Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
- Loading branch information