OCPBUGS-44354: Sync 20250204 #66
This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrators/engineers with troubleshooting.
…tables Add pod-iptables option to store pod iptables
Fix some timing issue and change memory limit
Add namespace check between pod and multi-networkpolicy
Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <[email protected]>
Use TCP as default for Port.Protocol
Fix to work namespaceSelector policy, without labelSelector
* Add test case for namespace selector
  The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders.
  Signed-off-by: Andrea Panattoni <[email protected]>
* Add test case with net-attach-def in other ns
  Signed-off-by: Andrea Panattoni <[email protected]>
* Add object information to update events
  This should make it clearer what k8s object the daemon is working on. Increase verbosity threshold for invoke handlers logs.
  Signed-off-by: Andrea Panattoni <[email protected]>
* Improve error logging
  Signed-off-by: Andrea Panattoni <[email protected]>
"go getting" github.com/mgechev/revive can lead to unreproducible builds, as it downloads the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <[email protected]>
* Log filter rules
  Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome.
  Signed-off-by: Andrea Panattoni <[email protected]>
* Clean up logging code
  Signed-off-by: Andrea Panattoni <[email protected]>
This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix openshift#17 and openshift#18
Refine policy generation routine to support multiple policies
Update github action to fit to latest golang
Remove docker from supported runtimes as it is obsolete
…t#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.7.1...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@zeeke: This pull request references Jira Issue OCPBUGS-44354, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/retest
/retest
This dependency bump solves a security issue:

```
✗ [Medium] Improper Neutralization of Directives in Statically Saved Code
  Path: vendor/github.com/spf13/cobra/command.go, line 888
  Info: Unsanitized input from a CLI argument flows into text.template.New, where it is used to construct a template that gets rendered. This may result in a Server-Side Template Injection vulnerability.
```

Signed-off-by: Andrea Panattoni <[email protected]>
Wait for to fix the
Checking the number of files in `/var/lib/multi-networkpolicy/iptables/` leads to a number of test flakes in GitHub CI lanes. These flakes are not reproducible in local development environments, therefore they are likely due to a low resource system.

Besides the fact that these checks can flake, the component under test behavior looks good from the assertion point of view, which is the meaningful part for these tests.

Remove any verification about the `/var/lib/multi-networkpolicy/iptables/` folder in e2e tests.

Signed-off-by: Andrea Panattoni <[email protected]>
Simplify demo instruction
e2e: Avoid checking the number of iptables file
Bump `github.com/spf13/[email protected]`
@zeeke: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/jira refresh
@zeeke: This pull request references Jira Issue OCPBUGS-44354, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
@zeeke: This pull request references Jira Issue OCPBUGS-44354, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
/label cherry-pick-approved
@ajaggapa: Can not set label cherry-pick-approved: Must be member in one of these teams: [] In response to this:
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgoncalves, zeeke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@zeeke: Jira Issue OCPBUGS-44354: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-44354 has been moved to the MODIFIED state. In response to this:
[ART PR BUILD NOTIFIER] Distgit: multus-networkpolicy
/payload-job periodic-ci-openshift-release-master-ci-4.19-e2e-gcp-ovn-techpreview-serial Please ignore for now. We are testing some payload failures
@xueqzhan: trigger 4 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4e1fc890-ff7f-11ef-95b9-649d08431dfa-0
Despite #64 being intended to be the first merge-based sync with upstream, the merge-commit has not been created and this PR contains all the upstream commit hashes.
Real changes, which can be browsed on the File changes tab, relate to the u/s PR:
- ports value k8snetworkplumbingwg/multi-networkpolicy-iptables#71
- github.com/spf13/[email protected] k8snetworkplumbingwg/multi-networkpolicy-iptables#72