
Remove CRI v1alpha2 #110618

Merged
merged 1 commit into from Nov 3, 2022

Conversation

saschagrunert
Member

@saschagrunert saschagrunert commented Jun 16, 2022

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

After the removal of dockershim we can finally also drop support for CRI v1alpha2.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Dropped support for the Container Runtime Interface (CRI) version `v1alpha2`, which means that container runtimes just have to implement `v1`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

None

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 16, 2022
@k8s-ci-robot
Contributor

@saschagrunert: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jun 16, 2022
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 16, 2022
@saschagrunert saschagrunert force-pushed the v1alpha2-removal branch 3 times, most recently from 6157cbb to 49ac6cd June 16, 2022 08:39
@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Jun 16, 2022
@saschagrunert
Member Author

/test pull-kubernetes-e2e-gce-ubuntu-containerd

@saschagrunert
Member Author

Looks like we have to wait until containerd 1.5.x goes EOL (still active until Oct 2022): https://github.com/containerd/containerd/blob/main/RELEASES.md

@saschagrunert
Member Author

/test pull-kubernetes-e2e-gce-100-performance

@mikebrow
Member

mikebrow commented Jun 16, 2022

Looks like we have to wait until containerd 1.5.x goes EOL (still active until Oct 2022): https://github.com/containerd/containerd/blob/main/RELEASES.md

or you have to require containerd v1.6.0 or above. (Edited: it was 1.6, not 1.5.8; the cherry-pick for 1.5 did not merge.)

@saschagrunert
Member Author

saschagrunert commented Jun 17, 2022

Looks like we could bump the OS image there (and multiple other places): https://github.com/kubernetes/test-infra/blob/master/jobs/e2e_node/containerd/image-config.yaml#L3-L4

Unfortunately I do not have the permissions to see which newer image_family exists. 🤔

@saschagrunert
Member Author

/test pull-kubernetes-e2e-gce-100-performance

@saschagrunert
Member Author

saschagrunert commented Jun 17, 2022

@thockin @BenTheElder @bobbypage @sergeyevstifeev do you know (or maybe can find out) which recent image families (pipeline-1-xx) are available for the project ubuntu-os-gke-cloud?

@pacoxu pacoxu added this to Waiting on Author in SIG Node PR Triage Jun 20, 2022
@mikebrow
Member

Per Slack, we may postpone removing v1alpha2 until EOL of containerd 1.5 in October/November of 2022.

@bobbypage
Member

@thockin @BenTheElder @bobbypage @sergeyevstifeev do you know (or maybe can find out) which recent image families (pipeline-1-xx) are available for the project ubuntu-os-gke-cloud?

The latest one should be pipeline-1-24, the latest image is ubuntu-gke-2204-1-24-v20220623

saschagrunert added a commit to saschagrunert/test-infra that referenced this pull request Jun 24, 2022
…mily

As per kubernetes/kubernetes#110618 (comment),
we now use the latest `image` ubuntu-gke as well as `image_family` in
test-infra.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert saschagrunert deleted the v1alpha2-removal branch November 3, 2022 10:56
saschagrunert added a commit to saschagrunert/cri-o that referenced this pull request Nov 3, 2022
Kubernetes v1.26.0 will not support CRI v1alpha2 any more after the
merge of: kubernetes/kubernetes#110618

This means we can also remove the code parts within CRI-O.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@akhilerm
Member

akhilerm commented Nov 7, 2022

I think the containerd job (pull-containerd-node-e2e) for the 1.5 branch is failing due to this change. containerd/containerd#7479 and containerd/containerd#7633 are PRs to the 1.5 branch which have been failing for the last 4 days. Even after updating the machine image to cos-stable, the jobs are still failing.

akhilerm added a commit to akhilerm/test-infra that referenced this pull request Nov 7, 2022
separate out the pull-containerd-node-e2e job for containerd 1.5 branch.
Instead of running against kubernetes master, it will run against
k8s release-1.25 branch because CRI v1alpha2 is deprecated in later releases
which containerd-1.5 does not support

Ref: kubernetes/kubernetes#110618

Signed-off-by: Akhil Mohan <makhil@vmware.com>
akhilerm added a commit to akhilerm/test-infra that referenced this pull request Nov 8, 2022
containerd v1.5.x supports CRI v1alpha2, the API that was available at
the time of release for containerd v1.5. containerd v1.6.x has support
for both CRI v1alpha2 and v1; and is being designated a long term
support release.

kubelet master is removing support for CRI v1alpha2, this action has the
effect of forcing kubernetes master(and kubernetes r.next+) users to move
up to containerd v1.6.x where both CRI v1 and v1alpha2 is supported.

Therefore we need to separate out the pull-containerd-node-e2e job for
containerd 1.5 branch, so that patches can still be made to 1.5 branch
till its EOL. Instead of running against kubernetes master, it will run
against k8s release-1.25 branch (the last release which supports CRI v1alpha2)

Ref: kubernetes/kubernetes#110618

Signed-off-by: Akhil Mohan <makhil@vmware.com>
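A pre-upgrade check that follows from the facts in this thread (kubelet 1.26 speaks CRI v1 only; containerd 1.5.x speaks v1alpha2 only; containerd 1.6 and later speak both), written as an added example that is not part of this PR or of any project mentioned here. It reads the `containerRuntimeVersion` field of `kubectl get nodes -o json` (the sample document is constructed) and lists the nodes whose runtime must be upgraded before kubelet 1.26 is rolled out; `checkNode` and `incompatibleNodes` are names chosen for this example, and runtimes other than containerd are reported as unknown rather than guessed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// node mirrors the fields of `kubectl get nodes -o json` that the check needs.
type node struct {
	Metadata struct{ Name string } `json:"metadata"`
	Status   struct {
		NodeInfo struct {
			ContainerRuntimeVersion string `json:"containerRuntimeVersion"`
		} `json:"nodeInfo"`
	} `json:"status"`
}

// parseVersion turns "v1.26.0", "1.5.13" or "1.6.0-rc.1" into major and minor numbers.
func parseVersion(s string) (int, int, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i] // drop pre-release / build metadata
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unparseable version %q", s)
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return 0, 0, fmt.Errorf("unparseable version %q", s)
	}
	return major, minor, nil
}

type Verdict int
const (
	OK           Verdict = iota // runtime serves CRI v1, or kubelet still speaks v1alpha2
	Incompatible                // runtime serves only v1alpha2; a v1-only kubelet cannot use it
	Unknown                     // not covered by the facts in this thread; confirm with `crictl version`
)

// checkNode applies the compatibility facts stated in this thread: kubelet >= 1.26
// speaks CRI v1 only, containerd 1.5.x speaks v1alpha2 only, and containerd >= 1.6.0
// speaks both. Other runtimes are reported as Unknown rather than guessed.
func checkNode(kubeletVersion, runtimeVersion string) (Verdict, string) {
	kmaj, kmin, err := parseVersion(kubeletVersion)
	if err != nil {
		return Unknown, err.Error()
	}
	if kmaj < 1 || (kmaj == 1 && kmin < 26) {
		return OK, "kubelet " + kubeletVersion + " still supports CRI v1alpha2"
	}
	name, ver, found := strings.Cut(runtimeVersion, "://")
	if !found || name != "containerd" {
		return Unknown, runtimeVersion + ": confirm CRI v1 support with `crictl version`"
	}
	rmaj, rmin, err := parseVersion(ver)
	if err != nil {
		return Unknown, err.Error()
	}
	if rmaj > 1 || (rmaj == 1 && rmin >= 6) {
		return OK, "containerd " + ver + " serves CRI v1"
	}
	return Incompatible, "containerd " + ver + " serves only CRI v1alpha2; upgrade to >= 1.6.0 first"
}

// incompatibleNodes parses kubectl JSON and returns, for each node whose runtime cannot
// serve targetKubelet (the version you are about to roll out), the reason why.
func incompatibleNodes(nodesJSON []byte, targetKubelet string) (map[string]string, error) {
	var nl struct {
		Items []node `json:"items"`
	}
	if err := json.Unmarshal(nodesJSON, &nl); err != nil {
		return nil, err
	}
	bad := map[string]string{}
	for _, n := range nl.Items {
		if v, why := checkNode(targetKubelet, n.Status.NodeInfo.ContainerRuntimeVersion); v == Incompatible {
			bad[n.Metadata.Name] = why
		}
	}
	return bad, nil
}

// sampleNodes is a constructed, trimmed-down `kubectl get nodes -o json` document.
const sampleNodes = `{"items":[
{"metadata":{"name":"worker-a"},"status":{"nodeInfo":{"containerRuntimeVersion":"containerd://1.5.13"}}},
{"metadata":{"name":"worker-b"},"status":{"nodeInfo":{"containerRuntimeVersion":"containerd://1.6.8"}}},
{"metadata":{"name":"worker-c"},"status":{"nodeInfo":{"containerRuntimeVersion":"cri-o://1.25.1"}}}]}`

func main() {
	bad, _ := incompatibleNodes([]byte(sampleNodes), "v1.26.0")
	for name, why := range bad {
		fmt.Printf("%s: %s\n", name, why) // worker-a is the only node reported for the sample
	}
}
```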
wgahnagl pushed a commit to wgahnagl/cri-o that referenced this pull request Nov 15, 2022
Kubernetes v1.26.0 will not support CRI v1alpha2 any more after the
merge of: kubernetes/kubernetes#110618

This means we can also remove the code parts within CRI-O.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
zeeke added a commit to zeeke/multi-networkpolicy-iptables that referenced this pull request Feb 1, 2023
As of v1.26.0 kubernetes removed support for api cri-api
v1alpha2
kubernetes/kubernetes#110618

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
s1061123 pushed a commit to k8snetworkplumbingwg/multi-networkpolicy-iptables that referenced this pull request Feb 2, 2023
As of v1.26.0 kubernetes removed support for api cri-api
v1alpha2
kubernetes/kubernetes#110618

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
openshift-merge-robot pushed a commit to openshift/multus-networkpolicy that referenced this pull request Feb 3, 2023
* Add pod-iptables option to store pod iptables

This change introduces the pod-iptables option to store iptables rules
in the pod's network namespace. This helps administrators/engineers with
troubleshooting.

* Fix owners file

* Update CI pipeline

* Add label to Dockerfile

* Update github action to simplify

* Use GITHUB_TOKEN for push packages

* Update slack URL in README

* fix workflows

* Fix some timing issue and change memory limit

* Add namespace check between pod and multi-networkpolicy

* Use TCP as default for Port.Protocol

Add ginkgo test to the suite with only default values.
Add `renderProtocol` function with fallback logic.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix to make namespaceSelector policy work without labelSelector

* Support for `NamespaceSelector` (#16)

* Add test case for namespace selector

The case is about having two namespaces with pods
and net-attach-def and a multi networkpolicy that
goes through namespace borders.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add test case with net-attach-def in other ns

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve logging in server.go (#19)

* Add object information to update events

This should make it clearer what k8s object the
daemon is working on.

Increase verbosity threshold for invoke handlers logs.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve error logging

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add IPv6 support in TODO list

* Set specific version for `revive` tool (#20)

"go getting" github.com/mgechev/revive can lead to unreproducible
builds, as it downloads the latest "dev" version. Stick to the latest
(v1.2.1) version.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Log filter rules (#23)

* Log filter rules

Logging iptables rules before applying them
can be useful to debug complex scenarios.
Setting verbosity level to 6 as they can be
quite cumbersome.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Clean up logging code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Refine policy generation routine to support multiple policies

This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fix #17 and #18

* Fix capabilities (#25)

fix #24

* Update github action to fit to latest golang

* Remove docker from supported runtimes as it is obsolete

* Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31)

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.7.1...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump vendor packages.

* Graceful shutdown for daemonset (#32)

* Remove unused errCh

`server.Run()` is not a blocking function and returns always `nil`.
There is no need for a struct field channel.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow stopping the server

Add signal handler for SIGTERM and SIGINT to main.go.
Add Stop() method to Options to forward os signals.
Add a channel to stop `syncRunner` and clean iptables afterward.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add sync-period option for fast sync

* Remove deprecated parameters in deploy.yml

* Add e2e test

* e2e-test: Add script to update server image (#35)

Add a script to redeploy the server in the kind cluster. It is
useful to quickly test new changes without tearing down the
cluster and bringing it up again.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix yaml syntax error in GH workflow (#36)

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add CodeQL workflow for GitHub code scanning (#38)

Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>

* Add NOTICE file for Apache license 2.0 (#39)

This change adds NOTICE file in repository as [1].

[1]: https://infra.apache.org/apply-license.html#new

* IPv6 support in multi-networkpolicy-iptables (#40)

* Support IPv6 networks (#27)

Make Server generate rules for both IP families.
Make iptableBuffer aware of the IP family it is managing, in
order to skip wrong addresses.

Add unit and e2e tests for IPv6 and dual stack networks.

Remove IPv6 item from TODO

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* fix merge-conflict to rebase

* Add e2e ipv6 ingress tests

* IPv6 fix for NDP and DHCPv6 (#37)

* Add Requirements section to README

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow ipv6 Neighbor Discovery Protocol

NDP leverages icmpv6 packets to discover hosts'
IPv6 addresses. This kind of packet must be allowed
between hosts, otherwise some policy-allowed traffic
may get blocked.

Adjust unit tests expected output strings.

See https://www.rfc-editor.org/rfc/rfc2373

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow DHCPv6 traffic

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Refine icmp/dhcpv6 code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com>

* Use string instead of byte in unit-test cases

In real code, use bytes for performance, however, we don't care
about performance for unit-test, hence change bytes to string
for ease of troubleshooting.

* Make INGRESS/EGRESS-COMMON configurable by command line option

This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable
to provide a way to support various v4/v6 network.

* Fix CodeQL warnings

* Update docs/configurations.md

Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Update docs/configurations.md

Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Wait for sync between policy/iptables in e2e tests

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Fix github action

* Avoid using cri-api `v1alpha2` (#43)

As of v1.26.0 kubernetes removed support for api cri-api
v1alpha2
kubernetes/kubernetes#110618

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Doug Smith <dosmith@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com>
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
openshift-merge-robot pushed a commit to openshift/multus-networkpolicy that referenced this pull request Jul 14, 2023
* Fix typo in container registry domain (#44)

* Update go mod for a security vulnerability

Update golang.org/x/text to v0.3.8 for vulnerability.

* Fix github action

* Update vendors to fix dependabot alerts

* Add ipblock bat tests in e2e (#48)

This change introduces ipblock tests in e2e and enables v6
ingress tests in e2e as well.

* Fix iptables rules in multiple items in ingress/egress (#49)

This change fixes iptables rules for multiple items
in ingress/egress. It also adds e2e tests for that.
fix #45

* Update golang to 1.20

* Fix end2end tests (#53)

* e2e: Save kind logs as artifacts

Saving `kind export logs` output when
end-to-end job fails helps debugging flakes
and test failures.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* build: set CGO_ENABLED=0

Setting CGO_ENABLED=0 for go builds
produces GLIBC independent binaries.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Infer PolicyTypes if missing (#50)

* Infer PolicyTypes if missing

In cases where Spec.PolicyTypes is not specified, it should
default to the existence of Ingress or Egress rules.

Updating end2end tests to cover also this scenario.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* e2e: Wait for policy sync during setup

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.38.0...v1.53.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update e2e environments (#54)

* Fix linter warning (#55)

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Doug Smith <dosmith@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com>
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
Co-authored-by: Peter Stöckli <p-@github.com>
openshift-ci bot pushed a commit to openshift/multus-networkpolicy that referenced this pull request Oct 17, 2023
* Add pod-iptables option to store pod iptables

This change introduces pod-iptables option to store iptables-rules
in pod's network namespace. This helps administrator/engineer to
troubleshooting.

* Fix owners file

* Update CI pipeline

* Add label to Dockerfile

* Update github action to simplify

* Use GITHUB_TOKEN for push packages

* Update slack URL in README

* fix workflows

* Fix some timing issue and change memory limit

* Add namespace check between pod and multi-networkpolicy

* Use TCP as default for Port.Protocol

Add ginkgo test to the suite with only default values.
Add `renderProtocol` function with fallback logic.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix to work namespacveSelector policy, without labelSelector

* Support for `NamespaceSelector` (#16)

* Add test case for namespace selector

The case is about having two namespaces with pods
and net-attach-def and a multi networkpolicy that
goes through namespace borders.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add test case with net-attach-def in other ns

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve logging in server.go (#19)

* Add object information to update events

This should make it clearer what k8s object the
daemon is working on.

Increase verbosity threshlod for invoke handlers logs.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve error logging

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add IPv6 support in TODO list

* Set specific version for `revive` tool (#20)

"go getting" github.com/mgechev/revive can lead to unreproducible
builds, as it download the latest "dev" version. Stick to the latest
(v1.2.1) version.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Log filter rules (#23)

* Log filter rules

Logging iptables rules before applying them
can be useful to debug complex scenarios.
Setting verbosity level to 6 as they can be
quite cumbersome.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Clean up logging code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Refine policy generation routine to support multiple policies

This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fix #17 and #18

* Fix capabilities (#25)

fix #24

* Update github action to fit to latest golang

* Remove docker from support runtime due to obsolated

* Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31)

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.7.1...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump vendor packages.

* Graceful shutdown for daemonset (#32)

* Remove unused errCh

`server.Run()` is not a blocking function and returns always `nil`.
There is no need for a struct field channel.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow stopping the server

Add signal handler for SIGTERM and SIGINT to main.go.
Add Stop() method to Options to forward os signals.
Add a channel to stop `syncRunner` and clean iptables afterward.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add sync-period option for fast sync

* Remove deprecated parameters in deploy.yml

* Add e2e test

* e2e-test: Add script to update server image (#35)

Add a script to redeploy the server in the kind cluster. It is
useful to quickly test new changes without tearing down the
cluster and bringing it up again.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix yaml syntax error in GH workflow (#36)

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add CodeQL workflow for GitHub code scanning (#38)

Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>

* Add NOTICE file for Apache license 2.0 (#39)

This change adds NOTICE file in repository as [1].

[1]: https://infra.apache.org/apply-license.html#new

* IPv6 support in multi-networkpolicy-iptables (#40)

* Support IPv6 networks (#27)

Make Server generates rules for both IP family.
Make iptableBuffer aware of the IP family it is managing, in
order to skip wrong addresses.

Add unit and e2e tests for IPv6 and dual stack networks.

Remove IPv6 item from TODO

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* fix merge-conflict to rebase

* Add e2e ipv6 ingress tests

* IPv6 fix  for NDP and DHCPv6 (#37)

* Add Requirements section to README

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow ipv6 Neighbor Discovery Protocol

NDP leverages icmpv6 packets to discover hosts
IPv6 addresses. This kind of packet must be allowed
between hosts, otherwise some policy-allowed traffic
may get blocked.

Adjust unit tests expected output strings.

See https://www.rfc-editor.org/rfc/rfc2373

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow DHCPv6 traffic

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Refine icmp/dhcpv6 code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com>

* Use string instead of byte in unit-test cases

In real code, use bytes for performance, however, we don't care
about performance for unit-test, hence change bytes to string
for ease of troubleshooting.

* Make INGRESS/EGRESS-COMMON configurable by command line option

This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable
to provide a way to support various v4/v6 network.

* Fix CodeQL warnings

* Update docs/configurations.md

Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Update docs/configurations.md

Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Wait for sync between policy/iptables in e2e tests

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>

* Fix github action

* Avoid using cri-api `v1alpha2` (#43)

As of v1.26.0 Kubernetes removed support for the cri-api
v1alpha2 API
kubernetes/kubernetes#110618

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix typo in container registry domain (#44)

* Update go mod to fix security vulnerability

Update golang.org/x/text to v0.3.8 to fix a vulnerability.

* Fix github action

* Update vendors to fix dependabot alerts

* Add ipblock bat tests in e2e (#48)

This change introduces ipblock tests in e2e and enables v6
ingress tests in e2e as well.

* Fix iptables rules in multiple items in ingress/egress (#49)

This change fixes iptables rules for multiple items
in ingress/egress. It also adds e2e tests for that.
fix #45

* Update golang to 1.20

* Fix end2end tests (#53)

* e2e: Save kind logs as artifacts

Saving `kind export logs` output when
end-to-end job fails helps debugging flakes
and test failures.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* build: set CGO_ENABLED=0

Setting CGO_ENABLED=0 for go builds
produces glibc-independent binaries.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Infer PolicyTypes if missing (#50)

* Infer PolicyTypes if missing

In cases where Spec.PolicyTypes is not specified, it should
default to the existence of Ingress or Egress rules.

Updating end2end tests to also cover this scenario.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* e2e: Wait for policy sync during setup

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.38.0...v1.53.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update e2e environments (#54)

* Fix linter warning (#55)

* Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57)

Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0.

---
updated-dependencies:
- dependency-name: gopkg.in/yaml.v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56)

Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6.
- [Release notes](https://github.com/containernetworking/plugins/releases)
- [Commits](containernetworking/plugins@v0.8.5...v0.8.6)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/plugins
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update vendor and golang version (#58)

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Doug Smith <dosmith@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com>
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
Co-authored-by: Peter Stöckli <p-@github.com>
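The IPv6 rule rendering, PolicyTypes inference and Port.Protocol defaulting described in the commit message above, as an added example that is not the project's own code. It uses a constructed stand-in spec type (assumption: field names mirror the upstream NetworkPolicy API), the upstream NetworkPolicy defaulting rule for PolicyTypes (Ingress always, Egress only when egress rules exist; assumed to match the project's "infer from existing rules" behaviour), a TCP fallback for an unset protocol, a per-family filter on ipBlock CIDRs so an ip6tables buffer skips IPv4 blocks, and baseline allows for NDP (ICMPv6 types 133 to 137) and DHCPv6 replies (UDP 547 to 546) in a MULTI-INGRESS-COMMON chain. The chain names follow the ones mentioned in the message; the exact rule layout and the final DROP are assumptions, not the project's generator.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for a MultiNetworkPolicy spec (assumption: not the
// project's types; field names mirror the upstream NetworkPolicy API).
type Port struct {
	Protocol string // "" means unspecified
	Port     int
}

type Rule struct {
	Ports []Port
	CIDRs []string // ipBlock CIDRs of either family
}

type PolicySpec struct {
	PolicyTypes []string
	Ingress     []Rule
	Egress      []Rule
}

// inferPolicyTypes applies the upstream NetworkPolicy defaulting rule: an
// explicit list wins; otherwise Ingress is always present and Egress is
// added only when the spec carries egress rules.
func inferPolicyTypes(s PolicySpec) []string {
	if len(s.PolicyTypes) > 0 {
		return s.PolicyTypes
	}
	types := []string{"Ingress"}
	if len(s.Egress) > 0 {
		types = append(types, "Egress")
	}
	return types
}

// renderProtocol falls back to TCP when Port.Protocol is unset and
// lower-cases the name for the iptables -p flag.
func renderProtocol(p Port) string {
	if p.Protocol == "" {
		return "tcp"
	}
	return strings.ToLower(p.Protocol)
}

// sameFamily reports whether cidr belongs to the family a buffer manages,
// so the ip6tables buffer skips IPv4 blocks and vice versa. Unparseable
// input is skipped rather than rendered.
func sameFamily(cidr string, v6 bool) bool {
	ip, _, err := net.ParseCIDR(cidr)
	if err != nil {
		return false
	}
	return (ip.To4() == nil) == v6
}

// commonRules are the baseline allows for the common chain: conntrack for
// established flows and, for IPv6, NDP (ICMPv6 133..137) plus DHCPv6
// server-to-client replies (UDP 547 -> 546).
func commonRules(chain string, v6 bool) []string {
	rules := []string{
		fmt.Sprintf("-A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", chain),
	}
	if v6 {
		for t := 133; t <= 137; t++ {
			rules = append(rules, fmt.Sprintf("-A %s -p icmpv6 --icmpv6-type %d -j ACCEPT", chain, t))
		}
		rules = append(rules, fmt.Sprintf("-A %s -p udp --sport 547 --dport 546 -j ACCEPT", chain))
	}
	return rules
}

// renderIngress builds the rules for one family: common allows, one ACCEPT
// per (same-family source block, port) pair, then a final DROP (assumed
// layout) in the policy chain. Nothing is emitted when Ingress is not a
// policy type.
func renderIngress(s PolicySpec, v6 bool) []string {
	rules := commonRules("MULTI-INGRESS-COMMON", v6)
	for _, ty := range inferPolicyTypes(s) {
		if ty != "Ingress" {
			continue
		}
		for _, r := range s.Ingress {
			for _, cidr := range r.CIDRs {
				if !sameFamily(cidr, v6) {
					continue
				}
				for _, p := range r.Ports {
					rules = append(rules, fmt.Sprintf("-A MULTI-INGRESS -s %s -p %s --dport %d -j ACCEPT",
						cidr, renderProtocol(p), p.Port))
				}
			}
		}
		rules = append(rules, "-A MULTI-INGRESS -j DROP")
	}
	return rules
}

func main() {
	// Constructed sample: no PolicyTypes, one ingress rule with a dual-stack ipBlock.
	spec := PolicySpec{
		Ingress: []Rule{{
			Ports: []Port{{Port: 80}, {Protocol: "UDP", Port: 53}},
			CIDRs: []string{"10.1.1.0/24", "fd00:1::/64"},
		}},
	}
	for _, r := range renderIngress(spec, true) {
		fmt.Println(r)
	}
}
```

Rendering the same spec once per family and checking that the IPv4 output contains no IPv6 block (and the reverse) is the quickest way to catch a buffer that forgot the family filter; the NDP allows must stay ahead of the DROP or policy-allowed IPv6 traffic silently fails at neighbour resolution.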
openshift-ci bot pushed a commit to openshift/multus-networkpolicy that referenced this pull request Nov 2, 2023
* Add pod-iptables option to store pod iptables

This change introduces pod-iptables option to store iptables-rules
in pod's network namespace. This helps administrators/engineers with
troubleshooting.

* Fix owners file

* Update CI pipeline

* Add label to Dockerfile

* Update github action to simplify

* Use GITHUB_TOKEN for push packages

* Update slack URL in README

* fix workflows

* Fix some timing issue and change memory limit

* Add namespace check between pod and multi-networkpolicy

* Use TCP as default for Port.Protocol

Add ginkgo test to the suite with only default values.
Add `renderProtocol` function with fallback logic.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix namespaceSelector policy to work without labelSelector

* Support for `NamespaceSelector` (#16)

* Add test case for namespace selector

The case is about having two namespaces with pods
and net-attach-def and a multi networkpolicy that
goes through namespace borders.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add test case with net-attach-def in other ns

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve logging in server.go (#19)

* Add object information to update events

This should make it clearer what k8s object the
daemon is working on.

Increase verbosity threshold for invoke handlers logs.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve error logging

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add IPv6 support in TODO list

* Set specific version for `revive` tool (#20)

"go getting" github.com/mgechev/revive can lead to unreproducible
builds, as it downloads the latest "dev" version. Stick to the latest
(v1.2.1) version.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Log filter rules (#23)

* Log filter rules

Logging iptables rules before applying them
can be useful to debug complex scenarios.
Setting verbosity level to 6 as they can be
quite cumbersome.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Clean up logging code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Refine policy generation routine to support multiple policies

This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fix #17 and #18

* Fix capabilities (#25)

fix #24

* Update github action to fit to latest golang

* Remove docker from supported runtimes as it is obsolete

* Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31)

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.7.1...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump vendor packages.

* Graceful shutdown for daemonset (#32)

* Remove unused errCh

`server.Run()` is not a blocking function and always returns `nil`.
There is no need for a struct field channel.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Allow stopping the server

Add signal handler for SIGTERM and SIGINT to main.go.
Add Stop() method to Options to forward os signals.
Add a channel to stop `syncRunner` and clean iptables afterward.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add sync-period option for fast sync

* Remove deprecated parameters in deploy.yml

* Add e2e test

* e2e-test: Add script to update server image (#35)

Add a script to redeploy the server in the kind cluster. It is
useful to quickly test new changes without tearing down the
cluster and bringing it up again.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Fix yaml syntax error in GH workflow (#36)

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add CodeQL workflow for GitHub code scanning (#38)

Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>

* Add NOTICE file for Apache license 2.0 (#39)

This change adds a NOTICE file to the repository as described in [1].

[1]: https://infra.apache.org/apply-license.html#new

* Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.53.0...v1.56.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update vendor packages (#60)

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Doug Smith <dosmith@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com>
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot pushed a commit to openshift/multus-networkpolicy that referenced this pull request Apr 10, 2024
* Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61)

Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix github workflow and deploy yaml

* Fix e2e

* Bump k8s API version (#63)

---------

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Doug Smith <dosmith@redhat.com>
Co-authored-by: Andrea Panattoni <apanatto@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com>
Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com>
Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
Co-authored-by: Peter Stöckli <p-@github.com>
Labels
  approved                 Indicates a PR has been approved by an approver from all required OWNERS files.
  area/kubelet
  cncf-cla: yes            Indicates the PR's author has signed the CNCF CLA.
  kind/cleanup             Categorizes issue or PR as related to cleaning up code, process, or technical debt.
  lgtm                     "Looks good to me", indicates that a PR is ready to be merged.
  priority/important-soon  Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
  release-note             Denotes a PR that will be considered when it comes time to generate release notes.
  sig/node                 Categorizes an issue or PR as relevant to SIG Node.
  sig/security             Categorizes an issue or PR as relevant to SIG Security.
  size/XXL                 Denotes a PR that changes 1000+ lines, ignoring generated files.
  triage/accepted          Indicates an issue or PR is ready to be actively worked on.