Sync Main with Release 1.0

.github/workflows/e2e-conformance.yaml

@@ -36,6 +36,7 @@ jobs:
       fail-fast: false
       matrix:
         ip-family: [ IPv4, IPv6 ]
+        instance-type: ["t3.large", "t4g.large"]
         # kubernetes-versions: ["1.25", "1.26", "1.27"]
     if: github.repository == 'aws/aws-network-policy-agent'
     runs-on: ubuntu-latest
@@ -54,6 +55,8 @@ jobs:
           RUN_CONFORMANCE_TESTS: true
           K8S_VERSION: 1.27
           IP_FAMILY: ${{ matrix.ip-family }}
+          INSTANCE_TYPE: ${{ matrix.instance-type }}
           AWS_EKS_NODEAGENT_IMAGE: ${{ needs.build-image.outputs.AWS_EKS_NODEAGENT_IMAGE }}
+          TEST_IMAGE_REGISTRY: ${{ secrets.TEST_IMAGE_REGISTRY }}
         run: |
-          ./scripts/run-tests.sh
+          ./scripts/run-tests.sh

.github/workflows/pr-tests.yaml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - "main"
+      - "release*"
 
 permissions:
   contents: read

.gitignore

@@ -5,4 +5,6 @@ coverage.txt
 aws-eks-na-cli
 aws-eks-na-cli-v6
 controller
+bin/
+config/
 vendor/

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM public.ecr.aws/eks-distro-build-tooling/golang:1.20.4-5-gcc-al2 as builder
+FROM public.ecr.aws/eks-distro-build-tooling/golang:1.21.3-4-gcc-al2 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Dockerfile.test

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/eks-distro-build-tooling/golang:1.20.4-5-gcc-al2
+FROM public.ecr.aws/eks-distro-build-tooling/golang:1.21.3-4-gcc-al2
 WORKDIR /go/src/github.com/aws/aws-network-policy-agent
 
 # Force the go compiler to use modules.

Makefile

@@ -202,9 +202,8 @@ docker-buildx: setup-ebpf-sdk-override ## Build and push docker image for the ma
 .PHONY: multi-arch-build-and-push
 multi-arch-build-and-push: setup-ebpf-sdk-override ## Build and push docker image for the manager for cross-platform support
 
-	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	docker buildx build $(DOCKER_BUILD_FLAGS_NP_AGENT) \
-		-f Dockerfile.cross \
+		-f Dockerfile \
 		--platform "$(PLATFORMS)"\
 		--cache-from=type=gha \
 		--cache-to=type=gha,mode=max \

controllers/policyendpoints_controller.go

@@ -197,7 +197,7 @@ func (r *PolicyEndpointsReconciler) reconcilePolicyEndpoint(ctx context.Context,
 
 	// Identify pods local to the node. PolicyEndpoint resource will include `HostIP` field and
 	// network policy agent relies on it to filter local pods
-	targetPods, podIdentifiers, podsToBeCleanedUp := r.deriveTargetPods(ctx, policyEndpoint)
+	targetPods, podIdentifiers, podsToBeCleanedUp := r.deriveTargetPodsForParentNP(ctx, policyEndpoint)
 
 	// Check if we need to remove this policy against any existing pods against which this policy
 	// is currently active
@@ -418,11 +418,44 @@ func (r *PolicyEndpointsReconciler) updateeBPFMaps(ctx context.Context, podIdent
 	return nil
 }
 
