Ingress node firewall implements Kubernetes operator to provision stateless ingress node level firewall rules, stateless ingress node firewall implementation is done using eBPF XDP kernel plugin
License: Apache License 2.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "openshift-ci[bot]")
![openshift-merge-bot[bot] avatar](https://avatars.githubusercontent.com/in/412865?v=4 "openshift-merge-bot[bot]")
Describe the bug
It was noticed the test pods sometimes never get to ready state even after looong waiting time can be 10m
To Reproduce
Steps to reproduce the behavior:
run e2e CI job on OCP cluster
Expected behavior
e2e should be stable and always pass
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
e2e test should pass
it seems we are missing some dependancies preventing me from using sctp linux defined header structure as a work around I added the header to kernel plugin but this need to cleaned up at some point some how
https://github.com/openshift/ingress-node-firewall/blob/master/bpf/ingress_node_firewall_kernel.c#L21
It takes a minute to start the daemon set pod. Fix this
Currently, we use a 900mb image (kindest/node) to mount the bpffs. No need for this. Switch it out for a smaller image.
I notice on my PC, I have to pull the full image.
No cache occurs even though I know I have this image locally already because I setup the KinD cluster using this image.
ebpf rules - implement correct idempotent rules merge for node deletion, add and update
Rename IngrNodeFwConfig to IngressNodeFirewallConfig
Unit tests break with 3d2ce73. Also, when running make test, the .yaml files are updated and generated differently from the checked in files.
I can fix this by reverting the commit
[akaris@linux ingress-node-firewall ((0ec1511...))]$ git checkout downstream/master
Warning: you are leaving 1 commit behind, not connected to
any of your branches:
0ec1511 Revert "fix go get controller-gen issue"
If you want to keep it by creating a new branch, this may be a good time
to do so with:
git branch <new-branch-name> 0ec1511
HEAD is now at c0a24f2 Merge pull request #104 from msherif1234/xdp_list_intfs
[akaris@linux ingress-node-firewall ((c0a24f2...))]$ git checkout -b revert-3d2ce73
Switched to a new branch 'revert-3d2ce73'
[akaris@linux ingress-node-firewall (revert-3d2ce73)]$ make test
==== Generating DaemonSet manifest
hack/generate-daemon-manifest.sh
/home/akaris/development/go/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
/home/akaris/development/ingress-node-firewall/api/v1alpha1/ingressnodefirewallnodestate_types.go:31:35: map values must be a named type, not *ast.ArrayType
Error: not all generators ran successfully
run `controller-gen rbac:roleName=manager-role crd webhook paths=./... output:crd:artifacts:config=config/crd/bases -w` to see all available markers, or `controller-gen rbac:roleName=manager-role crd webhook paths=./... output:crd:artifacts:config=config/crd/bases -h` for usage
make: *** [Makefile:99: manifests] Error 1
[akaris@linux ingress-node-firewall (revert-3d2ce73)]$ git diff
diff --git a/config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml b/config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
index bc0c639..9dec8d8 100644
--- a/config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
+++ b/config/crd/bases/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
@@ -1,9 +1,10 @@
+
---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.9.0
+ controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: ingressnodefirewallconfigs.ingressnodefirewall.openshift.io
spec:
@@ -14,83 +15,90 @@ spec:
plural: ingressnodefirewallconfigs
singular: ingressnodefirewallconfig
scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ description: IngressNodeFirewallConfig is the Schema for the ingressnodefirewallconfigs
[akaris@linux ingress-node-firewall (revert-3d2ce73)]$
Describe the bug
An IngressNodeFirewall object is allowed even if interfaces is left out of the manifest, despite the CRD which states minItems: 1 for interfaces. In turn this leads to a failure, as the error can be seen in the IngressNodeFirewallState but the INF status simply states syncStatus: Error which can lead to confusion on the user/admin end.
Same process can be seen in Ingress config, where it is admitted without proper config, despite MinItem:1 in CRD
INF Manifest
IngressNodeFirewallState
status:
syncErrorMessage: Invalid interface name - cannot provide an empty list
syncStatus: Error
CRD
ingressnodefirewalls.ingressnodefirewall.openshift.io
interfaces:
description: >-
interfaces is a list of interfaces where the ingress
firewall policy will be applied on.
type: array
minItems: 1
items:
type: string
In the controller this is handled:
// Now, iterate over all interfaces in the InrgessNodeFirewallSpec.
if len(firewallObj.Spec.Interfaces) == 0 {
state.Status = infv1alpha1.IngressNodeFirewallNodeStateStatus{
SyncStatus: infv1alpha1.SyncError,
SyncErrorMessage: "Invalid interface name - cannot provide an empty list",
}
// Write back the state to the map and then continue with the next node.
nodeStates[node.Name] = state
continue withNextNode
}
Possibly the omitempty is taking precedence here:
// interfaces is a list of interfaces where the ingress firewall policy will be applied on.
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinItems:=1
Interfaces []string `json:"interfaces,omitempty"`
To Reproduce
Steps to reproduce the behavior:
interfaces arrayExpected behavior
If interfaces are omitted, deny creation of the IngressNodeFirewall object to avoid any confusion on the user/admin end. As it is currently implemented, an expected failure occurs with the IngressNodeFirewall and the user/admin is left to track the failure via the state.
Describe the bug
Creating an INF with a spec.interface name that is not found on the target node causes subsequent INF policies not to be applied.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
I expected the INF policy with a bad interface name not to block subsequent INF policies application
Screenshots
NA
Desktop (please complete the following information):
All
This issue is to discuss if this is expected behaviour.
Describe the bug
omega update PR is failing e2e need further investigation
To Reproduce
see PR #238
Expected behavior
E2E should pass
Describe the bug
2022/10/12 12:08:11 http: TLS handshake error from 10.130.0.33:36786: remote error: tls: bad certificate
While testing on OCP, I see this occur. IP above is kube-apiserver-operator
Within api server operator logs I see:
E1012 11:15:10.522830 1 degraded_webhook.go:128] x509: certificate signed by unknown authority
To Reproduce
Steps to reproduce the behavior:
Unknown currently. I rebooted a node and saw it after but unsure if this is what causes it.
Ill try to find steps to repro.
Logs from controller:
1.6655764583186285e+09 INFO setup Version {"version.Version": "4.12.0"}
I1012 12:07:39.370184 1 request.go:682] Waited for 1.041214659s due to client-side throttling, not priority and fairness, request: GET:https://172.30.0.1:443/apis/coordination.k8s.io/v1?timeout=32s
1.6655764644221544e+09 INFO controller-runtime.metrics Metrics server is starting to listen {"addr": "127.0.0.1:39300"}
1.665576464423153e+09 INFO controller-runtime.builder skip registering a mutating webhook, object does not implement admission.Defaulter or WithDefaulter wasn't called {"GVK": "ingressnodefirewall.openshift.io/v1alpha1, Kind=IngressNodeFirewall"}
1.665576464423177e+09 INFO controller-runtime.builder Registering a validating webhook {"GVK": "ingressnodefirewall.openshift.io/v1alpha1, Kind=IngressNodeFirewall", "path": "/validate-ingressnodefirewall-openshift-io-v1alpha1-ingressnodefirewall"}
1.6655764644232416e+09 INFO controller-runtime.webhook Registering webhook {"path": "/validate-ingressnodefirewall-openshift-io-v1alpha1-ingressnodefirewall"}
1.6655764644234755e+09 INFO platform detecting platform version...
1.665576464426542e+09 INFO platform route.openshift.io found in apis, platform is OpenShift
1.6655764644265637e+09 INFO platform PlatformInfo [Name: OpenShift, K8SVersion: 1.25, OS: linux/amd64]
1.665576464426599e+09 INFO setup starting manager
1.665576464427083e+09 INFO controller-runtime.webhook.webhooks Starting webhook server
1.6655764644272194e+09 INFO controller-runtime.certwatcher Updated current TLS certificate
1.6655764644273317e+09 INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443}
1.6655764644273727e+09 INFO Starting server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:39300"}
1.6655764644273968e+09 INFO Starting server {"kind": "health probe", "addr": "[::]:8081"}
1.6655764644274538e+09 INFO controller-runtime.certwatcher Starting certificate watcher
I1012 12:07:44.427518 1 leaderelection.go:248] attempting to acquire leader lease openshift-ingress-node-firewall/d902e78d.ingress-nodefw...
I1012 12:08:02.145061 1 leaderelection.go:258] successfully acquired lease openshift-ingress-node-firewall/d902e78d.ingress-nodefw
1.6655764821452363e+09 DEBUG events ingress-node-firewall-controller-manager-b8875b7c-b7x48_905d7422-87f4-4d39-bb1c-6c3d71faf040 became leader {"type": "Normal", "object": {"kind":"Lease","namespace":"openshift-ingress-node-firewall","name":"d902e78d.ingress-nodefw","uid":"20f907e4-1e3a-43ce-9d62-65682b8a30a5","apiVersion":"coordination.k8s.io/v1","resourceVersion":"91619"}, "reason": "LeaderElection"}
1.665576482145705e+09 INFO Starting EventSource {"controller": "ingressnodefirewall", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewall", "source": "kind source: *v1alpha1.IngressNodeFirewall"}
1.6655764821457582e+09 INFO Starting EventSource {"controller": "ingressnodefirewall", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewall", "source": "kind source: *v1.Node"}
1.6655764821457748e+09 INFO Starting EventSource {"controller": "ingressnodefirewall", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewall", "source": "kind source: *v1alpha1.IngressNodeFirewallNodeState"}
1.6655764821457813e+09 INFO Starting Controller {"controller": "ingressnodefirewall", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewall"}
1.6655764821462293e+09 INFO Starting EventSource {"controller": "ingressnodefirewallconfig", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallConfig", "source": "kind source: *v1alpha1.IngressNodeFirewallConfig"}
1.665576482146256e+09 INFO Starting EventSource {"controller": "ingressnodefirewallconfig", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallConfig", "source": "kind source: *v1.DaemonSet"}
1.6655764821462605e+09 INFO Starting Controller {"controller": "ingressnodefirewallconfig", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallConfig"}
1.665576482247726e+09 INFO Starting workers {"controller": "ingressnodefirewall", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewall", "worker count": 1}
1.6655764822477381e+09 INFO Starting workers {"controller": "ingressnodefirewallconfig", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallConfig", "worker count": 1}
2022/10/12 12:08:10 http: TLS handshake error from 10.130.0.33:36772: remote error: tls: bad certificate
2022/10/12 12:08:11 http: TLS handshake error from 10.130.0.33:36786: remote error: tls: bad certificate
2022/10/12 12:08:13 http: TLS handshake error from 10.130.0.33:36792: remote error: tls: bad certificate
2022/10/12 12:08:13 http: TLS handshake error from 10.130.0.33:36818: remote error: tls: bad certificate
2022/10/12 12:08:14 http: TLS handshake error from 10.130.0.33:36832: remote error: tls: bad certificate
2022/10/12 12:08:16 http: TLS handshake error from 10.130.0.33:36838: remote error: tls: bad certificate
2022/10/12 12:08:28 http: TLS handshake error from 10.130.0.33:34348: remote error: tls: bad certificate
2022/10/12 12:08:29 http: TLS handshake error from 10.130.0.33:34360: remote error: tls: bad certificate
2022/10/12 12:08:31 http: TLS handshake error from 10.130.0.33:34366: remote error: tls: bad certificate
2022/10/12 12:08:31 http: TLS handshake error from 10.130.0.33:34386: remote error: tls: bad certificate
2022/10/12 12:08:32 http: TLS handshake error from 10.130.0.33:34390: remote error: tls: bad certificate
2022/10/12 12:08:34 http: TLS handshake error from 10.130.0.33:34404: remote error: tls: bad certificate
1.6655765489751365e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:08 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:08 does not exist, creating (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:09 successfully created (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
1.6655765490073535e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:09 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:09 update was successful
1.6655765490209832e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:09 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:09 update was successful
1.6655765490611908e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:09 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:09 update was successful
1.6655765505568647e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:10 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:10 update was successful
1.6655765505688732e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:10 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:10 update was successful
1.6655765512645593e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:11 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:11 update was successful
1.6655765512790902e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:11 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:11 update was successful
1.665576551295348e+09 INFO controllers.IngressNodeFirewallConfig.syncIngressNodeFirewallConfigResources Start
2022/10/12 12:09:11 reconciling (apps/v1, Kind=DaemonSet) openshift-ingress-node-firewall/ingress-node-firewall-daemon
2022/10/12 12:09:11 update was successful
2022/10/12 12:10:02 http: TLS handshake error from 10.130.0.33:43958: remote error: tls: bad certificate
2022/10/12 12:10:03 http: TLS handshake error from 10.130.0.33:43966: remote error: tls: bad certificate
2022/10/12 12:10:05 http: TLS handshake error from 10.130.0.33:43982: remote error: tls: bad certificate
2022/10/12 12:10:05 http: TLS handshake error from 10.130.0.33:43994: remote error: tls: bad certificate
2022/10/12 12:10:06 http: TLS handshake error from 10.130.0.33:43996: remote error: tls: bad certificate
2022/10/12 12:10:08 http: TLS handshake error from 10.130.0.33:46364: remote error: tls: bad certificate
2022/10/12 12:10:19 http: TLS handshake error from 10.130.0.33:54704: remote error: tls: bad certificate
2022/10/12 12:10:20 http: TLS handshake error from 10.130.0.33:54716: remote error: tls: bad certificate
2022/10/12 12:10:22 http: TLS handshake error from 10.130.0.33:54732: remote error: tls: bad certificate
2022/10/12 12:10:22 http: TLS handshake error from 10.130.0.33:54748: remote error: tls: bad certificate
2022/10/12 12:10:23 http: TLS handshake error from 10.130.0.33:54750: remote error: tls: bad certificate
2022/10/12 12:10:25 http: TLS handshake error from 10.130.0.33:54766: remote error: tls: bad certificate
2022/10/12 12:10:42 http: TLS handshake error from 10.130.0.33:49262: remote error: tls: bad certificate
2022/10/12 12:10:43 http: TLS handshake error from 10.130.0.33:49266: remote error: tls: bad certificate
2022/10/12 12:10:45 http: TLS handshake error from 10.130.0.33:49280: remote error: tls: bad certificate
2022/10/12 12:10:46 http: TLS handshake error from 10.130.0.33:49296: remote error: tls: bad certificate
2022/10/12 12:10:47 http: TLS handshake error from 10.130.0.33:49310: remote error: tls: bad certificate
2022/10/12 12:10:49 http: TLS handshake error from 10.130.0.33:38232: remote error: tls: bad certificate
Currently, we use an LPM trie as our data structure to store our rules and the first match we get when we look into the trie (with prefix always set to /32 for ipv4) , we make a decision whether to allow or drop. If an explicit rule is not found, we just drop. This is what we call exact match.
Another approach is if we do not find an entry with prefix /32, for ipv4, we decrement the prefix number until we find a match in the LPM trie. This is what we call longest match.
"Exact match" gives us a deterministic time latency to process each packet but at the determent of user experience.
"Longest match" packet process latency will be undetermined and depend on user config. API can be layered - meaning users can have a default set (usually deny) and then build up their allow rules.
This must go into the daemon (because that's the only entity that know that available interface names) and we must post an event / update the NodeState if an invalid interfaces name is specified
[root@ovnkubernetes ebpfsyncer]# go test . -run TestSyncInterfaceIngressRulesAttachAndDetachSingleInterface
Checking if this test runs with sufficiently high privileges
By populating the interface list
By running a cleanup
Deleting all XDP pins
Deleting the test interfaces
Deleting the netns
By creating the namespace
By creating new test interfaces for testing
By moving the peer interfaces to their own namespace and by assigning an IP
By moving the peer interfaces to their own namespace and by assigning an IP
By moving the peer interfaces to their own namespace and by assigning an IP
Running the ebpfsyncer's sync to attach rules
{"level":"info","ts":1660076054.594756,"logger":"syncIngressNodeFirewallResources","msg":"Start"}
akaris assignment in attach =========================================> map[]
akaris assignment in attach =========================================> map[dummy0:0xc0001100c0]
2022/08/09 20:14:14 Attached IngressNode Firewall program to iface "dummy0" (index 1194)
I0809 20:14:14.595414 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Creating ingress firewall rules for key {16 [10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
I0809 20:14:14.596244 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Creating ingress firewall rules for key {0 [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
Running ebpfsyncer's sync to delete rules
{"level":"info","ts":1660076054.5965254,"logger":"syncIngressNodeFirewallResources","msg":"Start"}
2022/08/09 20:14:14 Unattaching IngressNode Firewall program from iface "dummy0" (index 1194)
akaris lookup in cleanup =========================================> map[dummy0:0xc0001100c0]
akaris lookup in cleanup =========================================> map[dummy0:0xc0001100c0]
akaris delete in cleanup =========================================> map[dummy0:0xc0001100c0]
akaris delete in cleanup =========================================> map[]
I0809 20:14:14.596866 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Deleting ingress firewall rules for key {16 [10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
I0809 20:14:14.597070 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Deleting ingress firewall rules for key {0 [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
Running the ebpfsyncer's sync to attach rules again
{"level":"info","ts":1660076054.5973325,"logger":"syncIngressNodeFirewallResources","msg":"Start"}
2022/08/09 20:14:14 Interface dummy0 is already attached
I0809 20:14:14.597559 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Creating ingress firewall rules for key {16 [10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
I0809 20:14:14.597806 295502 ingress_node_firewall_loader.go:72] Ingress node firewall map Info: &{Type:LPMTrie id:1062 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_firewall_table_map)#10
2022/08/09 20:14:14 Creating ingress firewall rules for key {0 [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] 1194}
2022/08/09 20:14:14 EVENT_LOGGING_FILE env variable must be set
Running ebpfsyncer's sync to delete rules again
{"level":"info","ts":1660076054.598033,"logger":"syncIngressNodeFirewallResources","msg":"Start"}
2022/08/09 20:14:14 Unattaching IngressNode Firewall program from iface "dummy0" (index 1194)
akaris lookup in cleanup =========================================> map[]
akaris lookup in cleanup =========================================> map[]
{"level":"error","ts":1660076054.5983005,"logger":"syncIngressNodeFirewallResources","msg":"Fail to attach ingress firewall prog","error":"failed to find Link object for interface dummy0","stacktrace":"github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.TestSyncInterfaceIngressRulesAttachAndDetachSingleInterface\n\t/root/development/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer_test.go:204\ntesting.tRunner\n\t/usr/local/go/src/testing/testing.go:1439"}
Deleting all XDP pins
Deleting the test interfaces
Deleting the netns
--- FAIL: TestSyncInterfaceIngressRulesAttachAndDetachSingleInterface (0.23s)
ebpfsyncer_test.go:460: invalid argument
ebpfsyncer_test.go:460: invalid argument
ebpfsyncer_test.go:460: invalid argument
ebpfsyncer_test.go:467: exit status 1
ebpfsyncer_test.go:206: failed to find Link object for interface dummy0
FAIL
FAIL github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer 0.245s
FAIL
[root@ovnkubernetes ebpfsyncer]#
Code:
204
205 // IngressNodeFwAttach attach eBPF program to list interfaces and pin them to different pinDir
206 func (infc *IngNodeFwController) IngressNodeFwAttach(ifacesName []string, isDelete bool) (map[string]uint32, error) {
207 var ifMap = make(map[string]uint32, 0)
208
209 objs := infc.objs
210 for _, ifaceName := range ifacesName {
211 ifaceName := ifaceName
212 // Look up the network interface by name.
213 iface, err := net.InterfaceByName(ifaceName)
214 if err != nil {
215 return ifMap, fmt.Errorf("lookup network iface %q: %s", ifaceName, err)
216 }
217 ifMap[ifaceName] = uint32(iface.Index)
218 if !isDelete {
219 // Attach the program.
220 l, err := link.AttachXDP(link.XDPOptions{
221 Program: objs.IngressNodeFirewallProcess,
222 Interface: iface.Index,
223 })
224 infc.links[ifaceName] = l
225 if err != nil {
226 if strings.Contains(err.Error(), xdpEBUSYErr) {
227 log.Printf("Interface %s is already attached", ifaceName)
228 return ifMap, nil
229 }
230 return ifMap, fmt.Errorf("could not attach XDP program: %s", err)
231 }
232 lPinDir := path.Join(infc.pinPath, ifaceName+"_link")
233 if err := l.Pin(lPinDir); err != nil {
234 return ifMap, fmt.Errorf("failed to pin link to pinDir %s: %s", lPinDir, err)
235 }
236 fmt.Println("akaris assignment in attach =========================================> ", infc.links)
237 infc.links[ifaceName] = l
238 fmt.Println("akaris assignment in attach =========================================> ", infc.links)
239 log.Printf("Attached IngressNode Firewall program to iface %q (index %d)", iface.Name, iface.Index)
240 } else {
241 log.Printf("Unattaching IngressNode Firewall program from iface %q (index %d)", iface.Name, iface.Index)
242 if err := infc.cleanup(ifaceName); err != nil {
243 return ifMap, err
244 }
245 }
246 }
247 return ifMap, nil
248 }
249
250 // cleanup will delete interface's eBPF objects.
251 func (infc *IngNodeFwController) cleanup(ifName string) error {
252 fmt.Println("akaris lookup in cleanup =========================================> ", infc.links)
253 l, ok := infc.links[ifName]
254 fmt.Println("akaris lookup in cleanup =========================================> ", infc.links)
255 if !ok {
256 return fmt.Errorf("failed to find Link object for interface %s", ifName)
257 }
258 if err := l.Unpin(); err != nil {
259 return fmt.Errorf("failed to unpin link for %s err: %q", ifName, err)
260 }
261 if err := l.Close(); err != nil {
262 return fmt.Errorf("failed to close and detach link %s err: %q", ifName, err)
263 }
264 fmt.Println("akaris delete in cleanup =========================================> ", infc.links)
265 delete(infc.links, ifName)
266 fmt.Println("akaris delete in cleanup =========================================> ", infc.links)
267 return nil
268 }
269
270 func (infc *IngNodeFwController) CleaneBPFObjs() error {
271 if err := infc.objs.Close(); err != nil {
272 return fmt.Errorf("failed to close eBPF objs err: %q", err)
273 }
274 if err := os.RemoveAll(infc.pinPath); err != nil {
275 return fmt.Errorf("failed to remove pinpath %s err: %q", infc.pinPath, err)
276 }
277 return nil
278 }
Test code:
143 // TestSyncInterfaceIngressRulesAttachAndDetachSingleInterface attaches and detaches rules from interfaces 2x in a row to test
144 // that this operation works.
145 func TestSyncInterfaceIngressRulesAttachAndDetachSingleInterface(t *testing.T) {
146 // Skip this test as it currently fails.
147 // t.Skip()
148
149 defer afterEach(t)
150 beforeEach(t)
151
152 rules := map[string][]infv1alpha1.IngressNodeFirewallRules{
153 fmt.Sprintf("%s0", interfacePrefix): {
154 {
155 SourceCIDRs: []string{"10.0.0.0/16"},
156 FirewallProtocolRules: []infv1alpha1.IngressNodeFirewallProtocolRule{
157 {
158 Order: 10,
159 ProtocolRule: &infv1alpha1.IngressNodeFirewallProtoRule{
160 Ports: "80",
161 },
162 Protocol: "tcp",
163 Action: "allow",
164 },
165 },
166 },
167 {
168 SourceCIDRs: []string{"0.0.0.0/0"},
169 FirewallProtocolRules: []infv1alpha1.IngressNodeFirewallProtocolRule{
170 {
171 Order: 10,
172 ProtocolRule: &infv1alpha1.IngressNodeFirewallProtoRule{
173 Ports: "80",
174 },
175 Protocol: "tcp",
176 Action: "deny",
177 },
178 },
179 },
180 },
181 }
182
183 ctx := context.Background()
184 l := zap.New()
185 fmt.Println("Running the ebpfsyncer's sync to attach rules")
186 err := GetEbpfSyncer(ctx, l, nil, nil).SyncInterfaceIngressRules(rules, false)
187 if err != nil {
188 t.Fatal(err)
189 }
190 fmt.Println("Running ebpfsyncer's sync to delete rules")
191 err = GetEbpfSyncer(ctx, l, nil, nil).SyncInterfaceIngressRules(rules, true)
192 if err != nil {
193 t.Fatal(err)
194 }
195
196 // time.Sleep(time.Second)
197
198 fmt.Println("Running the ebpfsyncer's sync to attach rules again")
199 err = GetEbpfSyncer(ctx, l, nil, nil).SyncInterfaceIngressRules(rules, false)
200 if err != nil {
201 t.Fatal(err)
202 }
203 fmt.Println("Running ebpfsyncer's sync to delete rules again")
204 err = GetEbpfSyncer(ctx, l, nil, nil).SyncInterfaceIngressRules(rules, true)
205 if err != nil {
206 t.Fatal(err)
207 }
208 }
note: with the sleep in line 196 this will not happen.
Describe the bug
as explicitly documented, today it's not possible to restrict access to SSH port, we get
The "ingressnodefirewall" is invalid: spec.ingress[0][rules][1]: Forbidden: port is in conflict with access to SSH
Expected behavior
The SSH port is one we want to restrict as well to particular cidrs
Additional context
ingress-node-firewall.v4.12.0-202301042354.2
Any ports utilised by this component must be reserved within openshift.
Daemon doesnt remove INF policy if its deleted.
Discovered in disruption test #221 named IngressNodeFirewall policy is configurable after daemon deletion
The following branches are being fast-forwarded from the current development branch (master) as placeholders for future releases. No merging is allowed into these release branches until they are unfrozen for production release.
release-4.15release-4.16For more information, see the branching documentation.
add unit and e2e tests that test rules updates (including deletion, etc.)
While I was testing, I wanted to wait until application of INF is completed by the daemons, but I noticed there is no "Pending" state for SyncStatus. Is this a gap?
Improve ingressnodefirewall_controller.go code:
1.661178512849118e+09 INFO controllers.IngressNodeFirewall Comparing currently managed interfaces against list of XDP interfaces on system {"e.managedInterfaces": {}}
1.6611785128495898e+09 INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "enp2s0"}
1.6611785128498745e+09 ERROR controllers.IngressNodeFirewall Fail to attach ingress firewall prog {"error": "could not attach XDP program: can't create link: cannot allocate memory", "errorCauses": [{"error": "could not attach XDP program: can't create link: cannot allocate memory"}]}Describe the bug
Daemon fails to load or more likely didnt unload XDP program at some stage.
To Reproduce
Steps to reproduce the behaviour:
Unknown so far. Produced it with e2e tests in #173 but couldn't replicate it.
Opened this issue to track my investigation.
Logs - but i failed to get previous logs when it occurred :(
1.6655759345163863e+09 INFO setup Version {"version.Version": "361d7226-dirty"}
I1012 11:58:55.567113 172749 request.go:682] Waited for 1.039010097s due to client-side throttling, not priority and fairness, request: GET:https://172.30.0.1:443/apis/k8s.cni.cncf.io/v1?timeout=32s
1.6655759368196218e+09 INFO controller-runtime.metrics Metrics server is starting to listen {"addr": "127.0.0.1:39301"}
1.665575936819802e+09 INFO setup starting manager
1.6655759368200016e+09 INFO Starting server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:39301"}
1.665575936820043e+09 INFO Starting server {"kind": "health probe", "addr": "127.0.0.1:39300"}
1.6655759368201237e+09 INFO Starting EventSource {"controller": "ingressnodefirewallnodestate", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallNodeState", "source": "kind source: *v1alpha1.IngressNodeFirewallNodeState"}
1.6655759368201387e+09 INFO Starting Controller {"controller": "ingressnodefirewallnodestate", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallNodeState"}
1.665575936921046e+09 INFO Starting workers {"controller": "ingressnodefirewallnodestate", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallNodeState", "worker count": 1}
1.6655759568332734e+09 INFO controllers.IngressNodeFirewall Reconciling resource and programming bpf {"name": "worker-0.ostest.test.metalkube.org", "namespace": "openshift-ingress-node-firewall"}
1.6655759568333015e+09 INFO controllers.IngressNodeFirewall.syncIngressNodeFirewallResources Running sync operation {"ifaceIngressRules": {"genev_sys_6081":[{"sourceCIDRs":["10.129.2.43/32"],"rules":[{"order":1,"protocolConfig":{"protocol":"TCP","tcp":{"ports":"80"}},"action":"Deny"},{"order":2,"protocolConfig":{"protocol":"UDP","udp":{"ports":"80"}},"action":"Deny"}]},{"sourceCIDRs":["fd01:0:0:6::2b/128"],"rules":[{"order":1,"protocolConfig":{"protocol":"TCP","tcp":{"ports":"80"}},"action":"Deny"},{"order":2,"protocolConfig":{"protocol":"UDP","udp":{"ports":"80"}},"action":"Deny"}]}]}, "isDelete": false}
1.6655759568334153e+09 INFO controllers.IngressNodeFirewall Creating a new eBPF firewall node controller
I1012 11:59:16.879072 172749 ingress_node_firewall_loader.go:327] Loading interfaces from pinned dir into memory
2022/10/12 11:59:16 Listening for events..
1.6655759568793685e+09 INFO controllers.IngressNodeFirewall Comparing currently managed interfaces against list of XDP interfaces on system {"e.managedInterfaces": {}}
1.6655759568797479e+09 INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "genev_sys_6081"}
1.6655759568798752e+09 ERROR controllers.IngressNodeFirewall Fail to attach ingress firewall prog {"error": "could not attach XDP program: create link: device or resource busy", "errorCauses": [{"error": "could not attach XDP program: create link: device or resource busy"}]}
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces.func2
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:187
k8s.io/client-go/util/retry.OnError.func1
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/client-go/util/retry/util.go:51
k8s.io/apimachinery/pkg/util/wait.ConditionFunc.WithContext.func1
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:222
k8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtectionWithContext
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:235
k8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:228
k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:423
k8s.io/client-go/util/retry.OnError
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/client-go/util/retry/util.go:50
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:179
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).SyncInterfaceIngressRules
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:102
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).reconcileResource
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:94
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:77
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234
1.6655759568910933e+09 INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "genev_sys_6081"}
1.6655759568913753e+09 ERROR controllers.IngressNodeFirewall Fail to attach ingress firewall prog {"error": "could not attach XDP program: create link: device or resource busy", "errorCauses": [{"error": "could not attach XDP program: create link: device or resource busy"}]}
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces.func2
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:187
k8s.io/client-go/util/retry.OnError.func1
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/client-go/util/retry/util.go:51
k8s.io/apimachinery/pkg/util/wait.ConditionFunc.WithContext.func1
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:222
k8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtectionWithContext
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:235
k8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:228
k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:423
k8s.io/client-go/util/retry.OnError
/go/src/github.com/openshift/ingress-node-firewall/vendor/k8s.io/client-go/util/retry/util.go:50
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).attachNewInterfaces
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:179
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).SyncInterfaceIngressRules
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:102
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).reconcileResource
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:94
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:77
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234
.....
Keeps repeating
Error:
Could not find the desired number of IngressNodeFirewallNodeStates. Found 2 objects but expected to find 1 objects. Object list: [{{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-0 ingress-node-fw-config-test-namespace 0f232ef3-6787-4c02-9b5b-ae947e4e12c6 344 1 2022-08-12 10:02:58 -0400 EDT <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 3665039e-75da-4a66-98bb-375d4c321219 <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-12 10:02:58 -0400 EDT FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"3665039e-75da-4a66-98bb-375d4c321219\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} } {controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-12 10:02:58 -0400 EDT FieldsV1 {"f:status":{".":{},"f:syncStatus":{}}} status}]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc0004fde80 <nil> <nil> <nil> <nil>} Allow}]}]]} {Synchronized }} {{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-daemon ingress-node-fw-config-test-namespace a4087350-aaad-4e36-9165-b25c49e60bc3 342 1 2022-08-12 10:02:58 -0400 EDT <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 3665039e-75da-4a66-98bb-375d4c321219 <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-12 10:02:58 -0400 EDT FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"3665039e-75da-4a66-98bb-375d4c321219\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} } {controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-12 10:02:58 -0400 EDT FieldsV1 {"f:status":{".":{},"f:syncStatus":{}}} status}]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc0004fdea0 <nil> <nil> <nil> <nil>} Allow}]}]]} {Synchronized }}]
Workaround: use make create-kind-cluster before doing make docker-build ?!?
Defining an ICMPv4 protocolConfig with protocol set to ICMPv6 the following causes a panic:
- action: Deny
order: 3
protocolConfig:
icmp:
icmpType: 8
protocol: ICMPv61.6653212685330708e+09 INFO controllers.IngressNodeFirewall Attaching firewall interface {"intf": "eth0"}
I1009 13:14:28.533081 263630 ingress_node_firewall_loader.go:191] Interface eth0 is already attached and managed, skipping
1.6653212685330853e+09 INFO controllers.IngressNodeFirewall Loading rules
I1009 13:14:28.533099 263630 ingress_node_firewall_loader.go:109] Ingress node firewall map Info: &{Type:LPMTrie id:9392 KeySize:24 ValueSize:1200 MaxEntries:1024 Flags:1 Name:ingress_node_fi} with FD LPMTrie(ingress_node_fi)#9
1.6653212685331907e+09 INFO Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference {"controller": "ingressnodefirewallnodestate", "controllerGroup": "ingressnodefirewall.openshift.io", "controllerKind": "IngressNodeFirewallNodeState", "IngressNodeFirewallNodeState": {"name":"kind-worker","namespace":"ingress-node-firewall-system"}, "namespace": "ingress-node-firewall-system", "name": "kind-worker", "reconcileID": "a8e3e339-4e31-4762-bf4f-9e9e381a3c13"}
2022/10/09 13:14:28 Starting node metrics updater. Metrics will be polled periodically and presented as prometheus metrics
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x14ab093]
goroutine 205 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:118 +0x1f4
panic({0x16121c0, 0x26356e0})
/usr/local/go/src/runtime/panic.go:838 +0x207
github.com/openshift/ingress-node-firewall/pkg/ebpf.(*IngNodeFwController).makeIngressFwRulesMap(_, {{_, _, _}, {_, _, _}}, _)
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpf/ingress_node_firewall_loader.go:447 +0x553
github.com/openshift/ingress-node-firewall/pkg/ebpf.(*IngNodeFwController).IngressNodeFwRulesLoader(0xc000370040, 0xc000a53560?)
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpf/ingress_node_firewall_loader.go:124 +0x4e9
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).loadIngressNodeFirewallRules(0xc000114d20, 0xc00064f950)
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:137 +0x65
github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer.(*ebpfSingleton).SyncInterfaceIngressRules(0xc000114d20, 0xc00064f950, 0x0)
/go/src/github.com/openshift/ingress-node-firewall/pkg/ebpfsyncer/ebpfsyncer.go:107 +0x45e
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).reconcileResource(0x1a7b750?, {0x1a780f0?, 0xc00064f8f0?}, {{{0x1841c27?, 0x28?}, {0xc000371340?, 0x4?}}}, 0xc00066adc0, 0xb0?)
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:94 +0x7e
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).Reconcile(0xc0009f1b60, {0x1a780f0, 0xc00064f8f0}, {{{0xc000652580?, 0x10?}, {0xc000045bb0?, 0x40f327?}}})
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:77 +0x3c5
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x1a78048?, {0x1a780f0?, 0xc00064f8f0?}, {{{0xc000652580?, 0x173d1c0?}, {0xc000045bb0?, 0xc00041a5d0?}}})
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121 +0xc8
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc00012e140, {0x1a78048, 0xc000625480}, {0x166be00?, 0xc0007b4760?})
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320 +0x33c
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc00012e140, {0x1a78048, 0xc000625480})
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273 +0x1d9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234 +0x85
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:230 +0x325
Need to get webhook to reject this config but also harden the reconciler code for defence in depth.
Add API method to list all attached XDP interfaces; it's possible that a daemon goes down, the resource is updated, and then the daemon comes back up but it has no way of knowing which interfaces are attached. When a daemon comes up it must compare the current resource state to the currently attached interfaces.
We must cover the following corner case:
applied on A,B
ii) process down, no watch
iii) spec updated:
spec:
interfaces: A
iv) processs up, attaches watch
applied on A
===================================
Compare that to what happens when all goes well:
applied on A,B
ii) spec updated:
spec:
interfaces: A
iii) watch sees change in spec, process gets old and new
iv) processs up
applied on A (and b can be deleted)
duplicate rule order check fire up incorrectly when update an existing rule
The "ingressnodefirewall-demo2" is invalid:
* spec.ingress[0][rules]: Invalid value: "ingressnodefirewall-demo2": order is not unique for sourceCIDR "172.16.0.0/12" and conflicts with IngressNodeFirewall "ingressnodefirewall-demo2"
* spec.ingress[1][rules]: Invalid value: "ingressnodefirewall-demo2": order is not unique for sourceCIDR "fc00:f853:ccd:e793::0/64" and conflicts with IngressNodeFirewall "ingressnodefirewall-demo2"
1.6595435039586163e+09 INFO controllers.IngressNodeFirewall.syncIngressNodeFirewallResources Start
1.6595435039760628e+09 ERROR controllers.IngressNodeFirewall.syncIngressNodeFirewallResources Fail to create nodefw controller instance {"error": "loading objects: pinDir:/sys/fs/bpf/xdp_ingress_node_firewall_process, err:field IngressNodeFirewallProcess: program ingress_node_firewall_process: load program: invalid argument: invalid func unknown#177 (247 line(s) omitted)"}
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).reconcileResource
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:93
github.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:81
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234
1.6595435039761407e+09 ERROR Reconciler error {"controller": "ingressnodefirewallnodestate", "controllerGroup": "ingress-nodefw.ingress-nodefw", "controllerKind": "IngressNodeFirewallNodeState", "ingressNodeFirewallNodeState": {"name":"ip-10-0-156-173.ec2.internal","namespace":"openshift-ingress-node-firewall"}, "namespace": "openshift-ingress-node-firewall", "name": "ip-10-0-156-173.ec2.internal", "reconcileID": "70dcd4e4-c964-4f0a-8297-f46ce0e47c67", "error": "FailedToSyncIngressNodeFirewallResources: loading objects: pinDir:/sys/fs/bpf/xdp_ingress_node_firewall_process, err:field IngressNodeFirewallProcess: program ingress_node_firewall_process: load program: invalid argument: invalid func unknown#177 (247 line(s) omitted)", "errorVerbose": "loading objects: pinDir:/sys/fs/bpf/xdp_ingress_node_firewall_process, err:field IngressNodeFirewallProcess: program ingress_node_firewall_process: load program: invalid argument: invalid func unknown#177 (247 line(s) omitted)\nFailedToSyncIngressNodeFirewallResources\ngithub.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).reconcileResource\n\t/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:94\ngithub.com/openshift/ingress-node-firewall/controllers.(*IngressNodeFirewallNodeStateReconciler).Reconcile\n\t/go/src/github.com/openshift/ingress-node-firewall/controllers/ingressnodefirewallnodestate_controller.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1571"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
/go/src/github.com/openshift/ingress-node-firewall/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234
Hello!
Is there something planned for implementing firewall rules to specific routes/namespaces?
We have the following use case: we have an application that is running on OCP and that we want to expose to our DMZ.
We want to do this using a route and without relying on any reverse proxy. Our OCP cluster is currently firewalled from our DMZ
and if we remove the firewall rule, it would mean that everything in the DMZ would then have access to all exposed services in OCP, which is not ideal.
Our plan is then to implement something of this sort:
Would this be possible? If not, how can this be implemented otherwise?
All the best!
Using podman (on Fedora 36) the daemon/daemonset container fails to start with the following error:
Message: mount: /sys/fs/bpf: permission denied.
and the pod goes into an endless crashloopbackoff state.
If you switch to using docker[-ce] then this problem doesn't occur so I suspect this is just a rootless podman issue (i.e., lack of privileges) because if the scripts to create/delete the KIND cluster are invoked using sudo then the error doesn't occur.
I don't know whether we want to encourage or use sudo to start the KIND cluster.
today under pkg/ebpf
we have
bpf_bpfeb.o
bpf_bpfel.o
the OWNERS file should be synced to match other SDN team repos
fix initial e2e-test failure in make test-e2e
[akaris@linux ingress-node-firewall (sdn-3315)]$ make test-e2e
/home/akaris/development/ingress-node-firewall/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
go fmt ./...
go vet ./...
==== Generating DaemonSet manifest
hack/generate-daemon-manifest.sh
/home/akaris/development/ingress-node-firewall/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
rm -rf /tmp/test_validation_logs/
mkdir -p /tmp/test_validation_logs/
go test --tags=validationtests -v ./test/e2e/validation -ginkgo.v -junit /tmp/test_validation_logs/ -report /tmp/test_validation_logs/
=== RUN TestValidation
Running Suite: Ingress Node Firewall Operator Validation Suite
==============================================================
Random Seed: 1660219716
Will run 4 of 4 specs
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewall Operator deployment in running state
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:30
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewallConfig CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:52
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewall CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:58
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewallNodeState CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:64
•
JUnit report was created: /tmp/test_validation_logs/validation_junit.xml
Ran 4 of 4 Specs in 0.039 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
You're using deprecated Ginkgo functionality:
=============================================
Ginkgo 2.0 is under active development and will introduce several new features, improvements, and a small handful of breaking changes.
A release candidate for 2.0 is now available and 2.0 should GA in Fall 2021. Please give the RC a try and send us feedback!
- To learn more, view the migration guide at https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md
- For instructions on using the Release Candidate visit https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#using-the-beta
- To comment, chime in at https://github.com/onsi/ginkgo/issues/711
You are using a custom reporter. Support for custom reporters will likely be removed in V2. Most users were using them to generate junit or teamcity reports and this functionality will be merged into the core reporter. In addition, Ginkgo 2.0 will support emitting a JSON-formatted report that users can then manipulate to generate custom reports.
If this change will be impactful to you please leave a comment on https://github.com/onsi/ginkgo/issues/711
Learn more at: https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#removed-custom-reporters
To silence deprecations that can be silenced set the following environment variable:
ACK_GINKGO_DEPRECATIONS=1.16.5
--- PASS: TestValidation (0.07s)
PASS
ok github.com/openshift/ingress-node-firewall/test/e2e/validation 0.186s
rm -rf /tmp/test_e2e_logs/
mkdir -p /tmp/test_e2e_logs/
go test --tags=e2etests -v ./test/e2e/functional -ginkgo.v -junit /tmp/test_e2e_logs/ -report /tmp/test_e2e_logs/
=== RUN TestE2E
Running Suite: Ingress Node Firewall Operator E2E Suite
=======================================================
Random Seed: 1660219719
Will run 16 of 16 specs
Ingress Node Firewall IngressNodeFirewall deploy
should run Ingress node firewall DaemonSet
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:70
STEP: checking Ingress node firewall daemonset is in running state
• [SLOW TEST:8.147 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
IngressNodeFirewall deploy
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:39
should run Ingress node firewall DaemonSet
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:70
------------------------------
Ingress Node Firewall IngressNodeFirewall deploy
should run Ingress node firewall apply rules and check the actions
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:94
STEP: get nodes IP addresses with matching labels and ping their IPs
STEP: creating ingress node firewall rules
STEP: checking Ingress node firewall rules resource is created
STEP: checking ingress node firewall nodeState resource is created
STEP: checking Ingress node firewall rules deny ping packets
STEP: checking ingress node firewall events are generated
STEP: checking Ingress node firewall nodeState resource is deleted
STEP: checking Ingress node firewall rules resource is deleted
• [SLOW TEST:32.421 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
IngressNodeFirewall deploy
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:39
should run Ingress node firewall apply rules and check the actions
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:94
------------------------------
Ingress Node Firewall Statistics
should expose at least one endpoint via a daemon metrics service
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:258
• [SLOW TEST:5.059 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
Statistics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:227
should expose at least one endpoint via a daemon metrics service
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:258
------------------------------
Ingress Node Firewall Statistics
should expose daemon metrics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:285
• [SLOW TEST:39.396 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
Statistics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:227
should expose daemon metrics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:285
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall TCP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:425
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall UDP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:434
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall ICMPV4 rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:443
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall ICMPV6 rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:452
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall SCTP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:461
•
------------------------------
Ingress Node Firewall Webhook
should block any rules which conflict with failsafe rules
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:470
•
------------------------------
Ingress Node Firewall Webhook
should block invalid order
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:487
• Failure in Spec Teardown (AfterEach) [0.012 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
Webhook
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:394
should block invalid order [AfterEach]
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:487
Unexpected error:
<*errors.StatusError | 0xc0005cc780>: {
ErrStatus: {
TypeMeta: {Kind: "", APIVersion: ""},
ListMeta: {
SelfLink: "",
ResourceVersion: "",
Continue: "",
RemainingItemCount: nil,
},
Status: "Failure",
Message: "daemonsets.apps \"ingress-node-firewall-daemon\" not found",
Reason: "NotFound",
Details: {
Name: "ingress-node-firewall-daemon",
Group: "apps",
Kind: "daemonsets",
UID: "",
Causes: nil,
RetryAfterSeconds: 0,
},
Code: 404,
},
}
daemonsets.apps "ingress-node-firewall-daemon" not found
occurred
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:417
------------------------------
Ingress Node Firewall Webhook
should block TCP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:497
•
------------------------------
Ingress Node Firewall Webhook
should block UDP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:506
•
------------------------------
Ingress Node Firewall Webhook
should block SCTP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:515
•
------------------------------
Ingress Node Firewall Webhook
should block ICMPV4 with TCP port defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:524
•
------------------------------
Ingress Node Firewall Webhook
should block ICMPV6 with TCP port defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:533
•
JUnit report was created: /tmp/test_e2e_logs/e2e_junit.xml
Summarizing 1 Failure:
[Fail] Ingress Node Firewall Webhook [AfterEach] should block invalid order
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:417
Ran 16 of 16 Specs in 109.838 seconds
FAIL! -- 15 Passed | 1 Failed | 0 Pending | 0 Skipped
You're using deprecated Ginkgo functionality:
=============================================
Ginkgo 2.0 is under active development and will introduce several new features, improvements, and a small handful of breaking changes.
A release candidate for 2.0 is now available and 2.0 should GA in Fall 2021. Please give the RC a try and send us feedback!
- To learn more, view the migration guide at https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md
- For instructions on using the Release Candidate visit https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#using-the-beta
- To comment, chime in at https://github.com/onsi/ginkgo/issues/711
You are using a custom reporter. Support for custom reporters will likely be removed in V2. Most users were using them to generate junit or teamcity reports and this functionality will be merged into the core reporter. In addition, Ginkgo 2.0 will support emitting a JSON-formatted report that users can then manipulate to generate custom reports.
If this change will be impactful to you please leave a comment on https://github.com/onsi/ginkgo/issues/711
Learn more at: https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#removed-custom-reporters
To silence deprecations that can be silenced set the following environment variable:
ACK_GINKGO_DEPRECATIONS=1.16.5
--- FAIL: TestE2E (109.86s)
FAIL
FAIL github.com/openshift/ingress-node-firewall/test/e2e/functional 109.938s
FAIL
make: *** [Makefile:134: test-functional] Error 1
[akaris@linux ingress-node-firewall (sdn-3315)]$ make test-e2e
/home/akaris/development/ingress-node-firewall/bin/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
go fmt ./...
go vet ./...
==== Generating DaemonSet manifest
hack/generate-daemon-manifest.sh
/home/akaris/development/ingress-node-firewall/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
rm -rf /tmp/test_validation_logs/
mkdir -p /tmp/test_validation_logs/
go test --tags=validationtests -v ./test/e2e/validation -ginkgo.v -junit /tmp/test_validation_logs/ -report /tmp/test_validation_logs/
=== RUN TestValidation
Running Suite: Ingress Node Firewall Operator Validation Suite
==============================================================
Random Seed: 1660219843
Will run 4 of 4 specs
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewall Operator deployment in running state
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:30
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewallConfig CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:52
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewall CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:58
•
------------------------------
IngressNodeFirewall IngressNodeFirewall
should have the IngressNodeFirewallNodeState CRD available in the cluster
/home/akaris/development/ingress-node-firewall/test/e2e/validation/tests/validation.go:64
•
JUnit report was created: /tmp/test_validation_logs/validation_junit.xml
Ran 4 of 4 Specs in 0.040 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
You're using deprecated Ginkgo functionality:
=============================================
Ginkgo 2.0 is under active development and will introduce several new features, improvements, and a small handful of breaking changes.
A release candidate for 2.0 is now available and 2.0 should GA in Fall 2021. Please give the RC a try and send us feedback!
- To learn more, view the migration guide at https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md
- For instructions on using the Release Candidate visit https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#using-the-beta
- To comment, chime in at https://github.com/onsi/ginkgo/issues/711
You are using a custom reporter. Support for custom reporters will likely be removed in V2. Most users were using them to generate junit or teamcity reports and this functionality will be merged into the core reporter. In addition, Ginkgo 2.0 will support emitting a JSON-formatted report that users can then manipulate to generate custom reports.
If this change will be impactful to you please leave a comment on https://github.com/onsi/ginkgo/issues/711
Learn more at: https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#removed-custom-reporters
To silence deprecations that can be silenced set the following environment variable:
ACK_GINKGO_DEPRECATIONS=1.16.5
--- PASS: TestValidation (0.06s)
PASS
ok github.com/openshift/ingress-node-firewall/test/e2e/validation 0.114s
rm -rf /tmp/test_e2e_logs/
mkdir -p /tmp/test_e2e_logs/
go test --tags=e2etests -v ./test/e2e/functional -ginkgo.v -junit /tmp/test_e2e_logs/ -report /tmp/test_e2e_logs/
=== RUN TestE2E
Running Suite: Ingress Node Firewall Operator E2E Suite
=======================================================
Random Seed: 1660219845
Will run 16 of 16 specs
Ingress Node Firewall IngressNodeFirewall deploy
should run Ingress node firewall DaemonSet
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:70
STEP: checking Ingress node firewall daemonset is in running state
•
------------------------------
Ingress Node Firewall IngressNodeFirewall deploy
should run Ingress node firewall apply rules and check the actions
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:94
STEP: get nodes IP addresses with matching labels and ping their IPs
STEP: creating ingress node firewall rules
STEP: checking Ingress node firewall rules resource is created
STEP: checking ingress node firewall nodeState resource is created
STEP: checking Ingress node firewall rules deny ping packets
STEP: checking ingress node firewall events are generated
STEP: checking Ingress node firewall nodeState resource is deleted
STEP: checking Ingress node firewall rules resource is deleted
• [SLOW TEST:28.268 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
IngressNodeFirewall deploy
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:39
should run Ingress node firewall apply rules and check the actions
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:94
------------------------------
Ingress Node Firewall Statistics
should expose at least one endpoint via a daemon metrics service
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:258
•
------------------------------
Ingress Node Firewall Statistics
should expose daemon metrics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:285
• [SLOW TEST:34.544 seconds]
Ingress Node Firewall
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:38
Statistics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:227
should expose daemon metrics
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:285
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall TCP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:425
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall UDP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:434
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall ICMPV4 rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:443
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall ICMPV6 rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:452
•
------------------------------
Ingress Node Firewall Webhook
should allow valid ingressnodefirewall SCTP rule
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:461
•
------------------------------
Ingress Node Firewall Webhook
should block any rules which conflict with failsafe rules
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:470
•
------------------------------
Ingress Node Firewall Webhook
should block invalid order
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:487
•
------------------------------
Ingress Node Firewall Webhook
should block TCP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:497
•
------------------------------
Ingress Node Firewall Webhook
should block UDP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:506
•
------------------------------
Ingress Node Firewall Webhook
should block SCTP rule ICMP defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:515
•
------------------------------
Ingress Node Firewall Webhook
should block ICMPV4 with TCP port defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:524
•
------------------------------
Ingress Node Firewall Webhook
should block ICMPV6 with TCP port defined
/home/akaris/development/ingress-node-firewall/test/e2e/functional/tests/e2e.go:533
•
JUnit report was created: /tmp/test_e2e_logs/e2e_junit.xml
Ran 16 of 16 Specs in 65.509 seconds
SUCCESS! -- 16 Passed | 0 Failed | 0 Pending | 0 Skipped
You're using deprecated Ginkgo functionality:
=============================================
Ginkgo 2.0 is under active development and will introduce several new features, improvements, and a small handful of breaking changes.
A release candidate for 2.0 is now available and 2.0 should GA in Fall 2021. Please give the RC a try and send us feedback!
- To learn more, view the migration guide at https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md
- For instructions on using the Release Candidate visit https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#using-the-beta
- To comment, chime in at https://github.com/onsi/ginkgo/issues/711
You are using a custom reporter. Support for custom reporters will likely be removed in V2. Most users were using them to generate junit or teamcity reports and this functionality will be merged into the core reporter. In addition, Ginkgo 2.0 will support emitting a JSON-formatted report that users can then manipulate to generate custom reports.
If this change will be impactful to you please leave a comment on https://github.com/onsi/ginkgo/issues/711
Learn more at: https://github.com/onsi/ginkgo/blob/ver2/docs/MIGRATING_TO_V2.md#removed-custom-reporters
To silence deprecations that can be silenced set the following environment variable:
ACK_GINKGO_DEPRECATIONS=1.16.5
--- PASS: TestE2E (65.53s)
PASS
ok github.com/openshift/ingress-node-firewall/test/e2e/functional 65.603s
It's really weird, but when starting the opeartor locally with make install run , the DaemonSet's ebpf doesn't work and fails with:
1.6589407504610174e+09 ERROR controllers.IngressNodeFirewall.syncIngressNodeFirewallResources Fail to create nodefw controller instance {"error": "loading objects: pinDir:/sys/fs/bpf/xdp_ingress_node_firewall_process, err:field IngresNodeFirewallProcess: program ingres_node_firewall_process: load program: invalid argument: invalid func unknown#177 (205 line(s) omitted)"}
Currently, we can alter webhook enable/disable by manually editing a deployment file. We should be able to toggle its availability with an environment variable:
ENABLE_WEBHOOK=false make deploywe should allow users to configure something like this
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
name: ingressnodefirewall-denyall
spec:
interfaces:
- eth0
nodeSelector:
matchLabels:
do-node-ingress-firewall: 'true'
ingress:
- sourceCIDRs:
- 0.0.0.0/0
rules:
- order: 20
action: Denyin case after configuring all the whitelist rules we need to drop everything else
user will be responsible to whitelist all ports their application will use in this case to ensure proper functionality
Change 3ea498b seems to have broken overlapping ordering when there are two INFs with the exact same sourceCIDRs and they contain non-unique orders.
This happens every few times when running the unit tests. The unit tests create and delete resources in short intervals one after another, so this is definitely a race condition which will need to be ironed out. Below, we have a leftover nodestate resource from a previous test which somehow isn't cleaned up correctly:
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 does not exist, creating (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 successfully created (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
2022/08/10 15:02:26 update was successful
2022/08/10 15:02:26 reconciling (apps/v1, Kind=DaemonSet) ingress-node-fw-config-test-namespace/ingress-node-firewall-daemon
•••••••••
------------------------------
• Failure [1.084 seconds]
IngressNodeFirewall controller rules
/home/akaris/development/ingress-node-firewall/controllers/ingressnodefirewall_controller_rules_test.go:20
when IngressNodeFirewall objects are created for test case: "baseline test without merging"
/home/akaris/development/ingress-node-firewall/controllers/ingressnodefirewall_controller_rules_test.go:780
The resulting IngressNodeFirewallNodeState object should look as expected [It]
/home/akaris/development/ingress-node-firewall/controllers/ingressnodefirewall_controller_rules_test.go:781
Timed out after 1.003s.
Expected
<bool>: false
to be true
/home/akaris/development/ingress-node-firewall/controllers/ingressnodefirewall_controller_test.go:343
------------------------------
STEP: Creating node worker-0
STEP: Creating new IngressNodeFirewall objects
By creating new IngressNodeFirewall object firewall-01.6601365479200597e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewallNodeState objects in namespace {"req.Name": "firewall-0", "r.Namespace": "ingress-node-fw-config-test-namespace"}
STEP: Waiting for the expected list of IngressNodeFirewallNodeStates
1.6601365479258146e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewall objects {"req.Name": "firewall-0"}
Could not find the desired number of IngressNodeFirewallNodeStates. Found 0 objects but expected to find 1 objects. Object list: []
1.660136547931877e+09 INFO controllers.IngressNodeFirewall Building the desired node state specs {"req.Name": "firewall-0"}
1.6601365479352949e+09 INFO controllers.IngressNodeFirewall Object node found, triggering creation {"req.Name": "firewall-0", "nodeToCreate": "worker-daemon"}
Could not find the desired number of IngressNodeFirewallNodeStates. Found 0 objects but expected to find 1 objects. Object list: []
1.660136547943595e+09 INFO controllers.IngressNodeFirewall Reconciling resource and programming bpf {"name": "worker-daemon", "namespace": "ingress-node-fw-config-test-namespace"}
1.6601365479459715e+09 INFO controllers.IngressNodeFirewall Created object {"req.Name": "firewall-0", "ingressNodeFirewallNodeState.Namespace": "ingress-node-fw-config-test-namespace", "ingressNodeFirewallNodeState.Name": "worker-daemon"}
1.6601365479459975e+09 INFO controllers.IngressNodeFirewall Object node found, triggering creation {"req.Name": "firewall-0", "nodeToCreate": "worker-0"}
1.6601365479492908e+09 INFO controllers.IngressNodeFirewall Reconciling resource and programming bpf {"name": "worker-daemon", "namespace": "ingress-node-fw-config-test-namespace"}
Could not find the desired number of IngressNodeFirewallNodeStates. Found 2 objects but expected to find 1 objects. Object list: [{{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-0 ingress-node-fw-config-test-namespace c2ec61c8-52d0-4a4a-8a1c-f18fd00a90f8 342 1 2022-08-10 15:02:27 +0200 CEST <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 c2ca64b8-87ae-423e-8e86-b36ab427a70f <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"c2ca64b8-87ae-423e-8e86-b36ab427a70f\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} }]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc00056c660 <nil> <nil> <nil> <nil>} Allow}]}]]} { }} {{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-daemon ingress-node-fw-config-test-namespace aa1a09cc-f4a8-4a1e-a14e-a777a6a7c22c 341 1 2022-08-10 15:02:27 +0200 CEST <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 c2ca64b8-87ae-423e-8e86-b36ab427a70f <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"c2ca64b8-87ae-423e-8e86-b36ab427a70f\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} } {controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:status":{".":{},"f:syncStatus":{}}} status}]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc00056c680 <nil> <nil> <nil> <nil>} Allow}]}]]} {Synchronized }}]
1.6601365479552739e+09 INFO controllers.IngressNodeFirewall Created object {"req.Name": "firewall-0", "ingressNodeFirewallNodeState.Namespace": "ingress-node-fw-config-test-namespace", "ingressNodeFirewallNodeState.Name": "worker-0"}
1.6601365479553275e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewallNodeState objects in namespace {"req.Name": "firewall-0", "r.Namespace": "ingress-node-fw-config-test-namespace"}
1.6601365479579825e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewall objects {"req.Name": "firewall-0"}
1.6601365479596775e+09 INFO controllers.IngressNodeFirewall Building the desired node state specs {"req.Name": "firewall-0"}
1.6601365479612281e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewallNodeState objects in namespace {"req.Name": "firewall-0", "r.Namespace": "ingress-node-fw-config-test-namespace"}
1.6601365479645565e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewall objects {"req.Name": "firewall-0"}
Could not find the desired number of IngressNodeFirewallNodeStates. Found 2 objects but expected to find 1 objects. Object list: [{{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-0 ingress-node-fw-config-test-namespace c2ec61c8-52d0-4a4a-8a1c-f18fd00a90f8 343 1 2022-08-10 15:02:27 +0200 CEST <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 c2ca64b8-87ae-423e-8e86-b36ab427a70f <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"c2ca64b8-87ae-423e-8e86-b36ab427a70f\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} } {controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:status":{".":{},"f:syncStatus":{}}} status}]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc00056c960 <nil> <nil> <nil> <nil>} Allow}]}]]} {Synchronized }} {{IngressNodeFirewallNodeState ingressnodefirewall.openshift.io/v1alpha1} {worker-daemon ingress-node-fw-config-test-namespace aa1a09cc-f4a8-4a1e-a14e-a777a6a7c22c 341 1 2022-08-10 15:02:27 +0200 CEST <nil> <nil> map[] map[] [{ingressnodefirewall.openshift.io/v1alpha1 IngressNodeFirewall firewall-0 c2ca64b8-87ae-423e-8e86-b36ab427a70f <nil> <nil>}] [] [{controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"c2ca64b8-87ae-423e-8e86-b36ab427a70f\"}":{}}},"f:spec":{".":{},"f:interfaceIngressRules":{".":{},"f:eth0":{}}}} } {controllers.test Update ingressnodefirewall.openshift.io/v1alpha1 2022-08-10 15:02:27 +0200 CEST FieldsV1 {"f:status":{".":{},"f:syncStatus":{}}} status}]} {map[eth0:[{[10.0.0.0] [{10 {TCP 0xc00056c980 <nil> <nil> <nil> <nil>} Allow}]}]]} {Synchronized }}]
(...)
1.6601365489525127e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewall objects {"req.Name": "firewall-0"}
1.6601365489577942e+09 INFO controllers.IngressNodeFirewall Building the desired node state specs {"req.Name": "firewall-0"}
1.6601365489578543e+09 INFO controllers.IngressNodeFirewall Existing object not found in desired list, triggering deletion {"req.Name": "firewall-0"}
1.6601365489717815e+09 INFO controllers.IngressNodeFirewall Existing object not found in desired list, triggering deletion {"req.Name": "firewall-0"}
1.6601365489837143e+09 INFO controllers.IngressNodeFirewall Getting all IngressNodeFirewallNodeState objects in namespace {"req.Name": "firewall-0", "r.Namespace": "ingress-node-fw-config-test-namespace"}
••••••••••2022/08/10 15:02:49 failed to shut down testEnv err timeout waiting for process kube-apiserver to stop
Summarizing 1 Failure:
[Fail] IngressNodeFirewall controller rules when IngressNodeFirewall objects are created for test case: "baseline test without merging" [It] The resulting IngressNodeFirewallNodeState object should look as expected
/home/akaris/development/ingress-node-firewall/controllers/ingressnodefirewall_controller_test.go:343
Ran 20 of 20 Specs in 29.974 seconds
FAIL! -- 19 Passed | 1 Failed | 0 Pending | 0 Skipped
Describe the bug
SPDY executor doesnt return a sctp netcat servers stdout.
To Reproduce
Steps to reproduce the behavior:
Enable SCTP tests by setting environment variable ENABLE_SCTP=true. Ensure SCTP kernel modules are loaded on the affected worker nodes.
Run tests.
Expected behavior
SCTP tests pass.
**additional comments **
SCTP tests fail and SPDY executor returns blank stdout even though I can see the appropriate IP address was sent to the netcat server via tcpdump -i any -A -s0.
This only occurs for SCTP tests.
Describe the bug
1- the new netcat images are large in size so it requires longer timeout setting to run
I used
- timeout = time.Second * 40
+ timeout = time.Second * 4002- IPv6 test cases fails probably some env setting I tried to disable firewalld but that didn't help as I work around I used
- isSingleStack = false
+ isSingleStack = trueTo Reproduce
Steps to reproduce the behavior:
make test-e2eExpected behavior
We should be able to run both IPv4 and IPv6 test cases on KinD
Otherwise, folks importing our API, also get all the webhook dependencies.
All credit for noticing this goes to @JoelSpeed
100 16624 # HELP ingressnodefirewall_node_packet_deny_bytes The number of bytes for packets which results in an deny IP packet result
0ingressnodefirewall_node_packet_deny_bytes 3.1537011078e+11
1# HELP ingressnodefirewall_node_packet_deny_total The number of packets which results in a deny IP packet result
66# TYPE ingressnodefirewall_node_packet_deny_total gauge
2ingressnodefirewall_node_packet_deny_total 5.256168513e+09
should run Ingress node firewall apply rules and check the actions [It]
/home/mmahmoud/go/src/ingress-node-firewall/test/e2e/functional/tests/e2e.go:94
Unexpected error:
<*errors.StatusError | 0xc0004e4820>: {
ErrStatus: {
TypeMeta: {Kind: "", APIVersion: ""},
ListMeta: {
SelfLink: "",
ResourceVersion: "",
Continue: "",
RemainingItemCount: nil,
},
Status: "Failure",
Message: "error dialing backend: dial tcp 172.18.0.2:10250: i/o timeout",
Reason: "",
Details: nil,
Code: 500,
},
}
error dialing backend: dial tcp 172.18.0.2:10250: i/o timeout
occurred
/home/mmahmoud/go/src/ingress-node-firewall/test/e2e/functional/tests/e2e.go:197
Currentlly, we have:
I think that IngressNodeFirewallNodeState should be namespaced as it's read by the daemonset pods and I prefer using rolebindings to give access than clusterolebindings. For IngrNodeFwConfig and IngressNodeFirewall, I'm indifferent, but they should either both be namespaced or both be at cluster scope.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.