v1.16 Backports 2024-10-25 #35543
Conversation
[ upstream commit decd610 ] The referenced helper doesn't exist any longer. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit 60ebfbf ] The VXLAN helpers currently assume that the outer packet has a L2 header, but this isn't necessarily true. Instead of hard-coding the `struct ethhdr` length, let the caller use ETH_HLEN instead (which can be either 14 or 0). Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit 4f51bad ] Determine the L4 offset just once, so that we don't have to revalidate the IPv4 header after rewriting the MAC addresses. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit 1ede9d9 ] Cilium is currently affected by a bug that causes traffic matched by network policies to be incorrectly dropped when running in either ENI mode (both AWS and AlibabaCloud) or AWS VPC CNI chaining mode, if the cluster ID is 128-255 (and 384-511 when maxConnectedClusters=511) [1]. Let's add validation both at the helm level and in the agent itself to prevent users from configuring Cilium in a configuration which is known to be broken. [1]: #21330 Suggested-by: Joe Stringer <joe@cilium.io> Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
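As an added illustration (not Cilium's own code) of the agent-side check this commit describes, assuming hypothetical mode names and a helper `validateClusterID`; the ranges and modes are the ones the commit message states, and the "cluster ID never exceeds max-connected-clusters" rule is this example's own assumption:

```go
package main

import "fmt"

// datapathMode and its values are hypothetical names for this example.
type datapathMode int

const (
	modeVeth              datapathMode = iota // stands in for any unaffected mode
	modeENI                                   // AWS or AlibabaCloud ENI mode
	modeAWSVPCCNIChaining                     // AWS VPC CNI chaining mode
)

// inBrokenRange reports whether clusterID falls into 128-255, or into 384-511
// when max-connected-clusters is 511: the ranges the commit message names.
func inBrokenRange(clusterID, maxConnectedClusters uint32) bool {
	if clusterID >= 128 && clusterID <= 255 {
		return true
	}
	return maxConnectedClusters == 511 && clusterID >= 384 && clusterID <= 511
}

// validateClusterID mirrors the kind of agent-side check the commit adds:
// reject a cluster ID known to drop policy-matched traffic in the affected
// datapath modes, accept it everywhere else.
func validateClusterID(mode datapathMode, clusterID, maxConnectedClusters uint32) error {
	// Assumption of this example: a cluster ID never exceeds max-connected-clusters.
	if clusterID > maxConnectedClusters {
		return fmt.Errorf("cluster ID %d exceeds max-connected-clusters %d", clusterID, maxConnectedClusters)
	}
	if mode != modeENI && mode != modeAWSVPCCNIChaining {
		return nil
	}
	if inBrokenRange(clusterID, maxConnectedClusters) {
		return fmt.Errorf("cluster ID %d is in a range (128-255, or 384-511 with max-connected-clusters=511) known to drop policy traffic in ENI / AWS VPC CNI chaining mode", clusterID)
	}
	return nil
}

func main() {
	// Constructed sample configurations; prints the validation result of each.
	for _, tc := range []struct {
		mode    datapathMode
		id, max uint32
	}{{modeENI, 100, 255}, {modeENI, 200, 255}, {modeVeth, 200, 255}, {modeENI, 400, 511}, {modeENI, 300, 511}} {
		fmt.Printf("mode=%d id=%d max=%d -> %v\n", tc.mode, tc.id, tc.max, validateClusterID(tc.mode, tc.id, tc.max))
	}
}
```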
/test-backport-1.16
My commit looks good. Thanks!
oh, netlink build failures :(. For reference, Andre fixed this up in
[ upstream commit 1de792c ] [ backporter's note: due to update of vishvananda/netlink also pull in relevant changes from commit f6031e2 ("fix(deps): update all go dependencies main") adjusting to the changed mask type (uint32 instead of int). ] When using endpoint routes with veth, cil_to_container runs before the veth driver scrubs the packet (i.e. clears skb->mark). In netkit mode, cil_to_container is executed after scrubbing the packet. This causes traffic originating from the host to be miscategorized, leading to cases like GH-34042 where enabling netkit causes liveness+readiness probes to fail. To address this, the IFLA_NETKIT_SCRUB and IFLA_NETKIT_PEER_SCRUB flags were recently introduced to configure whether or not netkit scrubs the packet when xmiting to the primary or peer devices, respectively. Set IFLA_NETKIT_SCRUB to NETKIT_SCRUB_NONE to ensure that any mark set in the host namespace is passed to cil_to_container when using netkit with endpoint routes. Set IFLA_NETKIT_PEER_SCRUB to NETKIT_SCRUB_DEFAULT to ensure that the mark is always cleared before running cil_from_container and passing the packet on to the host namespace. Signed-off-by: Jordan Rife <jrife@google.com> Link: https://lore.kernel.org/bpf/20241004101335.117711-1-daniel@iogearbox.net/T/#u Fixes: #35060 Fixes: #34042 Fixes: #33875 Fixes: 6895341 ("cilium, connector: Add netkit connector")
[ upstream commit 6170030 ] It turns out that ForEachService() does a lot of allocation to convert an EndpointSlices into an Endpoints; this is wasteful if the caller does not need the endpoints. Instead, yield the EndpointSlices directly, so the caller may generate the endpoints if desired. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit e9756ef ] We already track whether or not a given CNP / CCNP has a ToServices selector. We can use this bit to skip resolving ToServices entirely (and thus iterating over all known services) when no ToServices selectors are present. Signed-off-by: Casey Callendrello <cdc@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit a55178f ] This commit fixes the pod-to-pod traffic being dropped because of using a higher MTU value. This is caused by a non-configuration of the default route from proxy, in the routing table n. 2005 respectively. While the pod-to-pod default route MTU is being adjusted according to the IPSec overhead and the adjusted size of the authentication key, the from-proxy route is not changed as well, leading to connectivity issues when both ingress and egress policies are in place. Fixes: #33168 Signed-off-by: Simone Magnani <simone.magnani@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
[ upstream commit 3ccd76a ] This commit extends the routes tests to check that, according to the previous commit, the default route in the table 2005 is correctly installed with the provided MTU. This is particularly useful as when enabling both ingress and egress policies with IPSec, the default route has a lower MTU since it needs to account also for the encryption overhead. With this commit, in the tests we make sure that, when provided, the correct value is used rather than the default one. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
Thanks. I've pulled these fixes into the commit updating the netlink lib.
/test-backport-1.16
LGTM! Thanks for dropping cli changes from the commits 👍
This commit enables the `pod-to-pod-with-l7-policy-encryption` cli connectivity test from v1.15, after the successful backports of cilium#35173 in:
* v1.15: cilium#35586
* v1.16: cilium#35543
While enabling the test, in this commit we split the version check logic (that is independent from the IP family used) from the check for running IPv6+IPsec (that should be prevented due to a current limitation of having a flaky plain-text packet in the test suite, tracked in cilium#35485). Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
This commit enables the `pod-to-pod-with-l7-policy-encryption` cli connectivity test for v1.15 and v1.16, after the backports of cilium#35173 in:
* v1.15: cilium#35586
* v1.16: cilium#35543
While enabling the test, in this commit we split the version check logic (that is independent from the IP family used) from the check for running IPv6+IPsec (that should be prevented due to a current limitation of having a flaky plain-text packet in the test suite, tracked in cilium#35485). Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
`go.mod`: for the netlink package, kept the version from the PR and ran `go mod tidy && go mod vendor`. Also had to pull in changes to adjust Cilium code to the changed mask type in the new netlink library version (`int` to `uint32`).
v1.16 does not have the `cilium-cli/` directory and the version on `main` supports and is used on all stable branches.
Once this PR is merged, a GitHub action will update the labels of these PRs: