OCPBUGS-21395: Update go.mod for CVE-2023-39325 [Release-4.10] #38
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci-robot
added
jira/valid-reference
|
@s1061123: This pull request references Jira Issue OCPBUGS-21395, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
s1061123
changed the title
openshift-ci
bot
added
the
approved
openshift-ci bot
pushed a commit
that referenced
this pull request
Oct 17, 2023
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
|
@s1061123: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
/label backport-risk-assessed |
openshift-ci
bot
added
the
backport-risk-assessed
openshift-ci
bot
assigned anuragthehatter, asood-rh, huiran0826, jechen0648, mffiedler, qiowang721, rbbratta, weliang1, yingwang-0320 and zhaozhanqi
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dougbtv, s1061123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci bot
pushed a commit
that referenced
this pull request
Nov 2, 2023
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
|
/label cherry-pick-approved |
openshift-ci
bot
added
the
cherry-pick-approved
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@s1061123: This pull request references Jira Issue OCPBUGS-21395. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
pliurh
pushed a commit
to pliurh/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
s1061123
added a commit
to s1061123/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (openshift#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (openshift#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (openshift#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (openshift#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix openshift#17 and openshift#18 * Fix capabilities (openshift#25) fix openshift#24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (openshift#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (openshift#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (openshift#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (openshift#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (openshift#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (openshift#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (openshift#40) * Support IPv6 networks (openshift#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (openshift#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (openshift#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
s1061123
added a commit
to s1061123/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (openshift#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (openshift#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (openshift#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (openshift#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix openshift#17 and openshift#18 * Fix capabilities (openshift#25) fix openshift#24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (openshift#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (openshift#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (openshift#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (openshift#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (openshift#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (openshift#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (openshift#40) * Support IPv6 networks (openshift#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (openshift#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (openshift#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (openshift#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (openshift#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (openshift#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix openshift#45 * Update golang to 1.20 * Fix end2end tests (openshift#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (openshift#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (openshift#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (openshift#54) * Fix linter warning (openshift#55) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Apr 10, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Oct 31, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) * Make sure that policies with no valid peers are enforced If a policy rule has a `from` (or `to`) selector that matches no pods, the subject pod has to not be reached by (or has to not reach) any pods. The following example helps clarify the reasons behind these: Given a scenario with 3 pods (A, B, C) and a rule like: ``` podSelector: matchLabels: name: A ingress: - from: - podSelector: matchLabels: name: B policyTypes: - Ingress ``` Pod A can be reached only by pod B. Pod C can't reach A, and this has to be ensured even if pod B is deleted. Add an end-to-end test case to validate this scenario and adjust unit tests accordingly. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Run all e2e tests in `./e2e/tests/*.bats` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * ds: Remove mpty lines in Dockerfile Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.