Merge tag '1.27.2' into sync-istio-1-27-2

Author: FilipB

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.27-56a42ed008b9070d88166dbec82e798d9eca43de",
+  "image": "gcr.io/istio-testing/build-tools:release-1.27-0ef669e3326567c47323402f8af247931fce234f",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.27-2025-07-30T19-02-15
+BASE_VERSION ?= 1.27-2025-10-02T19-02-00
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

cni/pkg/cmd/root.go

@@ -132,25 +132,27 @@ var rootCmd = &cobra.Command{
 			// if it is, we do NOT remove the plugin, and do
 			// NOT do ambient watch server cleanup
 			defer func() {
-				var isUpgrade bool
+				var shouldStopCleanup bool
 				if cfg.InstallConfig.AmbientDisableSafeUpgrade {
 					log.Info("Ambient node agent safe upgrade explicitly disabled via env")
-					isUpgrade = false
+					shouldStopCleanup = false
 				} else {
-					isUpgrade = ambientAgent.ShouldStopForUpgrade("istio-cni", nodeagent.PodNamespace)
+					shouldStopCleanup = ambientAgent.ShouldStopCleanup("istio-cni", nodeagent.PodNamespace, cfg.InstallConfig.IstioOwnedCNIConfig)
 				}
-				log.Infof("Ambient node agent shutting down - is upgrade shutdown? %t", isUpgrade)
+				log.Infof("Ambient node agent shutting down - should stop cleanup? %t", shouldStopCleanup)
+
+				// TODO(jaellio) - do we want to add support for a partial cleanup
 				// if we are doing an "upgrade shutdown", then
 				// we do NOT want to remove/cleanup the CNI plugin.
 				//
 				// This is important - we want it to remain in place to "stall"
 				// new ambient-enabled pods while our replacement spins up.
-				if !isUpgrade {
+				if !shouldStopCleanup {
 					if cleanErr := installer.Cleanup(); cleanErr != nil {
 						log.Error(cleanErr.Error())
 					}
 				}
-				ambientAgent.Stop(isUpgrade)
+				ambientAgent.Stop(shouldStopCleanup)
 			}()
 
 			ambientAgent.Start()

cni/pkg/iptables/iptables.go

@@ -145,9 +145,14 @@ func NewIptablesConfigurator(
 
 		ipt6Ver, err := hostDeps.DetectIptablesVersion(true)
 		if err != nil {
-			return err
+			if hostCfg.EnableIPv6 {
+				return err
+			}
+			log.Warnf("Failed to detect a working ip6tables binary; continuing because IPv6 support is disabled (ENABLE_INBOUND_IPV6=false): %v", err)
+			ipt6Ver = dep.IptablesVersion{}
+		} else {
+			log.Debugf("found iptables v6 binary: %+v", ipt6Ver)
 		}
-		log.Debugf("found iptables v6 binary: %+v", iptVer)
 
