OCPBUGS-6917: Upstream sync 0c6df81 (#22)

* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
openshift · Feb 3, 2023 · 98a0bad · 98a0bad
1 parent c52b871
commit 98a0bad
Show file tree

Hide file tree

Showing 42 changed files with 3,588 additions and 858 deletions.
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -1,16 +1,19 @@
 name: build-images
 on: [pull_request]
 jobs:
-  build:
-    name: Docker build
+  build-images:
     runs-on: ubuntu-latest
     env:
-      DOCKER_CLI_EXPERIMENTAL: enabled
-      GO111MODULE: on
-      REPOSITORY: nfvpe/multi-networkpolicy-iptables
+      REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
 
-      - name: Build latest-amd64
-        run: docker build -t ${REPOSITORY}:latest-amd64 .
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build container image
+        uses: docker/build-push-action@v2
+        with:
+          push: false
+          tags: gchr.io/${{ github.repository }}:latest-amd64
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,53 +1,27 @@
-name: build
 on: [push, pull_request]
+name: build
 jobs:
-
   build:
-    name: Build and test
+    strategy:
+      matrix:
+        go-version: [1.17.x, 1.18.x]
+        goarch: [amd64, arm64]
     runs-on: ubuntu-latest
     if: >
       (( github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login ) &&
         github.event_name == 'pull_request' ) || (github.event_name == 'push' && github.event.commits != '[]' )
     env:
       GO111MODULE: on
-      TARGET: amd64
     steps:
-      - name: Set up Go 1.13
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.13
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: install goberalls
-        run: go get github.com/mattn/goveralls
-
-      - name: install golint
-        run: GOBIN=$(pwd)/bin go get golang.org/x/lint/golint
-
-      - name: golint
-        run: ./bin/golint ./... | grep -v vendor | grep -v ALL_CAPS | xargs -r false
-
-      - name: gofmt
-        run: go fmt ./...
-
-      - name: go vet
-        run: go vet ./...
-
-      - name: go test
-        run: go test ./...
-
-      - name: Build
-        run: GOARCH="${TARGET}" go build ./cmd/multi-networkpolicy-iptables/
-
-# TBD:
-#      - name: Go test
-#        run: sudo ./test.sh
-#
-#      - name: goveralls
-#        uses: shogo82148/actions-goveralls@v1
-#        with:
-#          path-to-profile: coverage.out
-
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build
+      env:
+        GOARCH: ${{ matrix.goarch }}
+      run: go build -o multi-networkpolicy-iptables_${{ matrix.goarch }} ./cmd/multi-networkpolicy-iptables/
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,41 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: "58 6 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ go ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/kind-e2e.yml b/.github/workflows/kind-e2e.yml
@@ -0,0 +1,35 @@
+name: e2e-kind
+on: [push, pull_request]
+jobs:
+  e2e-kind:
+    runs-on: ubuntu-latest
+    if: >
+      (( github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login ) &&
+        github.event_name == 'pull_request' ) || (github.event_name == 'push' && github.event.commits != '[]' )
+    steps:
+      - name: Install bats
+        run: sudo apt install bats
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Setup registry
+        run: docker run -d --restart=always -p "5000:5000" --name "kind-registry" registry:2
+
+      - name: Get tools
+        working-directory: ./e2e
+        run: ./get_tools.sh
+
+      - name: Setup cluster
+        working-directory: ./e2e
+        run: ./setup_cluster.sh
+
+      - name: "Test: simple"
+        working-directory: ./e2e
+        run: |
+          export TERM=dumb
+          bats ./tests/simple-v4-ingress.bats
+          bats ./tests/simple-v4-egress.bats
+          bats ./tests/stacked.bats
+          # this should be validated once the v6 issue is fixed.
+          #bats ./v6work/simple-v6-ingress.bats
diff --git a/.github/workflows/push-master.yml b/.github/workflows/push-master.yml
@@ -3,43 +3,47 @@ on:
   push:
     branches:
       - master
+env:
+  image-push-owner: 'k8snetworkplumbingwg'
 jobs:
-  build:
-    name: Docker build
+  push-master:
     runs-on: ubuntu-latest
     env:
-      DOCKER_CLI_EXPERIMENTAL: enabled
       GO111MODULE: on
-      TARGET: amd64
-      REPOSITORY: nfvpe/multi-networkpolicy-iptables
-      REPOSITORY_USER: nfvperobot
+      REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Build latest-amd64
-        run: docker build -t ${REPOSITORY}:latest-amd64 .
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
 
-      - name: Tag snapshot
-        run: |
-          docker tag ${REPOSITORY}:latest-amd64 ${REPOSITORY}:snapshot-amd64
-
-      - name: Login to registry
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
-        run: docker login -u ${REPOSITORY_USER} -p ${{ secrets.REPOSITORY_PASS }}
+      - name: Login to GitHub Container Registry
+        if: github.repository_owner == 'k8snetworkplumbingwg'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push latest/snapshot images
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
-        run: |
-          docker push ${REPOSITORY}:latest-amd64
-          docker push ${REPOSITORY}:snapshot-amd64
+      - name: Push to GitHub Container Registry
+        if: github.repository_owner == 'k8snetworkplumbingwg'
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          platform: linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository }}:latest-amd64
+            ghcr.io/${{ github.repository }}:snapshot-amd64
 
       - name: Create manifest for multi-arch images
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
+        if: github.repository_owner == 'k8snetworkplumbingwg'
         run: |
+          docker pull ${REPOSITORY}:snapshot-amd64
           docker manifest create ${REPOSITORY}:snapshot ${REPOSITORY}:snapshot-amd64
           docker manifest annotate ${REPOSITORY}:snapshot ${REPOSITORY}:snapshot-amd64 --arch amd64
           docker manifest push ${REPOSITORY}:snapshot
+          docker pull ${REPOSITORY}:latest-amd64
           docker manifest create ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64
           docker manifest annotate ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64 --arch amd64
           docker manifest push ${REPOSITORY}:latest

diff --git a/.github/workflows/push-release.yml b/.github/workflows/push-release.yml
@@ -1,51 +1,53 @@
-name: push-stable
+name: push-release
 on:
   push:
     tags:
       - v*
 jobs:
-  build:
+  push-release:
     name: Docker build
     runs-on: ubuntu-latest
     env:
-      DOCKER_CLI_EXPERIMENTAL: enabled
       GO111MODULE: on
-      TARGET: amd64
-      REPOSITORY: nfvpe/multi-networkpolicy-iptables
-      REPOSITORY_USER: nfvperobot
+      REPOSITORY: ghcr.io/${{ github.repository }}
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
 
-      - name: Build latest-amd64
-        run: docker build -t ${REPOSITORY}:latest-amd64 .
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
 
-      - name: Tag stable
-        run: |
-          docker tag ${REPOSITORY}:latest-amd64 ${REPOSITORY}:stable-amd64
-          docker tag ${REPOSITORY}:latest-amd64 ${REPOSITORY}:${GITHUB_REF##*/}-amd64
+      - name: Login to GitHub Container Registry
+        if: github.repository_owner == 'k8snetworkplumbingwg'
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Login to registry
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
-        run: docker login -u ${REPOSITORY_USER} -p ${{ secrets. REPOSITORY_PASS }}
+      - name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: ${{ env.REPOSITORY }}
+          tag-latest: false
 
-      - name: Push latest/snapshot images
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
-        run: |
-          docker push ${REPOSITORY}:latest-amd64
-          docker push ${REPOSITORY}:stable-amd64
-          docker push ${REPOSITORY}:${GITHUB_REF##*/}-amd64
+      - name: Push to GitHub Container Registry
+        if: github.repository_owner == 'k8snetworkplumbingwg'
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:stable-amd64
+            ${{ steps.docker_meta.outputs.tags }}-amd64
 
       - name: Create manifest for multi-arch images
-        if: github.repository == 'k8snetworkplumbingwg/multi-networkpolicy-iptables'
+        if: github.repository_owner == 'k8snetworkplumbingwg'
         run: |
-          docker manifest create ${REPOSITORY}:stable ${REPOSITORY}:stable-amd64
-          docker manifest annotate ${REPOSITORY}:stable ${REPOSITORY}:stable-amd64 --arch amd64
-          docker manifest push ${REPOSITORY}:stable
-          docker manifest create ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64
-          docker manifest annotate ${REPOSITORY}:latest ${REPOSITORY}:latest-amd64 --arch amd64
-          docker manifest push ${REPOSITORY}:latest
-          docker manifest create ${REPOSITORY}:${GITHUB_REF##*/} ${REPOSITORY}:${GITHUB_REF##*/}-amd64
-          docker manifest annotate ${REPOSITORY}:${GITHUB_REF##*/} ${REPOSITORY}:${GITHUB_REF##*/}-amd64 --arch amd64
-          docker manifest push ${REPOSITORY}:${GITHUB_REF##*/}
+          docker manifest create ${{ env.REPOSITORY }}:stable ${{ env.REPOSITORY }}:stable-amd64
+          docker manifest annotate ${{ env.REPOSITORY }}:stable ${{ env.REPOSITORY }}:stable-amd64 --arch amd64
+          docker manifest push ${{ env.REPOSITORY }}:stable
+          docker manifest create ${{ steps.docker_meta.outputs.tags }} ${{ steps.docker_meta.outputs.tags }}-amd64
+          docker manifest annotate ${{ steps.docker_meta.outputs.tags }} ${{ steps.docker_meta.outputs.tags }}-amd64 --arch amd64
+          docker manifest push ${{ steps.docker_meta.outputs.tags }}
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,47 @@
+on: [push, pull_request]
+name: test
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+        os: [ubuntu-latest] #, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Run Revive Action by pulling pre-built image
+      uses: docker://morphy/revive-action:v2
+      with:
+        exclude: "./vendor/..."
+
+    - name: Run go fmt
+      run: diff -u <(echo -n) <(gofmt -d -s ./cmd/ ./pkg/)
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Test
+      run: sudo go test -v -coverprofile=profile.cov ./...
+
+    - name: Send coverage
+      uses: shogo82148/actions-goveralls@v1
+      with:
+        path-to-profile: profile.cov
+        flag-name: Go-${{ matrix.go }}
+        parallel: true
+
+  # notifies that all test jobs are finished.
+  finish:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: shogo82148/actions-goveralls@v1
+        with:
+          parallel-finished: true
diff --git a/.gitignore b/.gitignore
@@ -3,7 +3,7 @@ bin/
 e2e/bin/
 
 # binary at the top
-./multi-networkpolicy-iptables
+/multi-networkpolicy-iptables
 
 # GOPATH created by the build script
 gopath/

diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ RUN cd /usr/src/multi-networkpolicy-iptables && \
     go build ./cmd/multi-networkpolicy-iptables/
 
 FROM centos:centos7
+LABEL org.opencontainers.image.source https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables
 RUN yum install -y iptables-utils
 COPY --from=build /usr/src/multi-networkpolicy-iptables/multi-networkpolicy-iptables /usr/bin
 WORKDIR /usr/bin

diff --git a/NOTICE b/NOTICE
@@ -0,0 +1 @@
+Copyright 2020 Kubernetes Network Plumbing Working Group