OCPBUGS-32030: Upstream sync 2404 (#52)

* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift · Apr 10, 2024 · 28f34fa · 28f34fa
1 parent 79dfed5
commit 28f34fa
Show file tree

Hide file tree

Showing 2,374 changed files with 297,434 additions and 57,558 deletions.
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -7,13 +7,13 @@ jobs:
       REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Build container image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: false
           tags: ghcr.io/${{ github.repository }}:latest-amd64
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,12 +14,12 @@ jobs:
       GO111MODULE: on
     steps:
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Build
       env:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

diff --git a/.github/workflows/kind-e2e.yml b/.github/workflows/kind-e2e.yml
@@ -11,7 +11,7 @@ jobs:
         run: sudo apt install bats
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup registry
         run: docker run -d --restart=always -p "5000:5000" --name "kind-registry" registry:2
@@ -48,7 +48,7 @@ jobs:
           ./e2e/bin/kind export logs /tmp/kind-logs
 
       - name: Upload logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: ${{ failure() }}
         with:
           name: kind-logs-e2e

diff --git a/.github/workflows/push-master.yml b/.github/workflows/push-master.yml
@@ -13,38 +13,27 @@ jobs:
       REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to GitHub Container Registry
         if: github.repository_owner == 'k8snetworkplumbingwg'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push to GitHub Container Registry
         if: github.repository_owner == 'k8snetworkplumbingwg'
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           push: true
-          platform: linux/amd64
           tags: |
-            ghcr.io/${{ github.repository }}:latest-amd64
-            ghcr.io/${{ github.repository }}:snapshot-amd64
-
-      - name: Create manifest for multi-arch images
-        if: github.repository_owner == 'k8snetworkplumbingwg'
-        run: |
-          docker pull ${REPOSITORY}:snapshot-amd64
-          docker manifest create ${REPOSITORY}:snapshot ${REPOSITORY}:snapshot-amd64
-          docker manifest annotate ${REPOSITORY}:snapshot ${REPOSITORY}:snapshot-amd64 --arch amd64
-          docker manifest push ${REPOSITORY}:snapshot
-          docker pull ${REPOSITORY}:latest-amd64
-          docker manifest create ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64
-          docker manifest annotate ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64 --arch amd64
-          docker manifest push ${REPOSITORY}:latest
-
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:snapshot
+          platforms: linux/amd64
+          sbom: false
+          provenance: false
diff --git a/.github/workflows/push-release.yml b/.github/workflows/push-release.yml
@@ -12,42 +12,35 @@ jobs:
       REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to GitHub Container Registry
         if: github.repository_owner == 'k8snetworkplumbingwg'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker meta
         id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REPOSITORY }}
-          tag-latest: false
+          flavor:
+            latest=false
 
       - name: Push to GitHub Container Registry
         if: github.repository_owner == 'k8snetworkplumbingwg'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: |
-            ghcr.io/${{ github.repository }}:stable-amd64
-            ${{ steps.docker_meta.outputs.tags }}-amd64
-
-      - name: Create manifest for multi-arch images
-        if: github.repository_owner == 'k8snetworkplumbingwg'
-        run: |
-          docker manifest create ${{ env.REPOSITORY }}:stable ${{ env.REPOSITORY }}:stable-amd64
-          docker manifest annotate ${{ env.REPOSITORY }}:stable ${{ env.REPOSITORY }}:stable-amd64 --arch amd64
-          docker manifest push ${{ env.REPOSITORY }}:stable
-          docker manifest create ${{ steps.docker_meta.outputs.tags }} ${{ steps.docker_meta.outputs.tags }}-amd64
-          docker manifest annotate ${{ steps.docker_meta.outputs.tags }} ${{ steps.docker_meta.outputs.tags }}-amd64 --arch amd64
-          docker manifest push ${{ steps.docker_meta.outputs.tags }}
-
+            ghcr.io/${{ github.repository }}:stable
+            ${{ steps.docker_meta.outputs.tags }}
+          platforms: linux/amd64
+          sbom: false
+          provenance: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,12 +9,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Install Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go-version }}
 
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Run Revive Action by pulling pre-built image
       uses: docker://morphy/revive-action:v2

diff --git a/deploy.yml b/deploy.yml
@@ -121,7 +121,7 @@ spec:
       serviceAccountName: multi-networkpolicy
       containers:
       - name: multi-networkpolicy
-        image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:snapshot-amd64
+        image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:snapshot
         imagePullPolicy: Always
         command: ["/usr/bin/multi-networkpolicy-iptables"]
         args:

diff --git a/e2e/get_tools.sh b/e2e/get_tools.sh
@@ -5,7 +5,7 @@ if [ ! -d bin ]; then
 	mkdir bin
 fi
 
