-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[network-policy-engine] Deny module setup if the cni-cilium module is enabled #7687
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
area/security
Pull requests that update security modules
label
Mar 1, 2024
Signed-off-by: Alexander Zverev <beastlex@gmail.com>
Beastlex
force-pushed
the
add-constraints-with-cilium-for-modules
branch
from
March 1, 2024 12:09
b9ccc2f
to
a898461
Compare
apolovov
changed the title
[network-policy-engine] Add constraints (with check is cni-cilium enabled) on enabling module.
[network-policy-engine] Deny module setup if the istio-cni module enabled
Mar 4, 2024
apolovov
reviewed
Mar 4, 2024
apolovov
reviewed
Mar 4, 2024
Signed-off-by: Andrey Polovov <andrey.polovov@flant.com>
Beastlex
changed the title
[network-policy-engine] Deny module setup if the istio-cni module enabled
[network-policy-engine] Deny module setup if the cni-cilium module enabled
Mar 4, 2024
apolovov
changed the title
[network-policy-engine] Deny module setup if the cni-cilium module enabled
[network-policy-engine] Deny module setup if the cni-cilium module is enabled
Mar 5, 2024
apolovov
approved these changes
Mar 5, 2024
Merged
github-actions bot
pushed a commit
that referenced
this pull request
Mar 5, 2024
… enabled (#7687) * modify enabled script for network-policy-engine Signed-off-by: Alexander Zverev <beastlex@gmail.com> * Apply suggestions from code review Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> --------- Signed-off-by: Alexander Zverev <beastlex@gmail.com> Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
Cherry pick PR 7721 to the branch release-1.58 successful! |
deckhouse-BOaTswain
added a commit
that referenced
this pull request
Mar 5, 2024
… enabled (#7687) (#7721) * modify enabled script for network-policy-engine * Apply suggestions from code review --------- Signed-off-by: Alexander Zverev <beastlex@gmail.com> Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Co-authored-by: Beastlex <36466535+Beastlex@users.noreply.github.com> Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
This was referenced Mar 5, 2024
Merged
pashcovich
pushed a commit
that referenced
this pull request
Mar 6, 2024
… enabled (#7687) * modify enabled script for network-policy-engine Signed-off-by: Alexander Zverev <beastlex@gmail.com> * Apply suggestions from code review Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> --------- Signed-off-by: Alexander Zverev <beastlex@gmail.com> Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
This was referenced Mar 6, 2024
Closed
Merged
elenashliaga
pushed a commit
that referenced
this pull request
Mar 7, 2024
… enabled (#7687) * modify enabled script for network-policy-engine Signed-off-by: Alexander Zverev <beastlex@gmail.com> * Apply suggestions from code review Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> --------- Signed-off-by: Alexander Zverev <beastlex@gmail.com> Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
Horiodino
pushed a commit
to Horiodino/deckhouse
that referenced
this pull request
Apr 21, 2024
… enabled (deckhouse#7687) * modify enabled script for network-policy-engine Signed-off-by: Alexander Zverev <beastlex@gmail.com> * Apply suggestions from code review Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> --------- Signed-off-by: Alexander Zverev <beastlex@gmail.com> Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/network
Pull requests that update cni and network modules
area/security
Pull requests that update security modules
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Disable network-policy-engine module if cni-cilium module is enabled.
Why do we need it, and what problem does it solve?
When the CNI-Cilium module is enabled, its own Network Policies are in place. If the Network Policy Engine module is also activated concurrently, conflicts and ambiguity can occur. To prevent this, a verification check will be added to the module activation script to ensure if the CNI-Cilium module is already enabled.
Checklist
Changelog entries