Merge tag '1.21.4' into tetratefips-release-1.21

Istio release 1.21.4

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:release-1.21-d7352b67b9fdfc7365a3e41207e3aa5cc070037b",
+  "image": "gcr.io/istio-testing/build-tools:release-1.21-4ef8661a6a388d403616444787141bb47a04ee39",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

Makefile.core.mk

@@ -49,7 +49,7 @@ endif
 export VERSION
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.21-2024-04-26T19-03-19
+BASE_VERSION ?= 1.21-2024-06-02T19-03-50
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 
 export GO111MODULE ?= on

cni/pkg/repair/netns.go

@@ -22,8 +22,6 @@ import (
 
 	netns "github.com/containernetworking/plugins/pkg/ns"
 	"github.com/prometheus/procfs"
-	"github.com/vishvananda/netlink"
-	"golang.org/x/sys/unix"
 	corev1 "k8s.io/api/core/v1"
 
 	"istio.io/istio/pkg/log"
@@ -35,44 +33,40 @@ func getPidNamespace(pid int) string {
 
 func runInHost[T any](f func() (T, error)) (T, error) {
 	var res T
-	ns, err := netns.GetNS(getPidNamespace(1))
-	if err != nil {
-		return res, fmt.Errorf("failed to get host network: %v", err)
-	}
-	err = ns.Do(func(ns netns.NetNS) error {
+	ns := getPidNamespace(1)
+	err := netns.WithNetNSPath(ns, func(_ netns.NetNS) error {
 		var err error
 		res, err = f()
 		return err
 	})
 	if err != nil {
-		return res, fmt.Errorf("in host network: %v", err)
+		return res, fmt.Errorf("in network namespace %v: %v", ns, err)
 	}
-	return res, nil
-}
 
-func findNetworkIDByIP(ip string) (int, error) {
-	link, err := getLinkWithDestinationOf(ip)
-	if err != nil {
-		return 0, fmt.Errorf("find link for %v: %v", ip, err)
-	}
-	return link.Attrs().NetNsID, nil
+	return res, nil
 }
 
-func getLinkWithDestinationOf(ip string) (netlink.Link, error) {
-	routes, err := netlink.RouteListFiltered(
-		netlink.FAMILY_V4,
-		&netlink.Route{Dst: &net.IPNet{IP: net.ParseIP(ip), Mask: net.CIDRMask(32, 32)}},
-		netlink.RT_FILTER_DST)
-	if err != nil {
-		return nil, err
+func checkInterfacesForMatchingAddr(targetAddr net.IP) (match bool, err error) {
+	var interfaces []net.Interface
+	if interfaces, err = net.Interfaces(); err != nil {
+		return false, fmt.Errorf("failed to get interfaces")
 	}
 
-	if len(routes) == 0 {
-		return nil, fmt.Errorf("no routes found for %s", ip)
+	for _, ief := range interfaces {
+		var addrs []net.Addr
+		if addrs, err = ief.Addrs(); err != nil {
+			return
+		}
+		for _, addr := range addrs {
+			switch v := addr.(type) {
+			case *net.IPNet:
+				if v.IP.Equal(targetAddr) {
+					return true, nil
+				}
+			}
+		}
 	}
-
-	linkIndex := routes[0].LinkIndex
-	return netlink.LinkByIndex(linkIndex)
+	return false, fmt.Errorf("no interface has the address %s", targetAddr)
 }
 
 // getPodNetNs finds the network namespace for a given pod. There is not a great way to do this. Network namespaces live
@@ -88,12 +82,11 @@ func getLinkWithDestinationOf(ip string) (netlink.Link, error) {
 //
 // Instead, we traverse the procfs. Comments on this method are inline.
 func getPodNetNs(pod *corev1.Pod) (string, error) {
-	// First, find the network namespace id by looking the interface with the given Pod IP.
-	// This could break on some platforms if they do not have an interface-per-pod.
-	wantID, err := findNetworkIDByIP(pod.Status.PodIP)
-	if err != nil {
-		return "", fmt.Errorf("network id: %v", err)
+	parsedPodAddr := net.ParseIP(pod.Status.PodIP)
+	if parsedPodAddr == nil {
+		return "", fmt.Errorf("failed to parse addr: %s", pod.Status.PodIP)
 	}
+
 	fs, err := procfs.NewFS("/host/proc")
 	if err != nil {
 		return "", fmt.Errorf("read procfs: %v", err)
@@ -104,27 +97,26 @@ func getPodNetNs(pod *corev1.Pod) (string, error) {
 	}
 	oldest := uint64(math.MaxUint64)
 	best := ""
-	// We will iterate over all processes. Our goal is to find a process with the same network ID as we found above.
+
+	// We will iterate over all processes. Our goal is to find a process whose namespace has a veth with an IP matching the pod.
 	// There should be 1 or 2 processes that match: the pause container should always be there, and the istio-validation *might*.
 	// We want the pause container, as the istio-validation one may exit before we are done.
 	// We do this by detecting the longest running process. We could look at `cmdline`, but is likely more reliable to weird platforms.
 	for _, p := range procs {
+		match := false
 		ns := getPidNamespace(p.PID)
-		fd, err := unix.Open(ns, unix.O_RDONLY, 0)
-		if err != nil {
-			// Not uncommon, many processes are transient and we have a TOCTOU here.
-			// No problem, must not be the one we are after.
-			log.Debugf("failed to open pid %v: %v", p.PID, err)
-			continue
-		}
-		id, err := netlink.GetNetNsIdByFd(fd)
-		_ = unix.Close(fd)
+
+		err := netns.WithNetNSPath(ns, func(_ netns.NetNS) error {
+			var err error
+			match, err = checkInterfacesForMatchingAddr(parsedPodAddr)
+			return err
+		})
 		if err != nil {
-			log.Debugf("failed to get netns for pid %v: %v", p.PID, err)
+			log.Warnf("failed to check proc %d netns interfaces: %v", p.PID, err)
 			continue
 		}
 
-		if id != wantID {
+		if !match {
 			// Not the network we want, skip
 			continue
 		}

common/.commonfiles.sha

@@ -1 +1 @@
-64416b4a9442d76b15860f0873d8b6dfa0358b1d
+994ec08882325c03642242b65a43f77eb6615a4f

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=release-1.21-d7352b67b9fdfc7365a3e41207e3aa5cc070037b
+  IMAGE_VERSION=release-1.21-4ef8661a6a388d403616444787141bb47a04ee39
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

go.mod

@@ -104,8 +104,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.14.2
-	istio.io/api v1.21.3-0.20240422111456-ce2c1feea604
-	istio.io/client-go v1.21.3-0.20240422111956-6caf45ef5297
+	istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2
+	istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0
 	k8s.io/api v0.29.0
 	k8s.io/apiextensions-apiserver v0.29.0
 	k8s.io/apimachinery v0.29.0

go.sum

@@ -1089,10 +1089,10 @@ helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.21.3-0.20240422111456-ce2c1feea604 h1:rBkCndZuKojMaNBV6iC7zD/q8zwDKDaWs+1t8mrf13Q=
-istio.io/api v1.21.3-0.20240422111456-ce2c1feea604/go.mod h1:TFCMUCAHRjxBv1CsIsFCsYHPHi4axVI4vdIzVr8eFjY=
-istio.io/client-go v1.21.3-0.20240422111956-6caf45ef5297 h1:79TwlDwAC9BOIsmNJuoBj1DFeifnntHKovTU3C8a6PM=
-istio.io/client-go v1.21.3-0.20240422111956-6caf45ef5297/go.mod h1:9LEzw82gl2VZrc9fNnWrkGMmhWSrYsgcgi650KY3LII=
+istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2 h1:vStTheu7D9Xk9/oZI5uRl9r0Vqn01jOXKxSCwqvxQ0s=
+istio.io/api v1.21.4-0.20240611230649-337ff9a6cea2/go.mod h1:TFCMUCAHRjxBv1CsIsFCsYHPHi4axVI4vdIzVr8eFjY=
+istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0 h1:vXjyWFDCB8eESFe6rL7MWKPBJF7uAZ3aZzWN4veoWR4=
+istio.io/client-go v1.21.4-0.20240611231558-63d10ab13ad0/go.mod h1:SOLAAx2S26noWzUYPxfzRUiDl/aqDPpYVu68g/qz4S4=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=

istio.deps

@@ -4,13 +4,13 @@
     "name": "PROXY_REPO_SHA",
     "repoName": "proxy",
     "file": "",
-    "lastStableSHA": "6e17fceba9bf16510d80f98b3523672b58f2ce5e"
+    "lastStableSHA": "aff23c1d4e167fa8c7d23eb22d0cd79b6f197a83"
   },
   {
     "_comment": "",
     "name": "ZTUNNEL_REPO_SHA",
     "repoName": "ztunnel",
     "file": "",
-    "lastStableSHA": "c37d477baab61d9109386e27a9ad36e2058ee6ce"
+    "lastStableSHA": "84e8e226070e951f97705376ee14e09cabd0d911"
   }
 ]

manifests/charts/gateway/values.yaml

@@ -34,8 +34,8 @@ defaults:
   # Define the security context for the pod.
   # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
   # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-  securityContext: ~
-  containerSecurityContext: ~
+  securityContext: {}
+  containerSecurityContext: {}
 
   service:
     # Type of service. Set to "None" to disable the service entirely

manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml

@@ -13,9 +13,13 @@ metadata:
   }
 spec:
   securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
     sysctls:
     - name: net.ipv4.ip_unprivileged_port_start
       value: "0"
+  {{- end }}
   containers:
   - name: istio-proxy
   {{- if contains "/" .Values.global.proxy.image }}

manifests/charts/istio-control/istio-discovery/files/kube-gateway.yaml

@@ -63,10 +63,14 @@ spec:
       {{- if .KubeVersion122 }}
       {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
       securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
         sysctls:
         - name: net.ipv4.ip_unprivileged_port_start
           value: "0"
       {{- end }}
+      {{- end }}
       serviceAccountName: {{.ServiceAccount | quote}}
       containers:
       - name: istio-proxy

manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml

@@ -12,7 +12,10 @@ metadata:
 data:
 {{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
   values: |-
-{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
 
   # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
   # and istiod webhook functionality.

manifests/charts/istio-control/istio-discovery/values.yaml

@@ -491,3 +491,10 @@ defaults:
   istio_cni:
     enabled: false
     chained: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}

manifests/charts/istiod-remote/files/gateway-injection-template.yaml

@@ -13,9 +13,13 @@ metadata:
   }
 spec:
   securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
     sysctls:
     - name: net.ipv4.ip_unprivileged_port_start
       value: "0"
+  {{- end }}
   containers:
   - name: istio-proxy
   {{- if contains "/" .Values.global.proxy.image }}

manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml

@@ -12,7 +12,10 @@ metadata:
 data:
 {{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
   values: |-
-{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
 
   # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
   # and istiod webhook functionality.

manifests/charts/istiod-remote/values.yaml

@@ -415,3 +415,9 @@ defaults:
   istio_cni:
     enabled: false
     chained: true
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}