Handle race with multiple replicas and conntrack VIP entries #179

jayanthvn · 2024-01-05T03:49:56Z

Issue #, if available: N/A

Description of changes:
This handles 2 issues -

Race condition when multiple replicas share the same pinpath. Pinpath was getting deleted during scale down. This PR ensures last replica deletes the pin path.

When 2 replicas are present and one replica is deleted, only we try to remove the ENI filter -

{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"controllers.policyEndpoints","caller":"controllers/policyendpoints_controller.go:146","msg":"PodIdentifier pinpath ","shared: ":true}
{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"controllers.policyEndpoints","caller":"controllers/policyendpoints_controller.go:193","msg":"Total number of PolicyEndpoint resources for","podIdentifier ":"websocket-client-7f65cc6544-default"," are ":0}{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:193","msg":"DetacheBPFProbes for","pod":"websocket-client-7f65cc6544-9j58r"," in namespace":"default"," with hostVethName":"eni91226d5f053"," cleanup pinPath":false}{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:318","msg":"Attempting to do an Ingress Detach"}

{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:193","msg":"Successfully detached Ingress TC probe for","pod: ":"websocket-client-7f65cc6544-9j58r"," in namespace":"default"}
{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:318","msg":"Attempting to do an Egress Detach"}
{"level":"info","ts":"2024-01-05T02:18:01.286Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:193","msg":"Successfully detached Egress TC probe for","pod: ":"websocket-client-7f65cc6544-9j58r"," in namespace":"default"}

When the last replica is deleted is when pinpath is deleted -

"level":"info","ts":"2024-01-04T22:32:37.982Z","logger":"controllers.policyEndpoints","caller":"controllers/policyendpoints_controller.go:146","msg":"Delete ","pinPath : ":true}

{"level":"info","ts":"2024-01-04T22:32:37.982Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:318","msg":"Deleting: ","Program: ":"/sys/fs/bpf/globals/aws/programs/websocket-client-7f65cc6544-default_handle_ingress","Map: ":"/sys/fs/bpf/globals/aws/maps/websocket-client-7f65cc6544-default_ingress_map"}
{"level":"info","ts":"2024-01-04T22:32:37.982Z","logger":"ebpf-client","caller":"controllers/policyendpoints_controller.go:318","msg":"Found the Program and Map to delete - ","Program: ":"/sys/fs/bpf/globals/aws/programs/websocket-client-7f65cc6544-default_handle_ingress","Map: ":"/sys/fs/bpf/globals/aws/maps/websocket-client-7f65cc6544-default_ingress_map"}

DIP can be the service IP and if src and dest pods are on the same node and NP is enforced for both the pods. Then kernel contract will have just VIP in the forward direction and pod IP in the reverse direction. Where as NA conntrack will have 2 separate entries. In conntrack cleanup we just use the forward direction IP from the kernel conntrack leading to expiry of NA conntrack entry which has the pod IP.

Eg:

root@ip-192-168-29-159 bin]# ./aws-eks-na-cli ebpf dump-maps 53
Conntrack Key : Source IP - 192.168.17.118 Source port - 57292 Dest IP - 10.100.58.78 Dest port - 80 Protocol - 6 Owner IP - 192.168.17.118
Value : 
Conntrack Val -  1
*******************************
Conntrack Key : Source IP - 192.168.14.74 Source port - 44240 Dest IP - 192.168.7.235 Dest port - 8080 Protocol - 6 Owner IP - 192.168.7.235
Value : 
Conntrack Val -  1
*******************************
Conntrack Key : Source IP - 192.168.17.118 Source port - 57292 Dest IP - 192.168.7.235 Dest port - 8080 Protocol - 6 Owner IP - 192.168.7.235
Value : 
Conntrack Val -  1
*******************************
Conntrack Key : Source IP - 192.168.14.74 Source port - 44240 Dest IP - 10.100.58.78 Dest port - 80 Protocol - 6 Owner IP - 192.168.14.74
Value : 
Conntrack Val -  1
*******************************
Done reading all entries


[root@ip-192-168-29-159 bin]# conntrack -L | grep 192.168.7.235
tcp      6 431999 ESTABLISHED src=192.168.14.74 dst=10.100.58.78 sport=44240 dport=80 src=192.168.7.235 dst=192.168.14.74 sport=8080 dport=44240 [ASSURED] mark=0 use=1
conntrack v1.4.4 (conntrack-tools): 78 flow entries have been shown.
tcp      6 431999 ESTABLISHED src=192.168.17.118 dst=10.100.58.78 sport=57292 dport=80 src=192.168.7.235 dst=192.168.17.118 sport=8080 dport=57292 [ASSURED] mark=0 use=1

Those entries with Pod IP as dest IP was getting deleted even for established connections -

"level":"info","ts":"2024-01-04T21:37:13.479Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Check for any stale entries in the conntrack map"}
{"level":"info","ts":"2024-01-04T21:37:13.485Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Conntrack cleanup","Entry - ":"Expired/Delete Conntrack Key : Source IP - 192.168.9.135 Source port - 38610 Dest IP - 192.168.7.235 Dest port - 8080 Protocol - 6 Owner IP - 192.168.7.235"}
{"level":"info","ts":"2024-01-04T21:37:13.485Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Conntrack cleanup","Entry - ":"Expired/Delete Conntrack Key : Source IP - 192.168.17.128 Source port - 46126 Dest IP - 192.168.7.235 Dest port - 8080 Protocol - 6 Owner IP - 192.168.7.235"}
{"level":"info","ts":"2024-01-04T21:37:13.485Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Conntrack cleanup","Delete - ":{"Source_ip":2265557184,"Source_port":38610,"Dest_ip":3943147712,"Dest_port":8080,"Protocol":6,"Owner_ip":3943147712}}
{"level":"info","ts":"2024-01-04T21:37:13.485Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Conntrack cleanup","Delete - ":{"Source_ip":2148640960,"Source_port":46126,"Dest_ip":3943147712,"Dest_port":8080,"Protocol":6,"Owner_ip":3943147712}}
{"level":"info","ts":"2024-01-04T21:37:13.485Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Done cleanup of conntrack map"}

Post fix, no stale entries found-

{"level":"info","ts":"2024-01-05T03:33:44.075Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Check for any stale entries in the conntrack map"}
{"level":"info","ts":"2024-01-05T03:33:44.081Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Done cleanup of conntrack map"}
{"level":"info","ts":"2024-01-05T03:38:44.081Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Check for any stale entries in the conntrack map"}{"level":"info","ts":"2024-01-05T03:38:44.088Z","logger":"ebpf-client","caller":"wait/backoff.go:227","msg":"Done cleanup of conntrack map"}

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

jayanthvn · 2024-01-05T03:53:58Z

Pending regression test.

haouc

lgtm

pkg/ebpf/conntrack/conntrack_client.go

* Move to mainline sdk changes (#25) * Reuse eBPF SDK Client (#26) * Code refactoring - Sync to SDK's new API interface (#27) * Additional UTs for eBPF pkg (#29) * Additional UTs for eBPF pkg * UT for Global Map recovery flow * format changes * Events refactor (#30) * Remove replace and add comments * Minor refactor * Update AL2023 image * vmlinux generation * update readme (#31) * Third party attribution doc (#32) * Thirdparty attribution doc * Minor nits * minor nit * README Updates (#34) * Update README.md (#35) * Update go.mod and go.sum for master (#38) * Update go.mod and go.sum docker/make file changes * fix up vet * Run Conformance and Performance tests with github actions (#5) * Updated conformance and performance test parameters (#39) * Fix problem with policy not being applied to pods on IPv6 nodes (#40) * Update the session duration to 5 hrs for github actions (#53) * Update scripts to run cyclonus suite and install latest MAO * Handle 0 entries in cli (#60) * Update test pkg (#61) * Ignore policy restrictions against Node IP (#65) * feat: Add flag enable-policy-event-logs (#48) * feat: Add flag enable-policy-event-logs Policy event logging is now disabled by default * feat: Add enable-policy-event-logs flag to readme --------- Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Issue#45 Modified Default Metrics Bind Port (#46) * Issue#45 Modified Default Metrics Bind Port * Modified Health Probe Bind address to 8163 --------- Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local> Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#43) Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](google/uuid@v1.3.0...v1.3.1) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Bump github.com/vishvananda/netlink (#42) Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.1.1-0.20210330154013-f5de75959ad5 to 1.2.1-beta.2. - [Release notes](https://github.com/vishvananda/netlink/releases) - [Commits](https://github.com/vishvananda/netlink/commits/v1.2.1-beta.2) --- updated-dependencies: - dependency-name: github.com/vishvananda/netlink dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add update image script and make targets (#59) * Fixes to cyclonus test script (#69) * Remove KUBECONFIG environment variable from cyclonus test script * With catchALL honor "except" (#58) * Honor except with catchALL * PR feedback * Remove unnecessary header files (#71) * Return exit status if test verification fails * V6 Optimizations (#80) * Bump github.com/aws/amazon-vpc-cni-k8s from 1.13.4 to 1.15.0 (#82) Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.13.4 to 1.15.0. - [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases) - [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md) - [Commits](aws/amazon-vpc-cni-k8s@v1.13.4...v1.15.0) --- updated-dependencies: - dependency-name: github.com/aws/amazon-vpc-cni-k8s dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Honor V6 Elf file updates (#84) * Build latest image with conformance tests (#85) * Create a github action to build multi-arch docker image * Update credentials action to v3 * Log rotate support (#87) * Bump go.uber.org/zap from 1.25.0 to 1.26.0 (#81) Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.25.0 to 1.26.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.25.0...v1.26.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Race condition with init and cw setup (#93) * Bump golang.org/x/net from 0.12.0 to 0.17.0 (#95) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.12.0 to 0.17.0. - [Commits](golang/net@v0.12.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * upgrade Go to 1.21.3 and upgrade dependencies * Fix conntrack issue and increase supported port/protocol (#102) * Fix conntrack * Update events * Pull test images from internal test infra accounts (#79) * Pull test images from internal test infra accounts * Test with ARM nodes in e2e conformance tests * Handle PolicyEndpoint split scenario when the target pods are paired … (#106) * Handle PolicyEndpoint split scenario when the target pods are paired with empty ingress/egress rules * Fix UT * inherit firewall rules from larger cidrs (#104) * Update /m * format * Len changes --------- Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> * Update pr-tests.yaml (#112) * Handle for controller not adding prefix lens (#113) * Update pr-tests.yaml * Minor fix for missing prefixlens * Refactor * Minor refactor (#116) * Update pr-tests.yaml * Minor refactor * README Update (#117) * Update issue templates (#121) * add more checks in pr actions * Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (#126) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/aws/aws-sdk-go from 1.45.19 to 1.47.5 (#134) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.45.19 to 1.47.5. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.45.19...v1.47.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/client-go from 0.28.2 to 0.28.3 (#123) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.2 to 0.28.3. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.2...v0.28.3) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump sigs.k8s.io/controller-runtime from 0.16.2 to 0.16.3 (#122) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.16.2 to 0.16.3. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.16.2...v0.16.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Conntrack cleanup issue with v1.0.5 (#133) * Conntrack cleanup issue with v1.0.5 * Minor changes * Index with owner * Add padding for v6 * Upgrade SDK * CLI update * minor change * force vulns check to use specified go patch version (#137) * Updating the expected results for known flaky test cases * Memory corruption (#142) * Bump github.com/google/uuid from 1.3.1 to 1.4.0 (#157) Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.1 to 1.4.0. - [Release notes](https://github.com/google/uuid/releases) - [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md) - [Commits](google/uuid@v1.3.1...v1.4.0) --- updated-dependencies: - dependency-name: github.com/google/uuid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#156) Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#154) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 (#153) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.16.0 to 1.17.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/client-go from 0.28.3 to 0.28.4 (#155) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.3 to 0.28.4. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.3...v0.28.4) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Conntrack enhancements (#151) * Env fix * Move to flag * Cleanup * Log line for debugs * minor update * Ignore PE slices tied to same NP during Clean up flow (#159) * Ignore PE slices tied to same NP during Clean up flow * Format changes * UT fix --------- Co-authored-by: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> * CLI changes (#152) * CLI changes * Utils * Upgrade SDK * Upgrade sdk * Update builder image to latest golang version * fix logger error; remove version log * Add workflow to run manual e2e tests on specific instance type (#148) * Add region parameter to describe instances * Add prefix to identify log stream for network policy events (#178) * Bump github.com/go-logr/logr from 1.3.0 to 1.4.1 Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.3.0 to 1.4.1. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.3.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump k8s.io/client-go from 0.28.4 to 0.29.0 Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.28.4 to 0.29.0. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.28.4...v0.29.0) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Log the to be deleted conntrack entries in readable format * dependabot updates * Handle replica and VIP (#179) * Check the new addon versions in the right regions * Update CI scripts to the test on latest available k8s cluster * Bump github.com/aws/amazon-vpc-cni-k8s from 1.16.0 to 1.16.2 (#196) Bumps [github.com/aws/amazon-vpc-cni-k8s](https://github.com/aws/amazon-vpc-cni-k8s) from 1.16.0 to 1.16.2. - [Release notes](https://github.com/aws/amazon-vpc-cni-k8s/releases) - [Changelog](https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.2/CHANGELOG.md) - [Commits](aws/amazon-vpc-cni-k8s@v1.16.0...v1.16.2) --- updated-dependencies: - dependency-name: github.com/aws/amazon-vpc-cni-k8s dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.50.9 (#199) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.49.13 to 1.50.9. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.49.13...v1.50.9) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/apimachinery from 0.29.0 to 0.29.1 (#197) Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.29.0 to 0.29.1. - [Commits](kubernetes/apimachinery@v0.29.0...v0.29.1) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/sys from 0.15.0 to 0.16.0 (#195) Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.15.0 to 0.16.0. - [Commits](golang/sys@v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump k8s.io/client-go from 0.29.0 to 0.29.1 (#194) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.29.0 to 0.29.1. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](kubernetes/client-go@v0.29.0...v0.29.1) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Handle PE split cleanup and duplicate l4info (#185) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Apurup Chevuru <60630804+achevuru@users.noreply.github.com> Co-authored-by: Geoffrey Cline <geoffreyc@outlook.com> Co-authored-by: Jay Deokar <23660509+jaydeokar@users.noreply.github.com> Co-authored-by: K.Hoshi <rxnew.axdseuan@gmail.com> Co-authored-by: Jay Deokar <jsdeokar@amazon.com> Co-authored-by: Tobias Germer <bvrcreepyx@hotmail.de> Co-authored-by: Kareem Rady <82394457+kareem-rady@users.noreply.github.com> Co-authored-by: Kareem Rady <kareemrady@KR-MBA.local> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Nelson <jdnelson@amazon.com> Co-authored-by: Jeffrey Nelson <jdn5126@gmail.com> Co-authored-by: Hao Zhou <zhuhz@amazon.com> Co-authored-by: Hao Zhou <haouc@users.noreply.github.com>

jayanthvn changed the title ~~Handle replica and VIP~~ Handle race with multiple replicas and conntrack VIP entries Jan 5, 2024

jayanthvn requested a review from achevuru January 5, 2024 03:50

jdn5126 mentioned this pull request Jan 5, 2024

Is the network policy for VPC CNI designed to be stateful or stateless? #175

Closed

jdn5126 force-pushed the na_pinpath branch 2 times, most recently from 2062de1 to f547b44 Compare January 8, 2024 21:37

haouc approved these changes Jan 8, 2024

View reviewed changes

pkg/ebpf/conntrack/conntrack_client.go Show resolved Hide resolved

Handle replica and VIP

f986af4

jdn5126 force-pushed the na_pinpath branch from f547b44 to f986af4 Compare January 8, 2024 23:26

jayanthvn merged commit 3c805f0 into aws:main Jan 9, 2024
4 checks passed

jdn5126 mentioned this pull request Jan 9, 2024

Pods with no eBPF maps attached #183

Closed

jayanthvn deleted the na_pinpath branch January 9, 2024 18:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle race with multiple replicas and conntrack VIP entries #179

Handle race with multiple replicas and conntrack VIP entries #179

jayanthvn commented Jan 5, 2024

jayanthvn commented Jan 5, 2024

haouc left a comment

Handle race with multiple replicas and conntrack VIP entries #179

Handle race with multiple replicas and conntrack VIP entries #179

Conversation

jayanthvn commented Jan 5, 2024

jayanthvn commented Jan 5, 2024

haouc left a comment

Choose a reason for hiding this comment