-proxy-replacement is set or defaults to an invalid value. kube-proxy-replacement can be defaulted to a deprecated (and since removed) "probe" value. User can also set it into an incorrect value explicitly. It is better to fail on helm than cilium agent failing to start. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
YutaroHayakawa
added
kind/backports
YutaroHayakawa
requested review from
ferozsalam,
joamaki,
jrajahalme and
pchaigno
ferozsalam
approved these changes
Jun 7, 2023
YutaroHayakawa
force-pushed
the
pr/v1.13-backport-2023-06-07
branch
from
47519b7
to
9433ac8
Compare
pchaigno
reviewed
Jun 7, 2023
|
Making this as a draft as it introduces some build errors. |
[ upstream commit a579e9b ] [ backporter's note: Observed a conflict due to the missing IPsecKeyRotationDuration which is missing in v1.13 branch. The change is made in another PR, but that's a feature PR and we don't want to pull that into v1.13 branch. Also, not directly related to this commit, but this PR contains the changes to expose Helm flag for IPsecKeyRotationDuration (31f6ab). I confirmed with the original author and confirmed that this is accidentally introduced. Thus, I dropped it.] The IPsec key watcher is used to automatically detect and apply changes in the key (typically during key rotations). Having this watcher avoids having to restart the agents to apply the key change. It can however be desired to only apply the key change when the agent is restarted. It gives control to the user on when exactly the change happens. It may also be used as a way to switch from one IPsec implementation to another (XFRM configs specifically): the user rotates the key just before the upgrade; on upgrade, the SPI is implicitly used to distinguish between the old and new implementations as well as the old and new keys. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 3ee2fb7 ] [ backporter's note: Fixed a minor Helm template conflict ] This commit adds a Helm value for the enable-ipsec-key-watcher agent flag introduced in the previous commit. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit be6b6ed ] Adds information on the possibility of spoofing attacks carried out by network attackers with knowledge of pod network configuration. Signed-off-by: Feroz Salam <feroz.salam@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 4704655 ] Now that the code is reloading the bpf_network program at runtime we should not fatal if we fail to reload the program since this may be caused by ongoing interface changes (e.g. interface was being removed). Change the log.Fatal into log.Error and keep loading to other interfaces. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
[ upstream commit 592777d ] reloadIPSecOnLinkChanges() did not ignore veth device updates causing reload to be triggered when new endpoints were created. Ignore any updates with "veth" as device type. The draining of updates during settle wait was broken due to unintentional breaking out of the loop. Removed the break. Fixes: bf0940b ("loader: Reinitialize IPsec on device changes on ENI") Signed-off-by: Jussi Maki <jussi@isovalent.com> Signed-off-by: Yutaro Hayakawa <yutaro.hayakawa@isovalent.com>
YutaroHayakawa
force-pushed
the
pr/v1.13-backport-2023-06-07
branch
from
9433ac8
to
327be6f
Compare
|
/test-backport-1.13 |
pchaigno
approved these changes
Jun 7, 2023
|
k8s-1.26-kernel-net-next: Test timeout while waiting for the initial Vagrant bootup 🤔 Let me see if it is consistent or not. |
|
/test-1.26-net-next |
|
/test-1.22-4.19 |
|
Cilium Conformance E2E: https://github.com/cilium/cilium/actions/runs/5199848693
|
|
/ci-e2e-1.13 |
|
Succeeded. Seems like a flake. Filed a new issue. Sysdump doesn't show the XFRM drop counter increased. At least, IPSec mechanism itself is not an issue. Filed a new issue. |
YutaroHayakawa
added
the
ready-to-merge
This was referenced Jun 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via:
or with