Name: cilium-operator
Distribution: SUSE Linux Enterprise 15 SP3
Version: 1.8.5
Vendor: openSUSE
Release: bp153.1.15
Build date: Tue May 18 19:17:11 2021
Group: Unspecified
Build host: goat01
Size: 218554368
Source RPM: cilium-1.8.5-bp153.1.15.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/cilium/cilium
Summary: Kubernetes operator for Cilium
Cilium is software for providing and transparently securing network connectivity, and for load balancing between application containers and services deployed using Linux container management platforms like Docker and Kubernetes. This package provides a Kubernetes operator that performs garbage collection for Cilium.
License: Apache-2.0 AND GPL-2.0-or-later
Changelog:

* Fri Oct 30 2020 Michał Rostecki <mrostecki@suse.com>
- Update to 1.8.5
  * Release notes: https://github.com/cilium/cilium/releases/tag/v1.8.5
- Remove patches which were included upstream:
  * 0001-option-mark-keep-bpf-templates-as-deprecated.patch
  * 0002-make-remove-the-need-for-go-bindata.patch
  * 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch
  * 0005-bpf-re-add-a-proper-types.h-mapper.patch
  * 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch
  * 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch
  * 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch
  * 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch
  * 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch
- Remove downstream patch which is not needed anymore (now it's enough to just modify the Helm chart with sed to set out images):
  * 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch
- Add upstream patch for installing the operator binary:
  * 0001-operator-make-Add-install-target.patch

* Mon Aug 03 2020 Callum Farmer <callumjfarmer13@gmail.com>
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

* Thu Jul 30 2020 Dirk Mueller <dmueller@suse.com>
- update to 1.7.6:
  Fixes https://github.com/cilium/cilium/security/advisories/GHSA-9hx8-3wfx-q2vw (CVE-2020-8663, CVE-2020-12605, CVE-2020-12604, CVE-2020-12603, bsc#1173559)
  see https://github.com/cilium/cilium/releases/tag/v1.7.6
  * avoid having endpoints in 'restoring' state in case the connectivity with the KVStore is not reliable (Backport PR #12333, Upstream PR #12307, @aanm)
  * bpf: Use nproc --all for __NR_CPUS__ (Backport PR #12363, Upstream PR #12121, @gandro)
  * cilium: fix encryption flow labels in ip6 case (Backport PR #12056, Upstream PR #12015, @jrfastab)
  * Fix bug where etcd session renew would block indefinitely, causing endpoint provision to fail (Backport PR #12333, Upstream PR #12292, @joestringer)
  * Fix bug where identity allocation wouldn't cancel from api timeouts (Backport PR #12350, Upstream PR #12328, @joestringer)
  * Fix setting monitorAggregationLevel to max reflects via CLI (Backport PR #12333, Upstream PR #12014, @soumynathan)
  * Fix silent cilium monitor on systems with offline CPUs (Backport PR #12363, Upstream PR #12310, @pchaigno)
  * Fix syslog hook missing in DefaultLogger (Backport PR #12333, Upstream PR #12170, @ArthurChiao)
  * helm/operator: fix IPv6 liveness probe address for operator (Backport PR #12333, Upstream PR #12223, @Rolinh)
  * iptables: Remove '--nowildcard' from socket match (Backport PR #12333, Upstream PR #12248, @jrajahalme)
  * Istio integration is updated to Istio release 1.5.6. (Backport PR #12333, Upstream PR #12214, @jrajahalme)
  * Istio integration is updated to Istio release 1.5.7. (Backport PR #12357, Upstream PR #12353, @jrajahalme)
  * make: fix LOCKDEBUG env variable reference for docker-plugin-image (Backport PR #12333, Upstream PR #12318, @Rolinh)
  * option: Require native-routing-cidr only if IPv4 is enabled (Backport PR #12354, Upstream PR #12198, @brb)
  * policy/api: Add reserved:health entity (Backport PR #12333, Upstream PR #12199, @pchaigno)
  * stop Cilium from hanging on CNP or CCNP events from Kubernetes if running with 'k8s-event-handover=true' and 'kvstore=""' (Backport PR #12333, Upstream PR #12146, @aanm)
  * The host proxy is updated to Envoy release 1.13.3 (Backport PR #12350, Upstream PR #12343, @jrajahalme)
  * Valid CNP and CCNP 'matchLabel' values must be 63 characters or less and must be empty or begin and end with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), underscores (_), dots (.), and alphanumerics between. (Backport PR #12354, Upstream PR #12117, @aanm)
- 0001-option-mark-keep-bpf-templates-as-deprecated.patch,
  0002-make-remove-the-need-for-go-bindata.patch,
  0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch,
  0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch,
  0005-bpf-re-add-a-proper-types.h-mapper.patch,
  0006-build-Avoid-using-git-if-not-in-a-git-repo.patch,
  0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch,
  0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch,
  0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch,
  0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch: rebase against 1.7.6

* Tue Jul 07 2020 jmassaguerpla@suse.com
- Add a _constraints to require at least 5GB of disk space

* Mon Jun 15 2020 Michał Rostecki <mrostecki@suse.com>
- Fix cniInstallScript and cniUninstallScript values in helm chart.

* Fri Jun 12 2020 Dirk Mueller <dmueller@suse.com>
- Update to 1.7.5
  + Too many bugfixes to list here, see
    https://github.com/cilium/cilium/releases/tag/v1.7.5
    https://github.com/cilium/cilium/releases/tag/v1.7.4
    https://github.com/cilium/cilium/releases/tag/v1.7.3
    https://github.com/cilium/cilium/releases/tag/v1.7.2
    https://github.com/cilium/cilium/releases/tag/v1.7.1
- rename 0002-bpf-re-add-a-proper-types.h-mapper.patch to 0005-bpf-re-add-a-proper-types.h-mapper.patch
- rename 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch to 0006-build-Avoid-using-git-if-not-in-a-git-repo.patch
- rename 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch to 0007-option-rename-PolicyMapMaxEntries-to-PolicyMapEntrie.patch
- rename 0006-allow-to-configure-bpf-nat-global-max-using-helm.patch to 0008-helm-allow-to-configure-bpf-nat-global-max-using-Hel.patch
- rename 0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch to 0009-option-reduce-default-number-for-TCP-CT-and-NAT-tabl.patch
- rename 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch to 0010-daemon-add-option-to-dynamically-size-BPF-maps-based.patch
- remove 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch

* Wed Jun 10 2020 Dirk Mueller <dmueller@suse.com>
- add 0002-bpf-re-add-a-proper-types.h-mapper.patch
- add 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch
- add 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch
- build BPF_SRCFILES to get the list of bpf files to install

* Wed Apr 29 2020 Dirk Mueller <dmueller@suse.com>
- enable build for all 64 bit arches (adds ppc64le, s390x)

* Sat Apr 25 2020 Swaminathan Vasudevan <svasudevan@suse.com>
- Adds a couple of patches that fixes bpf load error (bsc#1151876)
  * 0005-rename-PolicyMapMaxEntries-to-PolicyMapEntries-and-define-policy-map-size-limits-as-consts.patch(combined)
  * 0006-allow-to-configure-bpf-nat-global-max-using-helm.patch
  * 0007-reduce-default-number-for-TCP-CT-and-NAT-table-max-entries.patch
  * 0008-add-option-to-dynamically-size-BPF-maps-based-on-system-memory.patch

* Mon Mar 09 2020 Michał Rostecki <mrostecki@opensuse.org>
- Remove cilium-init package.

* Fri Mar 06 2020 Michał Rostecki <mrostecki@opensuse.org>
- Add bpftool as a runtime dependency.

* Thu Feb 27 2020 Michał Rostecki <mrostecki@opensuse.org>
- Use %requires_eq for cilium-proxy.

* Thu Feb 27 2020 Michał Rostecki <mrostecki@opensuse.org>
- Add cilium-proxy as a runtime dependency.

* Mon Feb 24 2020 Michał Rostecki <mrostecki@opensuse.org>
- Build with correct cilium-proxy version string.

* Mon Feb 24 2020 Michał Rostecki <mrostecki@opensuse.org>
- Add upstream patches which fix running Cilium on aarch64 and remove dependency on glibc:
  * 0001-option-mark-keep-bpf-templates-as-deprecated.patch
  * 0002-make-remove-the-need-for-go-bindata.patch
  * 0003-bpf-don-t-use-fixed-size-integer-types-from-stdint.h.patch
- Add downstream patch which makes helm charts compatible with openSUSE images:
  * 0004-helm-Allow-variables-for-compatibility-with-openSUSE.patch

* Mon Feb 24 2020 Michał Rostecki <mrostecki@opensuse.org>
- Update to version 1.7.0:
  * Major changes
    - Add direct server return (DSR) for NodePort BPF
    - Add support for k8s 1.17
    - Add support for k8s endpoint slice
    - Add support for L7 visibility via pod annotations
    - Clusterwide K8s Cilium Network Policies
    - Envoy TLS support with header imposition
  * Bugfixes
    - Add better mechanism to detect if k8s caches are synced against k8s
    - api: Add missing annotations to generate DeepCopy for new status fields
    - bpf: Fix proxy redirection for egress programs
    - bpf: Remove POLICY_MAP from bpf_netdev and bpf_overlay
    - cilium: use %v for dumping frontend struct on error
    - Correct clustermesh identity sync kvstore backend usage (to actually use the remote)
    - daemon: Upgrade spf13/viper
    - eni: Check instance existence before resolving deficit
    - Filter out bpftool probes emitting dmesg messages
    - Fix cilium daemonset deletion on AKS
    - Fix concurrent access of a variable used for metrics
    - Fix issue (#10092) which incorrectly configured route MTU with encryption and tunnel enabled.
    - Fix memory corruption on clusters with IPv6 and NodePort enabled
    - Fix node-port default route detection in case there multiple default entries with same ifindex.
    - Fix regression to avoid freeing alive IPs
    - Fix regular service lookup in node-port range in case of host-reachable services.
    - Fix Unlock handling for kvstore locks
    - Fix vishvananda/netlink library's VethPeerIndex() stack corruption with 4.20+ kernels.
    - fqdn: Support setting tofqdns-min-ttl to 0
    - health: add ipv6 health check status to cilium health status output
    - HostToContainer propagation for /sys/fs/bpf
    - ipam: Protect release from releasing alive IP
    - ipcache: Add probe to check for dump capability to support delete
    - ipsec: fix connectivity after node reboots
    - k8s: Fix Service.DeepEquals for ExternalIP
    - kubernetes: Disable LocalNodeRoute while chaining
    - node: Provide context in log when restoring router addresses
    - operator: only enable kvstore watcher if kvstore is enabled
    - pkg/bpf: Protect each uintptr with runtime.KeepAlive
    - pkg/endpoint: access endpoint state safely across go routines
    - pkg/ip: fix cilium status output for big CIDR ranges
    - policy: Don't open localhost when allowing L7 traffic
    - policy: Expose L3 selectors within endpoint JSON

* Thu Feb 20 2020 Michał Rostecki <mrostecki@suse.com>
- Remove quick-install.yaml file, ship only helm chart instead.

* Mon Dec 23 2019 Michał Rostecki <mrostecki@opensuse.org>
- Update to version 1.6.5:
  * Important Bug Fixes
    - Envoy is updated to release 1.12.2, including important security fixes (CVE-2019-18801, CVE-1019-18802, CVE-1019-18838)
  * Bug fixes
    - Fix disabling health-checks in chaining mode
    - Delete endpoint xxx_next directories during restore
    - Fix typo in io.cilium/shared-service annotation
    - Fix issue where services would not be updated when comparing two services
    - Fix bugtool support for aead encryption algorithm
  * Misc
    - Add github actions to cilium
    - Fix AKS installation guide
    - Disable masquerading in all chaining documentation guides
    - Update golang to 1.12.14
    - Add delay between reconnect attempts to containerd
    - Decrease log level for "service not found" message
  * CI
    - Use force flag in Cilium install apply command
    - Move missed kubectl apply calls to Apply calls
    - Add nil check for init container terminated state

* Thu Oct 17 2019 Richard Brown <rbrown@suse.com>
- Remove obsolete Groups tag (fate#326485)

* Fri Oct 11 2019 Michał Rostecki <mrostecki@opensuse.org>
- Update to version 1.6.3:
  * Highlights
    * KVStore free operation
    * 100% Kube-proxy replacement
    * Socket-based load-balancing
    * Policy scalability improvements
    * Generic CNI chaining
    * Native AWS ENI mode
  * Key Fixes
    * Fix IP leak on main interface when using ENI IPAM
    * Fix deadlock caused by buffered channel being full when large amounts of local identities are allocated while FQDNSelectors are being updated
  * Minor Bug Fixes
    * Fix apiVersion in micropk8s Daemonset in microk8s-prepull.yml to apps/v1
    * Do not try to delete CiliumEndpoint from K8s if name / namespace fields are empty
    * Configure sysctl if IPv6 is disabled for the health endpoint's device to have IPv6 disabled as well in order to avoid emitting IPv6 autoconf frames
    * Fix monitor reporting status to not show monitor as always being disabled
    * Fix sockops compilation / verification on newer LLVM versions
    * Ensure that unroutable packets are dropped as being unroutable when they are unroutable via cilium_host device
    * Fix bug where L7 wildcarding for policy was not occurring for CIDR-based policy rules
  * Enhancements
    * Populate source and destination ports for DNS records in the monitor
    * Backport of pkg/sysctl to make it easier to configure sysctl options
    * Support client certificate rotation in the etcd client
  * Encryption Fixes
    * Fix packet drops when using encryption by setting output-mark to use table 200 post-encryption and set different MTU for main/200 tables / not using policies/states for subnets
  * Dependencies
    * Update netlink library to get support for output-mark
    * Update golang version in Docker images to v1.12.10
    * Always run update when building dependencies in Docker images
    * Bump K8s dependency to v1.16.1
    * Bump golang.org/sys/unix library version
  * Documentation
    * Update supported Kubernetes versions
    * Update microk8s instructions to use cilium plugin to microk8s

* Fri Oct 11 2019 rbrown@suse.com
- Update to version 1.6.3:
  * Prepare for v1.6.3 release
* envoy: Update image for Envoy CVEs 2019-10-08 * Fix IP leak on main if * policy: remove checking of CIDR-based fields from `IsLabelBased` checks * daemon: Populate source and destination ports for DNS records * kvstore/etcd: always reload keypair * bpf: Fix sockops compile on newer LLVM * Revert "add PR #82410 patch from kubernetes/kubernetes" * vendor: update to k8s 1.16.1 * k8s/endpointsynchronizer: Do not delete CEP on empty k8s resource names * monitor: Fix reporting the monitor status * docs: update k8s supported versions * policy: Fix up selectorcache locking issue * bpf: fix cilium_host unroutable check * Do not add policies/states for subnets * Use output-mark to use table 200 post-encryption and set different MTU for main/200 tables * Update netlink library (support for output-mark) * vendor: Bump golang.org/sys/unix library revision * sysctl: Add function to write any param value * sysctl: Get rid of GOOS targets * sysctl: Add package for managing kernel parameters * Change kind of daemonset in microk8s-prepull.yml to apps/v1 * docs: Simplify microk8s instructions * health: Configure sysctl when IPv6 is disabled * dockerfile.runtime: always run update when building dependencies * go: bump golang to 1.12.10 * Prepare for release v1.6.2 * test: Add a standalone test for validating static pod labels * daemon: Start controller when pod labels resolution fails * iptables: fix cilium_forward chain rules to support openshift * docs/azure: wait for azure-vnet.json to be created * docs: add akz and az to list of spelling words * Dockerfile: Use latest iproute2 image * endpoint: Update proxy policies when applying policy map changes out-of-band * test: Add L3-dependent L7 test with toFQDN * plugins/cilium-cni: add support for AKS * docs: fix proper nodeinit.enabled flag * docs: fix aks guide * docs: Do not pin cilium image vsn in kubeproxy-free guide * cilium: encryption, replace Router() IP with CiliumInternal * FQDN: Wait on policy map update when adding new 
IPs * policy: Expose map-update WaitGroup in FQDN update callchains * endpoint: Expose Endpoint.ApplyPolicyMapChanges * dev VM: update to k8s 1.16.0 * test: test against k8s 1.16.0 * Gopkg.* bump to k8s 1.16.0 * charts/managed-etcd: bump cilium-etcd-operator to v2.0.7 * test: bump k8s testing versions to 1.13.11, 1.14.7 and 1.15.4 * endpoint: start a controller to retry regeneration * endpoint: use endpoint ID for error message * daemon: do not delete directories created by tests if tests fail * daemon: move directory setup into `SetUpTest` * daemon: check error from `d.init()` * bpf: Don't delete conntrack entries on policy deny * use common custom dialer to connect to etcd * pkg/k8s: create custom dialer function * docs: Update kubeproxy-free guide * loader: remove hash from compileQueue if build fails * Do not ping during preflight checks * Refactor probing to reuse client * daemon: fix container runtime disabled state log * add PR #82410 patch from kubernetes/kubernetes * test: disable non-working k8s upstream test * dev VM: update k8s to v1.16.0-rc.2 * test: test against k8s 1.16 by default * Makefile: avoid go modules when running k8s code generation * Makefile: simplify k8s code generation target * update to k8s 1.16.0.rc.2 * Revert "Revert "Remove componentstatus from rbac"" * CI: increase timeouts by 30m to avoid k8s-1.10 test timeouts * Prepare for v1.6.1 * cilium: make all ct timeouts configurable * bpf: add separate ct_service lifetime for tcp/non-tcp * bpf: remove unused args from slave selection code * bpf: usr prandom as slave selection in lb * operator: Pass identity allocation mode through correctly * doc: minor additional tweaks to kube-proxy free gsg * docs: fix typo and update kube-proxy free gsg * test: fix k8s upstream test * Dockerfile: Use latest Envoy image * Revert "pkg/k8s: add merge method to merge 2 set of endpoints together" * Revert "pkg/k8s: test endpoints and service received by events channel" * Revert "pkg/k8s: add k8s external 
IPs support" * Revert "test: add integration tests for k8s services with external IPs" * Revert "test: wait for k8s external service in [kube|core]-dns" * Docs: minor spelling corrections (Fixes #9127) * Fix connectivity test example probes * docs: Improve sysdump collection guide * test: Ensure managed etcd test tears down etcd * deps: update etcd to v3.4.0 * etcd: use ca-file field from etcd option if available * daemon: Improve logging for auto-enabling host-lb * bump manifests apiVersion to apps/v1 * bpf: fix routing of cilium_host router ip and health in v6 tunnel mode * bpf: fix asymmetric routing and cilium_host connectivity in v6 tunnel mode * k8s: replace NodePort frontend cilium_host IP with router addr * ipam: fix v6 address corruption in cilium status dump * ipam: do not assign v4 addresses for status.IPV6 * bump k8s support to 1.15.3 * tofqdns: Allow "_" in DNS names to support service discovery schemes * cilium: fix restore v6 router ip to not break pod connectivity on restart * clustermesh: Improve troubleshooting ability * test: Remove workaround to MASQ traffic from k8s2 * docs: Update source branch in kube-proxy-free guide * cilium: encryption, add host networking routes for encrypt-node * cilium: encryption, delete encrypt-node routes if node is deleted * cilium: add interface to neighborLog * cilium: encryption, if encryptNode is disable release routes * cilium: encryption, log MapUpdateContext failures * cilium: encryption, throw hard error if map create fails * cilium: pull ConfigureResourceLimits earlier in bootstrapping * cilium: silence harmless CILIUM_TRANSIENT_FORWARD warning on startup * docs: clarify nodeport and host-reachable services and 5.0.y kernel situation * CI: K8sPolicyTest tests local DNS only * CI: decouple HTTP and DNS testing in K8sPolicyTest * test: Wait for at least one Istio POD to get ready * istio: Update to 1.2.5 * docs: Avoid mentioning deprecated option * cni: Fix disabling of routing in chaining mode * bpf: Skip 
ingress proxy ip rule with endpoint routes * health: Fix endpoint routes mode * health: Prefer contacting health EP over IPv4 * test: Add disabled test for tunnel+endpointRoutes * test: Fix endpoint routes mode test * eni: update ENI limits mappings * daemon: Specify exact kernel version in host-lb fatal log msg * daemon: Lower kernel requirement for TCP host-lb * doc: Add Azure CNI to CNI chaining section * datapath: probe socket match support, plumb to Envoy configuration * envoy: Update to the latest API * policy/api: Add test case for EntityAll * policy/api: remove Entity matching functions * policy/api: Add tests for reserved:unmanaged match * k8s: Use api.WildcardEndpointSelector instead of an endpoint label reserved:all * labels: Make Matches private * AKS getting started guide * cilium: assert monitor agent is allowed to expose socket * cilium: only start daemon's monitoring agent after base datapath setup * test: Return the error in CmdRes.GetErr() * k8s: Add initcontainer to wait for nodeinit to complete * nodeinit: Change network mode from bridge to transparent on Azure * test: Remove old Cilium versions * workloads: Fix disabled status reflection in API * Revert "Remove componentstatus from rbac" * daemon: signal endpoint restore fail when waiting for global identities times out * docs: Update direct routing policy limitation * install/kubernetes: do not add clustermesh documentation by default * docs: Add kube-proxy free getting started guide * policy: Allow DNS policy on ports other than 53 * test: Use global.tag in helm command line * helm: Allow to specify k8s api-server host and port via env vars * docs: Document how to specify Flannel bridge name * iptables: Add explicit ACCEPT rules for host proxy traffic * operator: Fix passing kvstore options via arguments * helm: Add global.kubeConfigPath * cilium: update IsEtcdCluster to return true if etcd.operator="true" kv option is set * iptables: Allow xt_socket match rules to fail * iptables: Refactor 
proxy socket redirect rule * cilium: encryption, if IPv6 is not supported do not throw debug warning * daemon: Disable BPF routing in endpoint routes mode * Remove componentstatus from rbac * Connection readiness of k8s client gets ns * test: Get rid of unused skipIfDoesNotRunOnNetNext helper * test: Use SkipContextIf in Tests NodePort BPF * test: Add SkipContextIf helper * cilium: Support user-specified monitor socket * Use proper helm value in CI clusters * doc: Update minikube requirement to meet TPROXY requirements * Prepare for v1.6.0 * bpf: try to atomically replace filters when possible * docs: Fix versioned archive path * test: Add NodePort BPF tests * test: Add helper to skip test if running on non net-next * test: Extend testNodePort * test: Add deleteCiliumDS * test: Fix comment in K8sUpdates test * test: Exclude NodePort services from pre-flight checks * lb: Add field to indicate whether svc is of NodePort type * daemon: Do not start L7 proxy support if --install-iptables-rules="false" * update cilium-docker-plugin, cilium-operator to golang 1.12.8 * endpoint: check if returned FinalizeFunc is nil before executing it * operator: generate cmdref * endpoint: Fix proxy port leak on endpoint delete * bpf: Support proxy using original source address and port. 
* dockerfiles: update golang versions to 1.12.8 * docs: Use masterDevice to specify the ipvlan master device * helm: Change ipvlan related vars * cilium: install transient rules during agent restart * add capability to disable CNP NodeStatus updates * install: Allow skipping CNI install * cilium: route mtu not set unless route.Spec set MTU * test: Run 1.5.x cilium-operator version in upgrade test * operator: Fix kvstore configuration inheritance from ConfigMap * helm: Do not use default function when setting default values * Istio: Update to 1.2.4 * Enable insertNeighbor when tunneling is disabled * test: Fix flannel testing with helm * docs: Document flannel limitations * docs: Fail out on documentation warnings * docs: Fix outstanding warnings in docs build * Revert "[daemon] - Change MTU source for cilium_host (Use the Route one)" * Bump vagrant box versions * doc: Document generic veth chaining plugin * doc: Add CNI chaining documentation for Weave Net * doc: Add CNI chaining documentation for Calico * install: Support customizing CNI configuration via ConfigMap * Update AUTHORS * Centralize automatic interface detection in initEnv * Emit AvailableIPsPerSubnet metric * docs: Fine tune external etcd guide. 
* envoy: Use patched image * datapath/iptables: wait until acquisition xtables lock is done * use iptables-manager to manage iptables executions * examples/kubernetes: mount xtables.lock * daemon: sleep 2 seconds before fatal * Use custom timeout option instead ginkgo * Add timeout option to ginkgo suite * doc: Fix cosmetic problem of two helm blocks in guides * Add back code that was removed during refactoring * datapath: Enable host redirect in ENI mode * helm: fix host reachable services template for cilium config map * doc: Fix some typos in the portmap chaining guide * docs: Always use ClusterFirst DNS policy for preflight * docs: Fix deadlock in cilium preflight on etcd timeout * docs: cilium preflight uses cilium RBAC role * Revert "docs: Add rbac template for cilium-preflight" * cilium: fix skipping symbol substitution warnings for neigh map * cilium: size snat/neigh table depending on how ct table is scaled * cilium: bump nat collision retries to 20 * docs: fix install upgrade typo * preflight/templates: add correct imagePullPolicy for init image * docs: Fix NodePort GSG * install: Fix helm template for NodePort * bpf: simplify sock cookie retrieving functions * bpf: fix verifier error due to repulling of skb->data/end * eventqueue: return error if Enqueue fails * eventqueue: protect against enqueueing same Event twice * docs: Simplify preflight migrate-identity example * docs: Add rbac template for cilium-preflight * doc: Create cilium namespace in GKE guide * datapath: Always include IP of cilium_host in list of local IPs * Added prometheus-operator ServiceMonitor * docs: Add instructions for kvstore-CRD identity migration * preflight: Add migrate-identity command * docs: Add etcd config to cilium preflight daemonset * identity: Expose GlobalIdentity to other packages * docs: Correct namespace typo in preflight example * docs: Correct misspelling of containerd * test: wait for k8s external service in [kube|core]-dns * operator: start health check handler 
after initializing k8s client * aws/eni: Fix race condition leading to overaggressive ENI allocation * k8s: Remove unused types instanceID and availabilityZone * eventqueue: use mutex to synchronize access to events channel * helm: Allow setting egress-masquerade-interfaces * doc: Add AWS ENI installation guide * helm: Fix global.masquerade=false * documentation: Fix a typo * docs: Rephrase event-driven behavior explanation * Documentation: update Quick Install guide * doc: Fix include directive in upgrade guide to download release * doc: Document downgrade limitation when changing identity allocation * doc: Specify the full path for connectivity-check.yaml * doc: Add 'cilium-' prefix to archive_name * doc: Disable wait-for-bpf in EKS guide * docs: Adjust Prometheus & Grafana guides to use Helm * helm: Enable operator metrics if .Values.global.prometheus is set * doc: Disable wait-for-bpf in AWS-CNI guide * helm: Fix variable names for nodeEncryption * docs: Fix microk8s guide with helm * install: Allow configuration of containerRuntime socket * install: Add debug-verbose to the helm options * lbmap: Do not arping each service backend IP addr * bpf: Attempt pulling skb->data if it is not pulled * bpf: Introduce revalidate_data_first() * test: Improve upgrade/downgrade test * cilium: ci, fix DatapathConfiguration tests * endpointmanager: move dereference outside of `WithFields` invocation to avoid possible panic * install: Add option for ENI mode configuration * cli: add k8s-service-cache-size daemon cli flag * doc: Fix install Helm link * node: Update ipcache with health IPs * operator/eni: fix panic if metrics are not enabled * cilium: encryption, delete encrypt node routes * k8s: Update ipcache based on CiliumEndpoint only if NodeIP is available * bugtool: Add counters to iptables-save output * test: Fix CiliumReport calls * ipam: eni: Resolve bootstrap misorder to create CiliumNode CR for ENI * Logging improvements around CRD creation of the CiliumNode * Log 
when CNI config is written to disk * Fix typo in field comment * cilium: encryption, use fib_lookup to rewrite dmac/smac * cilium: encryption, use fib output for redirect port * daemon: get list of frontends from ServiceCache before acquiring BPFMapMu * test: gather kvstore output last * test: Remove unused GetK8sDescriptor * test: Do not re-deploy CoreDNS after all upgrade/downgrade tests * test: Provide symmetric uninstall method * test: Delete CoreDNS deployment after upgrade/downgrade test * test: Use resource names to delete etcd-operator * test: Do not deploy etcd-operator in BeforeAll() * doc: Adjust all guides to use Helm templating * kubernetes: Migrate to Helm based YAML generation * doc: Clean up Istio getting started guide * test: Reuse infra pod provision function * test: Skip DatapathConfiguration tests in Flannel * test: Fix flannel tests * test: Highlight flannel installation step * test: Ensure that agent health checks are run in flannel mode * docs: Fix flannel apply command * bpf: Document skb_redirect_to_proxy * iptables: Don't match device on egress proxy rules * bpf: Fix L7 proxy redirect in flannel case * bpf: Improve debugging of proxy forwarding * bpf: Fix qdisc deletion in flannel mode * workloads: Make ENOIMPL messages more readable * cni: Fix flannel chaining * daemon: Improve option autoconfig with flannel * cilium: encryption, ensure 0x*d00 and 0x*e00 marks dont cause conflicts * test: use kvstore-based allocator for upgrade tests * Revert "CI: Add WaitForDaemonSetReady & ExpectDaemonSetReady" * Revert "CI: Add/Use WaitforDeploy & ExpectDeployReady" * Revert "test: Fix etcd-operator readiness check" * agent: Fix wait for ipcache synchroniation when kvstore is disabled * agent: Allow ipsec-key-file to be set via ConfigMap * agent: Provide better error message when ipsec setup fails * cilium: encryption, docs use IPsec instead of IPSec * cilium: encryption, docs update architecture with l3 encryption * cilium: encryption, docs update 
arch pictures * cilium: encryption, docs gettingstarted update for direct routing * cilium: encryption, docs key updates * pkg/monitor: add endpoint create and delete monitor notifications * metrics: fixes constant registering and unregistering of metrics map * Dockerfile: Use proxy with legacy fix * daemon: Remove old proxymaps on startup * lbmap: Add more context to neighAddBackends errors * lbmap: Do not fail to upsert if ARP neigh add fails * cilium: encryption, push tunnel_endpoint IP with encrypt ipcache entries * cilium: encryption, use default interface when encrypt-interface is not set * policy: Reject unsupported L7 rules * policy: Avoid egress kafka rules for tests * monitor: Add human-readable reason for NO_FIB_LOOKUP drops * - Made the function setupIPSec more idiomatic * - Change MTU source for cilium_host (Use the Route one) * - Fix scoping issue of authKeySize * bpf, doc: clarify limitations for node-port and host-reachable services * bpf, doc: small improvements in nodeport gsg * bpf: fix nodeport over tunnel when vxlan/geneve have lco * docs: Explain how to enable metrics * documentation: split out CI section from contributing guide * documentation: split up contributing and release management guides * documentation: remove references to v1.0 from supported prefix lengths limitation * documentation: remove instructions for upgrading to v1.3 * identity: Fix manager refcounts, reduce churn * endpoint: fix deadlock when endpoint EventQueue is full * init-container: Look for a concrete BPFFS mount in /sys/fs/bpf * test: Fix etcd-operator readiness check * examples/kubernetes: update etcd dev version to v3.3.13 * Gopkg: update etcd library to v3.3.13 * datapath: Store NodePort client MAC addr in LRU map * docs: Add NodePort GSG * docs: Remove confusing mentioning of etcd server in ConfigMap * bpf: initial docs for getting started on host reachable services * bpf: add build assertions for nodeport assumptions * bpf: fix obscure llvm codegen bug in port 
clamping * bpf: optimize nat to avoid rewrites if possible * daemon: register warning_error metric after parsing CLI options * Documentation: update list of responsibilities of `cilium-operator` * Fix seds in microk8s docs * bpf: bpf based masq for nodeport to avoid tuple clashes * endpoint: Do not error out when bpf map entry is already deleted. * examples: Add CILIUM_WAIT_BPF_MOUNT variable to minikube DS * CODEOWNERS: update for v1.6 branching * daemon: Fix removal of non-existing SVCs in syncLBMapsWithK8s * examples/kubernetes: update k8s dev VM to v1.15.1 * test: update k8s test version to v1.15.1 * Gopkg: update k8s dependencies to v1.15.1 * datapath: Get rid of MARK_MAGIC_REPLY * bpf: Avoid redirect in bpf_netdev for NodePort * [CI] Add timeout to ginkgo calls * k8s: Add surrogate NodePort frontend with cilium_host IP addr * k8s: Provision NodePort per ClusterIP IP protocol * node: Don't join shared store if kvstore is disabled * operator: Don't attempt to connect to kvstore if disabled * k8s: Register CiliumEndpointList * operator: Support reading identity-allocation-mode from environment variable * k8s: Populate ipcache based on CiliumEndpoint * k8s: Use CiliumNode for node discovery by default * node: Discover other nodes based on CiliumNode custom resource * k8s: Extend CiliumNode CR to carry full node information * nodediscovery: Create CiliumNode from the nodediscovery package * node: Update ipcache entries independent of node update source * source: Refactor source definition into package * examples/k8s: Set identity allocation mode to CRD as default * CI: Keep yaml file search order with no integration * test: replace calls to `kubectl apply` using `ExecShort` with `ExecMiddle` in `ciliumInstall` * test: add namespace generator function * test: provide capability for tests to run in their own namespace * test: add environment variable override for log level for unit tests * logging: allow for injection of log level via ldflags * identity/allocator: 
Move key encoding into backend * allocator: Print debug message when identities have been synced * bpf: compile out encap ifindex check when tunnel is disabled * bpf: convert overlay v6 handling into tail call for recirculation * bpf: update ifindex after node-port fib lookup * bpf: v6 support for NodePort via tunnel * bpf: add support for remote NodePort via tunnel * bpf: add support for local NodePort via tunnel * bpf: pass through for after dmac translation for tunneling * bpf: move remaining node-port handling into header * Run bpf unit tests * endpoint: Make owner a member of Endpoint * kvstore: Controllerize stale lock garbage collection * daemon: Allow kvstore to be unconfigured * CI: Add/Use WaitforDeploy & ExpectDeployReady * CI: Add WaitForDaemonSetReady & ExpectDaemonSetReady * CI: K8sServicesTest consistently uses global DefaultNamespace * ip: add ip_darwin / ip_linux files * daemon: Use TestMain, SetUpSuite, and SetUpTest * labels: Do not filter out app.kubernetes.io prefix * vendor, netlink: fix portid check handling * endpoint: Create redirects before bpf map updates. * Makefile: Cache all macros that may be configured * Makefile: Cache all statically defined macros * Makefile: Fix PRIV_TEST_PKGS test selection * Makefile: Fix path for bpf directory files * proxy: Perform dnsproxy Close() in the returned finalizeFunc * health: Change cilium-health host-side veth link device name * endpoint: change transition from restore state * test: misc. 
runtime policy test fixes * cilium: insert new backend IPs into neigh table * cilium: extend Service{4,6}Value interface to return address * cilium: move default route handling into route pkg * test: remove too many ports validation test from Ginkgo * test: add unit test for sanitization failure with max ports * identity: Use timed ctx for WaitForInitialGlobalIdentities * test: remove RuntimePolicyEnforcement tests * test: remove "Check Endpoint PolicyMap Generation" test * pkg/kvstore: wait for node delete delay in unit tests * test: only close SSH session if context is canceled * eni: Disable installation of local node route * identitymanager: misc. enhancements * policy: Update all rule caches in updateEndpointsCaches() * proxy: Revert on error * k8s: Add CRD Identities as an identity allocator backend * k8s: Add RBAC for k8s CRD cilium identities * k8s: Add ciliumidentity CRD * k8s: Move k8s/informer benchmarks to k8s/informer/benchmarks package * envoy: Add SO_MARK option to listener config * cilium: further improve local address selection * proxy: Do not error out if reading of open ports fails. 
* test: add `ExecMiddle` function * proxylib: move messages from Info --> Debug level * docs: Fix up unparsed SCM_WEB literals * Revert "health: Add ability to restrict listener address" * Revert "policy: remove `CIDRPolicy` structure" * pkg/{kvstore,node}: delay node delete event in kvstore * policy: explicitly return nil when returning nil SelectorPolicy interface * daemon: Remove svc from cache in syncLBMapsWithK8s * [docs] Add note about custom branches test runs * cilium: encryption, don't send arp to nodes on different subnets * cilium: encryption, add arping dependency * Add github.com/j-keck/arping dependency to vendor/ * cilium: encryption, insert new node IPs into neigh table * cilium: encryption, BPF fib lookup failures do not report drop * cilium: encryption, refactor bpf netdev encrypt into its own function * kvstore: Abstract identity allocator backends * kvstore: Split logic into pkg/allocator * labels: Add LabelArray.StringMap function * allocator: keyToID no longer deletes invalid keys * health: Add ability to restrict listener address * policy: remove `CIDRPolicy` structure * endpoint: Fix handling of proxy statistics. 
* eni: Retry on attachment index conflict * policymap: Add policymap dump tests * pkg/bpf: Add test for map.DeleteAll() * pkg/bpf: Add test for dumping zeroed entry * pkg/bpf: Fix deletion of all map elements * pkg/bpf: Fix dumping of zeroed elements * operator: restart non-managed kube-dns pods before connecting to etcd * make: fix unnecessary warnings while running make rules * update golang to 1.12.7 for cilium-{operator,docker-plugin} * bpf: remove unused masq-post section from netdev * bpf: don't perform revnat work on egress if not needed * aws/eni: Add metrics for all triggers * trigger: Refactor prometheus metrics functionality * Add k8s client qps and burst as cli flags for the operator * test/k8sT/manifests: test against cilium image built for init container * examples/kubernetes: change Cilium init image to Cilium image * examples: Remove unused microk8s DS YAMLs * endpoint: do not log warning for specific state transition * cilium: fix incorrect removal of stale maps in node-port * cilium: log message when we attempt to set up basic datapath * test: update k8s testing versions to v1.12.10, v1.13.8 and v1.14.4 * update to golang 1.12.7 * datapath: Mark reply packets when NodePort is enabled * datapath: Fix NodePort reply mark rule * bpf: Add 'build_all' target for macro permutations * bpf: Test overlay define combinations * test: Ensure that verifier test runs on clean dir * test: move creation of Istio resources into `It` * docs: Update FQDN policy troubleshooting * docs: Update for L4Filter covering L3 * config: make policy trigger duration configurable * policy: add documentation to L4Filter type * Dockerfile: Add init-container.sh to cilium image * docs: Document 1.6 legacy services impact * docs: Fix warnings * bpf: get rid of third CT lookup when node-port is enabled * cilium: dump human readable CT flags for listing entries * Bump cilium/ubuntu-next version to 31 * Bump cilium/ubuntu-next version to 30 * endpoint: Correctly check whether pod name 
is available * datapath: Do not fail if route contains gw equal to dst * docs, bpf: Update command of creating netdevsim * lbmap: Get rid of bpfService cache lock * aws/eni: Add trigger to synchronize node with apiserver * aws/eni: Maintain a deficit resolution trigger per node * aws/eni: Do not hold node lock while interacting with apiserver * aws/eni: Avoid Node GET() on each CiliumNode ADD * aws/eni: Do not hold manager lock while sorting * pkg/datapath: add base64 encoded json configuration to config header file * aws/eni: Fall back to Get() when Update() does not return latest revision * ipcache: Fix deadlock between ipcache and endpoint * test: add integration tests for k8s services with external IPs * pkg/k8s: add k8s external IPs support * pkg/k8s: test endpoints and service received by events channel * pkg/k8s: add merge method to merge 2 set of endpoints together * daemon: Fix merge between PRs #8419 and #8486 * examples: Remove legacy services option from CM * cilium: Remove legacy services dumping CLI * bpf: Remove legacy services * lbmap: Remove legacy service map manipulation * lbmap: Store real BackendKey in cache * lbmap: Reuse serviceValueMap * test: Remove testing of legacy services * daemon: Deprecate `enable-legacy-services` option * operator: startSynchronizingServices before kvstore * [CI] retry vm provisioning, increase timeout * daemon: Remove svc-v2 maps when restore is disabled * daemon: Do not remove revNAT if removing svc fails * cilium: retrieve default route and use its device for nodeport * cilium: probe kernel support for host reachable services and bail out early * cilium: allow users to define proto for host reachable services * ginkgo.Jenkinsfile: put VM boot and provision timeout back to 45 minutes * cilium: remove old probe content before restoring assets * eni: Increase default rate limit to 20 qps with burst of 4 * aws/ec2: Fix client-side rate limiter * policy: add benchmark for L3-only egress policy * policy: add benchmark 
for L3-only Ingress policy generation * policy: refactor `resolve_test.go` * datapath: Avoid MASQing NodePort replies * allocator: change "Allocating key" log to debug * Fix invalid JSON in CNI portmap config * pkg/k8s: take into account for DeletedFinalStateUnknown in ConvertToCiliumNode * operator: move ConvertToCiliumNode to pkg/k8s * operator: remove ciliumnode store from operator * pkg/kvstore: inform user when etcd gets a new LeaseID * pkg/k8s: add conversion for DeleteFinalStateUnknown objects * Add cilium-endpoint-gc-interval flag to cilium-operator * doc: Improve prometheus example * metrics: Remove obsoleted metric EndpointCountRegenerating * kubernetes: Expose metrics port of operator * cli: fix panic in cilium bpf sha get command * examples/kubernetes: add ClusterFirstWithHostNet to cilium-operator * operator: set k8s namespace in cilium operator * Retry provisioning vagrant vms in CI * policy: check if rules already select endpoint in resolveL4{Ingress,Egress}Policy * pkg/k8s: hold mutex while adding events to the queue * policy: Restore changes to search context * Allow QPS/Burst for AWS client to be configurable * fqdn: rename `RuleGen` to `NameManager` * fqdn: remove unused code * aws/ec2: Allocate full list of secondary addresses * eni: Silence noisy info message * eni: Add unit tests for metrics * eni: Provide more specific metric around nodes * eni: Rely on client side rate limiter for pacing * ec2/mock: Implement rate limiting * eni: Support for parallel workers * ec2/mock: Support simulating delays for operations * eni: Convert the EC2 client-side rate limiter metric to a histogram * eni: Handle error when instance is no longer running * eni/metrics/mock: Implement metrics accounting * ec2/mock: Support returning errors for any operation * Change nightly CI job label from fixed to baremetal * contrib/vagrant: config cilium and operator in sysconfig dir for dev VM * examples/kubernetes-ingress: add support for k8s 1.15.0 in dev VM * test: set 
1.15 by default in CI Vagrantfile * bpf: Remove unneeded debug instructions to stay below instruction limit * bpf: Prohibit encapsulation traffic from pod when running in encapsulation mode * istio: Update to 1.2.2 * contrib/release: Add cilium-health-responder to uploadrev * health-ep: Report previously shadowed error * health: Re-introduce deletion of endpoint interfaces upon termination * daemon: Change loglevel of "ipcache entry owned by kvstore or agent" * identity/cache: only calculate String() for debug messages if debug=true * pkg/ipcache: cache prefix.String() in allocateCIDRs * CI: NightlyEpsMeasurement uses longer k8s timeouts when needed * CI: EPsMeasurement uses correct timeout in EP operations * CI: Wrap ginkgo.Measure to correctly invoke AfterAll * cli: Restore cilium cleanup behaviour * launcher: Remove unused Stop() function * api/health: Remove /hello endpoint * health: Move cilium-health daemon into cilium-agent * operator: do not depend on cluster DNS to connect to etcd * pkg/kvstore: add etcd lease information into cilium status * Make render-docs port configurable * Dockerfile: Use cilium-envoy with reduced logging. 
* envoy: Reduce error logging * daemon: Handle NodePort services * k8s: Add NodePorts field to Service struct * loadbalancer: Add L3n4AddrID.Equals() method * daemon: mark host reachable services as beta * bpf: refine wild card lookup for node port services from host * bpf: various minor nodeport improvements * daemon: allow to define a custom nodeport range * bpf: enable nodeport for compilation tests * bpf: skip pinning calls/policy tail call map * iptables: Disable MASQ for NodePort if BPF NodePort enabled * bpf: work around verifier issue in __ct_update_timeout * bpf: Enable NAT with ENABLE_{MASQUERADE,NODEPORT} conditions * bpf: proper error handling for drop notifications * bpf: full data path ipv6 support for node-port * bpf: add support for node to node node-port * bpf, nat: parameterize nat target range for reuse * bpf: wild card lookup for node port services from host * daemon: implicitly enable host services when node port is enabled * bpf: only bother with actual nodeport range * daemon: Add --enable-node-port flag * bpf: Add support for local NodePort * bpf: Extend ct_state to include node_port flag * eni: Fix nodes_at_capacity metric * eni: Only attempt deficit resolution if ENIs are available * eni: Do not treat out of ENI as error condition * eni: Improve address deficit validation before allocation * eni: Validate updated resource is valid * operator: Fix metrics namespace * doc: Fix typo in ENI metrics * pkg/lock: remove RUnlockIgnoreTime * pkg/lock: removing tracking time of RLock/RUnlock * pkg/k8s: do not parse empty annotations * test/bpf: Convince devs to test BPF programs in CI * test/bpf: Add cgroups programs to verifier test * test/bpf: Add new BPF progs to verifier test * test/bpf: Set pipefail for verifier-test * test/bpf: Refactor verifier test script * operator: only do node's GC upon initialization * cni: Disable DAD for IPv6 * iptables: fix direct routing regression * policy: Fix ChangeUser add/remove order * fqdn: Refactor selector 
handling in RegisterForIdentityUpdates() * fqdn: Add debugging. * fqdn: Remove/update stale comments * maps/ctmap: fix nil pointer access * maps/lbmap: protect service cache refcount with concurrent access * operator: add warning message if status returns an error * maps: Fix NAT map retrieval with IPv4 disabled and IPv6 enabled * pkg/pidfile: Strip logging statements for use in cilium-health-responder * pkg/kvstore: fix nil pointer in error while doing a transaction in etcd * pkg/ipcache do not calculate PrefixString() twice * pkg/eventqueue: do not print calculate stats if debug is set * pkg/endpointmanager: use reason for regeneration as log field * pkg/policy: do not defer ep.RUnlock * make use of EndpointSet instead of IDSet * pkg/policy: do not defer RUnlock in such small function * return endpoints from the endpoint manager has policy.Endpoints * pkg/policy: use Read mutex instead of Write mutex * daemon: move waitgroup out of ReactToRuleUpdates * simplify endpoint manager's regeneration functions * pkg/endpoint{,manager}: move endpoint functions to endpoint package * daemon: do not get all nodes in "cluster" probe * health/server: receive node diff from daemon * daemon: implement GetClusterNodesHandler * node/manager: add a subscription event based mechanism for node events * api/v1: add cluster/nodes api for cilium-health * pkg/maps: fix panic while accessing nat maps * maps/ctmap: explicitly set which nat file is for each map type * maps/ctmap: add CtKey interface * maps/nat: Add NatKey{4,6} types * maps/ctmap: moved CtKey{4,6} to types.go * cilium/cmd: do not fatal if nat map does not exist * maps/ctmap: move CtEntry to types * envoy: Istio 1.2.0 update * Envoy: Update to the latest proxy build, use latest API * cilium: Add new line to 'cilium policy selectors' with no ids. 
* pkg/ipcache: do not hold write lock while populating listener * pkg/lock: add semaphored mutex * packet/scripts: rebase install.sh script against upstream * examples/kubernetes: remove container runtime option from cilium-agent * pkg/endpointmanager: protecting endpoints against concurrent access * doc: Document cilium-operator metrics * ipam: Add metrics accounting to CRD plugin * k8s: Expose K8sEventReceived and K8sEventProcessed * doc: Document ENI & CRD allocators * doc: Bump pygments to version 2.4.2 * doc: Split concepts section into multiple files * eni: Support masquerading * cni: Add ENI support * api: Expose masquerade status * datapath: Extend ip routing rule support * ipam: Support setting ENI parameters via CNI configuration * operator: Run operator in host networking mode * operator: Support CILIUM_IPAM env in operator * operator: AWS ENI allocation ability * ipam: Automatically create CiliumNode resource on startup * aws: Add metadata API package * eni: Add ENI allocation logic * ipam: Add CRD-backed allocator * ipam: Provide additional IPAM allocation information * api: Export additional IPAM information * k8s: Register CRDs earlier * math: Add math package for IntMin() and IntMax() * spanstat: Add Seconds() function * ipam: Add --ipam option to allow selecting IPAM backend * k8s: Grant RBAC access to CiliumNode resource * cilium.io/v2: Register CiliumNode CRD * cilium.io/v2: Generate k8s client code for new CiliumNode type * cilium.io/v2: Add CiliumNode type definition * bpf: add metrics to sock addr logic to improve debuggability * cilium, cli: fix wrong traffic direction code in metric map * u8proto: add "any" --> 0 mapping to "ProtoIDs" * client: Remove ClientError * cni: Avoid returning error in DEL command * test: set k8s 1.15 as default k8s version * kvstore: add validation for kvstore lease ttl upper and lower bound. 
* option: mark kvstore-lease-ttl agent flag as hidden * test: update cilium-cm-patch to test with lower kvstore lease ttl * kvstore: add agent option for kvstore lease TTL * metrics: Merge `cilium_policy_l7_*` into single metric * health: Stop cilium-health instance before starting a new one * health: Split out passive endpoint into separate binary * CI: Clean VMs and reclaim disk in nightly test * api: add field which caches content of LabelSelector string representation of EndpointSelector * move endpoint owner to regeneration package * move ExternalRegenerationMetadata to its own package * bpf: implement unconnected udp based host lb * cilium: update to developer vm to image 157 * cilium: update to cilium-runtime image 2019-06-25 * istio: Update to 1.1.7 * route: Fix table assignment of nexthop route * cilium: encrypt, drop next hop from route spec * cilium: encrypt, align IPv6 and IPv4 variable names * cilium: encrypt, remove duplicate hostRules setup * cilium: encrypt, remove useless comment * cilium: encryptNode handles node encryption rules * policy: Require identity adds, deletes be disjoint. * policy: Reduce logging. * daemon: Do not force policy regeneration on FQDN changes * policy: Fix MatchPattern formatting * policy: Clarify locking. * endpoint: Use accumulated map changes for policy updates * endpoint: Clarify syncPolicyMap function naming * policy: Fix logging * policy: Accumulate MapChanges for identity changes * policy: Introduce MapChanges * policy: Protect against racing policy updates. * daemon: Do not bump policy revision on identity changes. * policy: Remove dead testing code. * endpoint: Log policy map sync deletes * policy: Refactor policymap updates. * policy: Simplify syntax * policy: Pass policy revision to NewL4Policy(). 
* allocator: fix race condition when allocating local identities upon bootstrap * policy: cache aggregated list of selectors in rule * u8proto: Be compatible with policy/api * test: remove unused function * test: introduce `ExecShort` function * docs: Clarify about legacy services enabled by default * kubernetes-upstream: add separate stage to run tests * docs: update documentation with k8s 1.15 support * test: run k8s 1.15.0 by default in all PRs * test: test against 1.15.0 * vendor: update k8s to v1.15.0 * endpoint: Remove duplicate check endpoint in disconnecting state * pkg/metrics: re-register newStatusCollector function * CI: Multi-monitor test is resilient to misalignments * bpf: Set random MAC addrs for cilium interfaces * endpoint: Set random MAC addrs for veth when creating it * vendor: Update vishvananda/netlink * mac: Add function to generate a random MAC addr * endpoint: Skip CIDRs in CEP policy for allow-world * endpoint: Encode allow entities:all cep policy with one entry * endpoint: Expand coverage of EndpointPolicy API * endpoint: Convert endpoint status tests to table-driven * endpoint: Refactor API endpointPolicy population * CI: Clean workspace when all stages complete * CI: Clean VMs and reclaim disk after jobs complete * test: do not overwrite context in `GetPodNamesContext` * test: change `GetPodNames` to have a timeout * cilium: strip cilium binary * cilium/cmd: avoid importing pkg/endpoint * split cilium from cilium-agent * CI: Report last seen error in CiliumPreFlightCheck * health: Remove spawn_netns.sh * cilium: encrypt, wildcard src out policy rules * Makefile: Allow TESTPKGS with make tests-privileged * Makefile: Fix coverpkg when specifying TESTPKGS * cilium: add skb_pull_data to bpf_network to avoid revalidate error * cilium: encrypt subnet include node xfrm rules * daemon: proxylib: Copy files if linking is not possible * vagrant: Create cilium group if does not exist * iptables: Remove legacy workaround for kube-proxy of k8s < 1.8 
* test: add timeout to `waitToDeleteCilium` helper function * fqdn: correctly populate Source IP and Port in `notifyOnDNSMsg` * datapath: Remove dependency on allocation range for TPROXY rules * agent: Allow writing CNI configuration when ready * nit: fix spelling mistakes in source files. * metrics: Add metric for number of allocated identities * fqdn: propagate mapping of ToFQDNs to identities via SelectorCache instead of the policy repository * policy: add interface for receiving updates on starting / stopping use of a selector * ipcache: always return set of identities regardless of if they are old or new * policy: add means for L4Filter to call into SelectorCache for FQDN --> identity mapping * policy/api: add `ToRegex` function for FQDNSelector * test: add more narration to FQDN test * daemon: fix endpoint restore when endpoints are not available * pkg/lock: fix RUnlockIgnoreTime * Don't set debug to true in monitor test * fix staticchecker warnings for pidfile * fix staticchecker warnings for option * fix staticchecker warnings for nodediscovery * fix staticchecker warnings for node * fix staticchecker warnings for monitor * fix staticchecker warnings for policy * fix staticchecker warnings for service * fix staticchecker warnings for status * fix staticchecker warnings for uuid * fix staticchecker warnings for versioncheck * fix staticchecker warnings for mac * fix staticchecker warnings for loadbalancer * fix staticchecker warnings for labels * fix staticchecker warnings for kafka * fix staticchecker warnings for k8s * fix staticchecker warnings for ipcache * fix staticchecker warnings for ip * fix staticchecker warnings for idpool * fix staticchecker warnings for fqdn * fix staticchecker warnings for eventqueue * fix staticchecker warnings for elf * fix staticchecker warnings for counter * fix staticchecker warnings for controller * fix staticchecker warnings for command * fix staticchecker warnings for bpf * fix staticchecker warnings for clustermesh * 
fix staticchecker warnings for client * fix staticchecker warnings for alignchecker * doc: Document new default of disabling the container runtime integration * doc: Fix warnings * kubernetes: Disable container runtime integration by default * pkg/k8s: remove TPR vs CRD error * option: Fix --enable-endpoint-routes option * bpf: Fix verifier error when writing to skb->cb[0] * CI: Enable Validate to-entities policies test * test: move TimeoutConfig validation into separate function * test: have `ExecuteContext` return result of `RunCommandContext` directly * test: remove unused helper function, `EndpointStatusLog` * test: remove unused helper function, `WaitEndpointRegenerated` * cilium: docker.go ineffectual assignment * ginkgo.Jenkinsfile: reduce VM boot and provision timeout to 30 minutes * .travis: update travis golang to 1.12.5 * node/manager: add GetNodeIdentities * cilium: encryption, use fib lookup and set dmac/smac when possible * cilium: bpf, add HAVE_FIB_LOOKUP to use when fib is available * cilium: bpf, use ifdef instead of if * bpf: Fix string conversion to byte array * daemon: fix typo in policy trigger log * daemon: remove unused imports * daemon: move writeNetdevHeader to datapath.go * daemon: move writePreFilterHeader to datapath.go * daemon: move clearCiliumVeths to datapath.go * daemon: move listFilterIfs to datapath.go * daemon: move deleteHostDevice to datapath.go * daemon: move createNodeConfigHeaderfile to datapath.go * daemon: move compileBase to new file, datapath.go * Preload vagrant boxes in k8s upstream jenkinsfile * cilium: encrypt, use ipcache to lookup IPsec destination IP * cilium: Add option ipv*-pod-subnets to enable chaining + encryption * cilium: remove debug statement that is not helpful * cilium: encryptNode do not encrypt local traffic * cilium: remove unnecessary worldID check before encryption * examples/kubernetes: removing leftover system:nodes group in RBAC * pkg/health: Fix IPv6 URL format in HTTP probe * test: use context 
with timeout to ensure that Cilium log gathering takes <= 5 minutes * daemon: Separate FQDN callbacks into real functions * test: be sure to close SSH client after a given Describe completes * pkg/ipam: protect map against concurrent access * k8s: Introduce test for multiple From/To selectors * k8s: Fix policies with multiple From/To selectors * cilium: Fix parsing of embedded JSON * test: make sure that `GetPodNames` times out after 30 seconds * pkg/datapath/ipcache: only log if not running in debug * pkg/ipcache: only log if not running in debug * pkg/ipcache: only log if not running in debug * daemon: Remove unnecessary and unsafe arg append for init.sh * bpf: Get rid of CGO in bpf_linux.go * test: create session and run commands asynchronously * endpoint: Only rewrite headerfile when ep changes * endpoint: Remove deprecated options format * endpoint: Don't serialize endpoint status * daemon: move IPAM bootstrap functions to ipam.go * daemon: separate kvstore initialization into separate function * daemon: factor out restore initialization logic into separate function * daemon: move `GetServiceList` to loadbalancer.go * daemon: split up configuration API implementation into separate file * endpoint: Log all regeneration statistics * cilium: encrypt-node needs rp_filter zeroed otherwise packets are lost * cilium: encrypt-node option adds incorrect route * datapath/linux: Configure Rlimits earlier * docs: Add BPF section about invalidated references to skb->data * Revert "cilium: fix up source address selection for cluster ip" * agent: Remove disappearing local addresses from ipcache * agent: Relax endpoints and host synchronization controller interval * agent: Add all local addresses to endpoints map and ipcache * datapath: Add LocalAddresses() to retrieve all local addresses * test: Refactor SetUpCilium*() helpers * test: Rename IPv*Host to FakeIPv*WorldAddress * test: bump to k8s 1.14.3 * pkg/endpoint: only log LogPeriodicSystemLoad if endpoint is in debug * 
pkg/loadinfo: use context to stop LogPeriodicSystemLoad function * test: error out if no-spec policies is allowed in k8s >= 1.15 * test/provision: upgrade k8s 1.15 to 1.15.0-beta.2 * Gopkg: update klog with the same version set in k8s.io/kubernetes * Gopkg: update github.com/modern-go/reflect2 * test: bump k8s 1.13 to 1.13.7 * test: Enable IPv6 forwarding in test VMs * monitor: Error out early if endpoint doesn't exist * docs: Remove architecture target links * endpoint: Add tests,benchmarks for headerfile write * endpoint: Drop bpf dependency in header write * endpoint: Drop unnecessary parameter * pkg/kvstore: introduced a dedicated session for locks * pkg/kvstore: implement new *IfLocked methods for etcd * kvstore/allocator: make the allocator aware of kvstore lock holding * pkg/kvstore: add Comparator() to KVLocker * pkg/kvstore: add new *IfLocked methods to perform txns * Makefiles: Fix find for non-existing directories * cilium-builder: Configure llc link to llc-7 * test: add serial ports to CI VMs * *.Jenkinsfile: remove leftover failFast * test: have timeout for `Exec` * test: Prevent from breaking connections to migrate-svc * Update to cilium-builder image 2019-06-05 * cilium-builder: Configure clang link to clang-7 * endpoint: log when regenError is non-nil in Regenerate * test/packet: add instructions to run CI on packet.net * endpoint: make sure `updateRegenerationStatistics` is called within anonymous function * test: do not spawn goroutines to wait for canceled context in `RunCommandContext` * node/store: Do not delete node key in kvstore on node registration failure * kvstore/store: Do not remove local key on sync failure * node: Delay handling of node delete events received via kvstore * test/provision: bump k8s 1.12 to 1.12.9 * test/k8sT: refactor guestbook deployment from json to yaml * cilium: adds option to pull node traffic into Cilium for encryption * cilium: encryption: encrypt to any endpoint with a key assigned * cilium: encryption: 
bpf_netdev should set cb[] with key not marks * examples/kubernetes: add missing CILIUM_CUSTOM_CNI_CONF in DaemonSets * test: Add k8s test manifest files for Cilium v1.5 * test: Disable legacy services for upgrades from >= v1.5 * test: Do not set bpf-ct-global-tcp-max * test bump image of upgrade / downgrade test to v1.5 * test: provide context which will be canceled to `CiliumExecContext` * pkg/kvstore: do not always UpdateIfDifferent with and without lease * policy: Fix selector policy detach when races * endpoint: Set the identity cache revision only when successful * ctmap: Fix conntrack map filtering * ipcache: Fix automatic recovery of deleted ipcache entries * examples: Remove duplicate CILIUM_CNI_CHAINING_MODE * pkg/kvstore: perform update if value or lease are different * doc: Add EKS node-init DaemonSet to mount BPF filesystem * cni: Add cniVersion in cni config file * monitor: Mark unused drop error codes * bpf: Improve identity reporting for drops * kvstore/allocator: do not immediately delete master keys if unused * pkg/kvstore: store Modified Revision number KeyValuePairs map * kvstore/allocator: do not re-allocate localKeys * kvstore/allocator: move invalidKey to cache.go * kvstore/allocator: add lookupKey method * allocator: Provide additional info message on key allocation and deletion * allocator: Fix garbage collector to compare prefix * allocator: Make GetNoCache() deterministic * test: Fix NodeCleanMetadata by using --overwrite * operator: Fix health check API * policy: Remove unnecessary Identity iterator * policy: Add unit tests for allow-all map entries * policy/api: Export 'reserved:none' selector * policy: Handle policy disabled via new map entry * policy: Handle allow-all via new map entry * bpf: Add policymap support for allow-all entries * bpf: Refactor policy entry accounting * kvstore/allocator: protect concurrent access of slave keys * kvstore/allocator: release ID from idpool on error * kvstore/allocator: do not re-get slave key on 
allocation * pkg/kvstore: Run GetPrefix with limit of 1 * allocator: Verify locally allocated key * docs: Add note about keeping enable-legacy-services * docs: Add note about running preflight-with-rm-svc-v2.yaml * examples: Add preflight DaemonSet for svc-v2 removal * ipam: Fix IPAM status when IPv4 is disabled * envoy: Use LPM ipcache instead of xDS when available. * ipcache: Support adding listeners, add xDS listener on demand. * pkg/labels: ignore all labels that match the regex "annotation.*" * tests, k8s: add monitor dump helper for debugging * bugtool: add raw dumps of all lb and lb-related maps * envoy: Prevent resending NACKed resources also when there are no ACK observers. * endpoint: Guard against deleted endpoints in regenerate * ipam: add tests for blacklist methods for IPAM * ipam: improve blacklisting mechanism in IPAM * service: Reduce backend ID allocation space * cilium: fix up source address selection for cluster ip * endpoint: make endpoint regeneration completion log debug level * policy: fix log message in `IdentitySelectionUpdated` * cni: Fix incorrect merge of e99bee54 and 43e0c4e2a * agent: Support reading CNI configuration from agent to set per node settings * doc: Document aws-cni chaining mode * cni: Add support for AWS CNI chaining * cni: Add generic veth chaining plugin * cni: Fix parsing of previous result * cni: Add ability for a chaining plugin to be called on delete * CI: Longer git clone timeouts * test: Adjust call map size * bpf: Remove unneeded debug messages * monitor: Dynamically adjust monitor queue size based on CPUs available * monitor: Remove 1.0 listener * monitor: Move cilium-node-monitor into cilium-agent * fix: add annotate-k8s-node flag to daemon * Vagrantfile: Support NETNEXT="true" * test: Add CI test for --enable-endpoint-routes mode * agent: Add --enable-endpoint-routes option * Docs: Fix typo in upgrade instructions * daemon: move IPSec bootstrap into separate function * daemon: move setting of Node / datapath / 
health IPs to separate function * daemon: separate clustermesh bootstrap into separate function * daemon: separate IPAM bootstrap into separate function * daemon: separate workloads bootstrapping into separate function * kubernetes: Set default aggregation level to maximum * Add kvstore quorum check to Cilium precheck * daemon: Make policymap size configurable * cilium: ingress direct route tracepoint and metric for encrypt packets * cilium: ingress overlay tracepoint and metric for encrypted packets * cilium: convert fowarding_reason from int to uint8 * test: fix incorrect deletion statement for policy * Add SECURITY.md * endpoint: Remove stale comment * dockerfile: update builder and runtime images * Vagrantfile: remove already instaled dependencies * Gopkg: update cilium/proxy * Dockerfile.builder: pin go-bindata and ineffassign versions * Dockerfile.runtime: pin a gops version and drop go-bindata * bugtool: add output of `cilium policy cache -o json` * cmd: add `cilium policy cache` command * client: add wrapper function to get SelectorCache * daemon: implement API to retrieve SelectorCache contents * policy: return API model representation of SelectorCache * api: add API model for SelectorCache contents * proxylib: Fix egress enforcement * policy: fix wildcarding at L7 for DNS * endpoint: Dump policy map only when syncing from the controller * Recover from ginkgo fail in WithTimeout helper * docs: move well known identities to the concepts section * docs: update well-known-identities documentation * Add jenkins stage for loading vagrant boxes * identity: Eliminate unit test raciness * maps/metricsmap: fix cilium bpf metrics list output * pkg/maps: create CtKeyGlobal structures * cilium: sockmap fix compile warnings from lb services v2 * cilium: bpf sockmap, pull LB define from compile stage * add support for k8s 1.14.2 * Separate envs for tests in jenkins k8s pipeline * cilium: encryption, remove xfrm rules on nodeDelete events * cilium: remove encryption 
route and rules if crypto is disabled * pkg/kvstore: acquire a random initlock * pkg/maps: use pointer in receivers for GetKeyPtr and GetValuePtr * ipam: Fix IPAM debuginfo race on bootstrap * docs: add filenames to the spelling list * docs: fix formating inconsistencies in encryption guide * docs: fix formating inconsistencies in contributing guide * docs: fix formating inconsistencies in kata-gce guide * docs: fix cni-chaining-portmap.rst:25: WARNING: Title underline too short. * test: add v1.15.0-beta.0 to the CI * cni: Fix incorrect logging in failure case * Envoy: Use an image with proxylib injection fix. * bpf: force recreation of regular ct entry upon service collision * pkg/endpoint: fix assignment in nil map on restore * daemon: add option to skip CRD creation * policy: Remove more dead code. * policy: Use selector cache in policy computation * policy: Make policy cache a member of Repository, hide internals * identity: notify owner on identity creation / releasing * endpoint: update Owner interface to include new functions * selectorcache: Remove globals. * policy: Update SelectorCache functionality. * labels: Add Same() for comparing two LabelArrays. * identity: Initialize well-known identities before the policy repository. 
  * checker: Add support for using google/go-cmp
  * policy: Add special treatment for namespace
  * CI: WithTimeout helper uses a buffered channel
  * CI: copyWait SSH helper uses a buffered channel
  * pkg/ipcache: initialize globalmap at import time
  * test/provision: bump k8s testing to v1.13.6
  * regexpmap: change naming of internal fields
  * bpf: do propagate backend, and rev nat to new entry
  * test: Enable K8sServicesTest Checks service on same node test
  * datapath: Redo backend selection if stale CT_SERVICE entry is found
  * node: Do not require the internal IP to be part of the allocation range
  * bpf: Use ipcache to determine unroutable destinations
  * daemon/Makefile: rm -f on make clean for links
  * test: add more narration using `By` to preflight check steps
  * CI: Consolidate Vagrant box information into 1 file
  * operator: Only connect to kvstore when needed
  * cilium: encode table attribute in Route delete
  * ipam: Allow IPAM backend to provide its own status
  * ipam: Provide ipam information in debuginfo
  * ipam: Define interface for allocator
  * bpf: Fix object file list
  * doc: Adjust documentation with new dynamic gc interval
  * ctmap: Introduce variable conntrack gc interval
  * daemon: Do not restore service if adding to cache fails
  * daemon: Improve logging of service restoration
  * bpf: Workaround for verifier bug in proxy hairpin code
  * bpf: Continue to enforce policy at source endpoint unless disabled
  * bpf: Allow ARP through at ingress for ENABLE_ARP_RESPONDER
  * iptables: Only install IPsec related rules when enabled
  * policy: fix rules count in trace output.
  * policy: Remove dead code
  * policy: Remove denied identities maps
  * cilium: IsLocal() needs to compare both Name and Cluster
  * test: Trim trailing newline in ByLines method
  * envoy: Do not use deprecated configuration options.
  * ipam: Add flag to disable reservation of IPs of local routes
  * daemon: Remove stale maps only after restoring all endpoints
  * ipam: Make router IP allocation independent of allocation CIDR
  * ipam: Use Blacklist() to reserve IP in allocation range
  * cilium: K8s Delete event indicates agent should gracefully shutdown
  * [CI] Don't overwrite minRequired in WaitforNPods
  * docs: fix architecture images' URL
  * fqdn: DNSProxy does not fold similar DNS requests
  * maps: Remove disabled svc v2 maps
  * pkg/node: Set empty string if address is nil
  * api: do not allow FQDNSelectors to contain both MatchName and MatchPattern
  * docs: add missing cilium-operator-sa.yaml for k8s 1.14 upgrade guide
  * datapath: Add flag to specify prefix for interface name of endpoints
  * cni: Fix unexpected end of JSON input on errors
  * Bump vagrant box version for tests to 151
  * operator: fix concurrent access of variable in cnp garbage collection
  * endpoint: Add ability to install per endpoint route
  * endpoint: Do not release and restore IP for endpoints with external IPAM
  * api: Add EndpointDatapathConfiguration to PUT /endpoint/
  * bpf: Allow to disable BPF based routing
  * bpf: Skip ingress policy at egress of source if egress prog is in use
  * loader: Support attaching program at egress for to-container section
  * loader: Allow to specify direction of BPF programs
  * bpf: Enable ARP pass-through mode
  * bpf: Add to-container section to bpf_lxc
  * docs: give better troubleshooting for conntrack-gc-interval
  * test: replace guestbook test docker image
  * docs: fix various spelling issues in kata gsg
  * kvstore: Provide currently held locks via debuginfo
  * kvstore: Release expired local locks via go routine
  * kvstore: Warn if Unlock() fails
  * ipam: Use static service loopback address
  * docs: Add an install guide to use Kata Containers with Cilium
  * bpf: use double word for v6 addr copy and comparison
  * daemon: create minimal status response with brief is passed
  * api/v1: add brief option in server side for cilium status
  * fqdn: utilize new function to remove IPs for set of FQDNSelector
  * policy: provide functionality to remove identities from multiple FQDNSelectors
  * policy: factor out mutually-exclusive portion of UpdateFQDNSelector into separate function
  * fqdn: plumb mapping of FQDNSelector --> set of IPs to SelectorCache
  * identity: add String() function for Identity
  * ip: factor out common logic into helper functions
  * ipcache: return set of allocated identities from AllocateCIDRs
  * policy: add FQDNSelector handling to SelectorCache
  * policy API: add String() function for FQDNSelector
  * CI: Consolidate WaitforNPods and WaitForPodsRunning
  * CI: WaitForNPods uses count of pods
  * Dockerfile: update golang to 1.12.5
  * pkg/envoy: use proto.Equal instead comparing strings
  * metrics: add map_ops_total by default
  * dnsproxy: Do not bind to IPv4 or IPv6 when disabled
  * kvstore: Wait for kvstore to reach quorum
  * test: Disable broken Checks service on same node test
  * test: Disable broken Validate toEntities Cluster test
  * test: Set CT TCP map size in v1.3 ConfigMaps
  * docs: Improve configmap documentation
  * cilium/cmd: dump bpf lb list if map exists
  * test/provision: update k8s testing versions to v1.11.10 and v1.12.8
  * maps/ctmap: add ctmap benchmark
  * pkg/bpf: use own binary which does not require to create buffers
  * pkg/bpf: make use of new UpdateElementWithPointers function
  * pkg/bpf: add newer LookupElement, GetNextKey and UpdateElement functions
  * pkg/{bpf,datapath,maps}: use same MapKey and MapValue in map iterations
  * pkg/bpf: add DeepCopyMapKey and DeepCopyMapValue
  * daemon: Use all labels to restore endpoint identity
  * docs,examples: Fix up custom CNI for microk8s
  * datapath/iptables: Warn when ipv6 modules not available
  * Docs: minor fixes to AWS EKS and AWS Metadata filtering GSGs
  * bpf: Disable UDP support in svc LB for host applications
  * test: Do not set enable-legacy-services in v1.4 ConfigMap
  * pkg/kvstore: disable metric collection if KVStore metrics are not enabled
  * pkg/bpf: only account for bpf syscalls if syscall metric is enabled
  * pkg/metrics: set all metrics as a no-op unless they are enabled
  * common: add MapStringStructToSlice function
  * pkg/metrics: set subsystems and labels as constants
  * pkg/option: add metrics option to enable or disable from default metrics
  * pkg/metrics: add no-op implementations for disabled metrics
  * daemon: use constant SubsystemAgent from pkg/metrics
  * pkg/metrics: use interfaces for all metrics
  * pkg/metrics: add CounterVec and GaugeVec interfaces
  * docs: Add note about updating external resources after release
  * pkg/buildqueue: remove unused package
  * bpf: Set BPF_F_NO_PREALLOC before comparing maps
  * examples/kubernetes: add node to cilium RBAC
  * pkg/k8s: patch node annotations
  * Change displayName also on aborted builds
  * pkg/metrics: add namespace to fqdn_gc_deletions_total
  * Bump vagrant box versions for tests
  * examples/kubernetes: add node/status to cilium RBAC
  * pkg/k8s: patch node status with NetworkUnavailable as false
  * pkg/k8s: switch AnnotateNode as a controller
  * doc: Document portmap CNI chaining
  * kubernetes: Add cni-chaining-mode to ConfigMap
  * cni: Add support for portmap chaining
  * daemon: Do not init config when running with --cmdref
  * daemon: Set $HOME as dir to look for default config ciliumd.yaml
  * cli: Do not cli init when running cilium-agent
  * components: Fix cilium-agent process detection
  * test: Increase timeout of boot VM stage to 45 minutes
  * bpf: Force preallocation for SNAT maps of LRU type
  * CI: Ensure k8s execs cancel contexts
  * test: Add readiness probe to demo deployments
  * docs: Add k8s 1.14 to supported versions for testing
  * cni: Require CILIUM_CUSTOM_CNI_CONF env to be set to preserve CNI configuration file
  * Jenkins separate directories for parallel builds
  * test: Wait for netperf server to be up before connecting to it
  * test: Add readiness probe to netperf server
  * policy: Generate L3-only filter also for rules with requirements.
  * policy: Report 'found all labels' only when 'Matches()' succeeds.
  * k8s: add useragent (#7791)
  * CI: Log at INFO and above for all unit tests
  * CI: Wait on create/delete in helpers.SampleContainersAction
  * CI: Stop monitor after all test assertions
  * dev VM: update coredns to 1.3.1
  * dev VM: update k8s version to v1.14.1
  * endpoint: Fix bug with endpoint state metrics
  * datapath/iptables: Warn when iptables modules are not available
  * CI: Check that cilium actually stops when desired
  * policy: Declare L3 filter key in api
  * docs: Update policy trace examples
  * cni: Convert existing flannel chaining to new chaining API
  * cni: Add plugin API to support arbitrary chaining combinations
  * policy: Rework egress policy trace to L4PolicyMap
  * policy: Rework ingress policy trace to L4PolicyMap
  * test: Specify protocol during policy trace
  * policy/api: Add helper for PortProtocol supersets
  * policy: Support L3 tracing of L4PolicyMap
  * policy: Improve debuggability of test case
  * policy: Add SearchContext.TraceEnabled()
  * policy: Add logging helper to SearchContext
  * policy: Drop usage of deniedIdentities in testing code
  * k8s: Move NewInformer into separate package
  * kubernetes/node-init: delete cilium running before kubelet restart
  * kubernetes/node-init: add more aggressive node-init script
  * kubernetes/node-init: Install cilium cni config before restart kubelet
  * kubernetes/node-init: do not run script on an already setup node
  * kubernetes/node-init: run cilium-node-init in hostNetwork
  * kubernetes/node-init: run cilium-node-init on any tainted node
  * metrics: Remove obsoleted KVStoreOperationsTotal metric
  * kvstore/etcd: Fix staticchecker warnings
  * kvstore: Fix staticchecker warnings
  * kvstore/store: Fix staticchecker warnings
  * kvstore/allocator: Fix staticchecker warnings
  * Test: Add size mismatch log entry to failed ones.
  * daemon: Replace viper.BindEnv with option.BindEnvWithLegacyEnvFallback
  * option: Add BindEnvWithLegacyEnvFallback function
  * CI: Disable RuntimeMonitorTest With Sample Containers Cilium monitor event types
  * policy: add debug log when error from `updateEndpointsCaches` is non-nil
  * policy: ensure Endpoint lock held while accessing identity
  * policy: add RLockAlive, RUnlock to Endpoint interface
  * endpoint: fix comment for GetSecurityIdentity
  * ginkgo: adjust timeout to something more appropriate
  * test: make function provided to WithTimeout run asynchronously
  * docs: Add upgrade guide from >=1.4.0 to 1.5
  * nodediscovery: Try to register node forever
  * bpf: make services available for host applications
  * cilium: split cgroups handling into own package
  * cilium: update container runtime image to include iproute2 changes
  * docs: Mention enable-legacy-services flag in upgrade docs
  * operator: Add more logging to see where the operator blocks on startup
  * operator: Start health API earlier
  * distillery: Manage via identitymanager
  * identitymanager: Improve coverage
  * identitymanager: Add new identity callback
  * distillery: Remove old comment
  * test: Suffix K8s-1.10 with net-next
  * doc: fix up Ubuntu apt-get install command
  * endpoint: do not serialize JSON for EventQueue field
  * test: run with NETNEXT=true for K8s-1.10
  * vendor: update google.golang.org/genproto to latest commit
  * vendor: update golang.org/x/time to latest commit
  * vendor: update golang.org/x/sync to latest commit
  * vendor: update golang.org/x/net to latest commit of v1.12 branch
  * vendor: update golang.org/x/crypto to latest commit of v1.12 branch
  * vendor: update github.com/vishvananda/netlink to latest commit
  * vendor: update github.com/spf13/viper to v1.3.2
  * vendor: update github.com/cpuguy83/go-md2man to v1.0.10
  * vendor: update github.com/spf13/cobra to latest commit
  * vendor: update github.com/sirupsen/logrus to v1.4.1
  * vendor: update github.com/shirou/gopsutil to v2.19.03
  * vendor: update github.com/mattn/go-shellwords to v1.0.5
  * vendor: update github.com/hashicorp/consul to v1.4.4
  * vendor: update github.com/gorilla/mux/releases to v1.7.1
  * vendor: update github.com/go-openapi/* to v0.19.0
  * vendor: update github.com/containerd/typeurl to latest version
  * vendor: update github.com/containerd/containerd to v1.2.6
  * vendor: update github.com/c9s/goprocinfo to latest version
  * contrib: fix up check-fmt.sh
  * policy: Add selector cache
  * identity: Include event details also for local identities
  * policy: Add and use Revision in SelectorPolicy
  * distillery: Fix cardinality of cachedSelectorPolicy
  * distillery: Skip policy resolution for same revision
  * endpoint: Consume policy from the distillery
  * policy: Add distillery package
  * testutils: Implement TestEndpoint.GetSecurityIdentity()
  * operator: add ca-certificates to operator
  * policy: Use NumericIdentity for rule selector cache
  * docs: Document how to get started with MicroK8s
  * examples: Generate microk8s YAMLs
  * examples: Add YAML generation for microk8s
  * contrib: Simplify microk8s prepull YAML
  * identity: Change globalIdentity to wrap a LabelArray
  * identity: Support creating a new Identity with a LabelArray
  * labels: Support creating LabelArrays directly.
  * labels: Always produce a sorted LabelArray()
  * iptables: Correctly remove Cilium chains when IPv6 is disabled
  * k8s: Fix unformatted go source code
  * VERSION: bump version to 1.5.90
  * examples: Do not bind mount /sbin/modprobe
  * Update cilium-runtime image
  * contrib: Install modprobe to cilium-runtime image
  * Update README.rst
  * ipcache: print tunnel endpoint for RemoteEndpointInfo
  * k8s: fix panic of closed channel
  * daemon: Use controller context for health endpoint
  * fix error log when sync EpToPolicy map
  * operator: GC nodes from existing CNPs
  * contrib: Fix cherry-pick script
  * daemon: Log duration of service restoration and migration
  * operator: GC leftover nodes in the kvstore
  * kvstore/store: add SharedKeysMap() method
  * pkg/kvstore: refactored GetKeyName() to own interface
  * test: Add test for service migration between legacy and v2
  * istio: Update to release 1.1.3
  * Check for dup container id before ep creation
  * examples: do not specify "type: Directory" for mounting `/lib/modules`
  * docs: Update kubernetes compatibility list
  * docs: Update urllib3 dependency to address CVE-2019-11324
  * test: only run VXLAN + Encryption test on net-next kernels
  * bugtool: Add tests for filepath walk
  * bugtool: Copy symlinks as-is
  * bugtool: Be more resilient to file errors
  * bugtool: Factor out path walk function
  * docs: clarify kernel version for BPF based masquerading
  * proxy: fix unit test breakage
  * bpf: Use iptables TPROXY and shared proxy listeners
  * vendor: Use cilium/dns for miekg/dns, Use extended SessionUDP
  * fqdn: Adapt to TPROXY
  * proxy: Add CT map name to the network policy to support local CT maps.
  * endpointmanager: Add LookupIP()
  * kafka: Remove unused field.
  * redirect: rename 'id' as 'listenerName'
  * Envoy: Do not configure policy name
  * Dockerfile: Update proxy dependency
  * CI: Change Kafka runtime tests to use local conntrack maps.
  * loader: Improve logging of template build failures
  * policy/rule: Convert selection cache to identity
  * policy: Split SelectorPolicy from EndpointPolicy
  * daemon: Don't populate rule selector cache on restore
  * identitymanager: Support subscribing to events
  * identitymanager: Simplify labels in test
  * test: Allow Cilium 1.4 to be run with K8s 1.14
  * cilium: enable sockops connectivity test with k8sT
  * cilium: sockmap, disable feature when missing BPF support
  * cilium, template: add cilium_encrypt_state to ignored prefixes
  * cilium: sockmap logging is a bit redundant clean it up
  * bugtool: Fix up newline characters in error messages
  * cni: Stop removing CNI_CONF_NAME on preStop
  * cilium: enable encrypt + vxlan test again
  * datapath/iptables: Check iptables kernel modules
  * modules: Add utility for checking loaded kernel modules
  * set: Add utility for subset checks
  * k8s: Merge initContainer cleanup with cilium cleanup
  * k8s: Fix leak of k8s controller on kvstore connect & disconnect
  * k8s: Disable k8s event handover to kvstore by default
  * daemon: Panic if executable name does not match cilium{-agent,-node-monitor,}
  * Add `dep check` to travis build
  * endpoint: Rebuild datapath on `endpoint regenerate`
  * endpoint: Rename ELF rewrite generation mode
  * policy: rename functions to reflect that L3-only policy is also generated
  * policy: fix typo in comment
  * policy: remove duplicate requirements check on Ingress
  * policy: add comment explaining why we can't generate wildcard L3 and wildcard L4 policy keys
  * policy: refactor canReach{Ingress,Egress} to use helper functions
  * policy: rename functions which analyze ToEndpoints and FromEndpoints
  * policy: move calls to `selectRule` out of requirements analysis helper functions
  * policy: move function applying on rule to rule.go
  * policy: fix incorrect comments for function descriptions
  * policy: insert wildcard selector for L4 rules which allow all at L3
  * policy: do not create wildcard at L3 PolicyMap Key for L3-only keys
  * test: specify which container is trying to access world
  * policy: factor out calculation of egress requirements / label-based L3 into separate functions
  * policy: factor out calculation of ingress requirements / label-based L3 into separate functions
  * policy: store L3-only policy in L4Filter
  * cmd: add `cilium identity list --endpoints` command
  * daemon: handle identity/endpoints API
  * api: add identity/endpoints api
  * endpoint: update global identitymanager when identity changes
  * add identitymanager package
  * docs: Add containerd to self-managed installation section
  * cilium-health: Rebuild health-ep via identity set
  * endpoint: change how endpoint BPF reloading / writing logs are emitted
  * misc: fix up various log messages
  * move readEPsFromDirNames to pkg/endpoint
  * test: Check whether v2 and legacy svc maps are in sync
  * test: Extend BpfLBList to list legacy svc BPF maps
  * cli: Add flag to list legacy service BPF maps
  * bpf, snat: dump external v4/v6 addresses more clearly into node config
  * node, address: fix bug where internal IP is selected over external
  * bpf, snat: select lru map if available otherwise fall back to htab
  * bpf, snat: reject unknown ethertypes early
  * bpf, snat: add cilium monitor support for pre/post snat engine
  * CI: Check Cilium Operator only when supported
  * FQDN: Add regexMap benchmark tests.
  * FQDN: RegexpMap optimize for read operations.
  * [k8s-upstream-test] Replace deprecated provider
  * examples: Add --enable-legacy-service=false to ConfigMap
  * test: decrease HelperTimeout to 4 minutes
  * cilium: Encryption overhead MTU accounting
  * update Vagrantfiles to version 145
  * test: Fix hang when endpoints never become ready
  * daemon: Don't log endpoint restore if IP alloc fails
  * daemon: Refactor individual endpoint restore
  * refine CODEOWNERS
  * test: toEntities: Add verbose output for host
  * daemon: Set backend ID in local LB cache
  * service: Add LookupBackendID method
  * DNSPoller: Use fqdn.Cache as history
  * FQDN: MinTTL implemented in the fqdn Cache.
  * test: Fix gofmt reported miss-formats in runtime tests
  * contrib: Exit early if no git remote is found
  * daemon: Improve config file log handling
  * daemon: Only invoke daemon init in daemon
  * daemon,lbmap: Remove orphan backends
  * daemon,lbmap: Remove orphan v2 services
  * lbmap: Add BackendAddrID.IsIPv6 method
  * lbmap: Fix BackendAddrID of IPv6 backend
  * logfields: Fix BackendID logfield value
  * daemon: Use v2 services when syncing with k8s
  * daemon: Remove legacy svc BPF maps if they are disabled
  * daemon,lbmap: Do not update legacy svc if they are disabled
  * lbmap: Update revNAT table from v2 routines
  * lbmap: Exclude master service earlier in dump function
  * lbmap,daemon: Make removal of lbmap cache more explicit
  * daemon,bpf: Add --enable-legacy-services flags
  * loadbalancer: Sort backends by ID when listing
  * cli: Use svc v2 maps when listing
  * bpf: Add Map.UnpinIfExists method
  * bpf: Add Map.DumpWithCallbackIfExists method
  * Fix backporting scripts for https users
  * test: Update Istio test to 1.1.2 with proxy 1.1.3.
  * istio: Update istio proxy to 1.1.3
  * CI: Enforce sensible timeouts.
  * envoy: Update to enable path normalization
  * test: Disable flaky encapsulation encryption test
  * Revert "test: Disable flaky encapsulation encryption test"
  * cilium: fix dropping Health node IP updates
  * cilium: combine tunnel and non-tunnel cases into single branch
  * cilium: remove relax() calls to get more free insns
  * cilium: remove unnecessary zero'ing of ip6 endpoint key
  * cilium: transparent encryption, use correct keys during key rotation
  * Doc: Update jinja dependency for documentation building
  * Various bugfixes & improvements to daemon config handling
  * ipam: Provide ownership information of IP allocations
  * kubernetes-upstream: update to k8s 1.14
  * k8s: Don't bother to create CEP if endpoint is already disconnecting
  * k8s: Don't error when CEP does not exist on endpoint exit
  * Node: Try to prioritize the InternalIPv[46] from restore.
  * Vagrantfiles: bump version to 144
  * bugtool: get cilium ConfigMap in bugtool output
  * endpoint: Improve logging around headerfile writes
  * cni: Fix CNI delete side-effects
  * endpoint: Delegate IP release on endpoint creation failure
  * cni: Always release created resources on failure of CNI ADD
  * endpointmanager: Avoid regenerating restoring endpoints
  * endpoint: Sanitize ep.SecurityIdentity on restore
  * daemon: pass context down into QueueEndpointBuild
  * loader: check whether context is cancelled
  * daemon: pass down context on endpoint creation into regeneration functionality
  * endpoint: use parent context with prepareForProxyUpdates
  * endpoint: add Context field to regenerationContext
  * exec: return for any error from context
  * agent: Delete endpoints which failed to restore synchronously
  * Vagrant: Bump image to 143.
  * Change suiteName to not match test folders names.
  * Documentation: clean up upgrade instructions
  * identity: Don't serialize reference counts
  * allocator: Relax number of iterations in unit testing
  * policy: Fix metrics for policy revision
  * Test: Runtime validate that endpoints are restored correctly.
  * test: update k8s test versions to v1.14.1
  * vendor: update k8s dependencies to 1.14.1
  * cilium: docs update encryption algo example to use GCM
  * cilium: support aead state keys
  * cilium: ipsec tests should use decodeIPSecKey for strings to hex
  * cilium: Policy rules are no longer unique for key
  * cilium: ipsec_linux only set spi bit in xfrm mark on egress
  * cilium: ipsec_linux, remote DeleteIPSecEndpint and use SPI version
  * kvstore: Simplify Client() blocking behavior
  * kvstore: Return from LockPath() when local locking is cancelled
  * kvstore: Protect Unlock() from timeout overwrite
  * allocator: Provide info and warning messages around key allocation
  * allocator: Block Allocate() and Release() until key list is initialized
  * Don't use local remote in backporting scripts
  * docs: Document cilium-operator in concepts section.
  * cilium, bpf: fix panic when run with newer LLVM
  * daemon: remove host-allows-world option
  * agent: Fix --contrack-gc-interval option
  * bpf: Avoid unnecessary error when ending parallel map mode
  * test: Disable flaky encapsulation encryption test
  * datapath: Fix panic when updating tunnel mapping
  * kubernetes: Relax readiness and liveness probe interval
  * endpoint: Provide additional info messages while creating endpoint
  * endpoint: Guarantee to reject endpoint creation with reserved labels
  * endpoint: Correctly filter labels on endpoint creation
  * endpoint: Provide clear error messages to PUT /endpoint/{id}
  * endpoint: Update the logger after endpoint initialization
  * ipsec: Remove leftover warning message used for debugging
  * node/store: delete ipcache entries for node events
  * datapath: Optimize connection-tracking GC interval
  * CODEOWNERS: add @cilium/operator as operator/ codeowner
  * Simplify operator shutdown
  * service: Use all bits of uint32 to allocate backend IDs
  * service: Make local ID allocator more service agnostic
  * bpf,lbmap: Change backend ID to uint32
  * loadbalancer: Add BackendID type

* Mon Jul 29 2019 mrostecki@opensuse.org
- Update to version 1.5.5:
  * lbmap: Get rid of bpfService cache lock
  * retry vm provisioning, increase timeout
  * daemon: Remove svc-v2 maps when restore is disabled
  * daemon: Do not remove revNAT if removing svc fails
  * pkg/k8s: add conversion for DeleteFinalStateUnknown objects
  * cli: fix panic in cilium bpf sha get command
  * Retry provisioning vagrant vms in CI
  * pkg/k8s: hold mutex while adding events to the queue
  * Change nightly CI job label from fixed to baremetal
  * test: set 1.15 by default in CI Vagrantfile
  * daemon: Change loglevel of "ipcache entry owned by kvstore or agent"
  * pkg/kvstore: add etcd lease information into cilium status
  * pkg/k8s: do not parse empty annotations
  * maps/lbmap: protect service cache refcount with concurrent access
  * operator: add warning message if status returns an error
  * pkg/kvstore: fix nil pointer in error while doing a transaction in etcd
  * examples/kubernetes: bump cilium to v1.5.4
  * bpf: Remove unneeded debug instructions to stay below instruction limit
  * bpf: Prohibit encapsulation traffic from pod when running in encapsulation mode
  * pkg/endpointmanager: protecting endpoints against concurrent access
  * test: set k8s 1.15 as default k8s version
  * CI: Clean VMs and reclaim disk in nightly test
  * allocator: fix race condition when allocating local identities upon bootstrap
  * identity: Initialize well-known identities before the policy repository.
  * cilium: docker.go ineffectual assignment
  * Disable automatic direct node routes test
  * kubernetes-upstream: add separate stage to run tests
  * docs: update documentation with k8s 1.15 support
  * test: run k8s 1.15.0 by default in all PRs
  * test: test against 1.15.0
  * vendor: update k8s to v1.15.0
  * bpf: Set random MAC addrs for cilium interfaces
  * endpoint: Set random MAC addrs for veth when creating it
  * vendor: Update vishvananda/netlink
  * mac: Add function to generate a random MAC addr
  * test: remove unused function
  * test: introduce `ExecShort` function
  * docs: Clarify about legacy services enabled by default
  * pkg/metrics: re-register newStatusCollector function
  * CI: Clean workspace when all stages complete
  * CI: Clean VMs and reclaim disk after jobs complete
  * CI: Report last seen error in CiliumPreFlightCheck
  * fqdn: correctly populate Source IP and Port in `notifyOnDNSMsg`
  * test: do not overwrite context in `GetPodNamesContext`
  * test: change `GetPodNames` to have a timeout
  * test: make sure that `GetPodNames` times out after 30 seconds
  * CI: Ensure k8s execs cancel contexts
  * test: Fix NodeCleanMetadata by using --overwrite
  * test: add timeout to `waitToDeleteCilium` helper function
  * .travis: update travis golang to 1.12.5
  * Don't set debug to true in monitor test
  * pkg/lock: fix RUnlockIgnoreTime
  * daemon: fix endpoint restore when endpoints are not available
  * Preload vagrant boxes in k8s upstream jenkinsfile
  * pkg/health: Fix IPv6 URL format in HTTP probe
  * test: use context with timeout to ensure that Cilium log gathering takes <= 5 minutes
  * k8s: Introduce test for multiple From/To selectors
  * k8s: Fix policies with multiple From/To selectors
  * test: create session and run commands asynchronously
  * test: bump to k8s 1.14.3
  * test: error out if no-spec policies is allowed in k8s >= 1.15
  * test/provision: upgrade k8s 1.15 to 1.15.0-beta.2
  * test: have timeout for `Exec`
  * pkg/kvstore: introduced a dedicated session for locks
  * pkg/kvstore: implement new *IfLocked methods for etcd
  * kvstore/allocator: make the allocator aware of kvstore lock holding
  * pkg/kvstore: add Comparator() to KVLocker
  * pkg/kvstore: add new *IfLocked methods to perform txns
  * test: bump k8s 1.13 to 1.13.7
  * test: Enable IPv6 forwarding in test VMs
  * docs: Remove architecture target links
  * test: add serial ports to CI VMs
  * *.Jenkinsfile: remove leftover failFast
  * endpoint: make sure `updateRegenerationStatistics` is called within anonymous function
  * Prepare for v1.5.3
  * test: do not spawn goroutines to wait for canceled context in `RunCommandContext`
  * node/store: Do not delete node key in kvstore on node registration failure
  * kvstore/store: Do not remove local key on sync failure
  * node: Delay handling of node delete events received via kvstore
  * test/provision: bump k8s 1.12 to 1.12.9
  * pkg/kvstore: do not always UpdateIfDifferent with and without lease
  * Don't overwrite minRequired in WaitforNPods
  * daemon: Don't log endpoint restore if IP alloc fails
  * daemon: Refactor individual endpoint restore
  * test: provide context which will be canceled to `CiliumExecContext`
  * Jenkinsfile: backport all Jenkinsfile from master
  * doc: Document regressions in 1.5.0 and 1.5.1
  * Prepare for release v1.5.2
  * test: Disable unstable K8sDatapathConfig Encapsulation Check connectivity with transparent encryption and VXLAN encapsulation
  * Add kvstore quorum check to Cilium precheck
  * pkg/kvstore: acquire a random initlock
  * kvstore: Wait for kvstore to reach quorum
  * ipcache: Fix automatic recovery of deleted ipcache entries
  * tests, k8s: add monitor dump helper for debugging
  * bugtool: add raw dumps of all lb and lb-related maps
  * pkg/labels: ignore all labels that match the regex "annotation.*"
  * docs: Add note about keeping enable-legacy-services
  * docs: Add note about running preflight-with-rm-svc-v2.yaml
  * examples: Add preflight DaemonSet for svc-v2 removal
  * operator: Fix health check API
  * doc: Add EKS node-init DaemonSet to mount BPF filesystem
  * pkg/kvstore: perform update if value or lease are different
  * kvstore/allocator: do not immediately delete master keys if unused
  * pkg/kvstore: store Modified Revision number KeyValuePairs map
  * kvstore/allocator: do not re-allocate localKeys
  * kvstore/allocator: move invalidKey to cache.go
  * kvstore/allocator: add lookupKey method
  * allocator: Provide additional info message on key allocation and deletion
  * allocator: Fix garbage collector to compare prefix
  * allocator: Make GetNoCache() deterministic
  * kvstore/allocator: protect concurrent access of slave keys
  * kvstore/allocator: release ID from idpool on error
  * kvstore/allocator: do not re-get slave key on allocation
  * pkg/kvstore: Run GetPrefix with limit of 1
  * allocator: Verify locally allocated key
  * envoy: Prevent resending NACKed resources also when there are no ACK observers.
  * endpoint: Guard against deleted endpoints in regenerate
  * service: Reduce backend ID allocation space
  * cilium: fix up source address selection for cluster ip
  * CI: Log at INFO and above for all unit tests
  * bpf: Fix dump parsers of encrypt and sockmap maps
  * pkg/maps: use pointer in receivers for GetKeyPtr and GetValuePtr
  * test: fix incorrect deletion statement for policy
  * proxylib: Fix egress enforcement
  * Recover from ginkgo fail in WithTimeout helper
  * docs: move well known identities to the concepts section
  * docs: update well-known-identities documentation
  * add support for k8s 1.14.2
  * test: add v1.15.0-beta.0 to the CI
  * cni: Fix incorrect logging in failure case
  * daemon: Make policymap size configurable
  * Add jenkins stage for loading vagrant boxes
  * bpf: Remove several debug messages
  * Revert "pkg/bpf: add DeepCopyMapKey and DeepCopyMapValue"
  * Revert "pkg/{bpf,datapath,maps}: use same MapKey and MapValue in map iterations"
  * Revert "pkg/bpf: add newer LookupElement, GetNextKey and UpdateElement functions"
  * Revert "pkg/bpf: use own binary which does not require to create buffers"
  * Revert "maps/ctmap:
add ctmap benchmark" * bpf: force recreation of regular ct entry upon service collision * pkg/endpoint: fix assignment in nil map on restore * pkg/ipcache: initialize globalmap at import time * test/provision: bump k8s testing to v1.13.6 * bpf: do propagate backend, and rev nat to new entry * datapath: Redo backend selection if stale CT_SERVICE entry is found * daemon/Makefile: rm -f on make clean for links * CI: Consolidate Vagrant box information into 1 file * cilium: encode table attribute in Route delete * daemon: Remove stale maps only after restoring all endpoints * envoy: Do not use deprecated configuration options. * cilium: IsLocal() needs to compare both Name and Cluster * daemon: Do not restore service if adding to cache fails * daemon: Improve logging of service restoration * doc: Adjust documentation with new dynamic gc interval * ctmap: Introduce variable conntrack gc interval * pkg/envoy: use proto.Equal instead comparing strings * test: replace guestbook test docker image * docs: give better troubleshooting for conntrack-gc-interval * operator: fix concurrent access of variable in cnp garbage collection * Bump vagrant box version for tests to 151 * cni: Fix unexpected end of JSON input on errors * docs: add missing cilium-operator-sa.yaml for k8s 1.14 upgrade guide * maps: Remove disabled svc v2 maps * fqdn: DNSProxy does not fold similar DNS requests * docs: fix architecture images' URL * CI: Consolidate WaitforNPods and WaitForPodsRunning * CI: WaitForNPods uses count of pods * Dockerfile: update golang to 1.12.5 * metrics: add map_ops_total by default * Bump vagrant box versions for tests * Jenkins separate directories for parallel builds * Fri Jun 07 2019 Michal Rostecki <mrostecki@opensuse.org> - Switch container image URI from devel:kubic:containers to openSUSE:Containers:Tumbleweed. 
* Fri Jun 07 2019 ndas@suse.de
- Update to version 1.5.3:
  * pkg/kvstore: do not always UpdateIfDifferent with and without lease
  * daemon: Refactor individual endpoint restore
  * daemon: Don't log endpoint restore if IP alloc fails
  * Don't overwrite minRequired in WaitforNPods
  * node: Delay handling of node delete events received via kvstore
  * kvstore/store: Do not remove local key on sync failure
  * node/store: Do not delete node key in kvstore on node registration failure
  * Jenkinsfile: backport all Jenkinsfile from master
  * test/provision: bump k8s 1.12 to 1.12.9
  * test: do not spawn goroutines to wait for canceled context in `RunCommandContext`
  * test: provide context which will be canceled to `CiliumExecContext`
* Mon Jun 03 2019 ndas@suse.de
- Add cniVersion in cilium cni config
* Fri May 10 2019 Michal Rostecki <mrostecki@opensuse.org>
- Update to version 1.5.1:
  * Important Bugfixes:
    * Fix bug where Cilium would refuse to start if ipv6 netfilter modules are unavailable.
    * Warn when iptables modules are not available.
    * Use all labels to restore endpoint identity to correctly filter labels upon restart.
    * Fix cases where multiple bindings are provided to CLI flags.
  * New Functionality / Enhancements:
    * Add node-init script to automatically restart pods managed by kubenet on GKE
    * Add functionality to enable or disable metrics for specific subsystems
    * bpf syscall metrics are disabled by default for performance
    * Update node, node/status to allow for patch operations in Cilium RBAC
    * Patch, instead of update, node annotations for better performance
    * Annotate node status with NetworkUnavailable as false
    * Performance increase by not allocating any memory when iterating over BPF maps
    * CLI now prints tunnel endpoint for RemoteEndpointInfo
    * Try to register node forever in nodediscovery
    * Remove unused buildqueue package
  * Minor Bug Fixes:
    * endpoint: do not serialize JSON for EventQueue field
    * Avoid unlocked access of endpoint security identity when calculating what rules select an endpoint
    * Only dump bpf lb list if map exists
    * Fix bug where endpoint state metrics get stuck with nonzero endpoints in restoring state
    * Do not init config when running with --cmdref parameter
    * Improve separation between cilium-agent and cilium CLI
    * Add cilium namespace to fqdn_gc_deletions_total metric
    * Force preallocation for SNAT maps of LRU type
    * Set BPF_F_NO_PREALLOC before comparing maps
  * Operator:
    * Improve cilium-operator bootstrap sequence (Start health API earlier, add more logging to see where the operator blocks on startup)
    * Add ca-certificates to operator
  * Documentation:
    * Add upgrade guide from >=1.4.0 to 1.5
    * Mention enable-legacy-services flag in upgrade docs
    * Add k8s 1.14 to supported versions for testing
    * Improve configmap documentation
    * Document how to get started with MicroK8s, and provide example YAMLs
    * Fix typo in encryption algorithm: GMC -> GCM
    * Fix up Ubuntu apt-get install command
    * Minor fixes to AWS EKS and AWS Metadata filtering GSGs
  * CI:
    * Wait for endpoints to be ready after containers are created, deleted
    * Ensure that `go fmt` check always runs correctly in CI
    * Increase test suite timeouts to allow for cases where tests take longer
    * Do not set enable-legacy-services in v1.4 ConfigMap
    * Update k8s testing versions to v1.11.10 and v1.12.8
    * Make function provided to WithTimeout run asynchronously to avoid test suites getting stuck
- Add cilium-k8s-yaml package with Kubernetes yaml file to run Cilium containers.
* Fri May 10 2019 ndas@suse.de
- Add missing gzip package, cilium does zgrep of /proc/config.gz
* Mon May 06 2019 Michal Rostecki <mrostecki@opensuse.org>
- Update to version 1.5.0:
  * BPF programs templating which allows to inject information into ELF files instead of compiling separate programs with separate data for each endpoint.
  * BPF-based masquerading support - a native BPF-based SNAT engine.
  * Optimizations for policy engine and load balancer.
- Remove patches which are accepted upstream:
  * cilium-allow-to-add-extra-go-build-flags.patch
  * cilium-allow-to-specify-cni-install-dirs.patch
* Tue Apr 16 2019 Michal Rostecki <mrostecki@opensuse.org>
- Add cilium-operator package which provides the Kubernetes operator that does garbage collector work for Cilium.
- Do not require cilium and docker in cilium-init package.
* Fri Apr 12 2019 Michał Rostecki <mrostecki@opensuse.org>
- Add cilium-init package, which provides the script for Cilium init container.
* Fri Mar 29 2019 mrostecki@opensuse.org
- Update to version 1.4.2:
  * Prepare for v1.4.2 release
  * cilium: ipsec, zero cb[0] to avoid incorrectly encrypting
  * contrib: Update backporting README
  * contrib: Fix cherry-pick to avoid omitting parts of patch
  * cilium: push decryption up so we can decrypt even if not endpoint
  * cilium: populate wildcard src->dst policy for ipsec
  * daemon: Remove old health EP state dirs in restore
  * api: Return 500 when API handlers panic.
  * ipcache: Protect from delete events for alive IP but mismatching key
  * store: Protect from deletion of local key via kvstore event
  * test: Wait for cilium to start in runtime provision
  * contrib: fix extraction of cilium-docker binary
  * contrib: Update rebase-bindata to use fix-sha.sh
  * contrib: Add new script to auto-fix bpf.sha
  * cherry-pick: Print sha when applying patch.
  * check-stable: Sort PRs by merge date
  * workloads: Don't spin up receive queue in periodic watcher
  * workloads: Change watcher interval from 30 seconds to 5 minutes
  * workloads: Synchronous handling of container events
  * endpoints: Add optional callback to WaitForPolicyRevision
  * daemon: Track policy implementation delay by source
  * agent: Wait to regenerate restore endpoints until ipcache has been populated
  * ipcache: Provide WaitForInitialSync() to wait for kvstore sync
  * pkg/kvstore: add 15 min TTL for the first session lease
  * policy: Add missing import error metric calls
  * endpoint: Fix ENABLE_NAT46 endpoint config validation
  * endpoint: Fix and quieten endpoint revert logs
  * test: Get rid of JoinEP flakes
  * ctmap: Print source addresses in ctmap cli
  * cilium: fix bailing out on auto-complete when v4/v6 ranges are specified
  * test: Test upgrade from v1.3 to master
  * doc: Fix --tofqdns-pre-cache reference
  * doc: Fix delete pod command in clustermesh guide
  * bpf: Enable pipefail option in init.sh
  * cilium: bpftool included DS reports error on bpf_sockops load
  * cilium: sockmap remove socket.h dependency
  * cilium: sockmap, convert BPF_ANY to BPF_NOEXIST
  * 1: fix when have black hole route container pod CIDR can cause postIpAMFailure range is full
  * pkg/kvstore: do not use default instance to create new instance module
  * bpf: Do not account tx for CT_SERVICE
  * cilium.io/v2: set DerivativePolicies json to derivativePolicies
  * fqdn-poller: Ensure monitor events contain all data
  * ctmap: Fix order of CtKey{4,6} struct fields
  * release: fix uploadrev script to work with changes made after 1.3
  * datapath: Fix nil dereference in logging statement
  * Prepare 1.4.1 release
  * k8s/utils: wrap kubernetes controller with ControllerSyncer
  * k8s/utils: make the ControllerSynced fields public
  * allocator: Wait until kvstore is connected before allocating global identities
  * policy: Fix ipcache synchronization on startup
  * cilium: ipsec, fix kube-proxy compatibility
  * cilium: ipsec, remove bogus mark set
  * cilium: ipsec, zero CB_SRC_IDENTITY to ensure we don't incorrectly encrypt
  * cilium: k8s watcher, push internal Cilium IPs through annotations
  * policy: Add unit tests for ResolvePolicy() for L7 + ingress wildcards
  * identity/cache: Allow using GetIdentityCache() without initializing allocator
  * Change endpoint policy status map to regular map
  * Minor disambiguation to 1.4 release/upgrade doc
  * examples: Fix docker-compose mount points
  * docs: Add note about triggering builds with net-next
  * FQDN: Set always an empty ToCIDRSet in case of no entries in cache.
  * docs: rewrite k8s setup for ipsec
  * datapath/linux: log errors for ipsec setup
  * linux/ipsec: decode ipsec keys from hex
  * cilium preflight command for FQDN poller upgrade
  * docs: Add FQDN Poller upgrade impact & instructions
  * docs: Small changes to toFQDN and DNS sections
  * docs: Move "Obtaining DNS Data" to L7 section
  * cilium preflight container prepares tofqdn-pre-cache
  * pkg/identity: add well known identity for cilium-etcd-operator
  * pkg/kvstore: wait until etcd configuration files are available
  * policy/api: generate missing deepcopy code
  * vendor: fix Gopkg.lock
  * datapath: Clean up stale ipvlan maps
  * cilium, bpf: only account tx for egress direction
  * examples: Update docker-compose examples
  * lookup rule for the given IP family
  * cilium-operator.Dockerfile: set `klog` logging values from cilium-operator
  * datapath: Clean up config map on startup
  * datapath: Fix map cleanup for CT maps
  * Update k8s-install-gke.rst
  * cilium-docker-plugin: set default CMD to /usr/bin/cilium-docker
  * api/v1: remove requirements of labels in endpoints API
  * apis/cilium.io: do not regenerate deepcopy for unnecessary structs
* Mon Mar 11 2019 ndas@suse.de
- Move cilium-docker files to cilium-cni
* Mon Mar 04 2019 Michał Rostecki <mrostecki@opensuse.org>
- Add gcc as a runtime dependency. BPF programs need to have libgcc and libgcc_s linked in. https://github.com/cilium/cilium/issues/7273
* Mon Mar 04 2019 Michał Rostecki <mrostecki@opensuse.org>
- Provide an explanation why glibc-devel-32bit is needed.
- Ship cilium-cni and cilium-docker in separate packages.
* Fri Mar 01 2019 Michał Rostecki <mrostecki@opensuse.org>
- Add missing runtime dependencies which are needed to execute scripts shipped with Cilium and to compile BPF programs.
* Wed Feb 27 2019 ndas@suse.de
- Fix license. BPF code templates are licensed under GPLv2 while the rest is under Apache License, v2 (see https://github.com/cilium/cilium#license)
  Cilium (the component licensed on Apache 2.0, written in Go) does two things with BPF program sources (licensed on GPL-2.0):
  * it executes llvm/clang to compile BPF program sources to object files
  * it executes tc (a utility which is a part of iproute2) to load object files into the kernel
  So, Cilium as a Go program only does execv calls on external utilities (llvm and iproute2) to perform some actions on BPF program sources and objects.
* Mon Feb 25 2019 ndas@suse.de
- Add missing GPL2 License for eBPF source codes
* Wed Feb 13 2019 Michał Rostecki <mrostecki@opensuse.org>
- Update to version 1.4.0:
  * doc: Fix key generation for encryption
  * doc: Add validation and troubleshooting section to encryption GSG
  * datapath: Report IPsec route installation errors
  * datapath: Fix IPsec with IPv4 or IPv6 disabled
  * docs: Add ipvlan-based datapath limitations and requirements
  * doc, configmap: add missing entries
  * examples/kubernetes: Add tofqdns-enable-poller option
  * doc: Minor update to encryption guide
  * cilium: transparent encryption with ipsec getting started docs
  * Note about apiserver outside of cluster
- Add upstream patch which allows to set additional `go build` flags
  * cilium-allow-to-add-extra-go-build-flags.patch
- Add upstream patch which allows to specify installation directories for CNI files
  * cilium-allow-to-specify-cni-install-dirs.patch
- Make use of golang-packaging macros.
- Add rc* symlinks.
* Thu Feb 07 2019 Michał Rostecki <mrostecki@opensuse.org>
- Run code checkers/linters only on openSUSE Tumbleweed.
* Wed Feb 06 2019 Michał Rostecki <mrostecki@opensuse.org>
- Add devel package which contains a header and .so file.
- Improve descriptions of all packages.
- Set BINDIR, DESTDIR and LIBDIR variables properly instead of manual installation of files in those destinations.
- Install bash completion script.
- Execute ldconfig in post and postun phases of the lib package.
- Fix Source attribute.
* Tue Feb 05 2019 ndas@suse.de
- Updated to 1.4-rc7
  * pkg/datapath/ipcache: stop leaking FD
  * pkg/fqdn: make any operation in the sourceRuleCopy
  * daemon: change policyAdd message type from Info to Debug for dns policies
  * pkg/endpoint: do not leak go routines if endpoint is disconnected
  * pkg/endpoint: ignore negative time durations in metrics
  * Endpoint: set a new context per endpoint regeneration
  * endpoint: revert endpoint BPF config map update if regenerateBPF fails
  * bpf: pin endpoint configuration map
  * endpoint: Unlock endpoint to prevent deadlocks.
  * daemon: Allow releasing builder while waiting for proxy ACKs
  * endpoint: Make regeneration timeout greater than ExecTimeout
  * endpoint: Eliminate ExecTimeout, ctx.
  * daemon: Use sync.Once, revamp comments.
  * bpf: Fix node-port access to l7 proxy
  * bpf: Templatize endpoint configuration
  * maps: Add BPFConfigMap for endpoint configuration
  * endpoint: Support dynamic BPF configuration
  * bpf: Relax verifier in IPv6 drop case
  * bpf: Fix tcp flag access
  * bpf: Don't reset TCP timer on final ACK
  * cilium: spelling: sha is an acronym replace with SHA
  * bpf: Provide more specific drop reasons
  * proxylib: Update proxylib.h with go 1.11
  * agent: Fix invalid printf style invocations
  * gitignore: Ignore cilium-ring-dump binary
  * lbmap: Retrieve service ID when dumping BPF map
  * service: Restore service IDs before connecting to Kubernetes apiserver
  * service: Restore bpfservie cache on startup
  * lbmap: Add unit test for getBackends()
  * idpool: Factor out IDPool from allocator into package for reuse
  * idpool: Fix leaseAvailableID() and slice out of bounds
  * node: Don't insert own node into tunnel map
  * bpf: Avoid routing loops for former local endpoint IPs
  * test: Use cilium-etcd-operator
  * clustermesh: Fix race when shutting down clustermesh
  * clustermesh: Wait for controllers to be shutdown when closing
  * cni: Synchronous pod label retrieval on CNI add
  * identity: Block createEndpoint() while identity is being resolved
  * bpf: Remove source MAC address validation
  * bpf: Remove destination MAC address verification
  * agent: Ignore IPV4_GATEWAY=0x0 when restoring
- detailed changelogs are in https://github.com/cilium/cilium/projects/11
- disable bash completion
- added a new package libcilium1
- build with go1.10(need fix for cgo alignchecker issue)
* Tue Sep 04 2018 ndas@suse.de
- change 00-cilium-cni.conf -> 10-cilium-cni.conf to keep sync with salt
* Mon Sep 03 2018 ndas@suse.de
- Use proper bash-completion dir
- Updated to 1.2.1
  * docker, bpf: add iproute2 version which works around missing af_alg
  * docker, bpf: add bpftool for debugging and introspection
  * test/k8sT: use specific commit for cilium/star-wars-demo YAMLs
  * pkg/k8s: properly handle empty NamespaceSelector
  * lxcmap: Improve error messages in DeleteElement()
  * lxcmap: Fix always returning an error on delete
  * ctmap: Mark IPv6 CT GC as completed on success
  * endpoint: Fix endpoint regeneration failure metric
  * Block locked code in TriggerPolicyUpdates
  * Ignore non-existing link error in cni del
  * fqdn: Strip toCIDRSet rules to be more resilient
  * fqdn: Use UUIDs to manage rules
  * fqdn: Inject IPs on initial rule insert
  * xds: Ignore completion timeouts on resource upsert and delete
  * endpoint: Log when BPF regeneration times out not because of Envoy
  * endpoint: In BPF regeneration, create/remove listeners early
  * doc: Restructure and simplify upgrade guide
  * doc: Restructure installation guides
  * doc: AWS EKS installation guide
  * identity: Wait for initial set of security identities before restoring endpoints
* Wed Aug 08 2018 ndas@suse.de
- Updated to 1.2.0-rc1
  * Inter cluster service routing
  * BPF based flow aggregation
  * BGP with kube-router
  more at https://github.com/cilium/cilium/releases/tag/v1.2.0-rc1
- Add cilium group
* Mon Jun 04 2018 dcassany@suse.com
- Refactor %license usage to simpler form
* Mon Jun 04 2018 dcassany@suse.com
- Make use of %license macro
* Wed Apr 25 2018 ndas@suse.de
- Updated to v1.0.0
  Bugfixes Changes:
  * etcd: Clear the etcd status error when connectivity is OK (3824, @rlenglet)
  * ipcache: Fix ipcache deletion of old identities on update (3865, @rlenglet)
  * bpf: Fix tracing message for egress policy (3806, @joestringer)
  [- envoy-optional.patch]
- use url for source
* Wed Apr 18 2018 ndas@suse.de
- skip doc, less dependency
- remove libelf1, zypper/rpm should auto resolve
- define _fillupdir if not so
* Mon Apr 16 2018 ndas@suse.de
- clean up spec file
- use %fillup_only for cilium sysconfig
- move cilium-cni to %{_libexecdir}/cni like all other cni-plugins
* Mon Apr 16 2018 jengelh@inai.de
- Combine %service_* macro calls to reduce generated code.
- Trim filler wording from description.
- Use modern tar invocation syntax.
* Mon Apr 09 2018 mrostecki@suse.com
- Updated to v1.0.0-rc10
  * API preparation for 1.0
    Changed the base prefix of the API from /v1beta to /v1 tada. The API will become stable with the 1.0 release. This makes client binaries with version < 1.0.0-rc10.
  * Bugfixes Changes
    policymap: Avoid using golang arrays in entry (#3506, @joestringer)
    etcd: Run etcd version check in the background (#3499, @tgraf)
    Test: Fix bugtool on kubernetes 1.7 (#3487, @eloycoto)
    Fix L4-only policy egress to world and CIDR-only egress to world (#3486, @joestringer)
    proxy: Use the same proxy map size as in BPF (#3485, @rlenglet)
    bpf: Do not route packets from egress proxy back into cilium_host (#3473, @tgraf)
    Continue to show timestamps in error cases in CiliumNetworkPolicy NodeStatus. (#3461, @aanm)
    policy: Add missing EntitySlice autogen code (#3458, @raybejjani)
    Fix l3-dependent L4/L7 rules applying to CIDR egress traffic (#3434, @joestringer)
    Other Changes
    bugtool: add ip rule and cilium-health status commands (#3500, @ianvernon)
    Policy: Kafka multi-topic request support (#3445, @manalibhutiyani)
- build cilium without envoy [+envoy-optional.patch]
* Fri Jan 19 2018 ndas@suse.de
- Updated to v1.0.0-rc2
  * Major Changes
    Tech preview of Envoy as Cilium HTTP proxy, adding HTTP2 and gRPC support. (#1580, @jrajahalme)
    Introduce "cilium-health", a new tool for investigating cluster connectivity issues. (#2052, @joestringer)
    cilium-agent collects and serves prometheus metrics (#2127, @raybejjani)
    bugtool and debuginfo (#2044, @scanf)
    Add nightly test infrastructure (#2212, @ianvernon)
    Separate ingress and egress default deny modes with better control (#2156, @manalibhutiyani)
    k8s: add support for IPBlock and Egress Rules with IPBlock (#2096, @ianvernon)
    Kafka: Support access logging for Kafka requests/responses (#1870, @manalibhutiyani)
    Added cilium endpoint log command that returns the endpoint's status log (#2060, @raybejjani)
    Change endpoint status log in cilium endpoint get to show only the most recent log
    Routes connecting the host to the Cilium IP space is now implemented as individual route for each node in the cluster. This allows to assign IPs which are part of the cluster CIDR to endpoints outside of the cluster as long as the IPs are never used as node CIDRs. (#1888, @tgraf)
    Standardized structured logging (#1801, #1828, #1836, #1826, #1833, #1834, #1827, #1829, #1832, #1835, @raybejjani)
  * Bugfixes Changes
    Fix L4Filter JSON marshalling (#1871, @joestringer)
    Fix swapped src dst IPs on Conntrack related messages on the monitor's output (#2228, @aanm)
    Fix output of cilium endpoint list for endpoints using multiple labels. (#2225, @aanm)
    bpf: fix verifier error in daemon debug mode with newer LLVM versions (#2181, @borkmann)
    pkg/kvstore: fixed race in internal mutex map (#2179, @aanm)
    Proxy ingress policy fix for LLVM 4.0 and greater. Resolves return code 500 'Internal Error' seen with some policies and traffic patterns. (#2162, @jrfastab)
    Printing patch clang and kernel patch versions when starting cilium. (#2137, @aanm)
    Clean up Connection Tracking entries when a new policy no longer allows it. #1667, #1823 (#2136, @aanm)
    k8s: fix data race in d.loadBalancer.K8sEndpoints (#2129, @aanm)
    Add internal queue for k8s watcher updates #1966 (#2123, @aanm)
    k8s: fix missing deep copy when updating status (#2115, @aanm)
    Accept traffic to Cilium in FORWARD chain (#2112, @tgraf)
    Also clear the masquerade bit in the FORWARD chain to skip the masquerade rule installed by kube-proxy
    Fix SNAT issue in combination with kube-proxy, when masquerade rule installed by kube-proxy takes precedence over rule installed by Cilium. (#2108, @tgraf)
    Fixed infinite loop when importing CNP to kubernetes with an empty kafka version (#2090, @aanm)
    Mark cilium pod as CriticalPod in the DaemonSet (#2024, @manalibhutiyani)
    proxy: Provide identities { host | world | cluster } in SourceEndpoint (#2022, @manalibhutiyani)
    In kubernetes mode, fixed bug that was allowing cilium to start up even if the kubernetes api-server was not reachable #1973 (#2014, @aanm)
    Support policy with EndpointSelector missing (#1987, @raybejjani)
    Implemented deep copy functionality when receiving events from kubernetes watcher #1885 (#1986, @aanm)
    pkg/labels: Filter out pod-template-generation label (#1979, @michi-covalent)
    bpf: Double timeout on building BPF programs (#1949, @raybejjani)
    policy: add PolicyTrace msg to AllowsRLocked() when L4 policies not evaluated (#1939, @gnahckire)
    Handle Kafka responses correctly (#1924, @manalibhutiyani)
    bpf: Avoid excessive proxymap updates (#2210, @joestringer)
    cilium-agent correctly restarts listening for CiliumNetworkPolicy changes when it sees decoding errors (#1899, @raybejjani)
* Wed Nov 08 2017 ndas@suse.de
- Initial version 0.12
/usr/bin/cilium-operator
/usr/bin/cilium-operator-aws
/usr/bin/cilium-operator-azure
/usr/bin/cilium-operator-generic
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 14:00:23 2024