OCPBUGS-21438: Update go.mod for CVE-2023-39325 [Release-4.13] #35
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
@s1061123: This pull request references Jira Issue OCPBUGS-21438, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
/lgtm |
1 similar comment
Contributor
|
/lgtm |
Contributor
|
/label backport-risk-assessed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dougbtv, s1061123 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@dougbtv: Can not set label backport-risk-assessed: Must be member in one of these teams: [openshift-patch-managers openshift-staff-engineers openshift-release-oversight] DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/label backport-risk-assessed |
openshift-ci bot
pushed a commit
that referenced
this pull request
Oct 17, 2023
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
|
@s1061123: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
openshift-ci bot
pushed a commit
that referenced
this pull request
Nov 2, 2023
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
Contributor
Author
|
/jira refresh |
Contributor
|
@s1061123: This pull request references Jira Issue OCPBUGS-21438, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/label cherry-pick-approved |
Contributor
|
/jira refresh |
Contributor
|
@zshi-redhat: This pull request references Jira Issue OCPBUGS-21438, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (weliang@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
@s1061123: Jira Issue OCPBUGS-21438: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-21438 has been moved to the MODIFIED state. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-multus-networkpolicy-container-v4.13.0-202311140249.p0.g7176ab7.assembly.stream for distgit multus-networkpolicy. |
|
Fix included in accepted release 4.13.0-0.nightly-2023-11-14-104446 |
pliurh
pushed a commit
to pliurh/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
s1061123
added a commit
to s1061123/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (openshift#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (openshift#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (openshift#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (openshift#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix openshift#17 and openshift#18 * Fix capabilities (openshift#25) fix openshift#24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (openshift#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (openshift#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (openshift#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (openshift#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (openshift#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (openshift#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (openshift#40) * Support IPv6 networks (openshift#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (openshift#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (openshift#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com>
s1061123
added a commit
to s1061123/multus-networkpolicy
that referenced
this pull request
Apr 8, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (openshift#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (openshift#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (openshift#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (openshift#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix openshift#17 and openshift#18 * Fix capabilities (openshift#25) fix openshift#24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (openshift#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (openshift#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (openshift#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (openshift#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (openshift#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (openshift#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (openshift#40) * Support IPv6 networks (openshift#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (openshift#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (openshift#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (openshift#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (openshift#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (openshift#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix openshift#45 * Update golang to 1.20 * Fix end2end tests (openshift#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (openshift#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (openshift#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (openshift#54) * Fix linter warning (openshift#55) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Apr 10, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Oct 31, 2024
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) * Make sure that policies with no valid peers are enforced If a policy rule has a `from` (or `to`) selector that matches no pods, the subject pod has to not be reached by (or has to not reach) any pods. The following example helps clarify the reasons behind these: Given a scenario with 3 pods (A, B, C) and a rule like: ``` podSelector: matchLabels: name: A ingress: - from: - podSelector: matchLabels: name: B policyTypes: - Ingress ``` Pod A can be reached only by pod B. Pod C can't reach A, and this has to be ensured even if pod B is deleted. Add an end-to-end test case to validate this scenario and adjust unit tests accordingly. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Run all e2e tests in `./e2e/tests/*.bats` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * ds: Remove mpty lines in Dockerfile Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Mar 5, 2025
