Merge Main to rel branch

.github/workflows/pr-tests.yaml

@@ -70,9 +70,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Setup Go Version
+        run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.21.5'
+          go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: "**/go.sum"
       - name: Install `govulncheck`
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

.gitignore

@@ -9,3 +9,7 @@ bin/
 config/
 vendor/
 scripts/results.log
+amazon-network-policy-controller-k8s
+
+# Test build files
+test/build/

.go-version

@@ -0,0 +1 @@
+1.21.12

CODEOWNERS

@@ -0,0 +1 @@
+* @aws/eks-networking

Dockerfile

@@ -1,5 +1,8 @@
 # Build the manager binary
-FROM public.ecr.aws/eks-distro-build-tooling/golang:1.21.5-6-gcc-al2 as builder
+ARG golang_image
+
+FROM $golang_image as builder
+
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -41,12 +44,8 @@ COPY . ./
 COPY --from=vmlinuxbuilder /vmlinuxbuilder/pkg/ebpf/c/vmlinux.h ./pkg/ebpf/c/
 RUN make build-bpf
 
-FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-base:latest.2
-RUN yum update -y && \
-    yum install -y iptables iproute jq && \
-    yum install -y llvm clang make gcc && \
-    yum install -y coreutils kernel-devel elfutils-libelf-devel zlib-devel libbpf-devel && \
-    yum clean all
+# Container base image
+FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-glibc:latest.2
 
 WORKDIR /
 COPY --from=builder /workspace/controller .

Dockerfile.test

@@ -1,4 +1,7 @@
-FROM public.ecr.aws/eks-distro-build-tooling/golang:1.21.3-4-gcc-al2
+ARG golang_image
+
+FROM $golang_image
+
 WORKDIR /go/src/github.com/aws/aws-network-policy-agent
 
 # Force the go compiler to use modules.

Makefile

@@ -3,11 +3,16 @@
 IMAGE ?= amazon/aws-network-policy-agent
 VERSION ?= $(shell git describe --tags --always --dirty || echo "unknown")
 IMAGE_NAME = $(IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
+GOLANG_VERSION ?= $(shell cat .go-version)
+GOLANG_IMAGE ?= public.ecr.aws/eks-distro-build-tooling/golang:$(GOLANG_VERSION)-gcc-al2
 # TEST_IMAGE is the testing environment container image.
 TEST_IMAGE = aws-network-policy-agent-test
 TEST_IMAGE_NAME = $(TEST_IMAGE)$(IMAGE_ARCH_SUFFIX):$(VERSION)
+MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
 
 export GOPROXY = direct
+export GOSUMDB = sum.golang.org
+export GOTOOLCHAIN = go$(GOLANG_VERSION)
 
 # aws-ebpf-sdk-go override in case we need to build against a custom version
 EBPF_SDK_OVERRIDE ?= "n"
@@ -80,7 +85,7 @@ vet: setup-ebpf-sdk-override # Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out -v -coverprofile=coverage.txt
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./cmd/... ./controllers/... ./pkg/... -coverprofile cover.out -v -coverprofile=coverage.txt
 
 ##@ Build
 
@@ -155,26 +160,27 @@ build-bpf: ## Build BPF.
 #docker-build: test ## Build docker image with the manager.
 #	docker build -t ${IMAGE_NAME} .
 docker-build: setup-ebpf-sdk-override## Build docker image with the manager.
-	docker build -t ${IMAGE_NAME} .
+	docker build -t ${IMAGE_NAME} --build-arg golang_image="$(GOLANG_IMAGE)" .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	docker push ${IMAGE_NAME}
 
-##@ Build and Run Unit Tests 
+##@ Build and Run Unit Tests
 # Build the unit test driver container image.
 build-docker-test:     ## Build the unit test driver container image.
 	docker build $(DOCKER_BUILD_FLAGS_NP_AGENT) \
 		-f Dockerfile.test \
 		-t $(TEST_IMAGE_NAME) \
+		--build-arg golang_image="$(GOLANG_IMAGE)" \
 		.
 
 # Run unit tests inside of the testing container image.
 docker-unit-tests: build-docker-test     ## Run unit tests inside of the testing container image.
 	docker run $(DOCKER_RUN_ARGS) \
 		$(TEST_IMAGE_NAME) \
 		make test
- 
+
 
 # PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
@@ -194,6 +200,7 @@ docker-buildx: setup-ebpf-sdk-override ## Build and push docker image for the ma
 		--platform "$(PLATFORMS)"\
 		--cache-from=type=gha \
 		--cache-to=type=gha,mode=max \
+		--build-arg golang_image="$(GOLANG_IMAGE)" \
 		.
 	- docker buildx rm project-v3-builder
 	rm Dockerfile.cross
@@ -208,6 +215,7 @@ multi-arch-build-and-push: setup-ebpf-sdk-override ## Build and push docker imag
 		--cache-from=type=gha \
 		--cache-to=type=gha,mode=max \
 		-t $(IMAGE):$(VERSION) \
+		--build-arg golang_image="$(GOLANG_IMAGE)" \
 		--push \
 		.
 
