From 0546aacfae268a63c8ae0777ca3db2fe18fb0630 Mon Sep 17 00:00:00 2001 From: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> Date: Wed, 4 Oct 2023 16:20:46 -0700 Subject: [PATCH] Merge main to release-1.0 (#88) * Move to mainline sdk changes (#25) * Reuse eBPF SDK Client (#26) * Code refactoring - Sync to SDK's new API interface (#27) * Additional UTs for eBPF pkg (#29) * Additional UTs for eBPF pkg * UT for Global Map recovery flow * format changes * Events refactor (#30) * Remove replace and add comments * Minor refactor * Update AL2023 image * vmlinux generation * update readme (#31) * Third party attribution doc (#32) * Thirdparty attribution doc * Minor nits * minor nit * README Updates (#34) * Update README.md (#35) * Update go.mod and go.sum for master (#38) * Update go.mod and go.sum docker/make file changes * fix up vet * Run Conformance and Performance tests with github actions (#5) * Updated conformance and performance test parameters (#39) * Fix problem with policy not being applied to pods on IPv6 nodes (#40) * Update the session duration to 5 hrs for github actions (#53) * Update scripts to run cyclonus suite and install latest MAO * Handle 0 entries in cli (#60) * Update test pkg (#61) * Ignore policy restrictions against Node IP (#65) * feat: Add flag enable-policy-event-logs (#48) * feat: Add flag enable-policy-event-logs Policy event logging is now disabled by default * feat: Add enable-policy-event-logs flag to readme --------- Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Issue#45 Modified Default Metrics Bind Port (#46) * Issue#45 Modified Default Metrics Bind Port * Modified Health Probe Bind address to 8163 --------- Co-authored-by: Kareem Rady Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#43) Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](https://github.com/google/uuid/compare/v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/vishvananda/netlink (#42) Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.1-0.20210330154013-f5de75959ad5 to 1.2.1-beta.2. - [Release notes](https://github.com/vishvananda/netlink/releases) - [Commits](https://github.com/vishvananda/netlink/commits/v1.2.1-beta.2) --- updated-dependencies: - dependency-name: github.com/vishvananda/netlink dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add update image script and make targets (#59) * Fixes to cyclonus test script (#69) * Remove KUBECONFIG environment variable from cyclonus test script * With catchALL honor "except" (#58) * Honor except with catchALL * PR feedback * Remove unnecessary header files (#71) * Return exit status if test verification fails * V6 Optimizations (#80) * Bump github.com/aws/amazon-vpc-cni-k8s from 1.13.4 to 1.15.0 (#82) Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.13.4 to 1.15.0. - [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases) - [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md) - [Commits](https://github.com/aws/amazon-vpc-cni-k8s/compare/v1.13.4...v1.15.0) --- updated-dependencies: - dependency-name: github.com/aws/amazon-vpc-cni-k8s dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Honor V6 Elf file updates (#84) * Build latest image with conformance tests (#85) * Create a github action to build multi-arch docker image * Update credentials action to v3 * Log rotate support (#87) * Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#81) Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/zap/compare/v1.25.0...v1.26.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> Co-authored-by: Geoffrey Cline Co-authored-by: Jay Deokar <23660509+jaydeokar@users.noreply.github.com> Co-authored-by: K.Hoshi Co-authored-by: Jay Deokar Co-authored-by: Tobias Germer Co-authored-by: Kareem Rady <82394457+kareem-rady@users.noreply.github.com> Co-authored-by: Kareem Rady Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../actions/build-and-push-image/action.yaml | 47 ++++ .../actions/install-dependencies/action.yaml | 2 +- .github/workflows/e2e-conformance.yaml | 32 ++- .github/workflows/performance-tests.yaml | 32 ++- Makefile | 16 +- go.mod | 32 +-- go.sum | 75 +++--- main.go | 45 +--- pkg/clihelper/show.go | 2 +- pkg/ebpf/bpf_client.go | 46 ++-- pkg/ebpf/c/tc.v4egress.bpf.c | 6 +- pkg/ebpf/c/tc.v4ingress.bpf.c | 6 +- pkg/ebpf/c/tc.v6egress.bpf.c | 218 ++++++++---------- pkg/ebpf/c/tc.v6ingress.bpf.c | 167 +++++++------- pkg/ebpf/c/v6events.bpf.c | 9 +- pkg/ebpf/conntrack/conntrack_client.go | 8 + pkg/logger/logger.go | 114 +++++++++ pkg/utils/utils.go | 3 +- scripts/lib/cluster.sh | 4 +- scripts/lib/network-policy.sh | 32 ++- scripts/run-tests.sh | 7 +- scripts/update-node-agent-image.sh | 3 + 22 files changed, 548 insertions(+), 358 deletions(-) create mode 100644 .github/actions/build-and-push-image/action.yaml create mode 100644 pkg/logger/logger.go diff --git a/.github/actions/build-and-push-image/action.yaml b/.github/actions/build-and-push-image/action.yaml new file mode 100644 index 0000000..4178799 --- /dev/null +++ b/.github/actions/build-and-push-image/action.yaml @@ -0,0 +1,47 @@ +name: Build Image and Push +description: 'Builds Multi-arch Network Policy Agent image and pushes to ECR' +inputs: + aws-region: + description: AWS region + required: true +outputs: + image_uri: + description: "Network Policy Agent Image" + value: ${{ steps.build.outputs.image_uri }} +runs: + using: "composite" + steps: + - name: Set up Docker QEMU + uses: docker/setup-qemu-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Build and Push Image + id: build + shell: bash + env: + REGION: ${{ inputs.aws-region }} + AWS_ECR_REPO_NAME: amazon/aws-network-policy-agent + run: | + IMAGE_VERSION=$(git rev-parse HEAD) + AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + AWS_ECR_REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com" + + aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${AWS_ECR_REGISTRY} + if ! `aws ecr describe-repositories --registry-id $AWS_ACCOUNT_ID --repository-names $AWS_ECR_REPO_NAME >/dev/null 2>&1`; then + echo "creating ECR repo with name $AWS_ECR_REPO_NAME" + aws ecr create-repository --repository-name $AWS_ECR_REPO_NAME + fi + + if [[ $(aws ecr batch-get-image --repository-name=$AWS_ECR_REPO_NAME --image-ids imageTag=$IMAGE_VERSION \ + --query 'images[].imageId.imageTag' --region $REGION) != "[]" ]]; then + echo "Image $AWS_ECR_REPO_NAME:$IMAGE_VERSION already exists. Skipping image build." + else + echo "Building AWS Network Policy Agent latest image" + + docker buildx create --name="network-policy-agent-builder" --buildkitd-flags '--allow-insecure-entitlement network.host' --use >/dev/null + make multi-arch-build-and-push VERSION=$IMAGE_VERSION IMAGE=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME + + docker buildx rm network-policy-agent-builder + fi + image_uri=$AWS_ECR_REGISTRY/$AWS_ECR_REPO_NAME:$IMAGE_VERSION + echo "image_uri=$(echo $image_uri)" >> $GITHUB_OUTPUT diff --git a/.github/actions/install-dependencies/action.yaml b/.github/actions/install-dependencies/action.yaml index e9cb95a..54243cc 100644 --- a/.github/actions/install-dependencies/action.yaml +++ b/.github/actions/install-dependencies/action.yaml @@ -16,4 +16,4 @@ runs: shell: bash run: | curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp - sudo mv /tmp/eksctl /usr/local/bin/ + sudo mv /tmp/eksctl /usr/local/bin/ \ No newline at end of file diff --git a/.github/workflows/e2e-conformance.yaml b/.github/workflows/e2e-conformance.yaml index 47ba099..293fe17 100644 --- a/.github/workflows/e2e-conformance.yaml +++ b/.github/workflows/e2e-conformance.yaml @@ -1,4 +1,4 @@ -name: e2e-conformance-tests +name: E2E Conformance Tests on: workflow_dispatch: {} @@ -10,7 +10,28 @@ permissions: contents: read jobs: + build-image: + if: github.repository == 'aws/aws-network-policy-agent' + runs-on: ubuntu-latest + outputs: + AWS_EKS_NODEAGENT_IMAGE: ${{steps.build-and-push-image.outputs.image_uri}} + steps: + - name: Checkout latest commit + uses: actions/checkout@v3 + - name: Install Dependencies + uses: ./.github/actions/install-dependencies + - uses: aws-actions/configure-aws-credentials@v3 + with: + role-to-assume: ${{ secrets.OSS_ROLE_ARN }} + aws-region: us-west-2 + role-duration-seconds: 3600 # 1 hour + - name: Build and Push Network Policy Image + id: build-and-push-image + uses: ./.github/actions/build-and-push-image + with: + aws-region: us-west-2 e2e-conformance-tests: + needs: build-image strategy: fail-fast: false matrix: @@ -19,19 +40,20 @@ jobs: if: github.repository == 'aws/aws-network-policy-agent' runs-on: ubuntu-latest steps: - - name: Checkout latest commit in the PR + - name: Checkout latest commit uses: actions/checkout@v3 - name: Install Dependencies uses: ./.github/actions/install-dependencies - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v3 with: role-to-assume: ${{ secrets.OSS_ROLE_ARN }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + aws-region: us-west-2 role-duration-seconds: 18000 # 5 hours - name: Run e2e conformance test env: RUN_CONFORMANCE_TESTS: true K8S_VERSION: 1.27 IP_FAMILY: ${{ matrix.ip-family }} + AWS_EKS_NODEAGENT_IMAGE: ${{ needs.build-image.outputs.AWS_EKS_NODEAGENT_IMAGE }} run: | - ./scripts/run-tests.sh + ./scripts/run-tests.sh \ No newline at end of file diff --git a/.github/workflows/performance-tests.yaml b/.github/workflows/performance-tests.yaml index 61538bb..5605020 100644 --- a/.github/workflows/performance-tests.yaml +++ b/.github/workflows/performance-tests.yaml @@ -10,23 +10,44 @@ permissions: contents: read jobs: + build-image: + if: github.repository == 'aws/aws-network-policy-agent' + runs-on: ubuntu-latest + outputs: + AWS_EKS_NODEAGENT_IMAGE: ${{steps.build-and-push-image.outputs.image_uri}} + steps: + - name: Checkout latest commit + uses: actions/checkout@v3 + - name: Install Dependencies + uses: ./.github/actions/install-dependencies + - uses: aws-actions/configure-aws-credentials@v3 + with: + role-to-assume: ${{ secrets.OSS_ROLE_ARN }} + aws-region: us-west-2 + role-duration-seconds: 3600 # 1 hour + - name: Build and Push Network Policy Image + id: build-and-push-image + uses: ./.github/actions/build-and-push-image + with: + aws-region: us-west-2 performance-tests: + needs: build-image strategy: fail-fast: false matrix: - ip-family: [ "IPv4", "IPv6"] + ip-family: [ IPv4, IPv6 ] # kubernetes-versions: ["1.25", "1.26", "1.27"] if: github.repository == 'aws/aws-network-policy-agent' runs-on: ubuntu-latest steps: - - name: Checkout latest commit in the PR + - name: Checkout latest commit uses: actions/checkout@v3 - name: Install Dependencies uses: ./.github/actions/install-dependencies - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v3 with: role-to-assume: ${{ secrets.OSS_ROLE_ARN }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + aws-region: us-west-2 role-duration-seconds: 18000 # 5 hours - name: Run performance tests env: @@ -35,5 +56,6 @@ jobs: NODES_CAPACITY: 3 INSTANCE_TYPE: c5.xlarge IP_FAMILY: ${{ matrix.ip-family }} + AWS_EKS_NODEAGENT_IMAGE: ${{ needs.build-image.outputs.AWS_EKS_NODEAGENT_IMAGE }} run: | - ./scripts/run-tests.sh + ./scripts/run-tests.sh \ No newline at end of file diff --git a/Makefile b/Makefile index 8cd39d6..9d04ff4 100644 --- a/Makefile +++ b/Makefile @@ -198,6 +198,20 @@ docker-buildx: setup-ebpf-sdk-override ## Build and push docker image for the ma - docker buildx rm project-v3-builder rm Dockerfile.cross + +.PHONY: multi-arch-build-and-push +multi-arch-build-and-push: setup-ebpf-sdk-override ## Build and push docker image for the manager for cross-platform support + + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross + docker buildx build $(DOCKER_BUILD_FLAGS_NP_AGENT) \ + -f Dockerfile.cross \ + --platform "$(PLATFORMS)"\ + --cache-from=type=gha \ + --cache-to=type=gha,mode=max \ + -t $(IMAGE):$(VERSION) \ + --push \ + . + ##@ Deployment ifndef ignore-not-found @@ -289,7 +303,7 @@ endif ./PHONY: update-node-agent-image update-node-agent-image: ## Updates node agent image on an existing cluster. Optionally call with AWS_EKS_NODEAGENT= - ./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) + ./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) IP_FAMILY=$(IP_FAMILY) ./PHONY: update-image-and-test update-image-and-test: ## Updates node agent image on existing cluster and runs cyclonus tests. Call with CLUSTER_NAME= and AWS_EKS_NODEAGENT= diff --git a/go.mod b/go.mod index bc5e04e..4a20b8b 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/aws/aws-network-policy-agent go 1.20 require ( - github.com/aws/amazon-vpc-cni-k8s v1.13.4 + github.com/aws/amazon-vpc-cni-k8s v1.15.0 github.com/aws/aws-ebpf-sdk-go v1.0.2 github.com/aws/aws-sdk-go v1.44.318 github.com/go-logr/logr v1.2.4 @@ -17,12 +17,13 @@ require ( github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.4 github.com/vishvananda/netlink v1.2.1-beta.2 - go.uber.org/zap v1.25.0 - golang.org/x/sys v0.8.0 - k8s.io/api v0.27.2 - k8s.io/apimachinery v0.27.2 - k8s.io/client-go v0.27.2 - sigs.k8s.io/controller-runtime v0.15.0 + go.uber.org/zap v1.26.0 + golang.org/x/sys v0.12.0 + gopkg.in/natefinch/lumberjack.v2 v2.2.1 + k8s.io/api v0.27.3 + k8s.io/apimachinery v0.27.3 + k8s.io/client-go v0.27.3 + sigs.k8s.io/controller-runtime v0.15.1 ) require ( @@ -56,23 +57,22 @@ require ( github.com/prometheus/procfs v0.10.1 // indirect github.com/vishvananda/netns v0.0.4 // indirect go.uber.org/multierr v1.10.0 // indirect - golang.org/x/net v0.10.0 // indirect + golang.org/x/net v0.12.