+func (r *PolicyEndpointsReconciler) deriveTargetPodsForParentNP(ctx context.Context,
+	policyEndpoint *policyk8sawsv1.PolicyEndpoint) ([]types.NamespacedName, map[string]bool, []types.NamespacedName) {
+	var targetPods, podsToBeCleanedUp []types.NamespacedName
+	podIdentifiers := make(map[string]bool)
+	currentPE := &policyk8sawsv1.PolicyEndpoint{}
+
+	r.log.Info("Parent NP resource:", "Name: ", policyEndpoint.Spec.PolicyRef.Name)
+	parentPEList := r.derivePolicyEndpointsOfParentNP(ctx, policyEndpoint.Spec.PolicyRef.Name, policyEndpoint.Namespace)
+	r.log.Info("Total PEs for Parent NP:", "Count: ", len(parentPEList))
+
+	for _, policyEndpointResource := range parentPEList {
+		r.log.Info("Derive PE Object ", "Name ", policyEndpointResource)
+		peNamespacedName := types.NamespacedName{
+			Name:      policyEndpointResource,
+			Namespace: policyEndpoint.Namespace,
+		}
+		if err := r.k8sClient.Get(ctx, peNamespacedName, currentPE); err != nil {
+			if apierrors.IsNotFound(err) {
+				continue
+			}
+		}
+		r.log.Info("Processing PE ", "Name ", policyEndpointResource)
+		currentTargetPods, currentPodIdentifiers, currentPodsToBeCleanedUp := r.deriveTargetPods(ctx, currentPE, parentPEList)
+		targetPods = append(targetPods, currentTargetPods...)
+		podsToBeCleanedUp = append(podsToBeCleanedUp, currentPodsToBeCleanedUp...)
+		for podIdentifier, _ := range currentPodIdentifiers {
+			podIdentifiers[podIdentifier] = true
+		}
+	}
+	return targetPods, podIdentifiers, podsToBeCleanedUp
+}
+
 // Derives list of local pods the policy endpoint resource selects.
 // Function returns list of target pods along with their unique identifiers. It also
 // captures list of (any) existing pods against which this policy is no longer active.
 func (r *PolicyEndpointsReconciler) deriveTargetPods(ctx context.Context,
-	policyEndpoint *policyk8sawsv1.PolicyEndpoint) ([]types.NamespacedName, map[string]bool, []types.NamespacedName) {
+	policyEndpoint *policyk8sawsv1.PolicyEndpoint, parentPEList []string) ([]types.NamespacedName, map[string]bool,
+	[]types.NamespacedName) {
 	var targetPods, podsToBeCleanedUp []types.NamespacedName
 	podIdentifiers := make(map[string]bool)
 
@@ -440,9 +473,10 @@ func (r *PolicyEndpointsReconciler) deriveTargetPods(ctx context.Context,
 			podIdentifier := utils.GetPodIdentifier(pod.Name, pod.Namespace)
 			podIdentifiers[podIdentifier] = true
 			r.log.Info("Derived ", "Pod identifier: ", podIdentifier)
-			r.updatePodIdentifierToPEMap(ctx, podIdentifier, policyEndpoint.ObjectMeta.Name)
+			r.updatePodIdentifierToPEMap(ctx, podIdentifier, parentPEList)
 		}
 	}
+
 	if podsPresent && len(currentPods.([]types.NamespacedName)) > 0 {
 		podsToBeCleanedUp = r.getPodListToBeCleanedUp(currentPods.([]types.NamespacedName), targetPods)
 	}
@@ -475,21 +509,32 @@ func (r *PolicyEndpointsReconciler) getPodListToBeCleanedUp(oldPodSet []types.Na
 }
 
 func (r *PolicyEndpointsReconciler) updatePodIdentifierToPEMap(ctx context.Context, podIdentifier string,
-	policyEndpointName string) {
+	parentPEList []string) {
 	r.podIdentifierToPolicyEndpointMapMutex.Lock()
 	defer r.podIdentifierToPolicyEndpointMapMutex.Unlock()
-
 	var policyEndpoints []string
+
+	r.log.Info("Total PEs for Parent NP:", "Count: ", len(parentPEList))
 	if currentPESet, ok := r.podIdentifierToPolicyEndpointMap.Load(podIdentifier); ok {
 		policyEndpoints = currentPESet.([]string)
-		for _, pe := range currentPESet.([]string) {
-			if pe == policyEndpointName {
-				//Nothing to do if this PE is already tracked against this podIdentifier
-				return
+		for _, policyEndpointResourceName := range parentPEList {
+			r.log.Info("PE for parent NP", "name", policyEndpointResourceName)
+			addPEResource := true
+			for _, pe := range currentPESet.([]string) {
+				if pe == policyEndpointResourceName {
+					//Nothing to do if this PE is already tracked against this podIdentifier
+					addPEResource = false
+					break
+				}
+			}
+			if addPEResource {
+				r.log.Info("Adding PE", "name", policyEndpointResourceName, "for podIdentifier", podIdentifier)
+				policyEndpoints = append(policyEndpoints, policyEndpointResourceName)
 			}
 		}
+	} else {
+		policyEndpoints = append(policyEndpoints, parentPEList...)
 	}
-	policyEndpoints = append(policyEndpoints, policyEndpointName)
 	r.podIdentifierToPolicyEndpointMap.Store(podIdentifier, policyEndpoints)
 	return
 }
@@ -547,3 +592,23 @@ func (r *PolicyEndpointsReconciler) getLocalConntrackCacheCleanupPeriod() time.D
 	}
 	return defaultLocalConntrackCacheCleanupPeriodInSeconds
 }
+
+func (r *PolicyEndpointsReconciler) derivePolicyEndpointsOfParentNP(ctx context.Context, parentNP, resourceNamespace string) []string {
+	var parentPolicyEndpointList []string
+
+	policyEndpointList := &policyk8sawsv1.PolicyEndpointList{}
+	if err := r.k8sClient.List(ctx, policyEndpointList, &client.ListOptions{
+		Namespace: resourceNamespace,
+	}); err != nil {
+		r.log.Info("Unable to list PolicyEndpoints", "err", err)
+		return nil
+	}
+
+	for _, policyEndpoint := range policyEndpointList.Items {
+		if policyEndpoint.Spec.PolicyRef.Name == parentNP {
+			parentPolicyEndpointList = append(parentPolicyEndpointList, policyEndpoint.Name)
+			r.log.Info("Found another PE resource for the parent NP", "name", policyEndpoint.Name)
+		}
+	}
+	return parentPolicyEndpointList
+}

controllers/policyendpoints_controller_test.go

@@ -461,13 +461,15 @@ func TestDeriveTargetPods(t *testing.T) {
 	tests := []struct {
 		name           string
 		policyendpoint policyendpoint.PolicyEndpoint
+		parentPEList   []string
 		currentPods    []types.NamespacedName //Current set of active pods against this policy
 		nodeIP         string                 //Default: 1.1.1.1
 		want           want
 	}{
 		{
 			name:           "Matching Local pods",
 			policyendpoint: samplePolicyEndpoint,
+			parentPEList:   []string{samplePolicyEndpoint.Name},
 			want: want{
 				activePods: []types.NamespacedName{
 					{
@@ -485,6 +487,7 @@ func TestDeriveTargetPods(t *testing.T) {
 		{
 			name:           "Derive Old pods to be cleaned up",
 			policyendpoint: policyEndpointUpdate,
+			parentPEList:   []string{policyEndpointUpdate.Name},
 			currentPods:    samplePods,
 			want: want{
 				activePods: []types.NamespacedName{
@@ -504,6 +507,7 @@ func TestDeriveTargetPods(t *testing.T) {
 		{
 			name:           "Matching Local pods on IPv6 node",
 			policyendpoint: ipv6NodePolicyEndpoint,
+			parentPEList:   []string{ipv6NodePolicyEndpoint.Name},
 			nodeIP:         "2001:db8:0:0:0:0:0:1",
 			want: want{
 				activePods: []types.NamespacedName{
@@ -537,7 +541,7 @@ func TestDeriveTargetPods(t *testing.T) {
 
 		t.Run(tt.name, func(t *testing.T) {
 			gotActivePods, _, gotPodsToBeCleanedUp := policyEndpointReconciler.deriveTargetPods(context.Background(),
-				&tt.policyendpoint)
+				&tt.policyendpoint, tt.parentPEList)
 			assert.Equal(t, tt.want.activePods, gotActivePods)
 			assert.Equal(t, tt.want.podsToBeCleanedUp, gotPodsToBeCleanedUp)
 		})

go.mod

@@ -1,29 +1,29 @@
 module github.com/aws/aws-network-policy-agent
 
-go 1.20
+go 1.21
 
 require (
-	github.com/aws/amazon-vpc-cni-k8s v1.15.0
-	github.com/aws/aws-ebpf-sdk-go v1.0.2
-	github.com/aws/aws-sdk-go v1.44.318
+	github.com/aws/amazon-vpc-cni-k8s v1.15.1
+	github.com/aws/aws-ebpf-sdk-go v1.0.3
+	github.com/aws/aws-sdk-go v1.45.19
 	github.com/go-logr/logr v1.2.4
 	github.com/go-logr/zapr v1.2.4
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	go.uber.org/zap v1.26.0
-	golang.org/x/sys v0.12.0
+	golang.org/x/sys v0.13.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	k8s.io/api v0.27.3
-	k8s.io/apimachinery v0.27.3
-	k8s.io/client-go v0.27.3
-	sigs.k8s.io/controller-runtime v0.15.1
+	k8s.io/api v0.28.2
+	k8s.io/apimachinery v0.28.2
+	k8s.io/client-go v0.28.2
+	sigs.k8s.io/controller-runtime v0.16.2
 )
 
 require (
@@ -34,15 +34,15 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -53,26 +53,27 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.27.3 // indirect
-	k8s.io/component-base v0.27.3 // indirect
+	k8s.io/apiextensions-apiserver v0.28.0 // indirect
+	k8s.io/component-base v0.28.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect