Merge branch 'master' into slack-notifications

projectcalico · Jan 9, 2025 · c6b293b · c6b293b
2 parents 48b7f6b + e069dc0
commit c6b293b
Show file tree

Hide file tree

Showing 68 changed files with 2,154 additions and 301 deletions.
diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go
@@ -611,6 +611,19 @@ type FelixConfigurationSpec struct {
 	// [Default: Auto]
 	BPFConntrackCleanupMode *BPFConntrackMode `json:"bpfConntrackMode,omitempty" validate:"omitempty,oneof=Auto Userspace BPFProgram"`
 
+	// BPFConntrackTimers overrides the default values for the specified conntrack timer if
+	// set. Each value can be either a duration or `Auto` to pick the value from
+	// a Linux conntrack timeout.
+	//
+	// Configurable timers are: CreationGracePeriod, TCPSynSent,
+	// TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout,
+	// ICMPTimeout.
+	//
+	// Unset values are replaced by the default values with a warning log for
+	// incorrect values.
+	// +optional
+	BPFConntrackTimeouts *BPFConntrackTimeouts `json:"bpfConntrackTimeouts,omitempty" validate:"omitempty"`
+
 	// BPFLogFilters is a map of key=values where the value is
 	// a pcap filter expression and the key is an interface name with 'all'
 	// denoting all interfaces, 'weps' all workload endpoints and 'heps' all host
@@ -947,6 +960,56 @@ type ProtoPort struct {
 	Net string `json:"net,omitempty"`
 }
 
+// +kubebuilder:validation:Pattern=`^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$`
+type BPFConntrackTimeout string
+
+type BPFConntrackTimeouts struct {
+	//  CreationGracePeriod gives a generic grace period to new connection
+	//  before they are considered for cleanup [Default: 10s].
+	// +optional
+	CreationGracePeriod *BPFConntrackTimeout `json:"creationGracePeriod,omitempty"`
+	// TCPSynSent controls how long it takes before considering this entry for
+	// cleanup after the last SYN without a response. If set to 'Auto', the
+	// value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses
+	// its own default value. [Default: 20s].
+	// +optional
+	TCPSynSent *BPFConntrackTimeout `json:"tcpSynSent,omitempty"`
+	// TCPEstablished controls how long it takes before considering this entry for
+	// cleanup after the connection became idle. If set to 'Auto', the
+	// value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses
+	// its own default value. [Default: 1h].
+	// +optional
+	TCPEstablished *BPFConntrackTimeout `json:"tcpEstablished,omitempty"`
+	// TCPFinsSeen controls how long it takes before considering this entry for
+	// cleanup after the connection was closed gracefully. If set to 'Auto', the
+	// value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses
+	// its own default value. [Default: Auto].
+	// +optional
+	TCPFinsSeen *BPFConntrackTimeout `json:"tcpFinsSeen,omitempty"`
+	// TCPFinsSeen controls how long it takes before considering this entry for
+	// cleanup after the connection was aborted. If nil, Calico uses its own
+	// default value. [Default: 40s].
+	// +optional
+	TCPResetSeen *BPFConntrackTimeout `json:"tcpResetSeen,omitempty"`
+	// UDPTimeout controls how long it takes before considering this entry for
+	// cleanup after the connection became idle. If nil, Calico uses its own
+	// default value. [Default: 60s].
+	// +optional
+	UDPTimeout *BPFConntrackTimeout `json:"udpTimeout,omitempty"`
+	// GenericTimeout controls how long it takes before considering this
+	// entry for cleanup after the connection became idle. If set to 'Auto', the
+	// value from nf_conntrack_generic_timeout is used. If nil, Calico uses its
+	// own default value. [Default: 10m].
+	// +optional
+	GenericTimeout *BPFConntrackTimeout `json:"genericTimeout,omitempty"`
+	// ICMPTimeout controls how long it takes before considering this
+	// entry for cleanup after the connection became idle. If set to 'Auto', the
+	// value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its
+	// own default value. [Default: 5s].
+	// +optional
+	ICMPTimeout *BPFConntrackTimeout `json:"icmpTimeout,omitempty"`
+}
+
 // New FelixConfiguration creates a new (zeroed) FelixConfiguration struct with the TypeMetadata
 // initialized to the current version.
 func NewFelixConfiguration() *FelixConfiguration {

diff --git a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
diff --git a/api/pkg/openapi/generated.openapi.go b/api/pkg/openapi/generated.openapi.go
diff --git a/calicoctl/tests/st/calicoctl/test_crud.py b/calicoctl/tests/st/calicoctl/test_crud.py
@@ -2485,7 +2485,7 @@ def check_only_default_profile_returned(self, testdata):
         '  metadata:\n'
         '    creationTimestamp: null\n'
         '    name: projectcalico-default-allow\n'
-        '    resourceVersion: "0"\n'
+        '    resourceVersion: "1"\n'
         '  spec:\n'
         '    egress:\n'
         '    - action: Allow\n'