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/term v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/term v0.10.0 // indirect + golang.org/x/text v0.11.0 // indirect golang.org/x/time v0.3.0 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.27.2 // indirect - k8s.io/component-base v0.27.2 // indirect - k8s.io/klog/v2 v2.90.1 // indirect + k8s.io/apiextensions-apiserver v0.27.3 // indirect + k8s.io/component-base v0.27.3 // indirect + k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect - k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 9287937..74f0329 100644 --- a/go.sum +++ b/go.sum @@ -3,12 +3,13 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/aws/amazon-vpc-cni-k8s v1.13.4 h1:LC3AX3TRagZN1PUJRgx1Y1CnAvzala5xAFCrWLVthr8= -github.com/aws/amazon-vpc-cni-k8s v1.13.4/go.mod h1:eVzV7+2QctvKc+yyr3kLNHFwb9xZQRKl0C8ki4ObzDw= +github.com/aws/amazon-vpc-cni-k8s v1.15.0 h1:de/KJJ93G2TUpnNlJowsNPE/uDfmk7LKMLAc//ZKqdg= +github.com/aws/amazon-vpc-cni-k8s v1.15.0/go.mod h1:oqglfFY7lBgvaTRHpoUrZqkj7WA9k/1I+mU0ln/8ZoE= +github.com/aws/aws-ebpf-sdk-go v1.0.2 h1:2o6ddIgG86NGgzenxo1RFQrdcNrST1kZhjlmcePSwRk= +github.com/aws/aws-ebpf-sdk-go v1.0.2/go.mod h1:08LzhuZ2vJNshF6cZaJNzN8vC59Rrq43jFJdbST5Oi0= github.com/aws/aws-sdk-go v1.44.318 h1:Yl66rpbQHFUbxe9JBKLcvOvRivhVgP6+zH0b9KzARX8= github.com/aws/aws-sdk-go v1.44.318/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= @@ -41,7 +42,6 @@ github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= @@ -107,10 +107,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -132,9 +130,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= +github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -189,8 +186,8 @@ go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9i go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= -go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= @@ -220,8 +217,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= @@ -250,13 +247,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -264,8 +261,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -279,7 +276,7 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= +golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -314,8 +311,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -337,27 +334,27 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo= -k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4= -k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo= -k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ= -k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg= -k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE= -k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ= -k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo= -k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo= -k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= -k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y= +k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg= +k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4= +k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84= +k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM= +k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8= +k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48= +k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k= +k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= -k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= -sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= +k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk= +k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUTb/+4c= +sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= \ No newline at end of file diff --git a/main.go b/main.go index f99b232..9c8591c 100644 --- a/main.go +++ b/main.go @@ -19,28 +19,26 @@ package main import ( "os" + "github.com/aws/aws-network-policy-agent/pkg/logger" + "github.com/aws/aws-network-policy-agent/pkg/version" "github.com/go-logr/logr" "github.com/go-logr/zapr" "github.com/spf13/pflag" - zapRaw "go.uber.org/zap" - "go.uber.org/zap/zapcore" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" + policyk8sawsv1 "github.com/aws/aws-network-policy-agent/api/v1alpha1" + "github.com/aws/aws-network-policy-agent/controllers" + "github.com/aws/aws-network-policy-agent/pkg/config" + "github.com/aws/aws-network-policy-agent/pkg/metrics" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - - policyk8sawsv1 "github.com/aws/aws-network-policy-agent/api/v1alpha1" - "github.com/aws/aws-network-policy-agent/controllers" - "github.com/aws/aws-network-policy-agent/pkg/config" - "github.com/aws/aws-network-policy-agent/pkg/metrics" //+kubebuilder:scaffold:imports ) @@ -136,32 +134,7 @@ func loadControllerConfig() (config.ControllerConfig, error) { } // getLoggerWithLogLevel returns logger with specific log level. -func getLoggerWithLogLevel(logLevel string, logFile string) (logr.Logger, error) { - var zapLevel zapcore.Level - switch logLevel { - case "info": - zapLevel = zapcore.InfoLevel - case "debug": - zapLevel = zapcore.DebugLevel - default: - zapLevel = zapcore.InfoLevel - } - if len(logFile) > 0 { - cfg := zapRaw.NewProductionConfig() - cfg.OutputPaths = []string{logFile} - cfg.EncoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder - cfg.EncoderConfig.TimeKey = "timestamp" - cfg.EncoderConfig.CallerKey = "" - cfg.Level = zapRaw.NewAtomicLevelAt(zapLevel) - logger, err := cfg.Build() - if err != nil { - return logr.Logger{}, err - } - return zapr.NewLogger(logger), nil - - } - return zap.New(zap.UseDevMode(false), - zap.Level(zapLevel), - zap.StacktraceLevel(zapcore.FatalLevel), - ), nil +func getLoggerWithLogLevel(logLevel string, logFilePath string) (logr.Logger, error) { + ctrlLogger := logger.New(logLevel, logFilePath) + return zapr.NewLogger(ctrlLogger), nil } diff --git a/pkg/clihelper/show.go b/pkg/clihelper/show.go index 32efa02..aad2319 100644 --- a/pkg/clihelper/show.go +++ b/pkg/clihelper/show.go @@ -67,7 +67,7 @@ func convByteToTrieV6(keyByte []byte) BPFTrieKeyV6 { func convConntrackV6ToByte(key ConntrackKeyV6) []byte { ipSize := unsafe.Sizeof(key) - byteArray := (*[38]byte)(unsafe.Pointer(&key)) + byteArray := (*[unsafe.Sizeof(key)]byte)(unsafe.Pointer(&key)) byteSlice := byteArray[:ipSize] return byteSlice } diff --git a/pkg/ebpf/bpf_client.go b/pkg/ebpf/bpf_client.go index 3b906a2..2d4e82e 100644 --- a/pkg/ebpf/bpf_client.go +++ b/pkg/ebpf/bpf_client.go @@ -303,7 +303,7 @@ func checkAndUpdateBPFBinaries(bpfTCClient tc.BpfTc, bpfBinaries []string, hostB log.Info("comparing new and existing probes ...") isEqual := cmp.Equal(currentProbe, existingProbe) if !isEqual { - if bpfProbe == EVENTS_BINARY { + if bpfProbe == EVENTS_BINARY || bpfProbe == EVENTS_V6_BINARY { // Ingress and Egress probes refer to Conntrack and Policy Events maps defined in // events binary. So, if the events binary changes, we will need to update all the existing // probes in the local node @@ -311,11 +311,11 @@ func checkAndUpdateBPFBinaries(bpfTCClient tc.BpfTc, bpfBinaries []string, hostB log.Info("change detected in event probe binaries..") break } - if bpfProbe == TC_INGRESS_BINARY { + if bpfProbe == TC_INGRESS_BINARY || bpfProbe == TC_V6_INGRESS_BINARY { log.Info("change detected in ingress probe binaries.. ") updateIngressProbe = true } - if bpfProbe == TC_EGRESS_BINARY { + if bpfProbe == TC_EGRESS_BINARY || bpfProbe == TC_V6_EGRESS_BINARY { log.Info("change detected in egress probe binaries..") updateEgressProbe = true } @@ -331,6 +331,7 @@ func checkAndUpdateBPFBinaries(bpfTCClient tc.BpfTc, bpfBinaries []string, hostB return updateIngressProbe, updateEgressProbe, updateEventsProbe, err } } + return updateIngressProbe, updateEgressProbe, updateEventsProbe, nil } @@ -342,24 +343,26 @@ func recoverBPFState(eBPFSDKClient goelf.BpfSDKClient, policyEndpointeBPFContext // Recover global maps (Conntrack and Events) if there is no need to update // events binary - recoveredGlobalMaps, err := eBPFSDKClient.RecoverGlobalMaps() - if err != nil { - log.Error(err, "failed to recover global maps..") - sdkAPIErr.WithLabelValues("RecoverGlobalMaps").Inc() - return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, nil - } - log.Info("Total no.of global maps recovered...", "count: ", len(recoveredGlobalMaps)) - for globalMapName, globalMap := range recoveredGlobalMaps { - log.Info("Global Map..", "Name: ", globalMapName, "updateEventsProbe: ", updateEventsProbe) - if globalMapName == CONNTRACK_MAP_PIN_PATH { - log.Info("Conntrack Map is already present on the node") - isConntrackMapPresent = true - globalMaps.Store(globalMapName, globalMap) - } - if globalMapName == POLICY_EVENTS_MAP_PIN_PATH && !updateEventsProbe { - isPolicyEventsMapPresent = true - eventsMapFD = int(globalMap.MapFD) - log.Info("Policy event Map is already present on the node ", "Recovered FD", eventsMapFD) + if !updateEventsProbe { + recoveredGlobalMaps, err := eBPFSDKClient.RecoverGlobalMaps() + if err != nil { + log.Error(err, "failed to recover global maps..") + sdkAPIErr.WithLabelValues("RecoverGlobalMaps").Inc() + return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, nil + } + log.Info("Total no.of global maps recovered...", "count: ", len(recoveredGlobalMaps)) + for globalMapName, globalMap := range recoveredGlobalMaps { + log.Info("Global Map..", "Name: ", globalMapName, "updateEventsProbe: ", updateEventsProbe) + if globalMapName == CONNTRACK_MAP_PIN_PATH { + log.Info("Conntrack Map is already present on the node") + isConntrackMapPresent = true + globalMaps.Store(globalMapName, globalMap) + } + if globalMapName == POLICY_EVENTS_MAP_PIN_PATH { + isPolicyEventsMapPresent = true + eventsMapFD = int(globalMap.MapFD) + log.Info("Policy event Map is already present on the node ", "Recovered FD", eventsMapFD) + } } } @@ -391,6 +394,7 @@ func recoverBPFState(eBPFSDKClient goelf.BpfSDKClient, policyEndpointeBPFContext policyEndpointeBPFContext.Store(podIdentifier, peBPFContext) } } + return isConntrackMapPresent, isPolicyEventsMapPresent, eventsMapFD, nil } diff --git a/pkg/ebpf/c/tc.v4egress.bpf.c b/pkg/ebpf/c/tc.v4egress.bpf.c index 1596655..b8ed4cd 100644 --- a/pkg/ebpf/c/tc.v4egress.bpf.c +++ b/pkg/ebpf/c/tc.v4egress.bpf.c @@ -88,9 +88,9 @@ int handle_egress(struct __sk_buff *skb) void *data = (void *)(long)skb->data; __u8 src_ip[4]; - memset(&flow_key, 0, sizeof(flow_key)); - memset(&src_ip, 0, sizeof(src_ip)); - memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); + __builtin_memset(&flow_key, 0, sizeof(flow_key)); + __builtin_memset(&src_ip, 0, sizeof(src_ip)); + __builtin_memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); struct ethhdr *ether = data; diff --git a/pkg/ebpf/c/tc.v4ingress.bpf.c b/pkg/ebpf/c/tc.v4ingress.bpf.c index e7936c9..f965732 100644 --- a/pkg/ebpf/c/tc.v4ingress.bpf.c +++ b/pkg/ebpf/c/tc.v4ingress.bpf.c @@ -89,9 +89,9 @@ int handle_ingress(struct __sk_buff *skb) void *data = (void *)(long)skb->data; __u8 dest_ip[4]; - memset(&flow_key, 0, sizeof(flow_key)); - memset(&dest_ip, 0, sizeof(dest_ip)); - memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); + __builtin_memset(&flow_key, 0, sizeof(flow_key)); + __builtin_memset(&dest_ip, 0, sizeof(dest_ip)); + __builtin_memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); struct ethhdr *ether = data; if (data + sizeof(*ether) > data_end) { diff --git a/pkg/ebpf/c/tc.v6egress.bpf.c b/pkg/ebpf/c/tc.v6egress.bpf.c index f666bab..48fe430 100644 --- a/pkg/ebpf/c/tc.v6egress.bpf.c +++ b/pkg/ebpf/c/tc.v6egress.bpf.c @@ -42,21 +42,21 @@ struct lpm_trie_val { struct conntrack_key { - __u8 src_ip[16]; + struct in6_addr saddr; __u16 src_port; - __u8 dest_ip[16]; + struct in6_addr daddr; __u16 dest_port; __u8 protocol; }; struct conntrack_value { - __u8 val[16]; + struct in6_addr addr; }; struct data_t { - __u8 src_ip[16]; + struct in6_addr src_ip; __u32 src_port; - __u8 dest_ip[16]; + struct in6_addr dest_ip; __u32 dest_port; __u32 protocol; __u32 verdict; @@ -74,26 +74,22 @@ struct bpf_map_def_pvt SEC("maps") egress_map = { struct bpf_map_def_pvt aws_conntrack_map; struct bpf_map_def_pvt policy_events; - SEC("tc_cls") int handle_egress(struct __sk_buff *skb) { + struct keystruct trie_key; struct lpm_trie_val *trie_val; - __u32 l4_src_port = 0; - __u32 l4_dst_port = 0; - struct conntrack_key flow_key; - struct conntrack_value *flow_val; - struct conntrack_key reverse_flow_key; - struct conntrack_value *reverse_flow_val; - struct data_t evt = {}; + __u16 l4_src_port = 0; + __u16 l4_dst_port = 0; + struct conntrack_key flow_key; + struct