-curl -Lo ./bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.20.0/kind-$(uname)-amd64"
+curl -Lo ./bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.22.0/kind-$(uname)-amd64"
 chmod +x ./bin/kind
 curl -Lo ./bin/kubectl https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
 chmod +x ./bin/kubectl

diff --git a/e2e/multi-network-policy-iptables-e2e.yml b/e2e/multi-network-policy-iptables-e2e.yml
@@ -122,7 +122,6 @@ spec:
       containers:
       - name: multi-networkpolicy
         image: localhost:5000/multus-networkpolicy-iptables:e2e
-        imagePullPolicy: Always
         command: ["/usr/bin/multi-networkpolicy-iptables"]
         args:
         - "--host-prefix=/host"

diff --git a/e2e/setup_cluster.sh b/e2e/setup_cluster.sh
@@ -8,58 +8,23 @@ export PATH=./bin:${PATH}
 OCI_BIN="${OCI_BIN:-docker}"
 
 kind_network='kind'
-reg_name='kind-registry'
-reg_port='5000'
-running="$($OCI_BIN inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
-if [ "${running}" != 'true' ]; then
-  $OCI_BIN run -d --restart=always -p "${reg_port}:5000" --name "${reg_name}" registry:2
-fi
 
 $OCI_BIN build -t localhost:5000/multus-networkpolicy-iptables:e2e -f ../Dockerfile ..
-$OCI_BIN push localhost:5000/multus-networkpolicy-iptables:e2e
-
-reg_host="${reg_name}"
-echo "Registry Host: ${reg_host}"
 
 # deploy cluster with kind
 cat <<EOF | kind create cluster --config=-
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
-containerdConfigPatches:
-- |-
-  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
-    endpoint = ["http://${reg_host}:${reg_port}"]
 nodes:
   - role: control-plane
   - role: worker
 networking:
   disableDefaultCNI: true
-  podSubnet: 10.244.0.0/16
-EOF
-
-cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: local-registry-hosting
-  namespace: kube-public
-data:
-  localRegistryHosting.v1: |
-    host: "localhost:${reg_port}"
-    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+  podSubnet: 192.168.0.0/16
 EOF
 
-# reconnect container registry if it is not connected
-containers=$($OCI_BIN network inspect ${kind_network} -f "{{range .Containers}}{{.Name}} {{end}}")
-needs_connect="true"
-for c in $containers; do
-  if [ "$c" = "${reg_name}" ]; then
-    needs_connect="false"
-  fi
-done
-if [ "${needs_connect}" = "true" ]; then
-  $OCI_BIN network connect "${kind_network}" "${reg_name}" || true
-fi
+# load multus image from container host to kind node
+kind load docker-image localhost:5000/multus-networkpolicy-iptables:e2e
 
 kind export kubeconfig
 sleep 1

diff --git a/e2e/tests/ipblock-stacked.bats b/e2e/tests/ipblock-stacked.bats
@@ -22,7 +22,7 @@ setup() {
 
 @test "check generated iptables rules" {
 	# wait for sync
-	sleep 3
+	sleep 5
         run kubectl -n test-ipblock-stacked exec pod-server -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
 	[ "$status" -eq  "0" ]
         run kubectl -n test-ipblock-stacked exec pod-client-a -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"

diff --git a/e2e/tests/ipblock.bats b/e2e/tests/ipblock.bats
@@ -22,7 +22,7 @@ setup() {
 
 @test "check generated iptables rules" {
 	# wait for sync
-	sleep 3
+	sleep 5
         run kubectl -n test-ipblock exec pod-server -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"
 	[ "$status" -eq  "0" ]
         run kubectl -n test-ipblock exec pod-client-a -it -- sh -c "iptables-save | grep MULTI-0-INGRESS"

diff --git a/e2e/tests/simple-v4-egress-list.bats b/e2e/tests/simple-v4-egress-list.bats
@@ -23,7 +23,7 @@ setup() {
 	[ "$status" -eq  "0" ]
 
 	# wait for sync
-	sleep 3
+	sleep 5
 }
 
 @test "test-simple-v4-egress-list check client-a -> server" {

diff --git a/e2e/tests/simple-v4-egress.bats b/e2e/tests/simple-v4-egress.bats
@@ -24,7 +24,7 @@ setup() {
 
 @test "check generated iptables rules" {
 	# wait for sync
-	sleep 3
+	sleep 5
 	# check pod-server has multi-networkpolicy iptables rules for ingress
         run kubectl -n test-simple-v4-egress exec pod-server -- sh -c "iptables-save | grep MULTI-0-EGRESS"
 	[ "$status" -eq  "0" ]
@@ -36,7 +36,7 @@ setup() {
 	[ "$status" -eq  "1" ]
 
 	# wait for sync
-	sleep 3
+	sleep 5
 	# check that iptables files in pod-iptables
 	pod_name=$(kubectl -n kube-system get pod -o wide | grep 'kind-worker' | grep multi-net | cut -f 1 -d ' ')
 	run kubectl -n kube-system exec ${pod_name} -- \
@@ -80,7 +80,7 @@ setup() {
 
 	# enable multi-networkpolicy again
 	kubectl -n kube-system patch daemonsets multi-networkpolicy-ds-amd64 --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
-	sleep 3
+	sleep 5
 	kubectl -n kube-system wait --for=condition=ready -l app=multi-networkpolicy pod --timeout=${kubewait_timeout}
 }
 
@@ -90,7 +90,7 @@ setup() {
 	run kubectl -n test-simple-v4-egress wait --for=delete -l app=test-simple-v4-egress pod --timeout=${kubewait_timeout}
 	[ "$status" -eq  "0" ]
 
-	sleep 3
+	sleep 5
 	# check that no iptables files in pod-iptables
 	pod_name=$(kubectl -n kube-system get pod -o wide | grep 'kind-worker' | grep multi-net | cut -f 1 -d ' ')
 	run kubectl -n kube-system exec ${pod_name} -- \

diff --git a/e2e/tests/simple-v4-ingress-list.bats b/e2e/tests/simple-v4-ingress-list.bats
@@ -23,7 +23,7 @@ setup() {
 	[ "$status" -eq  "0" ]
 
 	# wait for sync
-	sleep 3
+	sleep 5
 }
 
 @test "test-simple-v4-ingress-list check client-a -> server" {

diff --git a/e2e/tests/simple-v4-ingress.bats b/e2e/tests/simple-v4-ingress.bats
@@ -24,7 +24,7 @@ setup() {
 
 @test "check generated iptables rules" {
 	# wait for sync
-	sleep 3
+	sleep 5
 	# check pod-server has multi-networkpolicy iptables rules for ingress
         run kubectl -n test-simple-v4-ingress exec pod-server -- sh -c "iptables-save | grep MULTI-0-INGRESS"
 	[ "$status" -eq  "0" ]
@@ -36,7 +36,7 @@ setup() {
 	[ "$status" -eq  "1" ]
 
 	# wait for sync
-	sleep 3
+	sleep 5
 	# check that iptables files in pod-iptables
 	pod_name=$(kubectl -n kube-system get pod -o wide | grep 'kind-worker' | grep multi-net | cut -f 1 -d ' ')
 	run kubectl -n kube-system exec ${pod_name} -- \
@@ -80,7 +80,7 @@ setup() {
 
 	# enable multi-networkpolicy again
 	kubectl -n kube-system patch daemonsets multi-networkpolicy-ds-amd64 --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
-	sleep 3
+	sleep 5
 	kubectl -n kube-system wait --for=condition=ready -l app=multi-networkpolicy pod --timeout=${kubewait_timeout}
 }
 
@@ -90,7 +90,7 @@ setup() {
 	run kubectl -n test-simple-v4-ingress wait --for=delete -l app=test-simple-v4-ingress pod --timeout=${kubewait_timeout}
 	[ "$status" -eq  "0" ]
 
-	sleep 3
+	sleep 5
 	# check that no iptables files in pod-iptables
 	pod_name=$(kubectl -n kube-system get pod -o wide | grep 'kind-worker' | grep multi-net | cut -f 1 -d ' ')
 	run kubectl -n kube-system exec ${pod_name} -- \

diff --git a/e2e/tests/simple-v6-ingress-list.bats b/e2e/tests/simple-v6-ingress-list.bats
@@ -24,7 +24,7 @@ setup() {
 	[ "$status" -eq  "0" ]
 
 	# wait for sync
-	sleep 3
+	sleep 5
 }
 
 @test "test-simple-v6-ingress-list check client-a -> server" {

diff --git a/e2e/tests/simple-v6-ingress.bats b/e2e/tests/simple-v6-ingress.bats
@@ -25,7 +25,7 @@ setup() {
 
 @test "check generated ip6tables rules" {
 	# wait for sync
-	sleep 3
+	sleep 5
 
 	# check pod-server has multi-networkpolicy ip6tables rules for ingress
         run kubectl -n test-simple-v6-ingress exec pod-server -- sh -c "ip6tables-save | grep MULTI-0-INGRESS"
@@ -80,7 +80,7 @@ setup() {
 
 	# enable multi-networkpolicy again
 	kubectl -n kube-system patch daemonsets multi-networkpolicy-ds-amd64 --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
-	sleep 3
+	sleep 5
 	kubectl -n kube-system wait --for=condition=ready -l app=multi-networkpolicy pod --timeout=${kubewait_timeout}
 }