
Kindnet network policies #3612

Merged
merged 5 commits into from
Jul 23, 2024

Conversation

aojea
Contributor

@aojea aojea commented May 14, 2024

Fixes: #842

Alternative to #3611

In this case network policies are considered part of kindnetd, just as a different daemonset.

Users can opt-out by disabling kindnetd
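The opt-out described above is a kind cluster configuration setting. The following is an added example, not a file from this PR or from the kind project, showing the `networking.disableDefaultCNI` switch that skips kindnetd (and therefore the bundled network policy daemonset); the node layout is a constructed sample.

```yaml
# Added example: kind cluster config that opts out of kindnetd.
# Because network policies ship as part of kindnetd in this PR,
# disabling the default CNI also removes the policy daemonset.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  # true skips installing kindnet; you must install your own CNI
  # afterwards, and NetworkPolicy enforcement then depends on that CNI.
  disableDefaultCNI: true
nodes:
- role: control-plane
- role: worker
```

Create the cluster with `kind create cluster --config <file>` and confirm afterwards that no kindnet daemonset exists in kube-system before installing a replacement CNI.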

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 14, 2024
@aojea
Contributor Author

aojea commented May 14, 2024

/assign @BenTheElder

I think I prefer this one; it looks nicer and simpler, and it is as if network policies are part of kindnet.

@BenTheElder
Member

I'm still divided on if it's better to bundle with kindnetd or not but I'm leaning this way.

I think if users are sensitive to the base networking they can already disable kindnetd and it's not strictly CNI already.

Trying to think of good reasons this wouldn't be reasonable.

@BenTheElder
Member

I think this is the way. I haven't come up with good reasons against this one.

@aojea
Contributor Author

aojea commented Jun 23, 2024

I need to cut a new release of network policies to make it a noop if no network policy is applied kubernetes-sigs/kube-network-policies#39 ... it is much safer

@aojea
Contributor Author

aojea commented Jun 23, 2024

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 23, 2024
@aojea
Contributor Author

aojea commented Jun 24, 2024

/hold cancel

waiting for the promotion kubernetes/kubernetes#125681

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 24, 2024
@aojea
Contributor Author

aojea commented Jun 24, 2024

/retest

@aojea aojea closed this Jun 24, 2024
@aojea aojea reopened this Jun 24, 2024
@aojea aojea changed the title Kindnet networkpolicies [WIP] Kindnet networkpolicies Jun 30, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2024
Member

@BenTheElder BenTheElder left a comment


I like where this is headed 👍

Started working on the go 1.22 bump in #3676, we have to also bump runc and should catch up the rest while we're at it.

@BenTheElder
Member

what's blocking? I am +1 in concept 👍

@aojea
Contributor Author

aojea commented Jul 12, 2024

/retest

what's blocking? I am +1 in concept 👍

😎 vacationing

@aojea aojea changed the title [WIP] Kindnet networkpolicies Kindnet networkpolicies Jul 15, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 15, 2024
@aojea
Contributor Author

aojea commented Jul 15, 2024

@BenTheElder this is ready

@aojea
Contributor Author

aojea commented Jul 15, 2024

/test pull-kind-e2e-kubernetes-1-27

can't find the reason it failed

@aojea aojea changed the title Kindnet networkpolicies Kindnet network policies Jul 19, 2024
@aojea
Contributor Author

aojea commented Jul 22, 2024

/hold

missing rbac permissions

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 22, 2024
Change-Id: I381a548754d31f5249c746e7dbf4e50fe776a34a
@aojea
Contributor Author

aojea commented Jul 22, 2024

/hold

missing rbac permissions

/hold cancel

added

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 22, 2024
)

require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
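Review bot: both requirements visible in this hunk carry the `// indirect` marker, so they are transitive modules pulled in by the new network policy dependency rather than packages kindnetd imports directly; the PR description should name the direct module that introduces them (for example via `go mod why -m github.com/beorn7/perks`) so that license review can be scoped to the modules that are genuinely new to the build.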
Member


I assume that you've done the diligence on these and their licenses etc?

looks like most of these are not new but a few are

Contributor Author


github.com/beorn7/perks, https://github.com/cespare/xxhash, github.com/mdlayher/netlink and github.com/florianl/go-nfqueue are MIT.

Member

@BenTheElder BenTheElder left a comment


/lgtm
/approve
/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jul 22, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, BenTheElder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aojea
Contributor Author

aojea commented Jul 23, 2024

/hold cancel

go-licenses check ./cmd/kindnetd/ 
W0723 10:42:47.791287 2745051 library.go:101] "golang.org/x/sys/unix" contains non-Go code that can't be inspected for further dependencies:
/usr/local/google/home/aojea/go/pkg/mod/golang.org/x/sys@v0.22.0/unix/asm_linux_amd64.s
W0723 10:42:48.595319 2745051 library.go:101] "github.com/modern-go/reflect2" contains non-Go code that can't be inspected for further dependencies:
/usr/local/google/home/aojea/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/reflect2_amd64.s
/usr/local/google/home/aojea/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mips64x.s
/usr/local/google/home/aojea/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_mipsx.s
/usr/local/google/home/aojea/go/pkg/mod/github.com/modern-go/reflect2@v1.0.2/relfect2_ppc64x.s
W0723 10:42:56.947129 2745051 library.go:101] "github.com/cespare/xxhash/v2" contains non-Go code that can't be inspected for further dependencies:
/usr/local/google/home/aojea/go/pkg/mod/github.com/cespare/xxhash/v2@v2.3.0/xxhash_amd64.s
$

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 23, 2024
@k8s-ci-robot k8s-ci-robot merged commit ed51cf8 into kubernetes-sigs:main Jul 23, 2024
29 checks passed
Development

Successfully merging this pull request may close these issues.

NetworkPolicy support
5 participants