conntrack_value *flow_val; + struct conntrack_value *reverse_flow_val; + struct data_t evt = {}; void *data_end = (void *)(long)skb->data_end; void *data = (void *)(long)skb->data; - __u8 src_ip[16]; - memset(&flow_key, 0, sizeof(flow_key)); - memset(&src_ip, 0, sizeof(src_ip)); - memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); + __builtin_memset(&flow_key, 0, sizeof(flow_key)); struct ethhdr *ether = data; if (data + sizeof(*ether) > data_end) { @@ -119,119 +115,109 @@ int handle_egress(struct __sk_buff *skb) if (ip->nexthdr == 58) { return BPF_OK; } + + switch (ip->nexthdr) { + case IPPROTO_TCP: + if (data + sizeof(*ip) + sizeof(*l4_tcp_hdr) > data_end) { + return BPF_OK; + } + l4_src_port = (((((unsigned short)(l4_tcp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_tcp_hdr->source) & 0xFF00) >> 8)); + l4_dst_port = (((((unsigned short)(l4_tcp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_tcp_hdr->dest) & 0xFF00) >> 8)); + break; + case IPPROTO_UDP: + if (data + sizeof(*ip) + sizeof(*l4_udp_hdr) > data_end) { + return BPF_OK; + } + l4_src_port = (((((unsigned short)(l4_udp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_udp_hdr->source) & 0xFF00) >> 8)); + l4_dst_port = (((((unsigned short)(l4_udp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_udp_hdr->dest) & 0xFF00) >> 8)); + break; + case IPPROTO_SCTP: + if (data + sizeof(*ip) + sizeof(*l4_sctp_hdr) > data_end) { + return BPF_OK; + } + l4_src_port = (((((unsigned short)(l4_sctp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_sctp_hdr->source) & 0xFF00) >> 8)); + l4_dst_port = (((((unsigned short)(l4_sctp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_sctp_hdr->dest) & 0xFF00) >> 8)); + break; + } - switch (ip->nexthdr) { - case IPPROTO_TCP: - if (data + sizeof(*ip) + sizeof(*l4_tcp_hdr) > data_end) { - return BPF_OK; - } - l4_src_port = (((((unsigned short)(l4_tcp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_tcp_hdr->source) & 0xFF00) >> 8)); - l4_dst_port = (((((unsigned short)(l4_tcp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_tcp_hdr->dest) & 0xFF00) >> 8)); - break; - case IPPROTO_UDP: - if (data + sizeof(*ip) + sizeof(*l4_udp_hdr) > data_end) { - return BPF_OK; - } - l4_src_port = (((((unsigned short)(l4_udp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_udp_hdr->source) & 0xFF00) >> 8)); - l4_dst_port = (((((unsigned short)(l4_udp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_udp_hdr->dest) & 0xFF00) >> 8)); - break; - case IPPROTO_SCTP: - if (data + sizeof(*ip) + sizeof(*l4_sctp_hdr) > data_end) { - return BPF_OK; - } - l4_src_port = (((((unsigned short)(l4_sctp_hdr->source) & 0xFF)) << 8) | (((unsigned short)(l4_sctp_hdr->source) & 0xFF00) >> 8)); - l4_dst_port = (((((unsigned short)(l4_sctp_hdr->dest) & 0xFF)) << 8) | (((unsigned short)(l4_sctp_hdr->dest) & 0xFF00) >> 8)); - break; - } - - trie_key.prefix_len = 128; + trie_key.prefix_len = 128; + //Fill the IP Key to be used for lookup for (int i=0; i<16; i++){ trie_key.ip[i] = ip->daddr.in6_u.u6_addr8[i]; - src_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - flow_key.src_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - flow_key.dest_ip[i] = ip->daddr.in6_u.u6_addr8[i]; - reverse_flow_key.src_ip[i] = ip->daddr.in6_u.u6_addr8[i]; - reverse_flow_key.dest_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - evt.src_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - evt.dest_ip[i] = ip->daddr.in6_u.u6_addr8[i]; } - //Check for the an existing flow in the conntrack table - flow_key.src_port = l4_src_port; - flow_key.dest_port = l4_dst_port; - flow_key.protocol = ip->nexthdr; - - - //Check if it's an existing flow - flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); - if (flow_val != NULL &&(flow_val->val[12] == src_ip[12] && flow_val->val[13] == src_ip[13] - && flow_val->val[14] == src_ip[14] && flow_val->val[15] == src_ip[15])) { - return BPF_OK; - } - - evt.src_port = flow_key.src_port; - evt.dest_port = flow_key.dest_port; - evt.protocol = flow_key.protocol; - - //Check for the reverse flow entry in the conntrack table - reverse_flow_key.src_port = l4_dst_port; - reverse_flow_key.dest_port = l4_src_port; - reverse_flow_key.protocol = ip->nexthdr; + //Check for the an existing flow in the conntrack table + flow_key.saddr = ip->saddr; + flow_key.daddr = ip->daddr; + flow_key.src_port = l4_src_port; + flow_key.dest_port = l4_dst_port; + flow_key.protocol = ip->nexthdr; + + //Check if it's an existing flow + flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); + if (flow_val != NULL && (flow_val->addr.in6_u.u6_addr8[12] == flow_key.saddr.in6_u.u6_addr8[12] + && flow_val->addr.in6_u.u6_addr8[13] == flow_key.saddr.in6_u.u6_addr8[13] + && flow_val->addr.in6_u.u6_addr8[14] == flow_key.saddr.in6_u.u6_addr8[14] + && flow_val->addr.in6_u.u6_addr8[15] == flow_key.saddr.in6_u.u6_addr8[15])) { + return BPF_OK; + } + evt.src_ip = ip->saddr; + evt.dest_ip = ip->daddr; + evt.src_port = flow_key.src_port; + evt.dest_port = flow_key.dest_port; + evt.protocol = flow_key.protocol; + + //Check for the reverse flow entry in the conntrack table + flow_key.daddr = ip->saddr; + flow_key.saddr = ip->daddr; + flow_key.src_port = flow_key.dest_port; + flow_key.dest_port = l4_src_port; + + reverse_flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); + if (reverse_flow_val != NULL && (reverse_flow_val->addr.in6_u.u6_addr8[12] == flow_key.daddr.in6_u.u6_addr8[12] + && reverse_flow_val->addr.in6_u.u6_addr8[13] == flow_key.daddr.in6_u.u6_addr8[13] + && reverse_flow_val->addr.in6_u.u6_addr8[14] == flow_key.daddr.in6_u.u6_addr8[14] + && reverse_flow_val->addr.in6_u.u6_addr8[15] == flow_key.daddr.in6_u.u6_addr8[15])) { + return BPF_OK; + } - //Check if it's a response packet - reverse_flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &reverse_flow_key); - if (reverse_flow_val != NULL &&(reverse_flow_val->val[12] == src_ip[12] && reverse_flow_val->val[13] == src_ip[13] - && reverse_flow_val->val[14] == src_ip[14] && reverse_flow_val->val[15] == src_ip[15])) { - return BPF_OK; - } + //Check if it's in the allowed list + trie_val = bpf_map_lookup_elem(&egress_map, &trie_key); + if (trie_val == NULL) { + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_DROP; + } - //Check if it's in the allowed list - trie_val = bpf_map_lookup_elem(&egress_map, &trie_key); - if (trie_val == NULL) { - evt.verdict = 0; + for (int i=0; i<4; i++, trie_val++){ + if (trie_val->protocol == RESERVED_IP_PROTOCOL) { bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); return BPF_DROP; } - for (int i=0; i<4; i++, trie_val++){ - if (trie_val->protocol == RESERVED_IP_PROTOCOL) { - evt.verdict = 0; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_DROP; - } - - if ((trie_val->protocol == ANY_IP_PROTOCOL) || (trie_val->protocol == ip->nexthdr && - ((trie_val->start_port == ANY_PORT) || (l4_dst_port == trie_val->start_port) || - (l4_dst_port > trie_val->start_port && l4_dst_port <= trie_val->end_port)))) { - //Inject in to conntrack map - struct conntrack_value new_flow_val = {}; - new_flow_val.val[0]=src_ip[0]; - new_flow_val.val[1]=src_ip[1]; - new_flow_val.val[2]=src_ip[2]; - new_flow_val.val[3]=src_ip[3]; - new_flow_val.val[4]=src_ip[4]; - new_flow_val.val[5]=src_ip[5]; - new_flow_val.val[6]=src_ip[6]; - new_flow_val.val[7]=src_ip[7]; - new_flow_val.val[8]=src_ip[8]; - new_flow_val.val[9]=src_ip[9]; - new_flow_val.val[10]=src_ip[10]; - new_flow_val.val[11]=src_ip[11]; - new_flow_val.val[12]=src_ip[12]; - new_flow_val.val[13]=src_ip[13]; - new_flow_val.val[14]=src_ip[14]; - new_flow_val.val[15]=src_ip[15]; - bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY - evt.verdict = 1; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_OK; - } + if ((trie_val->protocol == ANY_IP_PROTOCOL) || (trie_val->protocol == ip->nexthdr && + ((trie_val->start_port == ANY_PORT) || (l4_dst_port == trie_val->start_port) || + (l4_dst_port > trie_val->start_port && l4_dst_port <= trie_val->end_port)))) { + //Inject in to conntrack map + struct conntrack_value new_flow_val; + __builtin_memset(&new_flow_val, 0, sizeof(new_flow_val)); + new_flow_val.addr = ip->saddr; + + //Reswap before adding to conntrack + flow_key.saddr = ip->saddr; + flow_key.daddr = ip->daddr; + flow_key.dest_port = flow_key.src_port; + flow_key.src_port = l4_src_port; + + bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY + evt.verdict = 1; + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_OK; } - evt.verdict = 0; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_DROP; + } + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_DROP; } return BPF_OK; } diff --git a/pkg/ebpf/c/tc.v6ingress.bpf.c b/pkg/ebpf/c/tc.v6ingress.bpf.c index ca02ebc..011a58e 100644 --- a/pkg/ebpf/c/tc.v6ingress.bpf.c +++ b/pkg/ebpf/c/tc.v6ingress.bpf.c @@ -13,6 +13,9 @@ #define ANY_IP_PROTOCOL 254 #define ANY_PORT 0 +#define IN6_ARE_ADDR_EQUAL(a, b) \ + (__builtin_memcmp(&(a)->in6_u.u6_addr8[0], &(b)->in6_u.u6_addr8[0], sizeof(struct in6_addr)) == 0) + struct bpf_map_def_pvt { __u32 type; __u32 key_size; @@ -41,21 +44,21 @@ struct lpm_trie_val { }; struct conntrack_key { - __u8 src_ip[16]; + struct in6_addr saddr; __u16 src_port; - __u8 dest_ip[16]; + struct in6_addr daddr; __u16 dest_port; __u8 protocol; }; struct conntrack_value { - __u8 val[16]; + struct in6_addr addr; }; struct data_t { - __u8 src_ip[16]; + struct in6_addr src_ip; __u32 src_port; - __u8 dest_ip[16]; + struct in6_addr dest_ip; __u32 dest_port; __u32 protocol; __u32 verdict; @@ -79,20 +82,16 @@ int handle_ingress(struct __sk_buff *skb) { struct keystruct trie_key; struct lpm_trie_val *trie_val; - __u32 l4_src_port = 0; - __u32 l4_dst_port = 0; + __u16 l4_src_port = 0; + __u16 l4_dst_port = 0; struct conntrack_key flow_key; - struct conntrack_value *flow_val; - struct conntrack_key reverse_flow_key; - struct conntrack_value *reverse_flow_val; + struct conntrack_value *flow_val; + struct conntrack_value *reverse_flow_val; void *data_end = (void *)(long)skb->data_end; void *data = (void *)(long)skb->data; struct data_t evt = {}; - __u8 dest_ip[16]; - memset(&flow_key, 0, sizeof(flow_key)); - memset(&dest_ip, 0, sizeof(dest_ip)); - memset(&reverse_flow_key, 0, sizeof(reverse_flow_key)); + __builtin_memset(&flow_key, 0, sizeof(flow_key)); struct ethhdr *ether = data; if (data + sizeof(*ether) > data_end) { @@ -147,91 +146,81 @@ int handle_ingress(struct __sk_buff *skb) //Fill the IP Key to be used for lookup for (int i=0; i<16; i++){ trie_key.ip[i] = ip->saddr.in6_u.u6_addr8[i]; - dest_ip[i] = ip->daddr.in6_u.u6_addr8[i]; - flow_key.src_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - flow_key.dest_ip[i] = ip->daddr.in6_u.u6_addr8[i]; - reverse_flow_key.src_ip[i] = ip->daddr.in6_u.u6_addr8[i]; - reverse_flow_key.dest_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - evt.src_ip[i] = ip->saddr.in6_u.u6_addr8[i]; - evt.dest_ip[i] = ip->daddr.in6_u.u6_addr8[i]; } + + //Check for the an existing flow in the conntrack table + flow_key.saddr = ip->saddr; + flow_key.daddr = ip->daddr; + flow_key.src_port = l4_src_port; + flow_key.dest_port = l4_dst_port; + flow_key.protocol = ip->nexthdr; + + //Check if it's an existing flow + flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); + if (flow_val != NULL && (flow_val->addr.in6_u.u6_addr8[12] == flow_key.daddr.in6_u.u6_addr8[12] + && flow_val->addr.in6_u.u6_addr8[13] == flow_key.daddr.in6_u.u6_addr8[13] + && flow_val->addr.in6_u.u6_addr8[14] == flow_key.daddr.in6_u.u6_addr8[14] + && flow_val->addr.in6_u.u6_addr8[15] == flow_key.daddr.in6_u.u6_addr8[15])) { + return BPF_OK; + } - //Check for the an existing flow in the conntrack table - flow_key.src_port = l4_src_port; - flow_key.dest_port = l4_dst_port; - flow_key.protocol = ip->nexthdr; - - - //Check if it's an existing flow - flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); - if (flow_val != NULL && (flow_val->val[12] == dest_ip[12] && flow_val->val[13] == dest_ip[13] - && flow_val->val[14] == dest_ip[14] && flow_val->val[15] == dest_ip[15])) { - return BPF_OK; - } - - evt.src_port = flow_key.src_port; - evt.dest_port = flow_key.dest_port; - evt.protocol = flow_key.protocol; - - //Check for the reverse flow entry in the conntrack table - reverse_flow_key.src_port = l4_dst_port; - reverse_flow_key.dest_port = l4_src_port; - reverse_flow_key.protocol = ip->nexthdr; - + evt.src_ip = ip->saddr; + evt.dest_ip = ip->daddr; + evt.src_port = flow_key.src_port; + evt.dest_port = flow_key.dest_port; + evt.protocol = flow_key.protocol; + + //Swap to check reverse flow + flow_key.daddr = ip->saddr; + flow_key.saddr = ip->daddr; + flow_key.src_port = flow_key.dest_port; + flow_key.dest_port = l4_src_port; + + + //Check if it's a response packet + reverse_flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &flow_key); + if (reverse_flow_val != NULL && (reverse_flow_val->addr.in6_u.u6_addr8[12] == flow_key.saddr.in6_u.u6_addr8[12] + && reverse_flow_val->addr.in6_u.u6_addr8[13] == flow_key.saddr.in6_u.u6_addr8[13] + && reverse_flow_val->addr.in6_u.u6_addr8[14] == flow_key.saddr.in6_u.u6_addr8[14] + && reverse_flow_val->addr.in6_u.u6_addr8[15] == flow_key.saddr.in6_u.u6_addr8[15])) { + return BPF_OK; + } - //Check if it's a response packet - reverse_flow_val = (struct conntrack_value *)bpf_map_lookup_elem(&aws_conntrack_map, &reverse_flow_key); - if (reverse_flow_val != NULL &&(reverse_flow_val->val[12] == dest_ip[12] && reverse_flow_val->val[13] == dest_ip[13] - && reverse_flow_val->val[14] == dest_ip[14] && reverse_flow_val->val[15] == dest_ip[15] )) { - return BPF_OK; - } + //Check if it's in the allowed list + trie_val = bpf_map_lookup_elem(&ingress_map, &trie_key); + if (trie_val == NULL) { + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_DROP; + } - //Check if it's in the allowed list - trie_val = bpf_map_lookup_elem(&ingress_map, &trie_key); - if (trie_val == NULL) { - evt.verdict = 0; + for (int i=0; i<4; i++, trie_val++){ + if (trie_val->protocol == RESERVED_IP_PROTOCOL) { bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); return BPF_DROP; } - for (int i=0; i<4; i++, trie_val++){ - if (trie_val->protocol == RESERVED_IP_PROTOCOL) { - evt.verdict = 0; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_DROP; - } - - if ((trie_val->protocol == ANY_IP_PROTOCOL) || (trie_val->protocol == ip->nexthdr && - ((trie_val->start_port == ANY_PORT) || (l4_dst_port == trie_val->start_port) || - (l4_dst_port > trie_val->start_port && l4_dst_port <= trie_val->end_port)))) { + if ((trie_val->protocol == ANY_IP_PROTOCOL) || (trie_val->protocol == ip->nexthdr && + ((trie_val->start_port == ANY_PORT) || (l4_dst_port == trie_val->start_port) || + (l4_dst_port > trie_val->start_port && l4_dst_port <= trie_val->end_port)))) { //Inject in to conntrack map - struct conntrack_value new_flow_val = {}; - new_flow_val.val[0]=dest_ip[0]; - new_flow_val.val[1]=dest_ip[1]; - new_flow_val.val[2]=dest_ip[2]; - new_flow_val.val[3]=dest_ip[3]; - new_flow_val.val[4]=dest_ip[4]; - new_flow_val.val[5]=dest_ip[5]; - new_flow_val.val[6]=dest_ip[6]; - new_flow_val.val[7]=dest_ip[7]; - new_flow_val.val[8]=dest_ip[8]; - new_flow_val.val[9]=dest_ip[9]; - new_flow_val.val[10]=dest_ip[10]; - new_flow_val.val[11]=dest_ip[11]; - new_flow_val.val[12]=dest_ip[12]; - new_flow_val.val[13]=dest_ip[13]; - new_flow_val.val[14]=dest_ip[14]; - new_flow_val.val[15]=dest_ip[15]; - - bpf_map_update_elem(&aws_conntrack_map, &flow_key, &dest_ip, 0); // 0 - BPF_ANY - evt.verdict = 1; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_OK; + struct conntrack_value new_flow_val; + __builtin_memset(&new_flow_val, 0, sizeof(new_flow_val)); + new_flow_val.addr = ip->daddr; + + //Reswap before adding to conntrack + flow_key.saddr = ip->saddr; + flow_key.daddr = ip->daddr; + flow_key.dest_port = flow_key.src_port; + flow_key.src_port = l4_src_port; + + bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY + evt.verdict = 1; + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_OK; } - } - evt.verdict = 0; - bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); - return BPF_DROP; + } + bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0); + return BPF_DROP; } return BPF_OK; } diff --git a/pkg/ebpf/c/v6events.bpf.c b/pkg/ebpf/c/v6events.bpf.c index 5dfeee1..96ac864 100644 --- a/pkg/ebpf/c/v6events.bpf.c +++ b/pkg/ebpf/c/v6events.bpf.c @@ -27,15 +27,16 @@ struct data_t { }; struct conntrack_key { - __u8 src_ip[16]; + struct in6_addr saddr; __u16 src_port; - __u8 dest_ip[16]; + struct in6_addr daddr; __u16 dest_port; __u8 protocol; }; + struct conntrack_value { - __u8 val[16]; + struct in6_addr addr; }; struct bpf_map_def_pvt SEC("maps") aws_conntrack_map = { @@ -46,10 +47,12 @@ struct bpf_map_def_pvt SEC("maps") aws_conntrack_map = { .pinning = PIN_GLOBAL_NS, }; + struct bpf_map_def_pvt SEC("maps") policy_events = { .type = BPF_MAP_TYPE_RINGBUF, .max_entries = 256 * 1024, .pinning = PIN_GLOBAL_NS, }; + char _license[] SEC("license") = "GPL"; diff --git a/pkg/ebpf/conntrack/conntrack_client.go b/pkg/ebpf/conntrack/conntrack_client.go index 938e269..3a5becc 100644 --- a/pkg/ebpf/conntrack/conntrack_client.go +++ b/pkg/ebpf/conntrack/conntrack_client.go @@ -92,6 +92,10 @@ func (c *conntrackClient) CleanupConntrackMap() { iterValue := ConntrackVal{} err = goebpfmaps.GetMapEntryByID(uintptr(unsafe.Pointer(&iterKey)), uintptr(unsafe.Pointer(&iterValue)), mapID) if err != nil { + if errors.Is(err, unix.ENOENT) { + err = nil + break + } return } else { newKey := ConntrackKey{} @@ -179,6 +183,10 @@ func (c *conntrackClient) Cleanupv6ConntrackMap() { iterValue := ConntrackVal{} err = goebpfmaps.GetMapEntryByID(uintptr(unsafe.Pointer(&byteSlice[0])), uintptr(unsafe.Pointer(&iterValue)), mapID) if err != nil { + if errors.Is(err, unix.ENOENT) { + err = nil + break + } return } else { newKey := utils.ConntrackKeyV6{} diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go new file mode 100644 index 0000000..baa3a2a --- /dev/null +++ b/pkg/logger/logger.go @@ -0,0 +1,114 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"). +// You may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +//limitations under the License. + +package logger + +import ( + "os" + "strings" + + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + lumberjack "gopkg.in/natefinch/lumberjack.v2" +) + +// Configuration stores the config for the logger +type Configuration struct { + LogLevel string + LogLocation string +} + +// getZapLevel converts log level string to zapcore.Level +func getZapLevel(inputLogLevel string) zapcore.Level { + lvl := strings.ToLower(inputLogLevel) + + switch lvl { + case "debug": + return zapcore.DebugLevel + case "info": + return zapcore.InfoLevel + case "warn": + return zapcore.WarnLevel + case "error": + return zapcore.ErrorLevel + case "fatal": + return zapcore.FatalLevel + default: + return zapcore.DebugLevel + } +} + +func getEncoder() zapcore.Encoder { + encoderConfig := zap.NewProductionEncoderConfig() + encoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder + return zapcore.NewJSONEncoder(encoderConfig) +} + +func (logConfig *Configuration) newZapLogger() *zap.Logger { //Logger { + var cores []zapcore.Core + + logLevel := getZapLevel(logConfig.LogLevel) + + writer := getLogFilePath(logConfig.LogLocation) + + cores = append(cores, zapcore.NewCore(getEncoder(), writer, logLevel)) + + combinedCore := zapcore.NewTee(cores...) + + logger := zap.New(combinedCore, + zap.AddCaller(), + zap.AddCallerSkip(2), + ) + defer logger.Sync() + + return logger +} + +// getLogFilePath returns the writer +func getLogFilePath(logFilePath string) zapcore.WriteSyncer { + var writer zapcore.WriteSyncer + + if logFilePath == "" { + writer = zapcore.Lock(os.Stderr) + } else if strings.ToLower(logFilePath) != "stdout" { + writer = getLogWriter(logFilePath) + } else { + writer = zapcore.Lock(os.Stdout) + } + + return writer +} + +// getLogWriter is for lumberjack +func getLogWriter(logFilePath string) zapcore.WriteSyncer { + lumberJackLogger := &lumberjack.Logger{ + Filename: logFilePath, + MaxSize: 100, + MaxBackups: 5, + MaxAge: 30, + Compress: true, + } + return zapcore.AddSync(lumberJackLogger) +} + +// New logger initializes logger +func New(logLevel, logLocation string) *zap.Logger { + inputLogConfig := &Configuration{ + LogLevel: logLevel, + LogLocation: logLocation, + } + + logger := inputLogConfig.newZapLogger() + return logger +} diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 5bfb28a..d79b4fe 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -285,6 +285,7 @@ func ConvIPv6ToByte(ipaddr net.IP) []byte { type ConntrackKeyV6 struct { Source_ip [16]byte Source_port uint16 + _ uint16 //Padding Dest_ip [16]byte Dest_port uint16 Protocol uint8 @@ -296,7 +297,7 @@ type ConntrackVal struct { func ConvConntrackV6ToByte(key ConntrackKeyV6) []byte { ipSize := unsafe.Sizeof(key) - byteArray := (*[38]byte)(unsafe.Pointer(&key)) + byteArray := (*[unsafe.Sizeof(key)]byte)(unsafe.Pointer(&key)) byteSlice := byteArray[:ipSize] return byteSlice } diff --git a/scripts/lib/cluster.sh b/scripts/lib/cluster.sh index 1e9932f..59e3268 100644 --- a/scripts/lib/cluster.sh +++ b/scripts/lib/cluster.sh @@ -14,7 +14,6 @@ function load_default_values(){ : "${CW_POLICY_ARN:=arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy}" : "${ENDPOINT_FLAG:=""}" : "${HELM_EXTRA_ARGS:=""}" - } function create_cluster(){ @@ -56,5 +55,4 @@ function delete_cluster(){ eksctl delete cluster -f ./eks-cluster.yaml || echo "Cluster Delete failed" rm -rf ./eks-cluster.yaml || echo "Cluster config file not found" -} - +} \ No newline at end of file diff --git a/scripts/lib/network-policy.sh b/scripts/lib/network-policy.sh index 9dc71e2..1ddfc67 100644 --- a/scripts/lib/network-policy.sh +++ b/scripts/lib/network-policy.sh @@ -4,7 +4,7 @@ function load_addon_details() { ADDON_NAME="vpc-cni" echo "loading $ADDON_NAME addon details" LATEST_ADDON_VERSION=$(aws eks describe-addon-versions $ENDPOINT_FLAG --addon-name $ADDON_NAME --kubernetes-version $K8S_VERSION | jq '.addons[0].addonVersions[0].addonVersion' -r) - EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r) + get_service_account_role_arn } function wait_for_addon_status() { @@ -73,6 +73,10 @@ function install_network_policy_mao() { wait_for_addon_status "ACTIVE" } +function get_service_account_role_arn(){ + EXISTING_SERVICE_ACCOUNT_ROLE_ARN=$(kubectl get serviceaccount -n kube-system aws-node -o json | jq '.metadata.annotations."eks.amazonaws.com/role-arn"' -r) +} + function install_network_policy_helm(){ helm repo add eks https://aws.github.io/eks-charts @@ -87,23 +91,29 @@ function install_network_policy_helm(){ ENABLE_PREFIX_DELEGATION=true fi + get_service_account_role_arn + + if [[ ! -z $EXISTING_SERVICE_ACCOUNT_ROLE_ARN ]]; then + HELM_EXTRA_ARGS+=" --set serviceAccount.annotations.\eks\.amazonaws\.com/role-arn=$EXISTING_SERVICE_ACCOUNT_ROLE_ARN" + fi + echo "Updating annotations and labels on existing resources" - for kind in daemonSet clusterRole clusterRoleBinding serviceAccount; do - echo "setting annotations and labels on $kind/aws-node" - kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-name=aws-vpc-cni || echo "Unable to annotate $kind/aws-node" - kubectl -n kube-system annotate --overwrite $kind aws-node meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind/aws-node" - kubectl -n kube-system label --overwrite $kind aws-node app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind/aws-node" + resources=("daemonSet/aws-node" "clusterRole/aws-node" "clusterRoleBinding/aws-node" "serviceAccount/aws-node" "configmap/amazon-vpc-cni") + for kind in ${resources[@]}; do + echo "setting annotations and labels on $kind" + kubectl -n kube-system annotate --overwrite $kind meta.helm.sh/release-name=aws-vpc-cni meta.helm.sh/release-namespace=kube-system || echo "Unable to annotate $kind" + kubectl -n kube-system label --overwrite $kind app.kubernetes.io/managed-by=Helm || echo "Unable to label $kind" done - echo "Installing/Updating the aws-vpc-cni helm chart with `enableNetworkPolicy=true`" + echo "Installing/Updating the aws-vpc-cni helm chart with enableNetworkPolicy=true" helm upgrade --install aws-vpc-cni eks/aws-vpc-cni --wait --timeout 300s \ --namespace kube-system \ --set enableNetworkPolicy=true \ --set originalMatchLabels=true \ --set init.env.ENABLE_IPv6=$ENABLE_IPv6 \ - --set image.env.ENABLE_IPv6=$ENABLE_IPv6 \ + --set env.ENABLE_IPv6=$ENABLE_IPv6 \ --set nodeAgent.enableIpv6=$ENABLE_IPv6 \ - --set image.env.ENABLE_PREFIX_DELEGATION=$ENABLE_PREFIX_DELEGATION \ - --set image.env.ENABLE_IPv4=$ENABLE_IPv4 $HELM_EXTRA_ARGS + --set env.ENABLE_PREFIX_DELEGATION=$ENABLE_PREFIX_DELEGATION \ + --set env.ENABLE_IPv4=$ENABLE_IPv4 $HELM_EXTRA_ARGS -} +} \ No newline at end of file diff --git a/scripts/run-tests.sh b/scripts/run-tests.sh index 0722f91..c823188 100755 --- a/scripts/run-tests.sh +++ b/scripts/run-tests.sh @@ -1,5 +1,4 @@ #! /bin/bash - set -Eeuox pipefail DIR=$(cd "$(dirname "$0")"; pwd) @@ -12,6 +11,7 @@ source ${DIR}/lib/tests.sh : "${RUN_PERFORMANCE_TESTS:=false}" : "${RUN_CONFORMANCE_TESTS:=false}" +: "${AWS_EKS_NODEAGENT_IMAGE:=""}" TEST_FAILED="false" cleanup() { @@ -28,8 +28,7 @@ trap cleanup EXIT load_default_values create_cluster -load_addon_details -install_network_policy_mao $LATEST_ADDON_VERSION +make update-node-agent-image AWS_EKS_NODEAGENT=$AWS_EKS_NODEAGENT_IMAGE IP_FAMILY=$IP_FAMILY if [[ $RUN_PERFORMANCE_TESTS == "true" ]]; then echo "Runnning Performance tests" @@ -45,4 +44,4 @@ check_path_cleanup if [[ $TEST_FAILED == "true" ]]; then echo "Test run failed, check failures" exit 1 -fi +fi \ No newline at end of file diff --git a/scripts/update-node-agent-image.sh b/scripts/update-node-agent-image.sh index 2094a1f..03e6aa3 100755 --- a/scripts/update-node-agent-image.sh +++ b/scripts/update-node-agent-image.sh @@ -22,3 +22,6 @@ else fi install_network_policy_helm + +echo "Check aws-node daemonset status" +kubectl rollout status ds/aws-node -n kube-system --timeout=300s \ No newline at end of file