[network-policy-engine] Deny module setup if the cni-cilium module is enabled #7687

Merged: 2 commits, Mar 5, 2024

@Beastlex Beastlex commented Mar 1, 2024

Description

Disable network-policy-engine module if cni-cilium module is enabled.

Why do we need it, and what problem does it solve?

When the CNI-Cilium module is enabled, its own Network Policies are in place. If the Network Policy Engine module is also activated concurrently, conflicts and ambiguity can occur. To prevent this, a verification check will be added to the module activation script to check whether the CNI-Cilium module is already enabled.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: network-policy-engine
type: chore
summary: Deny module setup if the `cni-cilium` module is enabled.

@Beastlex Beastlex added the area/network Pull requests that update cni and network modules label Mar 1, 2024
@Beastlex Beastlex added this to the v1.58.3 milestone Mar 1, 2024
@github-actions github-actions bot added the area/security Pull requests that update security modules label Mar 1, 2024
Signed-off-by: Alexander Zverev <beastlex@gmail.com>
@Beastlex Beastlex force-pushed the add-constraints-with-cilium-for-modules branch from b9ccc2f to a898461 Compare March 1, 2024 12:09
@Beastlex Beastlex marked this pull request as ready for review March 1, 2024 13:37
@Beastlex Beastlex requested a review from apolovov as a code owner March 1, 2024 13:37
@apolovov apolovov changed the title [network-policy-engine] Add constraints (with check is cni-cilium enabled) on enabling module. [network-policy-engine] Deny module setup if the istio-cni module enabled Mar 4, 2024
Signed-off-by: Andrey Polovov <andrey.polovov@flant.com>
@Beastlex Beastlex changed the title [network-policy-engine] Deny module setup if the istio-cni module enabled [network-policy-engine] Deny module setup if the cni-cilium module enabled Mar 4, 2024
@apolovov apolovov changed the title [network-policy-engine] Deny module setup if the cni-cilium module enabled [network-policy-engine] Deny module setup if the cni-cilium module is enabled Mar 5, 2024
@apolovov apolovov self-requested a review March 5, 2024 08:37
@apolovov apolovov merged commit 35e2039 into main Mar 5, 2024
36 of 37 checks passed
@apolovov apolovov deleted the add-constraints-with-cilium-for-modules branch March 5, 2024 08:37
@z9r5 z9r5 added the status/backport Backport pr label Mar 5, 2024
github-actions bot pushed a commit that referenced this pull request Mar 5, 2024
… enabled (#7687)

* modify enabled script for network-policy-engine

Signed-off-by: Alexander Zverev <beastlex@gmail.com>

* Apply suggestions from code review

Signed-off-by: Andrey Polovov <andrey.polovov@flant.com>

---------

Signed-off-by: Alexander Zverev <beastlex@gmail.com>
Signed-off-by: Andrey Polovov <andrey.polovov@flant.com>
Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
@deckhouse-BOaTswain

Cherry pick PR 7721 to the branch release-1.58 successful!

deckhouse-BOaTswain added a commit that referenced this pull request Mar 5, 2024
… enabled (#7687) (#7721)

* modify enabled script for network-policy-engine

* Apply suggestions from code review

---------

Signed-off-by: Alexander Zverev <beastlex@gmail.com>
Signed-off-by: Andrey Polovov <andrey.polovov@flant.com>
Co-authored-by: Beastlex <36466535+Beastlex@users.noreply.github.com>
Co-authored-by: Andrey Polovov <andrey.polovov@flant.com>
@deckhouse-BOaTswain deckhouse-BOaTswain removed the status/backport Backport pr label Mar 5, 2024
This was referenced Mar 5, 2024
pashcovich pushed a commit that referenced this pull request Mar 6, 2024
… enabled (#7687)

elenashliaga pushed a commit that referenced this pull request Mar 7, 2024
… enabled (#7687)

Horiodino pushed a commit to Horiodino/deckhouse that referenced this pull request Apr 21, 2024
… enabled (deckhouse#7687)