@@ -269,7 +277,7 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20230216140739-c98506dc3b8e
 
 # Check formatting of source code files without modification.
 check-format: FORMAT_FLAGS = -l
@@ -305,11 +313,23 @@ update-node-agent-image: ## Updates node agent image on an existing cluster. Opt
 	./scripts/update-node-agent-image.sh AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT) IP_FAMILY=$(IP_FAMILY)
 
 ./PHONY: update-image-and-test
-update-image-and-test: ## Updates node agent image on existing cluster and runs cyclonus tests. Call with CLUSTER_NAME=<name of the cluster> and AWS_EKS_NODEAGENT=<Image URI> 
+update-image-and-test: ## Updates node agent image on existing cluster and runs cyclonus tests. Call with CLUSTER_NAME=<name of the cluster> and AWS_EKS_NODEAGENT=<Image URI>
 	$(MAKE) update-node-agent-image AWS_EKS_NODEAGENT=$(AWS_EKS_NODEAGENT)
 	$(MAKE) run-cyclonus-test CLUSTER_NAME=$(CLUSTER_NAME) SKIP_ADDON_INSTALLATION=true
 
+./PHONY: deploy-network-policy-controller-on-dataplane
+deploy-network-policy-controller-on-dataplane: ## This uses the script from amazon-network-policy-controller-k8s repository to install the controller on dataplane nodes
+	@if [ ! -d ./amazon-network-policy-controller-k8s ]; then \
+		git clone https://github.com/aws/amazon-network-policy-controller-k8s.git; \
+	fi
+	./amazon-network-policy-controller-k8s/scripts/deploy-controller-on-dataplane.sh NP_CONTROLLER_IMAGE=$(NP_CONTROLLER_IMAGE) NP_CONTROLLER_ENDPOINT_CHUNK_SIZE=$(NP_CONTROLLER_ENDPOINT_CHUNK_SIZE)
+
 clean: # Clean temporary files and build artifacts from the project
 	@rm -f -- aws-eks-na-cli
 	@rm -f -- aws-eks-na-cli-v6
 	@rm -f -- coverage.txt
+
+build-test-binaries: # Builds the test suite binaries
+	mkdir -p ${MAKEFILE_PATH}test/build
+	find ${MAKEFILE_PATH}test -name '*suite_test.go' -type f  | xargs dirname  | xargs ginkgo build
+	find ${MAKEFILE_PATH}test -name "*.test" -print0 | xargs -0 -I {} mv {} ${MAKEFILE_PATH}test/build

README.md

@@ -82,6 +82,29 @@ Network Policy agent can operate in either IPv4 or IPv6 mode. Setting this flag
 
 **Note:** VPC CNI by default creates an egress only IPv4 interface for IPv6 pods and this network interface will not be secured by the Network policy feature. Network policies will only be enforced on the Pod's primary interface (i.e.,) `eth0`. If you want to block the egress IPv4 access, please disable the interface creation via [ENABLE_V4_EGRESS](https://github.com/aws/amazon-vpc-cni-k8s#enable_v4_egress-v1151) flag in VPC CNI. 
 
+#### `conntrack-cache-cleanup-period` (from v1.0.7+)
+
+Type: Integer
+
+Default: 300
+
+Network Policy agent maintains a local conntrack cache. This configuration (in seconds) will determine how fast the local conntrack cache should be cleaned up from stale/expired entries. Based on the time interval set, network policy agent checks every entry in the local conntrack cache with kernel conntrack table and determine if the entry has to be deleted.
+
+#### `conntrack-cache-table-size` (from v1.1.3+)
+
+Type: Integer
+
+Default: 1024 * 256
+
+Network Policy agent maintains a local conntrack cache. Ideally this should be of the same size as kernel conntrack table. Note, this should be configured on new nodes before enabling network policy or if network policy is already enabled the change in configuration would need a reload of the nodes. Dynamic update of conntrack map size would lead to traffic disruption and isn't supported. The value supported is between 32K and 1024K.
+
+**Note**: To check the maximum conntrack table size in your linux worker node, use the following command:
+
+```console
+$ cat /proc/sys/net/netfilter/nf_conntrack_max
+262144
+```
+
 ## Network Policy Agent CLI
 The Amazon VPC CNI plugin for Kubernetes installs eBPF SDK collection of tools on the nodes. You can use the eBPF SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node.