Merge main to Release 1.0 (#201)
* Move to mainline sdk changes (#25)

* Reuse eBPF SDK Client (#26)

* Code refactoring - Sync to SDK's new API interface (#27)

* Additional UTs for eBPF pkg (#29)

* Additional UTs for eBPF pkg

* UT for Global Map recovery flow

* format changes

* Events refactor (#30)

* Remove replace and add comments

* Minor refactor

* Update AL2023 image

* vmlinux generation

* update readme (#31)

* Third party attribution doc (#32)

* Third-party attribution doc

* Minor nits

* minor nit

* README Updates (#34)

* Update README.md (#35)

* Update go.mod and go.sum for master (#38)

* Update go.mod and go.sum

docker/make file changes

* fix up vet

* Run Conformance and Performance tests with github actions (#5)

* Updated conformance and performance test parameters (#39)

* Fix problem with policy not being applied to pods on IPv6 nodes (#40)

* Update the session duration to 5 hrs for github actions (#53)

* Update scripts to run cyclonus suite and install latest MAO

* Handle 0 entries in cli (#60)

* Update test pkg (#61)

* Ignore policy restrictions against Node IP (#65)

* feat: Add flag enable-policy-event-logs (#48)

* feat: Add flag enable-policy-event-logs

Policy event logging is now disabled by default

* feat: Add enable-policy-event-logs flag to readme

---------

Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com>

* Issue#45 Modified Default Metrics Bind Port (#46)

* Issue#45 Modified Default Metrics Bind Port

* Modified Health Probe Bind address to 8163

---------

Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local>
Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>
Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com>

* Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#43)

Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com>

* Bump github.com/vishvananda/netlink (#42)

Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.1-0.20210330154013-f5de75959ad5 to 1.2.1-beta.2.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/commits/v1.2.1-beta.2)

---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add update image script and make targets (#59)

* Fixes to cyclonus test script (#69)

* Remove KUBECONFIG environment variable from cyclonus test script

* With catchALL honor "except" (#58)

* Honor except with catchALL

* PR feedback

* Remove unnecessary header files (#71)

* Return exit status if test verification fails

* V6 Optimizations (#80)

* Bump github.com/aws/amazon-vpc-cni-k8s from 1.13.4 to 1.15.0 (#82)

Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.13.4 to 1.15.0.
- [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases)
- [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md)
- [Commits](aws/amazon-vpc-cni-k8s@v1.13.4...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/aws/amazon-vpc-cni-k8s
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Honor V6 Elf file updates (#84)

* Build latest image with conformance tests (#85)

* Create a github action to build multi-arch docker image

* Update credentials action to v3

* Log rotate support (#87)

* Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#81)

Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](uber-go/zap@v1.25.0...v1.26.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Race condition with init and cw setup (#93)

* Bump golang.org/x/net from 0.12.0 to 0.17.0 (#95)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.12.0 to 0.17.0.
- [Commits](golang/net@v0.12.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* upgrade Go to 1.21.3 and upgrade dependencies

* Fix conntrack issue and increase supported port/protocol  (#102)

* Fix conntrack

* Update events

* Pull test images from internal test infra accounts (#79)

* Pull test images from internal test infra accounts

* Test with ARM nodes in e2e conformance tests

* Handle PolicyEndpoint split scenario when the target pods are paired … (#106)

* Handle PolicyEndpoint split scenario when the target pods are paired with empty ingress/egress rules

* Fix UT

* inherit firewall rules from larger cidrs (#104)

* Update /m

* format

* Len changes

---------

Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com>

* Update pr-tests.yaml (#112)

* Handle for controller not adding prefix lens (#113)

* Update pr-tests.yaml

* Minor fix for missing prefixlens

* Refactor

* Minor refactor (#116)

* Update pr-tests.yaml

* Minor refactor

* README Update (#117)

* Update issue templates (#121)

* add more checks in pr actions

* Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (#126)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.2.4...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/aws/aws-sdk-go from 1.45.19 to 1.47.5 (#134)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.45.19 to 1.47.5.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](aws/aws-sdk-go@v1.45.19...v1.47.5)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/client-go from 0.28.2 to 0.28.3 (#123)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.2 to 0.28.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.28.2...v0.28.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3 (#122)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.2 to 0.16.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.16.2...v0.16.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Conntrack cleanup issue with v1.0.5 (#133)

* Conntrack cleanup issue with v1.0.5

* Minor changes

* Index with owner

* Add padding for v6

* Upgrade SDK

* CLI update

* minor change

* force vulns check to use specified go patch version (#137)

* Updating the expected results for known flaky test cases

* Memory corruption (#142)

* Bump github.com/google/uuid from 1.3.1 to 1.4.0 (#157)

Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.1 to 1.4.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](google/uuid@v1.3.1...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#156)

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.9...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#154)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 (#153)

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/client-go from 0.28.3 to 0.28.4 (#155)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.3 to 0.28.4.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.28.3...v0.28.4)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Conntrack enhancements (#151)

* Env fix

* Move to flag

* Cleanup

* Log line for debugs

* minor update

* Ignore PE slices tied to same NP during Clean up flow (#159)

* Ignore PE slices tied to same NP during Clean up flow

* Format changes

* UT fix

---------

Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com>

* CLI changes (#152)

* CLI changes

* Utils

* Upgrade SDK

* Upgrade sdk

* Update builder image to latest golang version

* fix logger error; remove version log

* Add workflow to run manual e2e tests on specific instance type (#148)

* Add region parameter to describe instances

* Add prefix to identify log stream for network policy events (#178)

* Bump github.com/go-logr/logr from 1.3.0 to 1.4.1

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.3.0 to 1.4.1.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.3.0...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump k8s.io/client-go from 0.28.4 to 0.29.0

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.4 to 0.29.0.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.28.4...v0.29.0)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Log the to-be-deleted conntrack entries in readable format

* dependabot updates

* Handle replica and VIP (#179)

* Check the new addon versions in the right regions

* Update CI scripts to test on the latest available k8s cluster

* Bump github.com/aws/amazon-vpc-cni-k8s from 1.16.0 to 1.16.2 (#196)

Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.16.0 to 1.16.2.
- [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases)
- [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.2/CHANGELOG.md)
- [Commits](aws/amazon-vpc-cni-k8s@v1.16.0...v1.16.2)

---
updated-dependencies:
- dependency-name: github.com/aws/amazon-vpc-cni-k8s
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.50.9 (#199)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.49.13 to 1.50.9.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](aws/aws-sdk-go@v1.49.13...v1.50.9)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/apimachinery from 0.29.0 to 0.29.1 (#197)

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.29.0 to 0.29.1.
- [Commits](kubernetes/apimachinery@v0.29.0...v0.29.1)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump golang.org/x/sys from 0.15.0 to 0.16.0 (#195)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0.
- [Commits](golang/sys@v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump k8s.io/client-go from 0.29.0 to 0.29.1 (#194)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.29.0 to 0.29.1.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.29.0...v0.29.1)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Handle PE split cleanup and duplicate l4info (#185)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com>
Co-authored-by: Geoffrey Cline <geoffreyc@outlook.com>
Co-authored-by: Jay Deokar <23660509+jaydeokar@users.noreply.github.com>
Co-authored-by: K.Hoshi <rxnew.axdseuan@gmail.com>
Co-authored-by: Jay Deokar <jsdeokar@amazon.com>
Co-authored-by: Tobias Germer <bvrcreepyx@hotmail.de>
Co-authored-by: Kareem Rady <82394457+kareem-rady@users.noreply.github.com>
Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeff Nelson <jdnelson@amazon.com>
Co-authored-by: Jeffrey Nelson <jdn5126@gmail.com>
Co-authored-by: Hao Zhou <zhuhz@amazon.com>
Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>
14 people authored Feb 2, 2024
1 parent b45a70f commit c33424e
Showing 12 changed files with 239 additions and 83 deletions.
1 change: 0 additions & 1 deletion .github/workflows/e2e-conformance.yaml
@@ -53,7 +53,6 @@ jobs:
- name: Run e2e conformance test
env:
RUN_CONFORMANCE_TESTS: true
K8S_VERSION: 1.27
IP_FAMILY: ${{ matrix.ip-family }}
INSTANCE_TYPE: ${{ matrix.instance-type }}
AWS_EKS_NODEAGENT_IMAGE: ${{ needs.build-image.outputs.AWS_EKS_NODEAGENT_IMAGE }}
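Review bot: dropping `K8S_VERSION: 1.27` from the job env leaves the cluster version to whatever the test script defaults to, so the run is no longer reproducible from the workflow alone and a change in that default (or in what "latest available" resolves to on a given day) will silently change what this job tests. Have the script log the resolved Kubernetes version at the start of the run, and keep an explicit workflow input for pinning a version when bisecting a failure.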
1 change: 0 additions & 1 deletion .github/workflows/performance-tests.yaml
@@ -52,7 +52,6 @@ jobs:
- name: Run performance tests
env:
RUN_PERFORMANCE_TESTS: true
K8S_VERSION: 1.27
NODES_CAPACITY: 3
INSTANCE_TYPE: c5.xlarge
IP_FAMILY: ${{ matrix.ip-family }}
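Review bot: with `K8S_VERSION` removed, the numbers this performance job produces are no longer tied to a stated Kubernetes version, so run-over-run comparisons become ambiguous once the default moves; have the script record the resolved version next to `NODES_CAPACITY` and `INSTANCE_TYPE` in the results it publishes, and keep a way to pin the version for a controlled comparison.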
115 changes: 80 additions & 35 deletions controllers/policyendpoints_controller.go
@@ -153,24 +153,45 @@ func (r *PolicyEndpointsReconciler) cleanUpPolicyEndpoint(ctx context.Context, r

start := time.Now()

// No need to fill this since we will cleanup all pods
podIdentifiers := make(map[string]bool)
// Get all podIdentifiers since we need to decide if pinpath has to be deleted on local node
parentNP := utils.GetParentNPNameFromPEName(req.NamespacedName.Name)
resourceName := req.NamespacedName.Name
resourceNamespace := req.NamespacedName.Namespace
targetPods, podIdentifiers, podsToBeCleanedUp := r.deriveTargetPodsForParentNP(ctx, parentNP, resourceNamespace, resourceName)

r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)

r.log.Info("cleanUpPolicyEndpoint: ", "Pods to cleanup - ", len(podsToBeCleanedUp), "and Pods to be updated - ", len(targetPods))

// targetPods are pods which would need map update
if len(targetPods) > 0 {
r.log.Info("Updating active pods...")
err := r.updatePolicyEnforcementStatusForPods(ctx, req.NamespacedName.Name, targetPods, podIdentifiers, false)
if err != nil {
r.log.Info("failed to update bpf probes for ", "policy endpoint ", req.NamespacedName.Name)
return err
}
duration := msSince(start)
policyTearDownLatency.WithLabelValues(req.NamespacedName.Name, req.NamespacedName.Namespace).Observe(duration)
}

if targetPods, ok := r.policyEndpointSelectorMap.Load(policyEndpointIdentifier); ok {
err := r.updatePolicyEnforcementStatusForPods(ctx, req.NamespacedName.Name, targetPods.([]types.NamespacedName), podIdentifiers)
// podsToBeCleanedUp - pods which are no longer selected by this policy
if len(podsToBeCleanedUp) > 0 {
r.log.Info("Cleaning up current policy against below pods..")
err := r.updatePolicyEnforcementStatusForPods(ctx, req.NamespacedName.Name, podsToBeCleanedUp, podIdentifiers, true)
if err != nil {
r.log.Info("failed to clean up bpf probes for ", "policy endpoint ", req.NamespacedName.Name)
return err
}
r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)
duration := msSince(start)
policyTearDownLatency.WithLabelValues(req.NamespacedName.Name, req.NamespacedName.Namespace).Observe(duration)
}

return nil
}

func (r *PolicyEndpointsReconciler) updatePolicyEnforcementStatusForPods(ctx context.Context, policyEndpointName string,
targetPods []types.NamespacedName, podIdentifiers map[string]bool) error {
targetPods []types.NamespacedName, podIdentifiers map[string]bool, isDeleteFlow bool) error {
var err error
// 1. If the pods are already deleted, we move on.
// 2. If the pods have another policy or policies active against them, we update the maps to purge the entries
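Review bot: `r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)` runs before either `updatePolicyEnforcementStatusForPods` call, so if the first call (for `targetPods`) returns an error the function returns without touching `podsToBeCleanedUp`, and on requeue `deriveTargetPodsForParentNP` loads `currentPods` from that same map, finds nothing, and yields an empty cleanup list; the pods that lost this policy keep its rules. Move the `Delete` after both loops have succeeded (the function already deletes the entry itself when the parent NP has no PEs left), and observe `policyTearDownLatency` once at the end rather than in each branch. Minor: the `r.log.Info("cleanUpPolicyEndpoint: ", "Pods to cleanup - ", len(podsToBeCleanedUp), "and Pods to be updated - ", len(targetPods))` call uses prose as logr keys; use `"podsToCleanup", len(podsToBeCleanedUp), "podsToUpdate", len(targetPods)`.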
@@ -190,7 +211,7 @@ func (r *PolicyEndpointsReconciler) updatePolicyEnforcementStatusForPods(ctx con
deletePinPath = !found
}

cleanupErr := r.cleanupeBPFProbes(ctx, targetPod, policyEndpointName, deletePinPath)
cleanupErr := r.cleanupeBPFProbes(ctx, targetPod, policyEndpointName, deletePinPath, isDeleteFlow)
if cleanupErr != nil {
r.log.Info("Cleanup/Update unsuccessful for Pod ", "Name: ", targetPod.Name, "Namespace: ", targetPod.Namespace)
err = errors.Join(err, cleanupErr)
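Review bot: the new `isDeleteFlow` parameter is undocumented, and the numbered comment above (`// 1. If the pods are already deleted, we move on.`) does not mention it; its only visible effect is being forwarded to `cleanupeBPFProbes` and from there into `deriveIngressAndEgressFirewallRules`, while `reconcilePolicyEndpoint` passes `false` and `cleanUpPolicyEndpoint` passes both `false` and `true`. Add a line to that comment block (or a doc comment on the signature) stating what the flag changes so the next caller does not have to guess.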
@@ -208,11 +229,14 @@ func (r *PolicyEndpointsReconciler) reconcilePolicyEndpoint(ctx context.Context,

// Identify pods local to the node. PolicyEndpoint resource will include `HostIP` field and
// network policy agent relies on it to filter local pods
targetPods, podIdentifiers, podsToBeCleanedUp := r.deriveTargetPodsForParentNP(ctx, policyEndpoint)
parentNP := policyEndpoint.Spec.PolicyRef.Name
resourceNamespace := policyEndpoint.Namespace
resourceName := policyEndpoint.Name
targetPods, podIdentifiers, podsToBeCleanedUp := r.deriveTargetPodsForParentNP(ctx, parentNP, resourceNamespace, resourceName)

// Check if we need to remove this policy against any existing pods against which this policy
// is currently active. podIdentifiers will have the pod identifiers of the targetPods from the derived PEs
err := r.updatePolicyEnforcementStatusForPods(ctx, policyEndpoint.Name, podsToBeCleanedUp, podIdentifiers)
err := r.updatePolicyEnforcementStatusForPods(ctx, policyEndpoint.Name, podsToBeCleanedUp, podIdentifiers, false)
if err != nil {
r.log.Error(err, "failed to update policy enforcement status for existing pods")
return err
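Review bot: this call now passes `isDeleteFlow=false` for `podsToBeCleanedUp`, the pods this policy no longer selects, whereas before the change `cleanupeBPFProbes` always called `deriveIngressAndEgressFirewallRules` with `true` on this path. If the flag decides whether the rules of `policyEndpoint.Name` are excluded when a pod's firewall rules are re-derived, a pod dropped from the selector in the update path would keep this PE's rules until a later reconcile; please state the intended semantics in the comment above this call (`// Check if we need to remove this policy against any existing pods ...`) or name the flag after what it actually does.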
@@ -284,7 +308,7 @@ func (r *PolicyEndpointsReconciler) configureeBPFProbes(ctx context.Context, pod
}

func (r *PolicyEndpointsReconciler) cleanupeBPFProbes(ctx context.Context, targetPod types.NamespacedName,
policyEndpoint string, deletePinPath bool) error {
policyEndpoint string, deletePinPath, isDeleteFlow bool) error {

var err error
var ingressRules, egressRules []ebpf.EbpfFirewallRules
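Review bot: `policyEndpoint string, deletePinPath, isDeleteFlow bool` puts two positional booleans side by side, and the call site `r.cleanupeBPFProbes(ctx, targetPod, policyEndpointName, deletePinPath, isDeleteFlow)` gives the compiler no way to catch a transposition; a small options struct, or at least a doc comment on each parameter, would make the four combinations reviewable.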
@@ -299,7 +323,7 @@ func (r *PolicyEndpointsReconciler) cleanupeBPFProbes(ctx context.Context, targe
// is the only PolicyEndpoint resource that applies to this pod. If not, just update the Ingress/Egress Map contents
if _, ok := r.podIdentifierToPolicyEndpointMap.Load(podIdentifier); ok {
ingressRules, egressRules, isIngressIsolated, isEgressIsolated, err = r.deriveIngressAndEgressFirewallRules(ctx, podIdentifier, targetPod.Namespace,
policyEndpoint, true)
policyEndpoint, isDeleteFlow)
if err != nil {
r.log.Error(err, "Error Parsing policy Endpoint resource", "name ", policyEndpoint)
return err
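Review bot: the only behaviour change here is `true` becoming `isDeleteFlow` in the `deriveIngressAndEgressFirewallRules` call, but the comment above it (`// is the only PolicyEndpoint resource that applies to this pod. If not, just update the Ingress/Egress Map contents`) still describes the previous unconditional behaviour; update it to say what the flag changes in the derivation, and add a unit test that a pod covered by two PEs keeps the other PE's rules on both the `true` and `false` paths.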
@@ -442,50 +466,80 @@ func (r *PolicyEndpointsReconciler) updateeBPFMaps(ctx context.Context, podIdent
}

func (r *PolicyEndpointsReconciler) deriveTargetPodsForParentNP(ctx context.Context,
policyEndpoint *policyk8sawsv1.PolicyEndpoint) ([]types.NamespacedName, map[string]bool, []types.NamespacedName) {
var targetPods, podsToBeCleanedUp []types.NamespacedName
parentNP, resourceNamespace, resourceName string) ([]types.NamespacedName, map[string]bool, []types.NamespacedName) {
var targetPods, podsToBeCleanedUp, currentPods []types.NamespacedName
podIdentifiers := make(map[string]bool)
currentPE := &policyk8sawsv1.PolicyEndpoint{}

r.log.Info("Parent NP resource:", "Name: ", policyEndpoint.Spec.PolicyRef.Name)
parentPEList := r.derivePolicyEndpointsOfParentNP(ctx, policyEndpoint.Spec.PolicyRef.Name, policyEndpoint.Namespace)
r.log.Info("Parent NP resource:", "Name: ", parentNP)
parentPEList := r.derivePolicyEndpointsOfParentNP(ctx, parentNP, resourceNamespace)
r.log.Info("Total PEs for Parent NP:", "Count: ", len(parentPEList))

policyEndpointIdentifier := utils.GetPolicyEndpointIdentifier(resourceName,
resourceNamespace)
// Gather the current set of pods (local to the node) that are configured with this policy rules.
existingPods, podsPresent := r.policyEndpointSelectorMap.Load(policyEndpointIdentifier)
if podsPresent {
existingPodsSlice := existingPods.([]types.NamespacedName)
for _, pods := range existingPodsSlice {
currentPods = append(currentPods, pods)
r.log.Info("Current pods for this slice : ", "Pod name", pods.Name, "Pod namespace", pods.Namespace)
}
}

if len(parentPEList) == 0 {
podsToBeCleanedUp = append(podsToBeCleanedUp, currentPods...)
r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)
r.log.Info("No PEs left: ", "number of pods to cleanup - ", len(podsToBeCleanedUp))
}

for _, policyEndpointResource := range parentPEList {
r.log.Info("Derive PE Object ", "Name ", policyEndpointResource)
peNamespacedName := types.NamespacedName{
Name: policyEndpointResource,
Namespace: policyEndpoint.Namespace,
Namespace: resourceNamespace,
}
if err := r.k8sClient.Get(ctx, peNamespacedName, currentPE); err != nil {
if apierrors.IsNotFound(err) {
continue
}
}
r.log.Info("Processing PE ", "Name ", policyEndpointResource)
currentTargetPods, currentPodIdentifiers, currentPodsToBeCleanedUp := r.deriveTargetPods(ctx, currentPE, parentPEList)
currentTargetPods, currentPodIdentifiers := r.deriveTargetPods(ctx, currentPE, parentPEList)
r.log.Info("Adding to current targetPods", "Total pods: ", len(currentTargetPods))
targetPods = append(targetPods, currentTargetPods...)
podsToBeCleanedUp = append(podsToBeCleanedUp, currentPodsToBeCleanedUp...)
for podIdentifier, _ := range currentPodIdentifiers {
podIdentifiers[podIdentifier] = true
}
}

for _, policyEndpointResource := range parentPEList {
policyEndpointIdentifier := utils.GetPolicyEndpointIdentifier(policyEndpointResource,
resourceNamespace)
if len(targetPods) > 0 {
r.log.Info("Update target pods for PE Object ", "Name ", policyEndpointResource, " with Total pods: ", len(targetPods))
r.policyEndpointSelectorMap.Store(policyEndpointIdentifier, targetPods)
} else {
r.log.Info("No more target pods so deleting the entry in PE selector map for ", "Name ", policyEndpointResource)
r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)
}

}

if len(currentPods) > 0 {
podsToBeCleanedUp = r.getPodListToBeCleanedUp(currentPods, targetPods)
}
return targetPods, podIdentifiers, podsToBeCleanedUp
}

// Derives list of local pods the policy endpoint resource selects.
// Function returns list of target pods along with their unique identifiers. It also
// captures list of (any) existing pods against which this policy is no longer active.
func (r *PolicyEndpointsReconciler) deriveTargetPods(ctx context.Context,
policyEndpoint *policyk8sawsv1.PolicyEndpoint, parentPEList []string) ([]types.NamespacedName, map[string]bool,
[]types.NamespacedName) {
var targetPods, podsToBeCleanedUp []types.NamespacedName
policyEndpoint *policyk8sawsv1.PolicyEndpoint, parentPEList []string) ([]types.NamespacedName, map[string]bool) {
var targetPods []types.NamespacedName
podIdentifiers := make(map[string]bool)

policyEndpointIdentifier := utils.GetPolicyEndpointIdentifier(policyEndpoint.Name,
policyEndpoint.Namespace)
// Gather the current set of pods (local to the node) that are configured with this policy rules.
currentPods, podsPresent := r.policyEndpointSelectorMap.Load(policyEndpointIdentifier)
// Pods are grouped by Host IP. Individual node agents will filter (local) pods
// by the Host IP value.
nodeIP := net.ParseIP(r.nodeIP)
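Review bot: in the `r.k8sClient.Get(ctx, peNamespacedName, currentPE)` loop only `apierrors.IsNotFound(err)` leads to `continue`; any other error is swallowed and the iteration falls through to `r.deriveTargetPods(ctx, currentPE, parentPEList)` with `currentPE`, which is allocated once before the loop, still holding the previous iteration's object (or the zero value on the first pass). A transient API error therefore derives target pods from the wrong PE, and the second loop then stores that list under every PE of the parent NP. Return the error (or log it and skip the PE) and allocate `currentPE` per iteration. Smaller points: the `if len(parentPEList) == 0` block appends `currentPods` to `podsToBeCleanedUp`, but the `if len(currentPods) > 0` block at the end reassigns `podsToBeCleanedUp` from `getPodListToBeCleanedUp` anyway, so the first append is redundant; `for podIdentifier, _ := range currentPodIdentifiers` should be `for podIdentifier := range currentPodIdentifiers`; the doc comment on `deriveTargetPods` (`It also captures list of (any) existing pods against which this policy is no longer active.`) describes the removed third return value and should be dropped. Finally, since this function now writes `policyEndpointSelectorMap` entries for sibling PEs of the same parent NP, confirm the controller runs with a single concurrent reconcile, otherwise two PE reconciles can interleave `Load`/`Store` on the same keys.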
@@ -500,16 +554,7 @@ func (r *PolicyEndpointsReconciler) deriveTargetPods(ctx context.Context,
}
}

if podsPresent && len(currentPods.([]types.NamespacedName)) > 0 {
podsToBeCleanedUp = r.getPodListToBeCleanedUp(currentPods.([]types.NamespacedName), targetPods)
}

if len(targetPods) > 0 {
r.policyEndpointSelectorMap.Store(policyEndpointIdentifier, targetPods)
} else {
r.policyEndpointSelectorMap.Delete(policyEndpointIdentifier)
}
return targetPods, podIdentifiers, podsToBeCleanedUp
return targetPods, podIdentifiers
}

func (r *PolicyEndpointsReconciler) getPodListToBeCleanedUp(oldPodSet []types.NamespacedName,
9 changes: 1 addition & 8 deletions controllers/policyendpoints_controller_test.go
@@ -496,12 +496,6 @@ func TestDeriveTargetPods(t *testing.T) {
Namespace: "bar",
},
},
podsToBeCleanedUp: []types.NamespacedName{
{
Name: "foo1",
Namespace: "bar",
},
},
},
},
{
@@ -540,10 +534,9 @@ func TestDeriveTargetPods(t *testing.T) {
}

t.Run(tt.name, func(t *testing.T) {
gotActivePods, _, gotPodsToBeCleanedUp := policyEndpointReconciler.deriveTargetPods(context.Background(),
gotActivePods, _ := policyEndpointReconciler.deriveTargetPods(context.Background(),
&tt.policyendpoint, tt.parentPEList)
assert.Equal(t, tt.want.activePods, gotActivePods)
assert.Equal(t, tt.want.podsToBeCleanedUp, gotPodsToBeCleanedUp)
})
}
}
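Review bot: removing the `podsToBeCleanedUp` assertion deletes the only test of the cleanup derivation, and the logic that replaced it (`getPodListToBeCleanedUp` over `policyEndpointSelectorMap` inside `deriveTargetPodsForParentNP`) gains no test in this commit, even though the merge message lists three fixes in exactly that area (#106, #159, #185). Add a `TestDeriveTargetPodsForParentNP` case that seeds `policyEndpointSelectorMap` with a pod the new PE list no longer selects and asserts that it comes back in the cleanup list.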
17 changes: 8 additions & 9 deletions go.mod
@@ -3,9 +3,9 @@ module github.com/aws/aws-network-policy-agent
go 1.21

require (
github.com/aws/amazon-vpc-cni-k8s v1.16.0
github.com/aws/amazon-vpc-cni-k8s v1.16.2
github.com/aws/aws-ebpf-sdk-go v1.0.6
github.com/aws/aws-sdk-go v1.49.13
github.com/aws/aws-sdk-go v1.50.9
github.com/go-logr/logr v1.4.1
github.com/go-logr/zapr v1.2.4
github.com/golang/mock v1.6.0
@@ -18,11 +18,11 @@ require (
github.com/stretchr/testify v1.8.4
github.com/vishvananda/netlink v1.2.1-beta.2
go.uber.org/zap v1.26.0
golang.org/x/sys v0.15.0
golang.org/x/sys v0.16.0
gopkg.in/natefinch/lumberjack.v2 v2.2.1
k8s.io/api v0.29.0
k8s.io/apimachinery v0.29.0
k8s.io/client-go v0.29.0
k8s.io/api v0.29.1
k8s.io/apimachinery v0.29.1
k8s.io/client-go v0.29.1
sigs.k8s.io/controller-runtime v0.16.3
)
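Review bot: `k8s.io/api` moves to v0.29.1 alongside `k8s.io/apimachinery` and `k8s.io/client-go`, which is required for the three to agree, but that bump has no entry in the merge message (only #197 and #194 are listed); add a line so the changelog matches go.mod. The remaining changed files, including go.sum, are not rendered on this page, so the checksum side of these bumps cannot be checked here.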

@@ -59,13 +59,12 @@ require (
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/oauth2 v0.12.0 // indirect
golang.org/x/oauth2 v0.13.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.16.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect