Release 1.0 merge from main (#136)
* Move to mainline sdk changes (#25)

* Reuse eBPF SDK Client (#26)

* Code refactoring - Sync to SDK's new API interface (#27)

* Additional UTs for eBPF pkg (#29)

* Additional UTs for eBPF pkg

* UT for Global Map recovery flow

* format changes

* Events refactor (#30)

* Remove replace and add comments

* Minor refactor

* Update AL2023 image

* vmlinux generation

* update readme (#31)

* Third party attribution doc (#32)

* Thirdparty attribution doc

* Minor nits

* minor nit

* README Updates (#34)

* Update README.md (#35)

* Update go.mod and go.sum for master (#38)

* Update go.mod and go.sum

docker/make file changes

* fix up vet

* Run Conformance and Performance tests with github actions (#5)

* Updated conformance and performance test parameters (#39)

* Fix problem with policy not being applied to pods on IPv6 nodes (#40)

* Update the session duration to 5 hrs for github actions (#53)

* Update scripts to run cyclonus suite and install latest MAO

* Handle 0 entries in cli (#60)

* Update test pkg (#61)

* Ignore policy restrictions against Node IP (#65)

* feat: Add flag enable-policy-event-logs (#48)

* feat: Add flag enable-policy-event-logs

Policy event logging is now disabled by default

* feat: Add enable-policy-event-logs flag to readme

---------

Co-authored-by: Apurup Chevuru <[email protected]>

* Issue#45 Modified Default Metrics Bind Port (#46)

* Issue#45 Modified Default Metrics Bind Port

* Modified Health Probe Bind address to 8163

---------

Co-authored-by: Kareem Rady <[email protected]>
Co-authored-by: Jayanth Varavani <[email protected]>
Co-authored-by: Apurup Chevuru <[email protected]>

* Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#43)

Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Apurup Chevuru <[email protected]>

* Bump github.com/vishvananda/netlink (#42)

Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.1-0.20210330154013-f5de75959ad5 to 1.2.1-beta.2.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/commits/v1.2.1-beta.2)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add update image script and make targets (#59)

* Fixes to cyclonus test script (#69)

* Remove KUBECONFIG environment variable from cyclonus test script

* With catchALL honor "except" (#58)

* Honor except with catchALL

* PR feedback

* Remove unnecessary header files (#71)

* Return exit status if test verification fails

* V6 Optimizations (#80)

* Bump github.com/aws/amazon-vpc-cni-k8s from 1.13.4 to 1.15.0 (#82)

Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.13.4 to 1.15.0.
- [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases)
- [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md)
- [Commits](aws/amazon-vpc-cni-k8s@v1.13.4...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/aws/amazon-vpc-cni-k8s
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Honor V6 Elf file updates (#84)

* Build latest image with conformance tests (#85)

* Create a github action to build multi-arch docker image

* Update credentials action to v3

* Log rotate support (#87)

* Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#81)

Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](uber-go/zap@v1.25.0...v1.26.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Race condition with init and cw setup (#93)

* Bump golang.org/x/net from 0.12.0 to 0.17.0 (#95)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.12.0 to 0.17.0.
- [Commits](golang/net@v0.12.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* upgrade Go to 1.21.3 and upgrade dependencies

* Fix conntrack issue and increase supported port/protocol (#102)

* Fix conntrack

* Update events

* Pull test images from internal test infra accounts (#79)

* Pull test images from internal test infra accounts

* Test with ARM nodes in e2e conformance tests

* Handle PolicyEndpoint split scenario when the target pods are paired … (#106)

* Handle PolicyEndpoint split scenario when the target pods are paired with empty ingress/egress rules

* Fix UT

* inherit firewall rules from larger cidrs (#104)

* Update /m

* format

* Len changes

---------

Co-authored-by: Apurup Chevuru <[email protected]>

* Update pr-tests.yaml (#112)

* Handle for controller not adding prefix lens (#113)

* Update pr-tests.yaml

* Minor fix for missing prefixlens

* Refactor

* Minor refactor (#116)

* Update pr-tests.yaml

* Minor refactor

* README Update (#117)

* Update issue templates (#121)

* add more checks in pr actions

* Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (#126)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.2.4...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/aws/aws-sdk-go from 1.45.19 to 1.47.5 (#134)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.45.19 to 1.47.5.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](aws/aws-sdk-go@v1.45.19...v1.47.5)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/client-go from 0.28.2 to 0.28.3 (#123)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.2 to 0.28.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.28.2...v0.28.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3 (#122)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.2 to 0.16.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.16.2...v0.16.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Conntrack cleanup issue with v1.0.5 (#133)

* Conntrack cleanup issue with v1.0.5

* Minor changes

* Index with owner

* Add padding for v6

* Upgrade SDK

* CLI update

* minor change

* Update mod

* Remove print

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Apurup Chevuru <[email protected]>
Co-authored-by: Geoffrey Cline <[email protected]>
Co-authored-by: Jay Deokar <[email protected]>
Co-authored-by: K.Hoshi <[email protected]>
Co-authored-by: Jay Deokar <[email protected]>
Co-authored-by: Tobias Germer <[email protected]>
Co-authored-by: Kareem Rady <[email protected]>
Co-authored-by: Kareem Rady <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeff Nelson <[email protected]>
Co-authored-by: Jeffrey Nelson <[email protected]>
Co-authored-by: Hao Zhou <[email protected]>
Co-authored-by: Hao Zhou <[email protected]>
14 people authored Nov 13, 2023
1 parent b348d61 commit 9467d83
Showing 14 changed files with 284 additions and 185 deletions.
38 changes: 38 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,38 @@
---
name: Bug report
about: Report a bug in aws-network-policy-agent project.
title: ''
labels: bug
assignees: ''

---

<!--
For urgent operational issues, please contact AWS Support directly at https://aws.amazon.com/premiumsupport/
If you think you have found a potential security issue, please do not post it as an issue. Instead, follow the instructions at https://aws.amazon.com/security/vulnerability-reporting/ or email AWS Security directly at [email protected]
-->

**What happened**:
<!--
Include log lines if possible
-->

**Attach logs**
<!--
Please collect the logs by running [CNI Log Collection tool] `sudo bash /opt/cni/bin/aws-cni-support.sh` and email the log archive to [email protected]
-->

**What you expected to happen**:

**How to reproduce it (as minimally and precisely as possible)**:

**Anything else we need to know?**:

**Environment**:
- Kubernetes version (use `kubectl version`):
- CNI Version
- Network Policy Agent Version
- OS (e.g: `cat /etc/os-release`):
- Kernel (e.g. `uname -a`):
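Review bot: in the "Attach logs" comment, `[CNI Log Collection tool]` is written as a Markdown reference-style link but the file defines no matching `[CNI Log Collection tool]: <url>` target, so it renders as literal brackets with no link; use the inline form that support-request-question.md in this same commit already uses, `[CNI Log Collection tool](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshoot-cni)`, or add the reference definition at the bottom of the template.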
20 changes: 20 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an enhancement to the aws-network-policy-agent project
title: ''
labels: enhancement
assignees: ''

---

<!--
For urgent operational issues, please contact AWS Support directly at https://aws.amazon.com/premiumsupport/
If you think you have found a potential security issue, please do not post it as an issue. Instead, follow the instructions at https://aws.amazon.com/security/vulnerability-reporting/ or email AWS Security directly at [email protected]
Please only use this template for submitting enhancement requests.
-->

**What would you like to be added**:

**Why is this needed**:
30 changes: 30 additions & 0 deletions .github/ISSUE_TEMPLATE/support-request-question.md
@@ -0,0 +1,30 @@
---
name: Support Request/Question
about: Support request or question relating to aws-network-policy-agent project.
title: ''
labels: needs investigation, question
assignees: ''

---

<!--
For urgent operational issues, please contact AWS Support directly at https://aws.amazon.com/premiumsupport/
If you think you have found a potential security issue, please do not post it as an issue. Instead, follow the instructions at https://aws.amazon.com/security/vulnerability-reporting/ or email AWS Security directly at [email protected]
-->

**What happened**:

<!--
If you are looking for help, check the [troubleshooting guide](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/troubleshooting.md)
If you are unable to find the answers and would like to create an issue, upload the logs by running [CNI Log Collection tool](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshoot-cni) and email the log archive to [email protected]
-->

**Environment**:
- Kubernetes version (use `kubectl version`):
- CNI Version
- Network Policy Agent Version
- OS (e.g: `cat /etc/os-release`):
- Kernel (e.g. `uname -a`):
2 changes: 1 addition & 1 deletion .github/workflows/e2e-conformance.yaml
@@ -59,4 +59,4 @@ jobs:
AWS_EKS_NODEAGENT_IMAGE: ${{ needs.build-image.outputs.AWS_EKS_NODEAGENT_IMAGE }}
TEST_IMAGE_REGISTRY: ${{ secrets.TEST_IMAGE_REGISTRY }}
run: |
./scripts/run-tests.sh
./scripts/run-tests.sh
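Review bot: the removed and added `./scripts/run-tests.sh` lines are textually identical, so this hunk is a whitespace-only change (trailing whitespace or a newline at end of file); fine to land, but a word in the PR description would keep it from being read as a behavioral change to the conformance job.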
38 changes: 31 additions & 7 deletions .github/workflows/pr-tests.yaml
@@ -17,9 +17,15 @@ jobs:
- name: Checkout latest commit in the PR
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v4
with:
go-version: "1.20"
go-version-file: go.mod
check-latest: true
cache-dependency-path: "**/go.sum"
- uses: actions/cache@v3
with:
path: |
~/go/bin
- name: Set up tools
run: |
go install golang.org/x/lint/golint@latest
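Review bot: the new `actions/cache@v3` step declares `path: ~/go/bin` but no `key:` input; `key` is required by actions/cache, so the step fails as written, and without a key derived from the inputs (for example `hashFiles('**/go.sum')`) it could not produce useful cache hits anyway. Either add a key or drop the step, since `actions/setup-go@v4` with `cache-dependency-path: "**/go.sum"` already caches the module and build caches. Separately, `check-latest: true` combined with `go-version-file: go.mod` makes the job look up the newest matching Go release on every run instead of using the runner's cached toolchain, so the compiler can drift between runs of the same PR; drop `check-latest` if reproducible PR builds are the goal.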
@@ -44,9 +50,27 @@ jobs:
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: "1.20"
- name: Build Network Policy Agent images
run: make docker-buildx
run: make docker-buildx
deprecated-apigroups:
name: Detect deprecated apiGroups
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: |
version=$(curl -sL https://api.github.com/repos/FairwindsOps/pluto/releases/latest | jq -r ".tag_name")
number=${version:1}
wget https://github.com/FairwindsOps/pluto/releases/download/${version}/pluto_${number}_linux_amd64.tar.gz
sudo tar -C /usr/local -xzf pluto_${number}_linux_amd64.tar.gz
- run: |
/usr/local/pluto detect-files -d .
vuln_check:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install `govulncheck`
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run `govulncheck`
run: ~/go/bin/govulncheck ./...
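Review bot: the `deprecated-apigroups` job resolves the latest pluto tag at run time, downloads the tarball with `wget`, and extracts it as root into `/usr/local` with no checksum or signature check, so any change to that upstream release lands unverified on the CI runner; pin `version` to a known release and verify the archive (for example with `sha256sum -c` against a checksum committed alongside the workflow) before the `sudo tar` step. The `vuln_check` job has no `Set up Go` step, so `go install golang.org/x/vuln/cmd/govulncheck@latest` runs with whatever Go the runner image ships rather than the version in go.mod, and govulncheck findings depend on the toolchain it sees; add the same `actions/setup-go@v4` step used in the test job and pin govulncheck to a version rather than `@latest`. Both new jobs also reference `actions/checkout@v3` by mutable tag; pinning third-party actions to a commit SHA is the usual hardening for this kind of workflow.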
2 changes: 2 additions & 0 deletions README.md
@@ -80,6 +80,8 @@ Default: false

Network Policy agent can operate in either IPv4 or IPv6 mode. Setting this flag to `true` in the manifest will configure it in IPv6 mode.

**Note:** VPC CNI by default creates an egress only IPv4 interface for IPv6 pods and this network interface will not be secured by the Network policy feature. Network policies will only be enforced on the Pod's primary interface (i.e.,) `eth0`. If you want to block the egress IPv4 access, please disable the interface creation via [ENABLE_V4_EGRESS](https://github.com/aws/amazon-vpc-cni-k8s#enable_v4_egress-v1151) flag in VPC CNI.

## Network Policy Agent CLI
The Amazon VPC CNI plugin for Kubernetes installs eBPF SDK collection of tools on the nodes. You can use the eBPF SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node.

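Review bot: wording in the new note: "egress only IPv4 interface" should be hyphenated as "egress-only", and "(i.e.,) `eth0`" reads oddly; suggest "Network policies are only enforced on the pod's primary interface (`eth0`)". It would also help to state the consequence plainly, namely that IPv4 egress from IPv6 pods through that interface is not subject to any network policy until `ENABLE_V4_EGRESS` is disabled, since that is the security-relevant point of the note.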
22 changes: 11 additions & 11 deletions go.mod
@@ -4,9 +4,9 @@ go 1.21

require (
github.com/aws/amazon-vpc-cni-k8s v1.15.1
github.com/aws/aws-ebpf-sdk-go v1.0.3
github.com/aws/aws-sdk-go v1.45.19
github.com/go-logr/logr v1.2.4
github.com/aws/aws-ebpf-sdk-go v1.0.4
github.com/aws/aws-sdk-go v1.47.5
github.com/go-logr/logr v1.3.0
github.com/go-logr/zapr v1.2.4
github.com/golang/mock v1.6.0
github.com/google/go-cmp v0.5.9
@@ -18,19 +18,19 @@ require (
github.com/stretchr/testify v1.8.4
github.com/vishvananda/netlink v1.2.1-beta.2
go.uber.org/zap v1.26.0
golang.org/x/sys v0.13.0
golang.org/x/sys v0.14.0
gopkg.in/natefinch/lumberjack.v2 v2.2.1
k8s.io/api v0.28.2
k8s.io/apimachinery v0.28.2
k8s.io/client-go v0.28.2
sigs.k8s.io/controller-runtime v0.16.2
k8s.io/api v0.28.3
k8s.io/apimachinery v0.28.3
k8s.io/client-go v0.28.3
sigs.k8s.io/controller-runtime v0.16.3
)

require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.10.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -69,8 +69,8 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.28.0 // indirect
k8s.io/component-base v0.28.1 // indirect
k8s.io/apiextensions-apiserver v0.28.3 // indirect
k8s.io/component-base v0.28.3 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect