Skip to content

Comments

OCPBUGS-45980: Downstream merge 2025-10-29#76

Merged
openshift-merge-bot[bot] merged 100 commits intoopenshift:mainfrom
zeeke:ds/sync-20251029
Nov 4, 2025
Merged

OCPBUGS-45980: Downstream merge 2025-10-29#76
openshift-merge-bot[bot] merged 100 commits intoopenshift:mainfrom
zeeke:ds/sync-20251029

Conversation

@zeeke
Copy link
Contributor

@zeeke zeeke commented Oct 29, 2025
edited
Loading

s1061123 and others added 30 commits February 10, 2021 02:22
@s1061123
Add pod-iptables option to store pod iptables
c0000b1 
This change introduces pod-iptables option to store iptables-rules
in pod's network namespace. This helps administrator/engineer to
troubleshooting.
@s1061123
Merge pull request openshift#7 from k8snetworkplumbingwg/dev/store-ip…
138d0e7 
…tables

Add pod-iptables option to store pod iptables
@s1061123
Fix owners file
5abf7b6
@s1061123
Update CI pipeline
a36e946
@s1061123
Add label to Dockerfile
61d59b7
@s1061123
Update github action to simplify
dda5ef4
@s1061123
Use GITHUB_TOKEN for push packages
c0f1543
@s1061123
Update slack URL in README
d470625
@s1061123
fix workflows
29ba692
@s1061123
Fix some timing issue and change memory limit
3c8e688
@dougbtv
Merge pull request openshift#9 from s1061123/fix/update-mem-limit
d66db44 
Fix some timing issue and change memory limit
@s1061123
Add namespace check between pod and multi-networkpolicy
f8ed41f
@s1061123
Merge pull request openshift#10 from s1061123/fix/wrong-iptables
be5f2bc 
Add namespace check between pod and multi-networkpolicy
@zeeke
Use TCP as default for Port.Protocol
ed63ae4 
Add ginkgo test to the suite with only default values.
Add `renderProtocol` function with fallback logic.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@s1061123
Merge pull request openshift#12 from zeeke/default-protocol
8db3426 
Use TCP as default for Port.Protocol
@s1061123
Fix to work namespacveSelector policy, without labelSelector
cf25830
@dougbtv
Merge pull request openshift#15 from s1061123/fix/14
7aa72e3 
Fix to work namespacveSelector policy, without labelSelector
@zeeke
Support for NamespaceSelector (openshift#16)
005b50f 
* Add test case for namespace selector

The case is about having two namespaces with pods
and net-attach-def and a multi networkpolicy that
goes through namespace borders.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Add test case with net-attach-def in other ns

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
Improve logging in server.go (openshift#19)
6300c9b 
* Add object information to update events

This should make it clearer what k8s object the
daemon is working on.

Increase verbosity threshlod for invoke handlers logs.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Improve error logging

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@s1061123
Add IPv6 support in TODO list
58aefb2
@zeeke
Set specific version for revive tool (openshift#20)
6140783 
"go getting" github.com/mgechev/revive can lead to unreproducible
builds, as it download the latest "dev" version. Stick to the latest
(v1.2.1) version.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
Log filter rules (openshift#23)
ab3453f 
* Log filter rules

Logging iptables rules before applying them
can be useful to debug complex scenarios.
Setting verbosity level to 6 as they can be
quite cumbersome.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>

* Clean up logging code

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@s1061123
Refine policy generation routine to support multiple policies
ad351c3 
This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fix openshift#17 and openshift#18
@s1061123
Fix capabilities (openshift#25)
42ae37b 
fix openshift#24
@dougbtv
Merge pull request openshift#28 from s1061123/dev/refine-policy
27c26d7 
Refine policy generation routine to support multiple policies
@s1061123
Update github action to fit to latest golang
f52ca37
@s1061123
Remove docker from support runtime due to obsolated
da2505e
@dougbtv
Merge pull request openshift#30 from s1061123/update-action
d3fd437 
Update github action to fit to latest golang
@dougbtv
Merge pull request openshift#29 from s1061123/fix/remove-docker
6939262 
Remove docker from support runtime due to obsolated
@dependabot
Bump github.com/containernetworking/cni from 0.7.1 to 0.8.1 (openshif…
632bc6c 
…t#31)

Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.7.1 to 0.8.1.
- [Release notes](https://github.com/containernetworking/cni/releases)
- [Commits](containernetworking/cni@v0.7.1...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/containernetworking/cni
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
zeeke added 8 commits April 28, 2025 13:06
@zeeke
Merge pull request openshift#75 from zeeke/us/end-port
42bf16c 
Support `EndPort` field
@zeeke
e2e: test for port rnages
d1d84a6 
Add end2end test cases for
- k8snetworkplumbingwg/multi-networkpolicy-iptables#75

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
Refactor renderIngressFrom and renderEgressTo
845f77f 
and split them in multple smaller functions.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
Give precendence to IPBlock field over PodSelector
71d037d 
As per API description [1]:
> IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be."

if a policy rule has a from/to rule with an IPBlock field,
then the PodSelector and NamespaceSelector fields must be ignored.

[1] https://github.com/k8snetworkplumbingwg/multi-networkpolicy/blob/master/scheme.yml#L88

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
deps: bump golang.org/x/net
4df0e40 
    CVE-2024-45338

 ```
$ go get -u golang.org/x/net@v0.34.0
go: upgraded golang.org/x/net v0.20.0 => v0.41.0

$ go mod tidy
$ go mod vendor
```

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
@zeeke
Merge pull request openshift#74 from zeeke/us/CVE-2024-45338
c0f06e2 
deps: bump `golang.org/x/net`
@zeeke
Merge pull request openshift#76 from zeeke/us/end-port-e2e
81e667d 
e2e: test for port ranges
@zeeke
Merge pull request openshift#77 from zeeke/us/OCPBUGS-45980
2849ee0 
Give precendence to IPBlock field over PodSelector
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Oct 29, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 29, 2025

@zeeke: This pull request references Jira Issue OCPBUGS-45980, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from bpickard22 and pliurh October 29, 2025 17:05
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 29, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 30, 2025

@zeeke: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn 7224f53 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@zeeke
Copy link
Contributor Author

zeeke commented Oct 31, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Oct 31, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 31, 2025

@zeeke: This pull request references Jira Issue OCPBUGS-45980, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ajaggapa

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from ajaggapa October 31, 2025 16:21
@cgoncalves
Copy link

cgoncalves commented Nov 4, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 4, 2025
@openshift-ci
Copy link

openshift-ci bot commented Nov 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgoncalves, zeeke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 85bd7c6 into openshift:main Nov 4, 2025
6 of 7 checks passed
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 4, 2025

@zeeke: Jira Issue OCPBUGS-45980: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-45980 has been moved to the MODIFIED state.

Details

In response to this:

pulling downstream:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot
Copy link

openshift-merge-robot commented Nov 6, 2025

Fix included in accepted release 4.21.0-0.nightly-2025-11-05-234508

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bpickard22 bpickard22 Awaiting requested review from bpickard22

@pliurh pliurh Awaiting requested review from pliurh

@ajaggapa ajaggapa Awaiting requested review from ajaggapa

Assignees

@cgoncalves cgoncalves

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@zeeke @openshift-ci-robot @cgoncalves @openshift-merge-robot @s1061123 @dougbtv @p- @oilbeater @nkinkade