Merge Main to Release 1.0 (#161)

* Move to mainline sdk changes (#25) * Reuse eBPF SDK Client (#26) * Code refactoring - Sync to SDK's new API interface (#27) * Additional UTs for eBPF pkg (#29) * Additional UTs for eBPF pkg * UT for Global Map recovery flow * format changes * Events refactor (#30) * Remove replace and add comments * Minor refactor * Update AL2023 image * vmlinux generation * update readme (#31) * Third party attribution doc (#32) * Thirdparty attribution doc * Minor nits * minor nit * README Updates (#34) * Update README.md (#35) * Update go.mod and go.sum for master (#38) * Update go.mod and go.sum docker/make file changes * fix up vet * Run Conformance and Performance tests with github actions (#5) * Updated conformance and performance test parameters (#39) * Fix problem with policy not being applied to pods on IPv6 nodes (#40) * Update the session duration to 5 hrs for github actions (#53) * Update scripts to run cyclonus suite and install latest MAO * Handle 0 entries in cli (#60) * Update test pkg (#61) * Ignore policy restrictions against Node IP (#65) * feat: Add flag enable-policy-event-logs (#48) * feat: Add flag enable-policy-event-logs Policy event logging is now disabled by default * feat: Add enable-policy-event-logs flag to readme --------- Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Issue#45 Modified Default Metrics Bind Port (#46) * Issue#45 Modified Default Metrics Bind Port * Modified Health Probe Bind address to 8163 --------- Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local> Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#43) Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](google/uuid@v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/vishvananda/netlink (#42) Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.1-0.20210330154013-f5de75959ad5 to 1.2.1-beta.2. - [Release notes](https://github.com/vishvananda/netlink/releases) - [Commits](https://github.com/vishvananda/netlink/commits/v1.2.1-beta.2) --- updated-dependencies: - dependency-name: github.com/vishvananda/netlink dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add update image script and make targets (#59) * Fixes to cyclonus test script (#69) * Remove KUBECONFIG environment variable from cyclonus test script * With catchALL honor "except" (#58) * Honor except with catchALL * PR feedback * Remove unnecessary header files (#71) * Return exit status if test verification fails * V6 Optimizations (#80) * Bump github.com/aws/amazon-vpc-cni-k8s from 1.13.4 to 1.15.0 (#82) Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.13.4 to 1.15.0. - [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases) - [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md) - [Commits](aws/amazon-vpc-cni-k8s@v1.13.4...v1.15.0) --- updated-dependencies: - dependency-name: github.com/aws/amazon-vpc-cni-k8s dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Honor V6 Elf file updates (#84) * Build latest image with conformance tests (#85) * Create a github action to build multi-arch docker image * Update credentials action to v3 * Log rotate support (#87) * Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#81) Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.25.0...v1.26.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Race condition with init and cw setup (#93) * Bump golang.org/x/net from 0.12.0 to 0.17.0 (#95) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.12.0 to 0.17.0. - [Commits](golang/net@v0.12.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * upgrade Go to 1.21.3 and upgrade dependencies * Fix conntrack issue and increase supported port/protocol (#102) * Fix conntrack * Update events * Pull test images from internal test infra accounts (#79) * Pull test images from internal test infra accounts * Test with ARM nodes in e2e conformance tests * Handle PolicyEndpoint split scenario when the target pods are paired … (#106) * Handle PolicyEndpoint split scenario when the target pods are paired with empty ingress/egress rules * Fix UT * inherit firewall rules from larger cidrs (#104) * Update /m * format * Len changes --------- Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Update pr-tests.yaml (#112) * Handle for controller not adding prefix lens (#113) * Update pr-tests.yaml * Minor fix for missing prefixlens * Refactor * Minor refactor (#116) * Update pr-tests.yaml * Minor refactor * README Update (#117) * Update issue templates (#121) * add more checks in pr actions * Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (#126) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/aws/aws-sdk-go from 1.45.19 to 1.47.5 (#134) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.45.19 to 1.47.5. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.45.19...v1.47.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/client-go from 0.28.2 to 0.28.3 (#123) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.2 to 0.28.3. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.2...v0.28.3) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3 (#122) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.2 to 0.16.3. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.16.2...v0.16.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Conntrack cleanup issue with v1.0.5 (#133) * Conntrack cleanup issue with v1.0.5 * Minor changes * Index with owner * Add padding for v6 * Upgrade SDK * CLI update * minor change * force vulns check to use specified go patch version (#137) * Updating the expected results for known flaky test cases * Memory corruption (#142) * Bump github.com/google/uuid from 1.3.1 to 1.4.0 (#157) Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.1 to 1.4.0. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](google/uuid@v1.3.1...v1.4.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#156) Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#154) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 (#153) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/client-go from 0.28.3 to 0.28.4 (#155) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.3 to 0.28.4. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.3...v0.28.4) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Conntrack enhancements (#151) * Env fix * Move to flag * Cleanup * Log line for debugs * minor update * Ignore PE slices tied to same NP during Clean up flow (#159) * Ignore PE slices tied to same NP during Clean up flow * Format changes * UT fix --------- Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> * CLI changes (#152) * CLI changes * Utils * Upgrade SDK * Upgrade sdk * Merge main to rel-1.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> Co-authored-by: Geoffrey Cline <geoffreyc@outlook.com> Co-authored-by: Jay Deokar <23660509+jaydeokar@users.noreply.github.com> Co-authored-by: K.Hoshi <rxnew.axdseuan@gmail.com> Co-authored-by: Jay Deokar <jsdeokar@amazon.com> Co-authored-by: Tobias Germer <bvrcreepyx@hotmail.de> Co-authored-by: Kareem Rady <82394457+kareem-rady@users.noreply.github.com> Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Nelson <jdnelson@amazon.com> Co-authored-by: Jeffrey Nelson <jdn5126@gmail.com> Co-authored-by: Hao Zhou <zhuhz@amazon.com> Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>
aws · Dec 6, 2023 · 65468e0 · 65468e0
1 parent c1913d6
commit 65468e0
Show file tree