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) * Simplify demo instruction - Fix outdated url - Do not rely on git and go only kubectl and curl are needed - Fix wrong iptables command * Make sure that policies with no valid peers are enforced If a policy rule has a `from` (or `to`) selector that matches no pods, the subject pod has to not be reached by (or has to not reach) any pods. The following example helps clarify the reasons behind these: Given a scenario with 3 pods (A, B, C) and a rule like: ``` podSelector: matchLabels: name: A ingress: - from: - podSelector: matchLabels: name: B policyTypes: - Ingress ``` Pod A can be reached only by pod B. Pod C can't reach A, and this has to be ensured even if pod B is deleted. Add an end-to-end test case to validate this scenario and adjust unit tests accordingly. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Run all e2e tests in `./e2e/tests/*.bats` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Install bond-cni on the `kind` cluster Update `setup_cluster.sh` to create needed resources for the bond-cni plugin. Configure MultiNetworkpolicy iptables daemon to handle bond NetworkAttachmentDefinitions. * e2e: Add basic bond-cni test case Verify ingress/egress scenarios works for `bond` network types. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Increase verbosity in kind tests Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * ci: Save kind logs after each failed test Some e2e test restart the multi-networkpolicy daemon, making the logs gathering at the end of the CI job useless. Create a script to loop over all the test files and collect logs every time a test fails. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log iptables before syncing Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Stabilize `ipblock` test cases Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Support default `ports` value If an Ingress/Egress Ports field does not specify a `Port` value, but it has a valid `Protocol`, then the rule should match every possible port number. Add unit and end2end test to cover the feature Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump `github.com/spf13/cobra@v1.9.1` This dependency bump solves a security issue: ``` ✗ [Medium] Improper Neutralization of Directives in Statically Saved Code Path: vendor/github.com/spf13/cobra/command.go, line 888 Info: Unsanitized input from a CLI argument flows into text.template.New, where it is used to construct a template that gets rendered. This may result in a Server-Side Template Injection vulnerability. ``` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Avoid checking the number of iptables file Checking the number of files in `/var/lib/multi-networkpolicy/iptables/` brings to a number of test flakes in GitHub CI lanes. This flakes are not reproducible in local development environments, therefore they are likely due to a low resource system. Beside these checks can flake, the component under test behavior looks good from the assertion point of view, which is the meaningful part for the these tests. Remove any verification about the `/var/lib/multi-networkpolicy/iptables/` folder in e2e tests Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com> Co-authored-by: Mengxin Liu <liumengxinfly@gmail.com>
openshift-merge-bot bot
pushed a commit
that referenced
this pull request
Jun 19, 2025
* Add pod-iptables option to store pod iptables This change introduces pod-iptables option to store iptables-rules in pod's network namespace. This helps administrator/engineer to troubleshooting. * Fix owners file * Update CI pipeline * Add label to Dockerfile * Update github action to simplify * Use GITHUB_TOKEN for push packages * Update slack URL in README * fix workflows * Fix some timing issue and change memory limit * Add namespace check between pod and multi-networkpolicy * Use TCP as default for Port.Protocol Add ginkgo test to the suite with only default values. Add `renderProtocol` function with fallback logic. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix to work namespacveSelector policy, without labelSelector * Support for `NamespaceSelector` (#16) * Add test case for namespace selector The case is about having two namespaces with pods and net-attach-def and a multi networkpolicy that goes through namespace borders. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add test case with net-attach-def in other ns Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve logging in server.go (#19) * Add object information to update events This should make it clearer what k8s object the daemon is working on. Increase verbosity threshlod for invoke handlers logs. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Improve error logging Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add IPv6 support in TODO list * Set specific version for `revive` tool (#20) "go getting" github.com/mgechev/revive can lead to unreproducible builds, as it download the latest "dev" version. Stick to the latest (v1.2.1) version. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log filter rules (#23) * Log filter rules Logging iptables rules before applying them can be useful to debug complex scenarios. Setting verbosity level to 6 as they can be quite cumbersome. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Clean up logging code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine policy generation routine to support multiple policies This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18 * Fix capabilities (#25) fix #24 * Update github action to fit to latest golang * Remove docker from support runtime due to obsolated * Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (#31) Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v0.7.1...v0.8.