Endpoint/CEP Ownership Fix #21768

tommyp1ckles · 2022-10-17T16:47:48Z

Fixes: #19931

Fix bugs where ciliumendpoints for statefulset pods where being incorrectly overwritten/deleted

maintainer-s-little-helper · 2022-10-17T16:47:50Z

Commit 675c00e91ba2c5e7f6c65bc86dc04ba3b643f407 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

github-actions · 2022-11-17T02:11:48Z

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

tommyp1ckles · 2022-11-22T06:28:08Z

/test

tommyp1ckles · 2022-11-22T15:20:47Z

/test-1.25-net-next

tommyp1ckles · 2022-11-22T19:59:50Z

/test

tommyp1ckles · 2022-11-23T05:27:42Z

/test

tommyp1ckles · 2022-11-23T06:12:29Z

/test

tommyp1ckles · 2022-11-25T18:43:24Z

/test

aanm · 2023-01-10T11:02:07Z

@aanm Can we backport these changes?

@tommyp1ckles let's do it for 1.13 and 1.12 for now /cc @joestringer

This is intended to prevent endpoints from overwriting ciliumendpoints that have the same name but are being managed by a new endpoint sync. This can occur because endpointsynchronizer controllers can overlap when restarting a statefulset (i.e. two CEPs will have the same namespace and name as each other). By adding an operation for patching the UID, this ensures that only endpoints with the UID of the current CEP in apiserver will be able to successfully mutate the CEP status. All other requests will be rejected due to the immutability constraint on UID. Fixes: cilium#19931 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

This change adds writing the CiliumEndpoint UID to an endpoints restore. CiliumEndpoint UID is not currently written alongside the stored restore data. This can cause problems related to ambiguous ownership of CEPs by endpoint synchronizers. Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

Prevents endpointsynchronizer from taking ownership and managing ciliumendpoints, except in the case of endpoint restore where the ciliumendpoint is on the same node as the agent. This fixes bugs related to two endpointsynchronizers running for pods of the same name (i.e. as can happen in the case of Stateful sets). Fixes: cilium#19931 Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

tommyp1ckles · 2023-01-10T22:18:48Z

/test

maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 17, 2022

tommyp1ckles changed the title ~~wip~~ Endpoint/CEP Ownership Fix Oct 17, 2022

tommyp1ckles changed the title ~~Endpoint/CEP Ownership Fix~~ WIP: Endpoint/CEP Ownership Fix Oct 17, 2022

github-actions bot added stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. and removed stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. labels Nov 17, 2022

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch from 675c00e to a40b0b0 Compare November 22, 2022 06:27

maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Nov 22, 2022

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch 2 times, most recently from 17fc9d0 to dcf9db8 Compare November 22, 2022 19:59

tommyp1ckles changed the title ~~WIP: Endpoint/CEP Ownership Fix~~ Endpoint/CEP Ownership Fix Nov 22, 2022

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch 2 times, most recently from 244455c to cf4705c Compare November 23, 2022 05:22

tommyp1ckles marked this pull request as ready for review November 23, 2022 05:27

tommyp1ckles requested review from a team as code owners November 23, 2022 05:27

tommyp1ckles requested review from nathanjsweet and jrajahalme November 23, 2022 05:27

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch from cf4705c to 5a070c2 Compare November 23, 2022 06:12

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch from 5a070c2 to 8d94b91 Compare November 23, 2022 16:19

tommyp1ckles removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 23, 2022

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Nov 23, 2022

aanm added needs-backport/1.12 labels Jan 10, 2023

tommyp1ckles added 4 commits January 10, 2023 14:18

daemon/cmd/endpoint: add more fields to logging when deleting endpoint.

eabb193

Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>

tommyp1ckles force-pushed the pr/tommyp1ckles/cep-endpoint-sync-ownership-bug branch from 3306def to eabb193 Compare January 10, 2023 22:18

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 11, 2023

aditighag merged commit aad0927 into cilium:master Jan 11, 2023

aditighag mentioned this pull request Jan 12, 2023

Validate "ownership" of hostPort service being deleted #22587

Merged

ti-mo mentioned this pull request Jan 13, 2023

v1.12 backports 2023-01-13 #23092

Closed

This was referenced Jan 14, 2023

[Backport v1.12] Stale CEP cleanup backports #23096

Merged

[Backport v1.11] Stale CEP cleanup backports #23097

Merged

tommyp1ckles added the backport-pending/1.12 label Jan 17, 2023

aanm added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jan 17, 2023

aanm mentioned this pull request Jan 18, 2023

v1.13 Backports 2023-01-18 #23147

Merged

30 tasks

aanm added backport-pending/1.13 and removed needs-backport/1.13 labels Jan 18, 2023

ldelossa added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 labels Jan 18, 2023

This was referenced Jan 19, 2023

v1.12 backports 2023-01-13 (replacement) #23190

Closed

Pr/v1.12 backports #23260

Merged

This was referenced Jan 24, 2023

CI: K8sAgentChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running #23269

Closed

Prepare for release v1.13.0-rc5 #23270

Merged

tommyp1ckles added the backport/author The backport will be carried out by the author of the PR. label Jan 24, 2023

michi-covalent mentioned this pull request Jan 26, 2023

Prepare for release v1.12.6 #23372

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Endpoint/CEP Ownership Fix #21768

Endpoint/CEP Ownership Fix #21768

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Endpoint/CEP Ownership Fix #21768

Endpoint/CEP Ownership Fix #21768

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!