diff --git a/cni-plugin/pkg/plugin/plugin.go b/cni-plugin/pkg/plugin/plugin.go
@@ -45,6 +45,7 @@ import (
 	"github.com/projectcalico/calico/cni-plugin/pkg/k8s"
 	"github.com/projectcalico/calico/cni-plugin/pkg/types"
 	libapi "github.com/projectcalico/calico/libcalico-go/lib/apis/v3"
+	"github.com/projectcalico/calico/libcalico-go/lib/backend/k8s/resources"
 	"github.com/projectcalico/calico/libcalico-go/lib/clientv3"
 	cerrors "github.com/projectcalico/calico/libcalico-go/lib/errors"
 	"github.com/projectcalico/calico/libcalico-go/lib/logutils"
@@ -260,7 +261,21 @@ func cmdAdd(args *skel.CmdArgs) (err error) {
 	}
 
 	// Check if there's an existing endpoint by listing the existing endpoints based on the WEP name prefix.
-	endpoints, err := calicoClient.WorkloadEndpoints().List(ctx, options.ListOptions{Name: wepPrefix, Namespace: wepIDs.Namespace, Prefix: true})
+
+	// We know that, in KDD, even though there may be >1 endpoint, we're only
+	// looking up one backing Pod.  Send it a hint that we really want it to
+	// do a Get instead of a list.  CNI plugin only has RBAC permissions to do
+	// a get on Pod resources.  The default used to be to do a Get if possible,
+	// and we relied on that here, but the default was changed to fix an issue
+	// with watching from the returned resource revision.  We don't watch here
+	// so we can opt in to the old behavior.
+	ctx = resources.ContextWithWorkloadEndpointListMode(ctx, resources.WorkloadEndpointListModeForceGet)
+
+	endpoints, err := calicoClient.WorkloadEndpoints().List(ctx, options.ListOptions{
+		Name:      wepPrefix,
+		Namespace: wepIDs.Namespace,
+		Prefix:    true,
+	})
 	if err != nil {
 		return
 	}

diff --git a/felix/bpf-gpl/conntrack_cleanup.c b/felix/bpf-gpl/conntrack_cleanup.c
@@ -61,17 +61,17 @@ static __u64 calculate_max_age(const struct calico_ct_key *key, const struct cal
 				   value->b_to_a.syn_seen && value->b_to_a.ack_seen ) {
 			max_age = __globals.tcp_established;
 		} else {
-			max_age = __globals.tcp_pre_established;
+			max_age = __globals.tcp_syn_sent;
 		}
 		break;
 	case IPPROTO_UDP:
-		max_age = __globals.udp_last_seen;
+		max_age = __globals.udp_timeout;
 		break;
 	case IPPROTO_ICMP_46:
-		max_age = __globals.icmp_last_seen;
+		max_age = __globals.icmp_timeout;
 		break;
 	default:
-		max_age = __globals.generic_last_seen;
+		max_age = __globals.generic_timeout;
 		break;
 	}
 	return max_age;

diff --git a/felix/bpf-gpl/globals.h b/felix/bpf-gpl/globals.h
@@ -74,16 +74,16 @@ struct cali_xdp_preamble_globals {
 struct cali_ct_cleanup_globals {
     __u64 creation_grace;
 
-    __u64 tcp_pre_established;
+    __u64 tcp_syn_sent;
     __u64 tcp_established;
     __u64 tcp_fins_seen;
     __u64 tcp_reset_seen;
 
-    __u64 udp_last_seen;
+    __u64 udp_timeout;
 
-    __u64 generic_last_seen;
+    __u64 generic_timeout;
 
-    __u64 icmp_last_seen;
+    __u64 icmp_timeout;
 };
 
 #endif /* __CALI_GLOBALS_H__ */
diff --git a/felix/bpf/conntrack/bpf_scanner.go b/felix/bpf/conntrack/bpf_scanner.go
@@ -118,13 +118,13 @@ func (s *BPFProgLivenessScanner) ensureBPFExpiryProgram() (*libbpf.Obj, error) {
 
 	ctCleanupData := &libbpf.CTCleanupGlobalData{
 		CreationGracePeriod: s.timeouts.CreationGracePeriod,
-		TCPPreEstablished:   s.timeouts.TCPPreEstablished,
+		TCPSynSent:          s.timeouts.TCPSynSent,
 		TCPEstablished:      s.timeouts.TCPEstablished,
 		TCPFinsSeen:         s.timeouts.TCPFinsSeen,
 		TCPResetSeen:        s.timeouts.TCPResetSeen,
-		UDPLastSeen:         s.timeouts.UDPLastSeen,
-		GenericIPLastSeen:   s.timeouts.GenericIPLastSeen,
-		ICMPLastSeen:        s.timeouts.ICMPLastSeen}
+		UDPTimeout:          s.timeouts.UDPTimeout,
+		GenericTimeout:      s.timeouts.GenericTimeout,
+		ICMPTimeout:         s.timeouts.ICMPTimeout}
 
 	obj, err := bpf.LoadObject(binaryToLoad, ctCleanupData, ctMapParams.VersionedName())
 	if err != nil {