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump vendor packages. * Graceful shutdown for daemonset (#32) * Remove unused errCh `server.Run()` is not a blocking function and returns always `nil`. There is no need for a struct field channel. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow stopping the server Add signal handler for SIGTERM and SIGINT to main.go. Add Stop() method to Options to forward os signals. Add a channel to stop `syncRunner` and clean iptables afterward. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add sync-period option for fast sync * Remove deprecated parameters in deploy.yml * Add e2e test * e2e-test: Add script to update server image (#35) Add a script to redeploy the server in the kind cluster. It is useful to quickly test new changes without tearing down the cluster and bringing it up again. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix yaml syntax error in GH workflow (#36) Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Add CodeQL workflow for GitHub code scanning (#38) Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> * Add NOTICE file for Apache license 2.0 (#39) This change adds NOTICE file in repository as [1]. [1]: https://infra.apache.org/apply-license.html#new * IPv6 support in multi-networkpolicy-iptables (#40) * Support IPv6 networks (#27) Make Server generates rules for both IP family. Make iptableBuffer aware of the IP family it is managing, in order to skip wrong addresses. Add unit and e2e tests for IPv6 and dual stack networks. Remove IPv6 item from TODO Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * fix merge-conflict to rebase * Add e2e ipv6 ingress tests * IPv6 fix for NDP and DHCPv6 (#37) * Add Requirements section to README Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow ipv6 Neighbor Discovery Protocol NDP leverages icmpv6 packets to discover hosts IPv6 addresses. This kind of packet must be allowed between hosts, otherwise some policy-allowed traffic may get blocked. Adjust unit tests expected output strings. See https://www.rfc-editor.org/rfc/rfc2373 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Allow DHCPv6 traffic Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Refine icmp/dhcpv6 code Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> * Use string instead of byte in unit-test cases In real code, use bytes for performance, however, we don't care about performance for unit-test, hence change bytes to string for ease of troubleshooting. * Make INGRESS/EGRESS-COMMON configurable by command line option This change makes MULTI-{INGRESS,EGRESS}-COMMON chain configurable to provide a way to support various v4/v6 network. * Fix CodeQL warnings * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Update docs/configurations.md Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Wait for sync between policy/iptables in e2e tests --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Andrea Panattoni <apanatto@redhat.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> * Fix github action * Avoid using cri-api `v1alpha2` (#43) As of v1.26.0 kubernetes removed support for api cri-api v1alpha2 kubernetes/kubernetes#110618 Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Fix typo in container registry domain (#44) * Update go mod to security vulnerability Update golang.org/x/text to v0.3.8 for vulnerability. * Fix github action * Update vendors to fix dependabot alerts * Add ipblock bat tests in e2e (#48) This change introduces ipblock tests in e2e and enables v6 ingress tests in e2e as well. * Fix iptables rules in multiple items in ingress/egress (#49) This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45 * Update golang to 1.20 * Fix end2end tests (#53) * e2e: Save kind logs as artifacts Saving `kind export logs` output when end-to-end job fails helps debugging flakes and test failures. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * build: set CGO_ENABLED=0 Setting CGO_ENABLED=0 for go builds produces GLIBC independant binaries. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Infer PolicyTypes if missing (#50) * Infer PolicyTypes if missing In cases where Spec.PolicyTypes is not specified, it should default to the existence of Ingress or Egress rules. Updating end2end tests to cover also this scenario. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Wait for policy sync during setup Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump google.golang.org/grpc from 1.38.0 to 1.53.0 (#52) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.38.0 to 1.53.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.38.0...v1.53.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update e2e environments (#54) * Fix linter warning (#55) * Bump gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0 (#57) Bumps gopkg.in/yaml.v3 from 3.0.0-20210107192922-496545a6307b to 3.0.0. --- updated-dependencies: - dependency-name: gopkg.in/yaml.v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/containernetworking/plugins from 0.8.5 to 0.8.6 (#56) Bumps [github.com/containernetworking/plugins](https://github.com/containernetworking/plugins) from 0.8.5 to 0.8.6. - [Release notes](https://github.com/containernetworking/plugins/releases) - [Commits](containernetworking/plugins@v0.8.5...v0.8.6) --- updated-dependencies: - dependency-name: github.com/containernetworking/plugins dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor and golang version (#58) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#59) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.53.0...v1.56.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update vendor packages (#60) * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#61) Bumps google.golang.org/protobuf from 1.30.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix github workflow and deploy yaml * Fix e2e * Bump k8s API version (#63) * Simplify demo instruction - Fix outdated url - Do not rely on git and go only kubectl and curl are needed - Fix wrong iptables command * Make sure that policies with no valid peers are enforced If a policy rule has a `from` (or `to`) selector that matches no pods, the subject pod has to not be reached by (or has to not reach) any pods. The following example helps clarify the reasons behind these: Given a scenario with 3 pods (A, B, C) and a rule like: ``` podSelector: matchLabels: name: A ingress: - from: - podSelector: matchLabels: name: B policyTypes: - Ingress ``` Pod A can be reached only by pod B. Pod C can't reach A, and this has to be ensured even if pod B is deleted. Add an end-to-end test case to validate this scenario and adjust unit tests accordingly. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Run all e2e tests in `./e2e/tests/*.bats` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Install bond-cni on the `kind` cluster Update `setup_cluster.sh` to create needed resources for the bond-cni plugin. Configure MultiNetworkpolicy iptables daemon to handle bond NetworkAttachmentDefinitions. * e2e: Add basic bond-cni test case Verify ingress/egress scenarios works for `bond` network types. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Increase verbosity in kind tests Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * ci: Save kind logs after each failed test Some e2e test restart the multi-networkpolicy daemon, making the logs gathering at the end of the CI job useless. Create a script to loop over all the test files and collect logs every time a test fails. Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Log iptables before syncing Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Stabilize `ipblock` test cases Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Support default `ports` value If an Ingress/Egress Ports field does not specify a `Port` value, but it has a valid `Protocol`, then the rule should match every possible port number. Add unit and end2end test to cover the feature Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Bump `github.com/spf13/cobra@v1.9.1` This dependency bump solves a security issue: ``` ✗ [Medium] Improper Neutralization of Directives in Statically Saved Code Path: vendor/github.com/spf13/cobra/command.go, line 888 Info: Unsanitized input from a CLI argument flows into text.template.New, where it is used to construct a template that gets rendered. This may result in a Server-Side Template Injection vulnerability. ``` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * e2e: Avoid checking the number of iptables file Checking the number of files in `/var/lib/multi-networkpolicy/iptables/` brings to a number of test flakes in GitHub CI lanes. This flakes are not reproducible in local development environments, therefore they are likely due to a low resource system. Beside these checks can flake, the component under test behavior looks good from the assertion point of view, which is the meaningful part for the these tests. Remove any verification about the `/var/lib/multi-networkpolicy/iptables/` folder in e2e tests Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * deps: bump `github.com/k8snetworkplumbingwg/multi-networkpolicy@v1.0.1` Bumped dependency with commands: ``` $ go get github.com/k8snetworkplumbingwg/multi-networkpolicy@v1.0.1 go: downloading github.com/k8snetworkplumbingwg/multi-networkpolicy v1.0.1 go: downloading k8s.io/code-generator v0.28.8 go: downloading k8s.io/gengo v0.0.0-20220902162205-c0856e24416d go: downloading k8s.io/klog v1.0.0 go: downloading golang.org/x/tools v0.16.1 go: downloading golang.org/x/mod v0.14.0 go: upgraded github.com/k8snetworkplumbingwg/multi-networkpolicy v0.0.0-20200903074708-7b3ce95ae804 => v1.0.1 $ go mod tidy $ go mod vendor ``` Signed-off-by: Andrea Panattoni <apanatto@redhat.com> * Adds support for endPort to policyrules.go This commit simply adds a small conditional checking whether port.EndPort is not nil, in which case it writes the iptable rule with flag `--dport N:N`, else it write the same iptables rule as before. * Adds a basic unit test for endPort in the port specification Verfies that a port specification which includes endPort writes the expected iptables rule with `--dport N:N`, and that one that doesn't include endPort writes the normal iptables rule with `--dport N`. * Adds endPort functionality to renderEgressPorts() This was an oversight on my part, as our use case only requires ingress rules, but the functionality needs to be available for both ingress and egress rules. Additionally, I reformated the logic, per PR reviewer suggestions, to eliminate some redudnacy and make the code cleaner and more readable. * Add basic unit test for endPort usage in egress rules * ds: fix vendor/ folder by running go mod vendor Signed-off-by: Andrea Panattoni <apanatto@redhat.com> --------- Signed-off-by: Andrea Panattoni <apanatto@redhat.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Tomofumi Hayashi <tohayash@redhat.com> Co-authored-by: Doug Smith <dosmith@redhat.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: lgtm-com[bot] <43144390+lgtm-com[bot]@users.noreply.github.com> Co-authored-by: LGTM Migrator <lgtm-migrator@users.noreply.github.com> Co-authored-by: Nikhil Simha <simha.nikhil@gmail.com> Co-authored-by: Peter Stöckli <p-@github.com> Co-authored-by: Mengxin Liu <liumengxinfly@gmail.com> Co-authored-by: Nathan Kinkade <kinkade@measurementlab.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
16 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.