Open
Conversation
nddq
force-pushed
the
cilium/v1.19-rebase
branch
26 times, most recently
from
5aa10cd to
0df8cbd
Compare
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
nddq
force-pushed
the
cilium/v1.19-rebase
branch
from
0df8cbd to
f1bcf41
Compare
SRodi
reviewed
Mar 31, 2026
Member
SRodi
left a comment
SRodi
left a comment
There was a problem hiding this comment.
Thanks for driving this @nddq I agree the IG incompatibility forces us to move DNS/tcpretrans off inspektor-gadget as part of getting to Cilium v1.19.2.
One suggestion to make this easier to review/debug (without overcomplicating rollout): could we split this into two PRs, but keep the plugin names the same and do a straight replacement (no dual-plugin naming / feature flags)?
Proposed split:
- PR: Replace the existing
dns+tcpretransplugins with the ebpf-native implementations and remove the inspektor-gadget dependency (keep external behavior/plugin names the same). - PR: Upgrade
github.com/cilium/ciliumto v1.19.2 (and any required Go/tooling + Hubble/operator adaptation changes).
Rationale: this isolates the “plugin implementation change” from the broader Cilium/control-plane dependency churn, making review and failure attribution simpler. Rollback is still straightforward at the Retina release level if needed (we can do a release straight after the plugins change), so I don’t think we need to introduce extra flags or temporary plugin naming.
Member
Author
|
@SRodi Sounds good! I'll make that change |
This was referenced Mar 31, 2026
Member
Author
github-merge-queue bot
pushed a commit
that referenced
this pull request
Apr 9, 2026
# Description **PR 2 of 2** for removing inspektor-gadget from retina plugins (split from #2148). Replaces the IG-based DNS tracer with a native eBPF socket filter and adds comprehensive kernel-level and Go unit tests. - **BPF program** (`dns.c`): Socket filter on AF_PACKET captures DNS queries/responses (UDP + TCP, IPv4 + IPv6). Uses `bpf_skb_load_bytes` helpers compatible with `BPF_PROG_TEST_RUN`. Query type extracted in BPF via QNAME walking. - **Per-interface dedup filter**: Socket binds to all interfaces (`ifindex=0`) with a BPF-side filter that only captures `PACKET_HOST` on non-default interfaces (veths) while capturing both directions on the default interface (eth0). This avoids double-counting while preserving visibility into same-node pod-to-CoreDNS and NodeLocal DNS traffic. - **Go plugin** (`dns_linux.go`): Perf buffer event loop with gopacket DNS parsing. Populates `dns_config` BPF map with default interface index at Init. No runtime compilation — pre-compiled via `bpf2go@v0.18.0`. - **Test infrastructure** (`ebpftest/packet.go`): `TCPPacketOpts.Payload`, IPv6 `BuildUDPPacket`, DNS packet builders (`BuildDNSQueryPacket`, `BuildDNSResponsePacket`, `BuildDNSTCPQueryPacket`). - **eBPF + unit tests**: 28 tests covering IPv4/IPv6, TCP/UDP, mDNS, edge cases, counter deltas, mock enricher, and `parseDNSPayload`. ## Related Issue Partial fix for #1788 Split from #2148 ## Checklist - [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview). - [x] I signed and signed-off the commits (`git commit -S -s ...`). - [x] I have correctly attributed the author(s) of the code. - [x] I have tested the changes locally. - [x] I have followed the project's style guidelines. - [ ] I have updated the documentation, if necessary. - [x] I have added tests, if applicable. ## Testing Completed All 28 tests pass (14 eBPF + 14 unit). Validated on AKS cluster (`retinaTest-v119`, 3-node, k8s v1.33.6): | Scenario | Result | |---|---| | Pod → CoreDNS same node | Captured, count=1 per query | | Pod → CoreDNS different node | Captured, count=1 per query | | NodeLocal DNS (169.254.20.10) | Both hops captured (pod→cache, cache→CoreDNS) — expected | | Multi-NIC | Not tested (single-NIC AKS nodes) | | Double-counting | None detected | Hubble and standard mode DNS metrics flowing with correct pod-level labels. ## Additional Notes - After both plugin PRs merge, inspektor-gadget can be fully removed in the Cilium v1.19 upgrade PR - The old IG tracer used `ifindex=0` with no dedup, which caused double-counting on multi-interface paths. The new BPF dedup filter resolves this while maintaining same-node and NodeLocal DNS visibility. --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project. Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Cilium v1.19.2 pins
cilium/ebpfat a post-v0.20.0 commit that removedCollectionSpec.RewriteConstants(). Inspektor-gadget v0.27.0 calls this method in every package Retina imports, causing a fatal compile error. Upgrading IG is not an option — v0.42.0 removed the built-intrace/dnsandtrace/tcpretransgadgets entirely (inspektor-gadget/inspektor-gadget#4573), and the earliest IG version compatible withcilium/ebpfv0.20.x is v0.47.0+ where these packages are long gone. The DNS and tcpretrans plugins are rewritten using native cilium/ebpf.Key dependency changes:
github.com/cilium/ciliumv1.18.0-pre.1 → v1.19.2github.com/cilium/ebpfv0.18.0 → v0.20.1k8s.io/*v0.32.x → v0.35.3sigs.k8s.io/controller-runtimev0.20.4 → v0.23.3go1.24.11 → 1.25.0Changes by area:
slog.Handlerandlogr.Loggerbridges (pkg/log/zap.go). Migrate all DI-injected loggers fromlogrus.FieldLoggerto*slog.Loggeracross agent, operator, and Hubble componentsbpf_skb_load_bytesfor zero-conversion IP extraction. Same metrics as before (dns_request_count,dns_response_count)tracepoint/tcp/tcp_retransmit_skb(stable kernel API) withBPF_CORE_READfor verifier-safe field access. TCP flags read fromtcp_skb_cb. Supports both IPv4 and IPv6hubblecell.Core→hubblecell.Cell, forcemetricscell.Serverinstantiation. DI cell broken into sub-cells (infrastructureCell,ipcacheCell,watcherCell,stubsCell) for fault isolation. Uses Cilium'spkg/datapath/fake/typesandpkg/testutils/identityinstead of hand-rolled stubscilium/operator/k8s(behind_linuxbuild tag), add in-memory kvstore client for identity GCRelated Issue
Fixes #1788
Checklist
git commit -S -s ...).Testing Completed
E2E run: https://github.com/microsoft/retina/actions/runs/23731276655
Additionally verified on manually provisioned AKS clusters:
adv_dns_request_count/adv_dns_response_countwith full pod-level labels (ip, namespace, podname, query, query_type, workload_kind, workload_name),forward_count/forward_bytes,tcp_state,drop_count/drop_bytes,adv_node_apiserver_latency,adv_tcpretrans_counthubble_dns_queries_total,hubble_flows_processed_total,hubble_drop_totalon port 9965adv_tcpretrans_countcorrectly attributed to source podAdditional Notes
inspektor-gadgetdependency is fully removedCompile()andGenerate()are no-ops retained for plugin manager lifecycle compatibility