 		configurator.ipt6V = ipt6Ver
 		return nil
@@ -489,7 +494,9 @@ func (cfg *IptablesConfigurator) executeCommands(log *istiolog.Scope, iptablesBu
 			log.Info("Removing guardrails")
 			guardrailsCleanup := iptablesBuilder.BuildCleanupGuardrails()
 			_ = cfg.executeIptablesCommands(log, &cfg.iptV, guardrailsCleanup)
-			_ = cfg.executeIptablesCommands(log, &cfg.ipt6V, guardrailsCleanup)
+			if cfg.cfg.EnableIPv6 {
+				_ = cfg.executeIptablesCommands(log, &cfg.ipt6V, guardrailsCleanup)
+			}
 		}
 	}()
 	residueExists, deltaExists := iptablescapture.VerifyIptablesState(log, cfg.ext, iptablesBuilder, &cfg.iptV, &cfg.ipt6V)
@@ -503,9 +510,13 @@ func (cfg *IptablesConfigurator) executeCommands(log *istiolog.Scope, iptablesBu
 			log.Info("Setting up guardrails")
 			guardrailsCleanup := iptablesBuilder.BuildCleanupGuardrails()
 			guardrailsRules := iptablesBuilder.BuildGuardrails()
-			for _, ver := range []*dep.IptablesVersion{&cfg.iptV, &cfg.ipt6V} {
-				cfg.tryExecuteIptablesCommands(log, ver, guardrailsCleanup)
-				if err := cfg.executeIptablesCommands(log, ver, guardrailsRules); err != nil {
+			iptVersions := []dep.IptablesVersion{cfg.iptV}
+			if cfg.cfg.EnableIPv6 {
+				iptVersions = append(iptVersions, cfg.ipt6V)
+			}
+			for _, ver := range iptVersions {
+				cfg.tryExecuteIptablesCommands(log, &ver, guardrailsCleanup)
+				if err := cfg.executeIptablesCommands(log, &ver, guardrailsRules); err != nil {
 					return err
 				}
 				guardrails = true
@@ -514,7 +525,9 @@ func (cfg *IptablesConfigurator) executeCommands(log *istiolog.Scope, iptablesBu
 		// Remove old iptables
 		log.Info("Performing cleanup of existing iptables")
 		cfg.tryExecuteIptablesCommands(log, &cfg.iptV, iptablesBuilder.BuildCleanupV4())
-		cfg.tryExecuteIptablesCommands(log, &cfg.ipt6V, iptablesBuilder.BuildCleanupV6())
+		if cfg.cfg.EnableIPv6 {
+			cfg.tryExecuteIptablesCommands(log, &cfg.ipt6V, iptablesBuilder.BuildCleanupV6())
+		}
 
 		// Remove leftovers from non-matching istio iptables cfg
 		if cfg.cfg.Reconcile {
@@ -540,7 +553,7 @@ func (cfg *IptablesConfigurator) cleanupIstioLeftovers(log *istiolog.Scope, ext
 	iptV *dep.IptablesVersion, ipt6V *dep.IptablesVersion,
 ) {
 	for _, ipVer := range []*dep.IptablesVersion{iptV, ipt6V} {
-		if ipVer == nil {
+		if ipVer.DetectedBinary == "" {
 			continue
 		}
 		output, err := ext.Run(log, true, iptablesconstants.IPTablesSave, ipVer, nil)

cni/pkg/iptables/iptables_test.go

@@ -22,6 +22,7 @@ import (
 
 	"istio.io/istio/cni/pkg/scopes"
 	testutil "istio.io/istio/pilot/test/util"
+	"istio.io/istio/pkg/test/util/assert"
 	dep "istio.io/istio/tools/istio-iptables/pkg/dependencies"
 )
 
@@ -47,6 +48,23 @@ func TestIptablesPodOverrides(t *testing.T) {
 	}
 }
 
+func TestIPv6NotAvailable(t *testing.T) {
+	setup(t)
+	cfg := constructTestConfig()
+	ext := &dep.DependenciesStub{
+		ForceIPv6DetectionFail: true,
+	}
+
+	// Istio shouldn't fail if we're working with IPv4 interfaces only, and ip6tables is unavailable.
+	cfg.EnableIPv6 = false
+	_, _, err := NewIptablesConfigurator(cfg, cfg, ext, ext, EmptyNlDeps())
+	assert.NoError(t, err)
+
+	cfg.EnableIPv6 = true
+	_, _, err = NewIptablesConfigurator(cfg, cfg, ext, ext, EmptyNlDeps())
+	assert.Error(t, err)
+}
+
 func TestIptablesHostRules(t *testing.T) {
 	cases := GetCommonHostTestCases()
 

cni/pkg/nodeagent/server.go

@@ -21,7 +21,9 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
 
@@ -31,7 +33,10 @@ import (
 
 const defaultZTunnelKeepAliveCheckInterval = 5 * time.Second
 
-var log = scopes.CNIAgent
+var (
+	log              = scopes.CNIAgent
+	tokenWaitBackoff = time.Second
+)
 
 type MeshDataplane interface {
 	// MUST be called first, (even before Start()).
@@ -119,18 +124,47 @@ func (s *Server) Stop(skipCleanup bool) {
 	s.dataplane.Stop(skipCleanup)
 }
 
-func (s *Server) ShouldStopForUpgrade(selfName, selfNamespace string) bool {
+// ShouldStopCleanup of istio-cni config and binary when upgrading or on node reboot
+func (s *Server) ShouldStopCleanup(selfName, selfNamespace string, istioOwnedCNIConfig bool) bool {
 	dsName := fmt.Sprintf("%s-node", selfName)
-	cniDS, err := s.kubeClient.Kube().AppsV1().DaemonSets(selfNamespace).Get(context.Background(), dsName, metav1.GetOptions{})
-	log.Debugf("Daemonset %s has deletion timestamp?: %+v", dsName, cniDS.DeletionTimestamp)
-	if err == nil && cniDS != nil && cniDS.DeletionTimestamp == nil {
-		log.Infof("terminating, but parent DS %s is still present, this is an upgrade, leaving plugin in place", dsName)
-		return true
+	shouldStopCleanup := false
+	var numRetries uint64
+	// use different defaults when using an istio owned CNI config file
+	if istioOwnedCNIConfig {
+		shouldStopCleanup = true
+		numRetries = 2
 	}
-
-	// If the DS is gone, it's definitely not an upgrade, so carry on like normal.
-	log.Infof("parent DS %s is gone or marked for deletion, this is not an upgrade, shutting down normally %s", dsName, err)
-	return false
+	err := backoff.Retry(
+		func() error {
+			cniDS, err := s.kubeClient.Kube().AppsV1().DaemonSets(selfNamespace).Get(context.Background(), dsName, metav1.GetOptions{})
+
+			if err == nil && cniDS != nil && cniDS.DeletionTimestamp == nil {
+				log.Infof("terminating, but parent DaemonSet %s is still present, this is an upgrade or a node reboot, leaving plugin in place", dsName)
+				shouldStopCleanup = true
+				return nil
+			}
+			if errors.IsNotFound(err) || (cniDS != nil && cniDS.DeletionTimestamp != nil) {
+				// If the DS is gone, or marked for deletion, this is not an upgrade.
+				// We can safely shut down the plugin.
+				log.Infof("parent DaemonSet %s is not found or marked for deletion, this is not an upgrade, shutting down normally", dsName)
+				shouldStopCleanup = false
+				return nil
+			}
+			if errors.IsUnauthorized(err) {
+				log.Infof("permission to get parent DaemonSet %s has been revoked manually or due to uninstall, this is not an upgrade, "+
+					"shutting down normally", dsName)
+				shouldStopCleanup = false
+				return nil
+			}
+			log.Infof("failed to get parent DS %s, retrying: %v", dsName, err)
+			return err
+		},
+		// Limiting retries to 3 so other shutdown tasks can complete before the graceful shutdown period ends
+		backoff.WithMaxRetries(backoff.NewConstantBackOff(tokenWaitBackoff), numRetries))
+	if err != nil {
+		log.Infof("failed to get parent DaemonSet %s, returning %t: %v", dsName, shouldStopCleanup, err)
+	}
+	return shouldStopCleanup
 }
 
 // buildKubeClient creates the kube client

cni/pkg/plugin/plugin.go

@@ -164,23 +164,26 @@ func CmdAdd(args *skel.CmdArgs) (err error) {
 		return err
 	}
 
+	// Preemptively check if the pod is a CNI pod.
+	// It is possible that the kubeconfig is not available if it hasn't been written yet
+	// by the CNI pod or it is invalid which cause the CNI pod to be unable to start if
+	// on the creation of a new K8s client. We preemptively check if the pod is a CNI pod
+	// to avoid a deadlock on the kubeconfig when the k8s client is unnecessary to process
+	// the CNI add event for the CNI pod itself.
+	if conf.AmbientEnabled {
+		k8sArgs := K8sArgs{}
+		if err := types.LoadArgs(args.Args, &k8sArgs); err != nil {
+			return fmt.Errorf("failed to load args: %v", err)
+		}
+		if isCNIPod(conf, &k8sArgs) {
+			// If we are in a degraded state and this is our own agent pod, skip
+			return pluginResponse(conf)
+		}
+	}
+
 	// Create a kube client
 	client, err := newK8sClient(*conf)
-	// If creation of a kube client fails, check if the pod is a CNI pod.
-	// It is possible that the kubeconfig is not available if it hasn't been written yet
-	// by the CNI pod which could be unable to start if we failed here. We skip this
-	// failure for the CNI pod to avoid a deadlock.
 	if err != nil {
-		if conf.AmbientEnabled {
-			k8sArgs := K8sArgs{}
-			if err := types.LoadArgs(args.Args, &k8sArgs); err != nil {
-				return fmt.Errorf("failed to load args after failed attempt to get client: %v", err)
-			}
-			if isCNIPod(conf, &k8sArgs) {
-				// If we are in a degraded state and this is our own agent pod, skip
-				return pluginResponse(conf)
-			}
-		}
 		return fmt.Errorf("failed to createNewK8sClient: %v", err)
 	}
 
@@ -404,6 +407,6 @@ func isCNIPod(conf *Config, k8sArgs *K8sArgs) bool {
 		log.Infof("in a degraded state and %v looks like our own agent pod, skipping", k8sArgs.K8S_POD_NAME)
 		return true
 	}
-	log.Warnf("not a CNI pod, podName: %s, podNamespace: %s", k8sArgs.K8S_POD_NAME, k8sArgs.K8S_POD_NAMESPACE)
+	log.Warnf("not a CNI pod, podName: %s, podNamespace: %s, conf pod namespace: %s", k8sArgs.K8S_POD_NAME, k8sArgs.K8S_POD_NAMESPACE, conf.PodNamespace)
 	return false
 }

cni/pkg/plugin/sidecar_redirect.go

@@ -275,18 +275,20 @@ func NewRedirect(pi *PodInfo) (*Redirect, error) {
 		return nil, fmt.Errorf("annotation value error for value %s; annotationFound = %t: %v",
 			"excludeInterfaces", isFound, valErr)
 	}
-	// kubeVirtInterfaces is deprecated, so check it first, but prefer`reroute-virtual-interfaces`
-	// if both are defined.
-	isFound, redir.rerouteVirtualInterfaces, valErr = getAnnotationOrDefault("kubevirtInterfaces", pi.Annotations)
-	if valErr != nil {
-		return nil, fmt.Errorf("annotation value error for value %s; annotationFound = %t: %v",
-			"kubevirtInterfaces", isFound, valErr)
-	}
+	// kubeVirtInterfaces is deprecated, so prefer`reroute-virtual-interfaces` if both are defined.
 	isFound, redir.rerouteVirtualInterfaces, valErr = getAnnotationOrDefault("reroute-virtual-interfaces", pi.Annotations)
 	if valErr != nil {
 		return nil, fmt.Errorf("annotation value error for value %s; annotationFound = %t: %v",
 			"reroute-virtual-interfaces", isFound, valErr)
 	}
+	// Only check deprecated kubevirtInterfaces if reroute-virtual-interfaces was not found
+	if !isFound {
+		isFound, redir.rerouteVirtualInterfaces, valErr = getAnnotationOrDefault("kubevirtInterfaces", pi.Annotations)
+		if valErr != nil {
+			return nil, fmt.Errorf("annotation value error for value %s; annotationFound = %t: %v",
+				"kubevirtInterfaces", isFound, valErr)
+		}
+	}
 	if v, found := pi.ProxyEnvironments["ISTIO_META_DNS_CAPTURE"]; found {
 		// parse and set the bool value of dnsRedirect
 		redir.dnsRedirect, valErr = strconv.ParseBool(v)

common/.commonfiles.sha

@@ -1 +1 @@
-e00505c43a460ae40f8a26e1a1d62ffebb68d918
+cb5e4cb5a36094ef48591f380a797be5442b80ae

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.27-56a42ed008b9070d88166dbec82e798d9eca43de
+  IMAGE_VERSION=release-1.27-0ef669e3326567c47323402f8af247931fce234f
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools