From b40b5189d587549d7c5afce0afe184eff4537ead Mon Sep 17 00:00:00 2001 From: Cristina Kovacs Date: Fri, 25 Mar 2022 12:13:53 -0500 Subject: [PATCH 01/10] adding egress tests --- .../translation/translatePolicy_test.go | 345 ++++++++++++++++++ 1 file changed, 345 insertions(+) diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go index 482043cfc1..2c5d82fcb0 100644 --- a/npm/pkg/controlplane/translation/translatePolicy_test.go +++ b/npm/pkg/controlplane/translation/translatePolicy_test.go 
@@ -1576,3 +1576,348 @@ func TestIngressPolicy(t *testing.T) { }) } } + +func TestEgressPolicy(t *testing.T) { + tcp := v1.ProtocolTCP + targetPodMatchType := policies.EitherMatch + peerMatchType := policies.DstMatch + tests := []struct { + name string + targetSelector *metav1.LabelSelector + rules []networkingv1.NetworkPolicyEgressRule + npmNetPol *policies.NPMNetworkPolicy + }{ + { + name: "only port in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + Ports: []networkingv1.NetworkPolicyPort{ + { + Protocol: &tcp, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-serve-tcp", + Target: policies.Allowed, + Direction: policies.Egress, + DstPorts: policies.Ports{ + Port: 0, + EndPort: 0, + }, + Protocol: "TCP", + }, + defaultDropACL("default", "serve-tcp", policies.Egress), + }, + }, + }, + { + name: "only ipBlock in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + Except: []string{"172.17.1.0/24"}, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-ipblock", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", 
ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("only-ipblock-in-ns-default-0-0OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24 nomatch"}...), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-ipblock", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-ipblock-in-ns-default-0-0OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-ipblock", policies.Egress), + }, + }, + }, + { + name: "only peer podSelector in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-podselector-kay": "peer-podselector-value", + }, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-podSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + ACLs: []*policies.ACLPolicy{ 
+ { + PolicyID: "azure-acl-default-only-peer-podSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod, included, peerMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-podSelector", policies.Egress), + }, + }, + }, + { + name: "only peer nameSpaceSelector in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-nsselector-kay": "peer-nsselector-value", + }, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-nsSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-nsSelector", policies.Egress), + }, + }, + }, + { + name: "deny all in egress rules", + targetSelector: &metav1.LabelSelector{ + 
MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: nil, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + + defaultDropACL("default", "serve-tcp", policies.Egress), + }, + }, + }, + { + name: "allow all egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + {}, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-serve-tcp", + Target: policies.Allowed, + Direction: policies.Egress, + }, + }, + }, + }, + { + name: "peer nameSpaceSelector and ipblock in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-nsselector-kay": "peer-nsselector-value", + }, + }, + }, + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + Except: 
[]string{"172.17.1.0/24", "172.17.2.0/24"}, + }, + }, + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-nsSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace), + ipsets.NewTranslatedIPSet("only-peer-nsSelector-in-ns-default-0-1OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24 nomatch", "172.17.2.0/24 nomatch"}...), + ipsets.NewTranslatedIPSet("only-peer-nsSelector-in-ns-default-0-2OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16"}...), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace, included, peerMatchType), + }, + }, + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-peer-nsSelector-in-ns-default-0-1OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-peer-nsSelector-in-ns-default-0-2OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-nsSelector", 
policies.Egress), + }, + }, + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + npmNetPol := &policies.NPMNetworkPolicy{ + Name: tt.npmNetPol.Name, + NameSpace: tt.npmNetPol.NameSpace, + } + var err error + npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.NameSpace, policies.EitherMatch, tt.targetSelector) + require.NoError(t, err) + err = egressPolicy(npmNetPol, tt.rules) + require.NoError(t, err) + require.Equal(t, tt.npmNetPol, npmNetPol) + }) + } +} From eb31f07799f7da0dff7439a9d96111108c4d77a8 Mon Sep 17 00:00:00 2001 From: Cristina Kovacs Date: Fri, 25 Mar 2022 13:28:00 -0500 Subject: [PATCH 02/10] fixed lint issue --- npm/pkg/controlplane/translation/translatePolicy_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go index 2c5d82fcb0..0c84fedea4 100644 --- a/npm/pkg/controlplane/translation/translatePolicy_test.go +++ b/npm/pkg/controlplane/translation/translatePolicy_test.go @@ -1791,7 +1791,6 @@ func TestEgressPolicy(t *testing.T) { policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), }, ACLs: []*policies.ACLPolicy{ - defaultDropACL("default", "serve-tcp", policies.Egress), }, }, From 7062230ffecff72b4909103abb53050b4b1e4fff Mon Sep 17 00:00:00 2001 From: Mathew Merrick Date: Mon, 28 Mar 2022 15:33:36 -0700 Subject: [PATCH 03/10] npm: fix error wrapping with go 1.18 (#1304) * fix npm error wrapping typo with go 1.18 * pesky lines --- npm/http/server/server.go | 2 +- npm/http/server/server_test.go | 2 +- npm/pkg/dataplane/debug/converter_test.go | 16 ++++++++-------- npm/pkg/dataplane/debug/trafficanalyzer_test.go | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/npm/http/server/server.go b/npm/http/server/server.go index 6e6278914d..308d038ed7 100644 --- a/npm/http/server/server.go 
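Review bot: The table never exercises an egress rule that carries both `Ports` and `To`, which is the one path where the translator has to attach `DstPorts` and `DstList` to the same ACL; every case here leaves one side empty, so a regression that drops the port when a peer is present (or the reverse) would still pass. A case along the lines of `name: "peer podSelector with port in egress rules"`, with one rule holding `Ports: []networkingv1.NetworkPolicyPort{{Protocol: &tcp}}` and a `To` podSelector peer, would close that gap; the expected ACL shape should be confirmed against `egressPolicy` rather than copied from the ingress table. The last case reuses `Name: "only-peer-nsSelector"` and the deny-all and allow-all cases reuse `"serve-tcp"`, so the generated `PolicyID` and `RuleIPSets` names no longer describe the case and failure output is harder to read. The deny-all case is the only one whose ACL list is just the default drop, so it is also what pins that `rules: nil` produces no allow ACL; a comment on it such as `// nil rules must translate to drop-only: no allow ACL is emitted` makes that intent explicit.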
+++ b/npm/http/server/server.go @@ -71,7 +71,7 @@ func (n *NPMRestServer) npmCacheHandler(npmCacheEncoder json.Marshaler) http.Han } _, err = w.Write(b) if err != nil { - log.Errorf("failed to write resp: %w", err) + log.Errorf("failed to write resp: %v", err) } }) } diff --git a/npm/http/server/server_test.go b/npm/http/server/server_test.go index cc016c3020..f23b1b61b2 100644 --- a/npm/http/server/server_test.go +++ b/npm/http/server/server_test.go @@ -37,7 +37,7 @@ func TestGetNPMCacheHandler(t *testing.T) { byteArray, err := io.ReadAll(rr.Body) if err != nil { - t.Errorf("failed to read response's data : %w", err) + t.Errorf("failed to read response's data : %v", err) } actual := &controllersv1.Cache{} diff --git a/npm/pkg/dataplane/debug/converter_test.go b/npm/pkg/dataplane/debug/converter_test.go index dc0258c30d..a94e0687b6 100644 --- a/npm/pkg/dataplane/debug/converter_test.go +++ b/npm/pkg/dataplane/debug/converter_test.go @@ -18,7 +18,7 @@ func TestGetJSONRulesFromIptableFile(t *testing.T) { iptableSaveFile, ) if err != nil { - t.Errorf("failed to test GetJSONRulesFromIptable : %w", err) + t.Errorf("failed to test GetJSONRulesFromIptable : %v", err) } } @@ -30,7 +30,7 @@ func TestGetProtobufRulesFromIptableFile(t *testing.T) { iptableSaveFile, ) if err != nil { - t.Errorf("error during TestGetJSONRulesFromIptable : %w", err) + t.Errorf("error during TestGetJSONRulesFromIptable : %v", err) } } @@ -38,7 +38,7 @@ func TestNpmCacheFromFile(t *testing.T) { c := &Converter{} err := c.NpmCacheFromFile(npmCacheFile) if err != nil { - t.Errorf("Failed to decode NPMCache from %s file : %w", npmCacheFile, err) + t.Errorf("Failed to decode NPMCache from %s file : %v", npmCacheFile, err) } } @@ -93,7 +93,7 @@ func TestGetSetType(t *testing.T) { c := &Converter{} err := c.initConverterFile(npmCacheFile) if err != nil { - t.Errorf("error during initilizing converter : %w", err) + t.Errorf("error during initilizing converter : %v", err) } for name, test := range tests { 
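Review bot: Replacing `%w` with `%v` resolves the vet failure, but in the `server_test.go` hunk the `t.Errorf` on a failed `io.ReadAll` lets `TestGetNPMCacheHandler` continue into the decode of `byteArray`, so a read error surfaces as a confusing secondary failure; `t.Fatalf("failed to read response's data : %v", err)` stops at the real cause. The same `t.Errorf`-then-continue pattern is in the `converter_test.go` hunks for `TestGetSetType`, `TestGetRulesFromChain` and `TestGetModulesFromRule` (a failed `initConverterFile` or `getRulesFromChain` is followed by the loop over the cases or a `reflect.DeepEqual`) and in the `trafficanalyzer_test.go` hunk, and `t.Fatalf` fits each of them since nothing after the check is meaningful once `err` is non-nil. The `log.Errorf` change in `server.go` is fine as written: the handler has nothing further to do after a failed `w.Write`. Each of the enclosing test functions starts before its hunk and ends after it.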
@@ -315,7 +315,7 @@ func TestGetRulesFromChain(t *testing.T) { c := &Converter{} err := c.initConverterFile(npmCacheFile) if err != nil { - t.Errorf("error during initilizing converter : %w", err) + t.Errorf("error during initilizing converter : %v", err) } for name, test := range testCases { @@ -323,7 +323,7 @@ func TestGetRulesFromChain(t *testing.T) { t.Run(name, func(t *testing.T) { actuatlReponsesArr, err := c.getRulesFromChain(test.input) if err != nil { - t.Errorf("error during get rules : %w", err) + t.Errorf("error during get rules : %v", err) } if !reflect.DeepEqual(test.expected, actuatlReponsesArr) { t.Errorf("got '%+v', expected '%+v'", actuatlReponsesArr, test.expected) @@ -504,12 +504,12 @@ func TestGetModulesFromRule(t *testing.T) { c := &Converter{} err := c.initConverterFile(npmCacheFile) if err != nil { - t.Errorf("error during initilizing converter : %w", err) + t.Errorf("error during initilizing converter : %v", err) } err = c.getModulesFromRule(modules, actualRuleResponse) if err != nil { - t.Errorf("error during getNPMIPtable.ModulesFromRule : %w", err) + t.Errorf("error during getNPMIPtable.ModulesFromRule : %v", err) } if !reflect.DeepEqual(expectedRuleResponse, actualRuleResponse) { diff --git a/npm/pkg/dataplane/debug/trafficanalyzer_test.go b/npm/pkg/dataplane/debug/trafficanalyzer_test.go index 35b97294a5..8eed757005 100644 --- a/npm/pkg/dataplane/debug/trafficanalyzer_test.go +++ b/npm/pkg/dataplane/debug/trafficanalyzer_test.go @@ -237,7 +237,7 @@ func TestGetNetworkTuple(t *testing.T) { iptableSaveFile, ) if err != nil { - t.Errorf("error during get network tuple : %w", err) + t.Errorf("error during get network tuple : %v", err) } sortedActualTupleList := hashTheSortTupleList(actualTupleList) if !reflect.DeepEqual(sortedExpectedTupleList, sortedActualTupleList) { From ca8a85002dd2e0cfa173bcf2385688b9d36a28ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Mar 2022 02:32:45 +0000 Subject: [PATCH 04/10] vendor: bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#1297) --- go.mod | 2 +- go.sum | 3 ++- .../protobuf/encoding/protowire/wire.go | 19 ++++++++++---- .../protobuf/internal/encoding/text/decode.go | 2 +- .../protobuf/internal/errors/is_go112.go | 1 + .../protobuf/internal/errors/is_go113.go | 1 + .../internal/flags/proto_legacy_disable.go | 1 + .../internal/flags/proto_legacy_enable.go | 1 + .../protobuf/internal/impl/codec_map_go111.go | 1 + .../protobuf/internal/impl/codec_map_go112.go | 1 + .../protobuf/internal/impl/codec_reflect.go | 1 + .../protobuf/internal/impl/codec_unsafe.go | 1 + .../protobuf/internal/impl/decode.go | 8 ++++++ .../protobuf/internal/impl/pointer_reflect.go | 1 + .../protobuf/internal/impl/pointer_unsafe.go | 1 + .../protobuf/internal/strs/strings_pure.go | 1 + .../protobuf/internal/strs/strings_unsafe.go | 1 + .../protobuf/internal/version/version.go | 4 +-- .../protobuf/proto/decode.go | 17 ++++++++++++- .../protobuf/proto/proto_methods.go | 1 + .../protobuf/proto/proto_reflect.go | 1 + .../protobuf/reflect/protoreflect/methods.go | 1 + .../reflect/protoreflect/value_pure.go | 1 + .../reflect/protoreflect/value_union.go | 25 +++++++++++++++++++ .../reflect/protoreflect/value_unsafe.go | 1 + .../protobuf/runtime/protoiface/methods.go | 1 + vendor/modules.txt | 4 +-- 27 files changed, 89 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index c26dad9b81..ae796f5ea6 100644 --- a/go.mod +++ b/go.mod @@ -34,7 +34,7 @@ require ( golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect google.golang.org/grpc v1.45.0 - google.golang.org/protobuf v1.27.1 + google.golang.org/protobuf v1.28.0 k8s.io/api v0.23.5 k8s.io/apiextensions-apiserver v0.23.4 k8s.io/apimachinery v0.23.5 
diff --git a/go.sum b/go.sum index 31196532e2..096e657d4e 100644 --- a/go.sum +++ b/go.sum @@ -1415,8 +1415,9 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go index a427f8b704..9c61112f58 100644 --- a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go +++ b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go @@ -21,10 +21,11 @@ import ( type Number int32 const ( - MinValidNumber Number = 1 - FirstReservedNumber Number = 19000 - LastReservedNumber Number = 19999 - MaxValidNumber Number = 1<<29 - 1 + MinValidNumber Number = 1 + FirstReservedNumber Number = 19000 + LastReservedNumber Number = 19999 + MaxValidNumber Number = 1<<29 - 1 + DefaultRecursionLimit = 10000 ) // IsValid reports whether the field number is semantically valid. @@ -55,6 +56,7 @@ const ( errCodeOverflow errCodeReserved errCodeEndGroup + errCodeRecursionDepth ) var ( 
@@ -112,6 +114,10 @@ func ConsumeField(b []byte) (Number, Type, int) { // When parsing a group, the length includes the end group marker and // the end group is verified to match the starting field number. func ConsumeFieldValue(num Number, typ Type, b []byte) (n int) { + return consumeFieldValueD(num, typ, b, DefaultRecursionLimit) +} + +func consumeFieldValueD(num Number, typ Type, b []byte, depth int) (n int) { switch typ { case VarintType: _, n = ConsumeVarint(b) @@ -126,6 +132,9 @@ func ConsumeFieldValue(num Number, typ Type, b []byte) (n int) { _, n = ConsumeBytes(b) return n case StartGroupType: + if depth < 0 { + return errCodeRecursionDepth + } n0 := len(b) for { num2, typ2, n := ConsumeTag(b) @@ -140,7 +149,7 @@ func ConsumeFieldValue(num Number, typ Type, b []byte) (n int) { return n0 - len(b) } - n = ConsumeFieldValue(num2, typ2, b) + n = consumeFieldValueD(num2, typ2, b, depth-1) if n < 0 { return n // forward error code } diff --git a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go index eb10ea1026..37803773fa 100644 --- a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go +++ b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go @@ -381,7 +381,7 @@ func (d *Decoder) currentOpenKind() (Kind, byte) { case '[': return ListOpen, ']' } - panic(fmt.Sprintf("Decoder: openStack contains invalid byte %s", string(openCh))) + panic(fmt.Sprintf("Decoder: openStack contains invalid byte %c", openCh)) } func (d *Decoder) pushOpenStack(ch byte) { diff --git a/vendor/google.golang.org/protobuf/internal/errors/is_go112.go b/vendor/google.golang.org/protobuf/internal/errors/is_go112.go index f90e909b37..fbcd349207 100644 --- a/vendor/google.golang.org/protobuf/internal/errors/is_go112.go +++ b/vendor/google.golang.org/protobuf/internal/errors/is_go112.go 
@@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !go1.13 // +build !go1.13 package errors diff --git a/vendor/google.golang.org/protobuf/internal/errors/is_go113.go b/vendor/google.golang.org/protobuf/internal/errors/is_go113.go index dc05f4191c..5e72f1cde9 100644 --- a/vendor/google.golang.org/protobuf/internal/errors/is_go113.go +++ b/vendor/google.golang.org/protobuf/internal/errors/is_go113.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build go1.13 // +build go1.13 package errors diff --git a/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_disable.go b/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_disable.go index a72995f02d..bda8e8cf3f 100644 --- a/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_disable.go +++ b/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_disable.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !protolegacy // +build !protolegacy package flags diff --git a/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_enable.go b/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_enable.go index 772e2f0e4d..6d8d9bd6b0 100644 --- a/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_enable.go +++ b/vendor/google.golang.org/protobuf/internal/flags/proto_legacy_enable.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build protolegacy // +build protolegacy package flags diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map_go111.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map_go111.go index 2706bb67f5..4b15493f2f 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_map_go111.go 
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map_go111.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !go1.12 // +build !go1.12 package impl diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map_go112.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map_go112.go index 1533ef600c..0b31b66eaf 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_map_go112.go +++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map_go112.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build go1.12 // +build go1.12 package impl diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go b/vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go index 90705e3aea..145c577bd6 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go +++ b/vendor/google.golang.org/protobuf/internal/impl/codec_reflect.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build purego || appengine // +build purego appengine package impl diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go b/vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go index e118af1e20..757642e23c 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go +++ b/vendor/google.golang.org/protobuf/internal/impl/codec_unsafe.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !purego && !appengine // +build !purego,!appengine package impl diff --git a/vendor/google.golang.org/protobuf/internal/impl/decode.go b/vendor/google.golang.org/protobuf/internal/impl/decode.go index 949dc49a65..c65b0325c1 100644 
--- a/vendor/google.golang.org/protobuf/internal/impl/decode.go +++ b/vendor/google.golang.org/protobuf/internal/impl/decode.go @@ -18,6 +18,7 @@ import ( ) var errDecode = errors.New("cannot parse invalid wire-format data") +var errRecursionDepth = errors.New("exceeded maximum recursion depth") type unmarshalOptions struct { flags protoiface.UnmarshalInputFlags @@ -25,6 +26,7 @@ type unmarshalOptions struct { FindExtensionByName(field protoreflect.FullName) (protoreflect.ExtensionType, error) FindExtensionByNumber(message protoreflect.FullName, field protoreflect.FieldNumber) (protoreflect.ExtensionType, error) } + depth int } func (o unmarshalOptions) Options() proto.UnmarshalOptions { @@ -44,6 +46,7 @@ func (o unmarshalOptions) IsDefault() bool { var lazyUnmarshalOptions = unmarshalOptions{ resolver: preg.GlobalTypes, + depth: protowire.DefaultRecursionLimit, } type unmarshalOutput struct { @@ -62,6 +65,7 @@ func (mi *MessageInfo) unmarshal(in piface.UnmarshalInput) (piface.UnmarshalOutp out, err := mi.unmarshalPointer(in.Buf, p, 0, unmarshalOptions{ flags: in.Flags, resolver: in.Resolver, + depth: in.Depth, }) var flags piface.UnmarshalOutputFlags if out.initialized { @@ -82,6 +86,10 @@ var errUnknown = errors.New("unknown") func (mi *MessageInfo) unmarshalPointer(b []byte, p pointer, groupTag protowire.Number, opts unmarshalOptions) (out unmarshalOutput, err error) { mi.init() + opts.depth-- + if opts.depth < 0 { + return out, errRecursionDepth + } if flags.ProtoLegacy && mi.isMessageSet { return unmarshalMessageSet(mi, b, p, opts) } diff --git a/vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go b/vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go index 9e3ed821ef..4c491bdf48 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go +++ b/vendor/google.golang.org/protobuf/internal/impl/pointer_reflect.go 
@@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build purego || appengine // +build purego appengine package impl diff --git a/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go b/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go index 9ecf23a85b..ee0e0573e3 100644 --- a/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go +++ b/vendor/google.golang.org/protobuf/internal/impl/pointer_unsafe.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !purego && !appengine // +build !purego,!appengine package impl diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_pure.go b/vendor/google.golang.org/protobuf/internal/strs/strings_pure.go index 85e074c977..a1f6f33386 100644 --- a/vendor/google.golang.org/protobuf/internal/strs/strings_pure.go +++ b/vendor/google.golang.org/protobuf/internal/strs/strings_pure.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build purego || appengine // +build purego appengine package strs diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go index 2160c70191..56a8a4ed3c 100644 --- a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go +++ b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !purego && !appengine // +build !purego,!appengine package strs diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go index 14e774fb2e..3d40d5249e 100644 --- a/vendor/google.golang.org/protobuf/internal/version/version.go 
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go @@ -52,8 +52,8 @@ import ( // 10. Send out the CL for review and submit it. const ( Major = 1 - Minor = 27 - Patch = 1 + Minor = 28 + Patch = 0 PreRelease = "" ) diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go index 49f9b8c88c..11bf7173be 100644 --- a/vendor/google.golang.org/protobuf/proto/decode.go +++ b/vendor/google.golang.org/protobuf/proto/decode.go @@ -42,18 +42,25 @@ type UnmarshalOptions struct { FindExtensionByName(field protoreflect.FullName) (protoreflect.ExtensionType, error) FindExtensionByNumber(message protoreflect.FullName, field protoreflect.FieldNumber) (protoreflect.ExtensionType, error) } + + // RecursionLimit limits how deeply messages may be nested. + // If zero, a default limit is applied. + RecursionLimit int } // Unmarshal parses the wire-format message in b and places the result in m. // The provided message must be mutable (e.g., a non-nil pointer to a message). func Unmarshal(b []byte, m Message) error { - _, err := UnmarshalOptions{}.unmarshal(b, m.ProtoReflect()) + _, err := UnmarshalOptions{RecursionLimit: protowire.DefaultRecursionLimit}.unmarshal(b, m.ProtoReflect()) return err } // Unmarshal parses the wire-format message in b and places the result in m. // The provided message must be mutable (e.g., a non-nil pointer to a message). func (o UnmarshalOptions) Unmarshal(b []byte, m Message) error { + if o.RecursionLimit == 0 { + o.RecursionLimit = protowire.DefaultRecursionLimit + } _, err := o.unmarshal(b, m.ProtoReflect()) return err } 
@@ -63,6 +70,9 @@ func (o UnmarshalOptions) Unmarshal(b []byte, m Message) error { // This method permits fine-grained control over the unmarshaler. // Most users should use Unmarshal instead. func (o UnmarshalOptions) UnmarshalState(in protoiface.UnmarshalInput) (protoiface.UnmarshalOutput, error) { + if o.RecursionLimit == 0 { + o.RecursionLimit = protowire.DefaultRecursionLimit + } return o.unmarshal(in.Buf, in.Message) } @@ -86,12 +96,17 @@ func (o UnmarshalOptions) unmarshal(b []byte, m protoreflect.Message) (out proto Message: m, Buf: b, Resolver: o.Resolver, + Depth: o.RecursionLimit, } if o.DiscardUnknown { in.Flags |= protoiface.UnmarshalDiscardUnknown } out, err = methods.Unmarshal(in) } else { + o.RecursionLimit-- + if o.RecursionLimit < 0 { + return out, errors.New("exceeded max recursion depth") + } err = o.unmarshalMessageSlow(b, m) } if err != nil { diff --git a/vendor/google.golang.org/protobuf/proto/proto_methods.go b/vendor/google.golang.org/protobuf/proto/proto_methods.go index d8dd604f6b..465e057b32 100644 --- a/vendor/google.golang.org/protobuf/proto/proto_methods.go +++ b/vendor/google.golang.org/protobuf/proto/proto_methods.go @@ -3,6 +3,7 @@ // license that can be found in the LICENSE file. // The protoreflect build tag disables use of fast-path methods. +//go:build !protoreflect // +build !protoreflect package proto diff --git a/vendor/google.golang.org/protobuf/proto/proto_reflect.go b/vendor/google.golang.org/protobuf/proto/proto_reflect.go index b103d43205..494d6ceef9 100644 --- a/vendor/google.golang.org/protobuf/proto/proto_reflect.go +++ b/vendor/google.golang.org/protobuf/proto/proto_reflect.go @@ -3,6 +3,7 @@ // license that can be found in the LICENSE file. // The protoreflect build tag disables use of fast-path methods. +//go:build protoreflect // +build protoreflect package proto 
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go index 6be5d16e9f..d5d5af6ebe 100644 --- a/vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go +++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/methods.go @@ -53,6 +53,7 @@ type ( FindExtensionByName(field FullName) (ExtensionType, error) FindExtensionByNumber(message FullName, field FieldNumber) (ExtensionType, error) } + Depth int } unmarshalOutput = struct { pragma.NoUnkeyedLiterals diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go index 918e685e1d..7ced876f4e 100644 --- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go +++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_pure.go @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build purego || appengine // +build purego appengine package protoreflect diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go index 5a34147241..eb7764c307 100644 --- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go +++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_union.go 
@@ -41,6 +41,31 @@ import ( // Converting to/from a Value and a concrete Go value panics on type mismatch. // For example, ValueOf("hello").Int() panics because this attempts to // retrieve an int64 from a string. +// +// List, Map, and Message Values are called "composite" values. +// +// A composite Value may alias (reference) memory at some location, +// such that changes to the Value updates the that location. +// A composite value acquired with a Mutable method, such as Message.Mutable, +// always references the source object. +// +// For example: +// // Append a 0 to a "repeated int32" field. +// // Since the Value returned by Mutable is guaranteed to alias +// // the source message, modifying the Value modifies the message. +// message.Mutable(fieldDesc).(List).Append(protoreflect.ValueOfInt32(0)) +// +// // Assign [0] to a "repeated int32" field by creating a new Value, +// // modifying it, and assigning it. +// list := message.NewField(fieldDesc).(List) +// list.Append(protoreflect.ValueOfInt32(0)) +// message.Set(fieldDesc, list) +// // ERROR: Since it is not defined whether Set aliases the source, +// // appending to the List here may or may not modify the message. +// list.Append(protoreflect.ValueOfInt32(0)) +// +// Some operations, such as Message.Get, may return an "empty, read-only" +// composite Value. Modifying an empty, read-only value panics. type Value value // The protoreflect API uses a custom Value union type instead of interface{} diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go index c45debdcac..702ddf22a2 100644 --- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go +++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go 
@@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build !purego && !appengine // +build !purego,!appengine package protoreflect diff --git a/vendor/google.golang.org/protobuf/runtime/protoiface/methods.go b/vendor/google.golang.org/protobuf/runtime/protoiface/methods.go index 32c04f67eb..44cf467d88 100644 --- a/vendor/google.golang.org/protobuf/runtime/protoiface/methods.go +++ b/vendor/google.golang.org/protobuf/runtime/protoiface/methods.go @@ -103,6 +103,7 @@ type UnmarshalInput = struct { FindExtensionByName(field protoreflect.FullName) (protoreflect.ExtensionType, error) FindExtensionByNumber(message protoreflect.FullName, field protoreflect.FieldNumber) (protoreflect.ExtensionType, error) } + Depth int } // UnmarshalOutput is output from the Unmarshal method. diff --git a/vendor/modules.txt b/vendor/modules.txt index 9eb37a1e11..198677ce0e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -442,8 +442,8 @@ google.golang.org/grpc/serviceconfig google.golang.org/grpc/stats google.golang.org/grpc/status google.golang.org/grpc/tap -# google.golang.org/protobuf v1.27.1 -## explicit; go 1.9 +# google.golang.org/protobuf v1.28.0 +## explicit; go 1.11 google.golang.org/protobuf/encoding/protojson google.golang.org/protobuf/encoding/prototext google.golang.org/protobuf/encoding/protowire From 0ad7821b2a43694aa08f81c5080a36dbb974c4bb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Mar 2022 18:40:16 +0000 Subject: [PATCH 05/10] vendor: bump k8s.io/klog/v2 from 2.60.0 to 2.60.1 (#1296) --- go.mod | 2 +- go.sum | 4 +- vendor/k8s.io/klog/v2/OWNERS | 16 +- vendor/k8s.io/klog/v2/README.md | 7 +- vendor/k8s.io/klog/v2/contextual.go | 55 ------ vendor/k8s.io/klog/v2/imports.go | 20 -- .../k8s.io/klog/v2/internal/clock/README.md | 7 + vendor/k8s.io/klog/v2/internal/clock/clock.go | 178 ++++++++++++++++++ vendor/k8s.io/klog/v2/klog.go | 2 +- vendor/k8s.io/klog/v2/klogr.go | 5 - vendor/modules.txt | 3 +- 11 files changed, 201 insertions(+), 98 deletions(-) create mode 100644 vendor/k8s.io/klog/v2/internal/clock/README.md create mode 100644 vendor/k8s.io/klog/v2/internal/clock/clock.go diff --git a/go.mod b/go.mod index ae796f5ea6..a723c29c5a 100644 --- a/go.mod +++ b/go.mod @@ -94,7 +94,7 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect k8s.io/component-base v0.23.4 // indirect - k8s.io/klog/v2 v2.60.0 + k8s.io/klog/v2 v2.60.1 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect ) diff --git a/go.sum b/go.sum index 096e657d4e..e685fc54a5 100644 --- a/go.sum +++ b/go.sum 
@@ -1522,8 +1522,8 @@ k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/klog/v2 v2.60.0 h1:gpzK92+m2MpVQKeRAUO+GURys568jE2RzMlIKEQeA9Q= -k8s.io/klog/v2 v2.60.0/go.mod h1:N3kgBtsFxMb4nQ0eBDgbHEt/dtxBuTkSFQ+7K5OUoz4= +k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= +k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4= diff --git a/vendor/k8s.io/klog/v2/OWNERS b/vendor/k8s.io/klog/v2/OWNERS index ad5063fdf1..8cccebf2e9 100644 --- a/vendor/k8s.io/klog/v2/OWNERS +++ b/vendor/k8s.io/klog/v2/OWNERS @@ -1,19 +1,13 @@ # See the OWNERS docs at https://go.k8s.io/owners reviewers: - - jayunit100 - - hoegaarden - - andyxning - - neolit123 - pohly - - yagonobre - - vincepri - - detiber approvers: - dims - thockin - - justinsb - - tallclair - - piosz + - serathius +emeritus_approvers: - brancz + - justinsb - lavalamp - - serathius + - piosz + - tallclair diff --git a/vendor/k8s.io/klog/v2/README.md b/vendor/k8s.io/klog/v2/README.md index a9c945e1d0..7de2212cca 100644 --- a/vendor/k8s.io/klog/v2/README.md +++ b/vendor/k8s.io/klog/v2/README.md 
@@ -28,12 +28,15 @@ Historical context is available here: Semantic versioning is used in this repository. It contains several Go modules with different levels of stability: - `k8s.io/klog/v2` - stable API, `vX.Y.Z` tags -- `k8s.io/tools` - no stable API yet (may change eventually), `tools/v0.Y.Z` tags +- `k8s.io/hack/tools` - no stable API yet (may change eventually or get moved to separate repo), `hack/tools/v0.Y.Z` tags - `examples` - no stable API, no tags, no intention to ever stabilize Exempt from the API stability guarantee are items (packages, functions, etc.) which are marked explicitly as `EXPERIMENTAL` in their docs comment. Those -may still change in incompatible ways or get removed entirely. +may still change in incompatible ways or get removed entirely. This can only +be used for code that is used in tests to avoid situations where non-test +code from two different Kubernetes dependencies depends on incompatible +releases of klog because an experimental API was changed. ---- diff --git a/vendor/k8s.io/klog/v2/contextual.go b/vendor/k8s.io/klog/v2/contextual.go index 33743ffb8d..0bf19280e5 100644 --- a/vendor/k8s.io/klog/v2/contextual.go +++ b/vendor/k8s.io/klog/v2/contextual.go @@ -80,11 +80,6 @@ func SetLogger(logger logr.Logger) { // Supporting direct calls is recommended because it avoids the overhead of // routing log entries through klogr into klog and then into the actual Logger // backend. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func SetLoggerWithOptions(logger logr.Logger, opts ...LoggerOption) { globalLogger = &logger globalLoggerOptions = loggerOptions{} 
@@ -96,11 +91,6 @@ func SetLoggerWithOptions(logger logr.Logger, opts ...LoggerOption) { // ContextualLogger determines whether the logger passed to // SetLoggerWithOptions may also get called directly. Such a logger cannot rely // on verbosity checking in klog. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func ContextualLogger(enabled bool) LoggerOption { return func(o *loggerOptions) { o.contextualLogger = enabled @@ -108,11 +98,6 @@ func ContextualLogger(enabled bool) LoggerOption { } // FlushLogger provides a callback for flushing data buffered by the logger. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func FlushLogger(flush func()) LoggerOption { return func(o *loggerOptions) { o.flush = flush @@ -121,11 +106,6 @@ func FlushLogger(flush func()) LoggerOption { // LoggerOption implements the functional parameter paradigm for // SetLoggerWithOptions. -// -// Experimental -// -// Notice: This type is EXPERIMENTAL and may be changed or removed in a -// later release. type LoggerOption func(o *loggerOptions) type loggerOptions struct { @@ -151,11 +131,6 @@ func ClearLogger() { // to avoid the additional overhead for contextual logging. // // This must be called during initialization before goroutines are started. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func EnableContextualLogging(enabled bool) { contextualLoggingEnabled = enabled } 
@@ -163,11 +138,6 @@ func EnableContextualLogging(enabled bool) { // FromContext retrieves a logger set by the caller or, if not set, // falls back to the program's global logger (a Logger instance or klog // itself). -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func FromContext(ctx context.Context) Logger { if contextualLoggingEnabled { if logger, err := logr.FromContext(ctx); err == nil { @@ -181,11 +151,6 @@ func FromContext(ctx context.Context) Logger { // TODO can be used as a last resort by code that has no means of // receiving a logger from its caller. FromContext or an explicit logger // parameter should be used instead. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func TODO() Logger { return Background() } @@ -194,11 +159,6 @@ func TODO() Logger { // that logger was initialized by the program and not by code that should // better receive a logger via its parameters. TODO can be used as a temporary // solution for such code. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func Background() Logger { if globalLoggerOptions.contextualLogger { // Is non-nil because globalLoggerOptions.contextualLogger is @@ -211,11 +171,6 @@ func Background() Logger { // LoggerWithValues returns logger.WithValues(...kv) when // contextual logging is enabled, otherwise the logger. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func LoggerWithValues(logger Logger, kv ...interface{}) Logger { if contextualLoggingEnabled { return logger.WithValues(kv...) 
@@ -225,11 +180,6 @@ func LoggerWithValues(logger Logger, kv ...interface{}) Logger { // LoggerWithName returns logger.WithName(name) when contextual logging is // enabled, otherwise the logger. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func LoggerWithName(logger Logger, name string) Logger { if contextualLoggingEnabled { return logger.WithName(name) @@ -239,11 +189,6 @@ func LoggerWithName(logger Logger, name string) Logger { // NewContext returns logr.NewContext(ctx, logger) when // contextual logging is enabled, otherwise ctx. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func NewContext(ctx context.Context, logger Logger) context.Context { if contextualLoggingEnabled { return logr.NewContext(ctx, logger) diff --git a/vendor/k8s.io/klog/v2/imports.go b/vendor/k8s.io/klog/v2/imports.go index 43cd08190f..602c3ed9e6 100644 --- a/vendor/k8s.io/klog/v2/imports.go +++ b/vendor/k8s.io/klog/v2/imports.go @@ -24,35 +24,15 @@ import ( // without directly importing it. // Logger in this package is exactly the same as logr.Logger. -// -// Experimental -// -// Notice: This type is EXPERIMENTAL and may be changed or removed in a -// later release. type Logger = logr.Logger // LogSink in this package is exactly the same as logr.LogSink. -// -// Experimental -// -// Notice: This type is EXPERIMENTAL and may be changed or removed in a -// later release. type LogSink = logr.LogSink // Runtimeinfo in this package is exactly the same as logr.RuntimeInfo. -// -// Experimental -// -// Notice: This type is EXPERIMENTAL and may be changed or removed in a -// later release. type RuntimeInfo = logr.RuntimeInfo var ( // New is an alias for logr.New. - // - // Experimental - // - // Notice: This variable is EXPERIMENTAL and may be changed or removed in a - // later release. New = logr.New ) 
diff --git a/vendor/k8s.io/klog/v2/internal/clock/README.md b/vendor/k8s.io/klog/v2/internal/clock/README.md new file mode 100644 index 0000000000..03d692c8f8 --- /dev/null +++ b/vendor/k8s.io/klog/v2/internal/clock/README.md @@ -0,0 +1,7 @@ +# Clock + +This package provides an interface for time-based operations. It allows +mocking time for testing. + +This is a copy of k8s.io/utils/clock. We have to copy it to avoid a circular +dependency (k8s.io/klog -> k8s.io/utils -> k8s.io/klog). diff --git a/vendor/k8s.io/klog/v2/internal/clock/clock.go b/vendor/k8s.io/klog/v2/internal/clock/clock.go new file mode 100644 index 0000000000..b8b6af5c81 --- /dev/null +++ b/vendor/k8s.io/klog/v2/internal/clock/clock.go 
@@ -0,0 +1,178 @@ +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package clock + +import "time" + +// PassiveClock allows for injecting fake or real clocks into code +// that needs to read the current time but does not support scheduling +// activity in the future. +type PassiveClock interface { + Now() time.Time + Since(time.Time) time.Duration +} + +// Clock allows for injecting fake or real clocks into code that +// needs to do arbitrary things based on time. +type Clock interface { + PassiveClock + // After returns the channel of a new Timer. + // This method does not allow to free/GC the backing timer before it fires. Use + // NewTimer instead. + After(d time.Duration) <-chan time.Time + // NewTimer returns a new Timer. + NewTimer(d time.Duration) Timer + // Sleep sleeps for the provided duration d. + // Consider making the sleep interruptible by using 'select' on a context channel and a timer channel. + Sleep(d time.Duration) + // Tick returns the channel of a new Ticker. + // This method does not allow to free/GC the backing ticker. Use + // NewTicker from WithTicker instead. + Tick(d time.Duration) <-chan time.Time +} + +// WithTicker allows for injecting fake or real clocks into code that +// needs to do arbitrary things based on time. +type WithTicker interface { + Clock + // NewTicker returns a new Ticker. 
+ NewTicker(time.Duration) Ticker +} + +// WithDelayedExecution allows for injecting fake or real clocks into +// code that needs to make use of AfterFunc functionality. +type WithDelayedExecution interface { + Clock + // AfterFunc executes f in its own goroutine after waiting + // for d duration and returns a Timer whose channel can be + // closed by calling Stop() on the Timer. + AfterFunc(d time.Duration, f func()) Timer +} + +// WithTickerAndDelayedExecution allows for injecting fake or real clocks +// into code that needs Ticker and AfterFunc functionality +type WithTickerAndDelayedExecution interface { + WithTicker + // AfterFunc executes f in its own goroutine after waiting + // for d duration and returns a Timer whose channel can be + // closed by calling Stop() on the Timer. + AfterFunc(d time.Duration, f func()) Timer +} + +// Ticker defines the Ticker interface. +type Ticker interface { + C() <-chan time.Time + Stop() +} + +var _ = WithTicker(RealClock{}) + +// RealClock really calls time.Now() +type RealClock struct{} + +// Now returns the current time. +func (RealClock) Now() time.Time { + return time.Now() +} + +// Since returns time since the specified timestamp. +func (RealClock) Since(ts time.Time) time.Duration { + return time.Since(ts) +} + +// After is the same as time.After(d). +// This method does not allow to free/GC the backing timer before it fires. Use +// NewTimer instead. +func (RealClock) After(d time.Duration) <-chan time.Time { + return time.After(d) +} + +// NewTimer is the same as time.NewTimer(d) +func (RealClock) NewTimer(d time.Duration) Timer { + return &realTimer{ + timer: time.NewTimer(d), + } +} + +// AfterFunc is the same as time.AfterFunc(d, f). +func (RealClock) AfterFunc(d time.Duration, f func()) Timer { + return &realTimer{ + timer: time.AfterFunc(d, f), + } +} + +// Tick is the same as time.Tick(d) +// This method does not allow to free/GC the backing ticker. Use +// NewTicker instead. 
+func (RealClock) Tick(d time.Duration) <-chan time.Time { + return time.Tick(d) +} + +// NewTicker returns a new Ticker. +func (RealClock) NewTicker(d time.Duration) Ticker { + return &realTicker{ + ticker: time.NewTicker(d), + } +} + +// Sleep is the same as time.Sleep(d) +// Consider making the sleep interruptible by using 'select' on a context channel and a timer channel. +func (RealClock) Sleep(d time.Duration) { + time.Sleep(d) +} + +// Timer allows for injecting fake or real timers into code that +// needs to do arbitrary things based on time. +type Timer interface { + C() <-chan time.Time + Stop() bool + Reset(d time.Duration) bool +} + +var _ = Timer(&realTimer{}) + +// realTimer is backed by an actual time.Timer. +type realTimer struct { + timer *time.Timer +} + +// C returns the underlying timer's channel. +func (r *realTimer) C() <-chan time.Time { + return r.timer.C +} + +// Stop calls Stop() on the underlying timer. +func (r *realTimer) Stop() bool { + return r.timer.Stop() +} + +// Reset calls Reset() on the underlying timer. +func (r *realTimer) Reset(d time.Duration) bool { + return r.timer.Reset(d) +} + +type realTicker struct { + ticker *time.Ticker +} + +func (r *realTicker) C() <-chan time.Time { + return r.ticker.C +} + +func (r *realTicker) Stop() { + r.ticker.Stop() +} diff --git a/vendor/k8s.io/klog/v2/klog.go b/vendor/k8s.io/klog/v2/klog.go index bb6f64be49..cb04590fe6 100644 --- a/vendor/k8s.io/klog/v2/klog.go +++ b/vendor/k8s.io/klog/v2/klog.go @@ -91,9 +91,9 @@ import ( "github.com/go-logr/logr" "k8s.io/klog/v2/internal/buffer" + "k8s.io/klog/v2/internal/clock" "k8s.io/klog/v2/internal/serialize" "k8s.io/klog/v2/internal/severity" - "k8s.io/utils/clock" ) // severityValue identifies the sort of log: info, warning etc. It also implements diff --git a/vendor/k8s.io/klog/v2/klogr.go b/vendor/k8s.io/klog/v2/klogr.go index cdb3834fa1..351d7a7405 100644 --- a/vendor/k8s.io/klog/v2/klogr.go +++ b/vendor/k8s.io/klog/v2/klogr.go 
@@ -25,11 +25,6 @@ import ( // NewKlogr returns a logger that is functionally identical to // klogr.NewWithOptions(klogr.FormatKlog), i.e. it passes through to klog. The // difference is that it uses a simpler implementation. -// -// Experimental -// -// Notice: This function is EXPERIMENTAL and may be changed or removed in a -// later release. func NewKlogr() Logger { return New(&klogger{}) } diff --git a/vendor/modules.txt b/vendor/modules.txt index 198677ce0e..f2612b440f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -887,10 +887,11 @@ k8s.io/component-base/config/v1alpha1 # k8s.io/klog v1.0.0 ## explicit; go 1.12 k8s.io/klog -# k8s.io/klog/v2 v2.60.0 +# k8s.io/klog/v2 v2.60.1 ## explicit; go 1.13 k8s.io/klog/v2 k8s.io/klog/v2/internal/buffer +k8s.io/klog/v2/internal/clock k8s.io/klog/v2/internal/serialize k8s.io/klog/v2/internal/severity # k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 From df9b910423047c624c528bcee15761725b36f2df Mon Sep 17 00:00:00 2001 From: Cristina Kovacs Date: Fri, 25 Mar 2022 12:13:53 -0500 Subject: [PATCH 06/10] adding egress tests --- .../translation/translatePolicy_test.go | 345 ++++++++++++++++++ 1 file changed, 345 insertions(+) diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go index 482043cfc1..2c5d82fcb0 100644 --- a/npm/pkg/controlplane/translation/translatePolicy_test.go +++ b/npm/pkg/controlplane/translation/translatePolicy_test.go 
@@ -1576,3 +1576,348 @@ func TestIngressPolicy(t *testing.T) { }) } } + +func TestEgressPolicy(t *testing.T) { + tcp := v1.ProtocolTCP + targetPodMatchType := policies.EitherMatch + peerMatchType := policies.DstMatch + tests := []struct { + name string + targetSelector *metav1.LabelSelector + rules []networkingv1.NetworkPolicyEgressRule + npmNetPol *policies.NPMNetworkPolicy + }{ + { + name: "only port in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + Ports: []networkingv1.NetworkPolicyPort{ + { + Protocol: &tcp, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-serve-tcp", + Target: policies.Allowed, + Direction: policies.Egress, + DstPorts: policies.Ports{ + Port: 0, + EndPort: 0, + }, + Protocol: "TCP", + }, + defaultDropACL("default", "serve-tcp", policies.Egress), + }, + }, + }, + { + name: "only ipBlock in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + Except: []string{"172.17.1.0/24"}, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-ipblock", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", 
ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("only-ipblock-in-ns-default-0-0OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24 nomatch"}...), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-ipblock", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-ipblock-in-ns-default-0-0OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-ipblock", policies.Egress), + }, + }, + }, + { + name: "only peer podSelector in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-podselector-kay": "peer-podselector-value", + }, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-podSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + ACLs: []*policies.ACLPolicy{ 
+ { + PolicyID: "azure-acl-default-only-peer-podSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod, included, peerMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-podSelector", policies.Egress), + }, + }, + }, + { + name: "only peer nameSpaceSelector in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-nsselector-kay": "peer-nsselector-value", + }, + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-nsSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-nsSelector", policies.Egress), + }, + }, + }, + { + name: "deny all in egress rules", + targetSelector: &metav1.LabelSelector{ + 
MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: nil, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + + defaultDropACL("default", "serve-tcp", policies.Egress), + }, + }, + }, + { + name: "allow all egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + {}, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "serve-tcp", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-serve-tcp", + Target: policies.Allowed, + Direction: policies.Egress, + }, + }, + }, + }, + { + name: "peer nameSpaceSelector and ipblock in egress rules", + targetSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "label": "dst", + }, + }, + rules: []networkingv1.NetworkPolicyEgressRule{ + { + To: []networkingv1.NetworkPolicyPeer{ + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "peer-nsselector-kay": "peer-nsselector-value", + }, + }, + }, + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + Except: 
[]string{"172.17.1.0/24", "172.17.2.0/24"}, + }, + }, + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "172.17.0.0/16", + }, + }, + }, + }, + }, + npmNetPol: &policies.NPMNetworkPolicy{ + Name: "only-peer-nsSelector", + NameSpace: "default", + PodSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), + }, + PodSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType), + policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType), + }, + RuleIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace), + ipsets.NewTranslatedIPSet("only-peer-nsSelector-in-ns-default-0-1OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24 nomatch", "172.17.2.0/24 nomatch"}...), + ipsets.NewTranslatedIPSet("only-peer-nsSelector-in-ns-default-0-2OUT", ipsets.CIDRBlocks, []string{"172.17.0.0/16"}...), + }, + ACLs: []*policies.ACLPolicy{ + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace, included, peerMatchType), + }, + }, + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-peer-nsSelector-in-ns-default-0-1OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + { + PolicyID: "azure-acl-default-only-peer-nsSelector", + Target: policies.Allowed, + Direction: policies.Egress, + DstList: []policies.SetInfo{ + policies.NewSetInfo("only-peer-nsSelector-in-ns-default-0-2OUT", ipsets.CIDRBlocks, included, peerMatchType), + }, + }, + defaultDropACL("default", "only-peer-nsSelector", 
policies.Egress),
+ },
+ },
+ },
+ }
+
+ for _, tt := range tests {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+ npmNetPol := &policies.NPMNetworkPolicy{
+ Name: tt.npmNetPol.Name,
+ NameSpace: tt.npmNetPol.NameSpace,
+ }
+ var err error
+ npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.NameSpace, policies.EitherMatch, tt.targetSelector)
+ require.NoError(t, err)
+ err = egressPolicy(npmNetPol, tt.rules)
+ require.NoError(t, err)
+ require.Equal(t, tt.npmNetPol, npmNetPol)
+ })
+ }
+}
From 9e13fbc96861208f4fbffc3974bc45269c05785f Mon Sep 17 00:00:00 2001
From: Cristina Kovacs
Date: Fri, 25 Mar 2022 13:28:00 -0500
Subject: [PATCH 07/10] fixed lint issue
---
 npm/pkg/controlplane/translation/translatePolicy_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go
index 2c5d82fcb0..0c84fedea4 100644
--- a/npm/pkg/controlplane/translation/translatePolicy_test.go
+++ b/npm/pkg/controlplane/translation/translatePolicy_test.go
@@ -1791,7 +1791,6 @@ func TestEgressPolicy(t *testing.T) {
 policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType),
 },
 ACLs: []*policies.ACLPolicy{
-
 defaultDropACL("default", "serve-tcp", policies.Egress),
 },
 },
From bbbc9605c4ae01c62e90f166913e09710c76385e Mon Sep 17 00:00:00 2001
From: Cristina Kovacs
Date: Fri, 1 Apr 2022 12:30:23 -0500
Subject: [PATCH 08/10] added error test
---
 .../translation/translatePolicy_test.go | 55 ++++++++++++++++++-
 1 file changed, 52 insertions(+), 3 deletions(-)
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go
index 0c84fedea4..ee5e8afe27 100644
--- a/npm/pkg/controlplane/translation/translatePolicy_test.go
+++ b/npm/pkg/controlplane/translation/translatePolicy_test.go
@@ -1579,6 +1579,7 @@ func TestIngressPolicy(t *testing.T) {
 func TestEgressPolicy(t *testing.T) {
 tcp := v1.ProtocolTCP
+ emptyString := intstr.FromString("")
 targetPodMatchType := policies.EitherMatch
 peerMatchType := policies.DstMatch
 tests := []struct {
@@ -1586,6 +1587,7 @@ func TestEgressPolicy(t *testing.T) {
 targetSelector *metav1.LabelSelector
 rules []networkingv1.NetworkPolicyEgressRule
 npmNetPol *policies.NPMNetworkPolicy
+ wantErr bool
 }{
 {
 name: "only port in egress rules",
@@ -1901,6 +1903,50 @@ func TestEgressPolicy(t *testing.T) {
 },
 },
 },
+ {
+ name: "error",
+ targetSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "label": "dst",
+ },
+ },
+ rules: []networkingv1.NetworkPolicyEgressRule{
+ {
+ Ports: []networkingv1.NetworkPolicyPort{
+ {
+ Protocol: &tcp,
+ Port: &emptyString,
+ },
+ },
+ },
+ },
+ npmNetPol: &policies.NPMNetworkPolicy{
+ Name: "serve-tcp",
+ NameSpace: "default",
+ PodSelectorIPSets: []*ipsets.TranslatedIPSet{
+ ipsets.NewTranslatedIPSet("label:dst", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
+ },
+ PodSelectorList: []policies.SetInfo{
+ policies.NewSetInfo("label:dst", ipsets.KeyValueLabelOfPod, included, targetPodMatchType),
+ policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType),
+ },
+ ACLs: []*policies.ACLPolicy{
+ {
+ PolicyID: "azure-acl-default-serve-tcp",
+ Target: policies.Allowed,
+ Direction: policies.Egress,
+ SrcList: []policies.SetInfo{},
+ DstList: []policies.SetInfo{
+ policies.NewSetInfo("serve-tcp", ipsets.NamedPorts, included, policies.DstDstMatch),
+ },
+ Protocol: "TCP",
+ },
+ defaultDropACL("default", "serve-tcp", policies.Egress),
+ },
+ },
+ wantErr: true,
+ },
 }
 for _, tt := range tests {
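Review bot: The `error` case in hunk `@@ -1901,6 +1903,50 @@` carries a fully populated expected `npmNetPol` (pod-selector sets, an allow ACL with a `serve-tcp` named-port set, then a drop ACL) that is never compared, because the loop's `wantErr` branch skips `require.Equal` and the loop otherwise reads only `tt.npmNetPol.Name` and `tt.npmNetPol.NameSpace`. As written the fixture reads as if the translator were expected to emit an allow rule for an empty named port, which is the opposite of what the case asserts. Reduce it to `npmNetPol: &policies.NPMNetworkPolicy{Name: "serve-tcp", NameSpace: "default"},` so nobody mistakes it for a pinned output; the later hunk `@@ -1936,11 +1936,7 @@` trims the same dead fixture but leaves it in place. A name such as `"empty named port in egress rules"` would also say what the case covers better than `"error"`.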
@@ -1913,10 +1959,13 @@ func TestEgressPolicy(t *testing.T) {
 }
 var err error
 npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.NameSpace, policies.EitherMatch, tt.targetSelector)
- require.NoError(t, err)
 err = egressPolicy(npmNetPol, tt.rules)
- require.NoError(t, err)
- require.Equal(t, tt.npmNetPol, npmNetPol)
+ if tt.wantErr {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ require.Equal(t, tt.npmNetPol, npmNetPol)
+ }
 })
 }
 }
From 0234550be38ce62407a3e780cb3c2a5a9c097be6 Mon Sep 17 00:00:00 2001
From: Cristina Kovacs
Date: Fri, 1 Apr 2022 12:50:48 -0500
Subject: [PATCH 09/10] added check
---
 npm/pkg/controlplane/translation/translatePolicy_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go
index ee5e8afe27..3e7777e8b7 100644
--- a/npm/pkg/controlplane/translation/translatePolicy_test.go
+++ b/npm/pkg/controlplane/translation/translatePolicy_test.go
@@ -1959,6 +1959,7 @@ func TestEgressPolicy(t *testing.T) {
 }
 var err error
 npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.NameSpace, policies.EitherMatch, tt.targetSelector)
+ require.NoError(t, err)
 err = egressPolicy(npmNetPol, tt.rules)
 if tt.wantErr {
 require.Error(t, err)
From 19d487d862243f560d441a9f6d8848378e5b74d4 Mon Sep 17 00:00:00 2001
From: Cristina Kovacs
Date: Fri, 1 Apr 2022 20:20:34 -0500
Subject: [PATCH 10/10] cleaned up method
---
 npm/pkg/controlplane/translation/translatePolicy_test.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go
index 3e7777e8b7..5dd1fcaf3f 100644
--- a/npm/pkg/controlplane/translation/translatePolicy_test.go
+++ b/npm/pkg/controlplane/translation/translatePolicy_test.go
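Review bot: `require.Error(t, err)` in the new `wantErr` branch accepts any error, so the `error` case keeps passing if `egressPolicy` starts failing before it ever looks at the empty named port, and an unrelated regression would be masked. Pin the failure with `require.ErrorIs` against the sentinel `egressPolicy` returns for that input, or `require.ErrorContains` on its message; neither is visible in this diff, so the exact value has to come from translatePolicy.go. The branch also discards `npmNetPol` after the failure: if callers rely on a failed translation leaving no ACLs to apply, `require.Empty(t, npmNetPol.ACLs)` inside the branch would pin that, assuming it is the intended contract.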
@@ -1936,11 +1936,7 @@ func TestEgressPolicy(t *testing.T) {
 PolicyID: "azure-acl-default-serve-tcp",
 Target: policies.Allowed,
 Direction: policies.Egress,
- SrcList: []policies.SetInfo{},
- DstList: []policies.SetInfo{
- policies.NewSetInfo("serve-tcp", ipsets.NamedPorts, included, policies.DstDstMatch),
- },
- Protocol: "TCP",
+ Protocol: "TCP",
 },
 defaultDropACL("default", "serve-tcp", policies.Egress),
 },