Hide file tree

Showing 11 changed files with 153 additions and 125 deletions.
diff --git a/controllers/policyendpoints_controller.go b/controllers/policyendpoints_controller.go
@@ -20,8 +20,6 @@ import (
 	"context"
 	"errors"
 	"net"
-	"os"
-	"strconv"
 	"sync"
 	"time"
 
@@ -41,7 +39,6 @@ import (
 )
 
 const (
-	envLocalConntrackCacheCleanupPeriod              = "CONNTRACK_CACHE_CLEANUP_PERIOD"
 	defaultLocalConntrackCacheCleanupPeriodInSeconds = 300
 )
 
@@ -77,7 +74,7 @@ func prometheusRegister() {
 
 // NewPolicyEndpointsReconciler constructs new PolicyEndpointReconciler
 func NewPolicyEndpointsReconciler(k8sClient client.Client, log logr.Logger,
-	enablePolicyEventLogs, enableCloudWatchLogs bool, enableIPv6 bool, enableNetworkPolicy bool) (*PolicyEndpointsReconciler, error) {
+	enablePolicyEventLogs, enableCloudWatchLogs bool, enableIPv6 bool, enableNetworkPolicy bool, conntrackTTL int) (*PolicyEndpointsReconciler, error) {
 	r := &PolicyEndpointsReconciler{
 		k8sClient: k8sClient,
 		log:       log,
@@ -88,7 +85,7 @@ func NewPolicyEndpointsReconciler(k8sClient client.Client, log logr.Logger,
 	} else {
 		r.nodeIP, _ = imds.GetMetaData("ipv6")
 	}
-	conntrackTTL := r.getLocalConntrackCacheCleanupPeriod()
+	r.log.Info("ConntrackTTL", "cleanupPeriod", conntrackTTL)
 	var err error
 	if enableNetworkPolicy {
 		r.ebpfClient, err = ebpf.NewBpfClient(&r.policyEndpointeBPFContext, r.nodeIP,
@@ -155,7 +152,6 @@ func (r *PolicyEndpointsReconciler) cleanUpPolicyEndpoint(ctx context.Context, r
 		req.NamespacedName.Namespace)
 
 	start := time.Now()
-
 	if targetPods, ok := r.policyEndpointSelectorMap.Load(policyEndpointIdentifier); ok {
 		err := r.updatePolicyEnforcementStatusForPods(ctx, req.NamespacedName.Name, targetPods.([]types.NamespacedName))
 		if err != nil {
@@ -210,7 +206,7 @@ func (r *PolicyEndpointsReconciler) reconcilePolicyEndpoint(ctx context.Context,
 	for podIdentifier, _ := range podIdentifiers {
 		// Derive Ingress IPs from the PolicyEndpoint
 		ingressRules, egressRules, isIngressIsolated, isEgressIsolated, err := r.deriveIngressAndEgressFirewallRules(ctx, podIdentifier,
-			policyEndpoint.Namespace)
+			policyEndpoint.Namespace, policyEndpoint.Name, false)
 		if err != nil {
 			r.log.Error(err, "Error Parsing policy Endpoint resource", "name:", policyEndpoint.Name)
 			return err
@@ -287,7 +283,8 @@ func (r *PolicyEndpointsReconciler) cleanupeBPFProbes(ctx context.Context, targe
 	// Detach eBPF probes attached to the local pods (if required). We should detach eBPF probes if this
 	// is the only PolicyEndpoint resource that applies to this pod. If not, just update the Ingress/Egress Map contents
 	if _, ok := r.podIdentifierToPolicyEndpointMap.Load(podIdentifier); ok {
-		ingressRules, egressRules, isIngressIsolated, isEgressIsolated, err = r.deriveIngressAndEgressFirewallRules(ctx, podIdentifier, targetPod.Namespace)
+		ingressRules, egressRules, isIngressIsolated, isEgressIsolated, err = r.deriveIngressAndEgressFirewallRules(ctx, podIdentifier, targetPod.Namespace,
+			policyEndpoint, true)
 		if err != nil {
 			r.log.Error(err, "Error Parsing policy Endpoint resource", "name ", policyEndpoint)
 			return err
@@ -337,7 +334,7 @@ func (r *PolicyEndpointsReconciler) cleanupeBPFProbes(ctx context.Context, targe
 }
 
 func (r *PolicyEndpointsReconciler) deriveIngressAndEgressFirewallRules(ctx context.Context,
-	podIdentifier string, resourceNamespace string) ([]ebpf.EbpfFirewallRules, []ebpf.EbpfFirewallRules, bool, bool, error) {
+	podIdentifier string, resourceNamespace string, resourceName string, isDeleteFlow bool) ([]ebpf.EbpfFirewallRules, []ebpf.EbpfFirewallRules, bool, bool, error) {
 	var ingressRules, egressRules []ebpf.EbpfFirewallRules
 	isIngressIsolated, isEgressIsolated := false, false
 	currentPE := &policyk8sawsv1.PolicyEndpoint{}
@@ -349,6 +346,17 @@ func (r *PolicyEndpointsReconciler) deriveIngressAndEgressFirewallRules(ctx cont
 				Name:      policyEndpointResource,
 				Namespace: resourceNamespace,
 			}
+
+			if isDeleteFlow {
+				deletedPEParentNPName := utils.GetParentNPNameFromPEName(resourceName)
+				currentPEParentNPName := utils.GetParentNPNameFromPEName(policyEndpointResource)
+				if deletedPEParentNPName == currentPEParentNPName {
+					r.log.Info("PE belongs to same NP. Ignore and move on since it's a delete flow",
+						"deletedPE", resourceName, "currentPE", policyEndpointResource)
+					continue
+				}
+			}
+
 			if err := r.k8sClient.Get(ctx, peNamespacedName, currentPE); err != nil {
 				if apierrors.IsNotFound(err) {
 					continue
@@ -514,7 +522,7 @@ func (r *PolicyEndpointsReconciler) updatePodIdentifierToPEMap(ctx context.Conte
 	defer r.podIdentifierToPolicyEndpointMapMutex.Unlock()
 	var policyEndpoints []string
 
-	r.log.Info("Total PEs for Parent NP:", "Count: ", len(parentPEList))
+	r.log.Info("Current PE Count for Parent NP:", "Count: ", len(parentPEList))
 	if currentPESet, ok := r.podIdentifierToPolicyEndpointMap.Load(podIdentifier); ok {
 		policyEndpoints = currentPESet.([]string)
 		for _, policyEndpointResourceName := range parentPEList {
@@ -577,22 +585,6 @@ func (r *PolicyEndpointsReconciler) SetupWithManager(ctx context.Context, mgr ct
 		Complete(r)
 }
 
-func (r *PolicyEndpointsReconciler) getLocalConntrackCacheCleanupPeriod() time.Duration {
-	periodStr, found := os.LookupEnv(envLocalConntrackCacheCleanupPeriod)
-	if !found {
-		return defaultLocalConntrackCacheCleanupPeriodInSeconds
-	}
-	if cleanupPeriod, err := strconv.Atoi(periodStr); err == nil {
-		if cleanupPeriod < 1 {
-			r.log.Info("conntrack cache cleanup is set to less than 1s. Reverting to default value")
-			return defaultLocalConntrackCacheCleanupPeriodInSeconds
-		}
-		r.log.Info("Setting CONNTRACK_CACHE_CLEANUP_PERIOD %v", cleanupPeriod)
-		return time.Duration(cleanupPeriod) * time.Second
-	}
-	return defaultLocalConntrackCacheCleanupPeriodInSeconds
-}
-
 func (r *PolicyEndpointsReconciler) derivePolicyEndpointsOfParentNP(ctx context.Context, parentNP, resourceNamespace string) []string {
 	var parentPolicyEndpointList []string
 

diff --git a/controllers/policyendpoints_controller_test.go b/controllers/policyendpoints_controller_test.go
@@ -329,7 +329,7 @@ func TestDeriveIngressAndEgressFirewallRules(t *testing.T) {
 
 		mockClient := mock_client.NewMockClient(ctrl)
 		policyEndpointReconciler, _ := NewPolicyEndpointsReconciler(mockClient, logr.New(&log.NullLogSink{}),
-			false, false, false, false)
+			false, false, false, false, 300)
 		var policyEndpointsList []string
 		policyEndpointsList = append(policyEndpointsList, tt.policyEndpointName)
 		policyEndpointReconciler.podIdentifierToPolicyEndpointMap.Store(tt.podIdentifier, policyEndpointsList)
@@ -347,7 +347,7 @@ func TestDeriveIngressAndEgressFirewallRules(t *testing.T) {
 
 		t.Run(tt.name, func(t *testing.T) {
 			gotIngressRules, gotEgressRules, gotIsIngressIsolated, gotIsEgressIsolated, gotError := policyEndpointReconciler.deriveIngressAndEgressFirewallRules(context.Background(),
-				tt.podIdentifier, tt.resourceNamespace)
+				tt.podIdentifier, tt.resourceNamespace, tt.policyEndpointName, false)
 			assert.Equal(t, tt.want.ingressRules, gotIngressRules)
 			assert.Equal(t, tt.want.egressRules, gotEgressRules)
 			assert.Equal(t, tt.want.isIngressIsolated, gotIsIngressIsolated)

diff --git a/go.mod b/go.mod
@@ -4,25 +4,25 @@ go 1.21
 
 require (
 	github.com/aws/amazon-vpc-cni-k8s v1.15.1
-	github.com/aws/aws-ebpf-sdk-go v1.0.4
+	github.com/aws/aws-ebpf-sdk-go v1.0.6
 	github.com/aws/aws-sdk-go v1.47.5
 	github.com/go-logr/logr v1.3.0
 	github.com/go-logr/zapr v1.2.4
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.9
-	github.com/google/uuid v1.3.1
+	github.com/google/go-cmp v0.6.0
+	github.com/google/uuid v1.4.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.16.0
-	github.com/spf13/cobra v1.7.0
+	github.com/prometheus/client_golang v1.17.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	go.uber.org/zap v1.26.0
-	golang.org/x/sys v0.14.0
+	golang.org/x/sys v0.15.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	k8s.io/api v0.28.3
-	k8s.io/apimachinery v0.28.3
-	k8s.io/client-go v0.28.3
+	k8s.io/api v0.28.4
+	k8s.io/apimachinery v0.28.4
+	k8s.io/client-go v0.28.4
 	sigs.k8s.io/controller-runtime v0.16.3
 )
 
@@ -52,17 +52,18 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
 	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect