Azure
diff --git a/‎.pipelines/npm/npm-conformance-tests.yaml‎
Lines changed: 28 additions & 11 deletions b/‎.pipelines/npm/npm-conformance-tests.yaml‎
Lines changed: 28 additions & 11 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎npm/profiles/v2-background.yaml‎
Lines changed: 13 additions & 13 deletions b/‎npm/profiles/v2-background.yaml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎npm/profiles/v2-place-first.yaml‎
Lines changed: 13 additions & 11 deletions b/‎npm/profiles/v2-place-first.yaml‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml‎
Lines changed: 7 additions & 0 deletions b/‎test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml‎
Lines changed: 7 additions & 0 deletions b/‎test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config-dualstack.yaml‎
Lines changed: 1 addition & 1 deletion b/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config-dualstack.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config-hubble.yaml‎
Lines changed: 1 addition & 1 deletion b/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config-hubble.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config.yaml‎
Lines changed: 1 addition & 1 deletion b/‎test/integration/manifests/cilium/v1.16/cilium-config/cilium-config.yaml‎
Lines changed: 1 addition & 1 deletion
@@ -110,6 +110,10 @@ stages:
             AZURE_CLUSTER: "conformance-v2-linux-stress"
             PROFILE: "v2-background"
             IS_STRESS_TEST: "true"
+          v2-place-first:
+            AZURE_CLUSTER: "conformance-v2-place-first"
+            PROFILE: "v2-place-first"
+            IS_STRESS_TEST: "false"
       pool:
         name: $(BUILD_POOL_NAME_DEFAULT)
         demands:
@@ -251,15 +255,23 @@ stages:
               set -e
               make -C ./hack/aks set-kubeconf AZCLI=az GROUP=$(RESOURCE_GROUP) CLUSTER=$(AZURE_CLUSTER)
 
-              # sig-release provides test suite tarball(s) per k8s release. Just need to provide k8s version "v1.xx.xx"
-              # pulling k8s version from AKS.
-              eval k8sVersion="v"$( az aks show -g $(RESOURCE_GROUP) -n $(AZURE_CLUSTER) --query "currentKubernetesVersion")
-              echo $k8sVersion
-              curl -L https://dl.k8s.io/$k8sVersion/kubernetes-test-linux-amd64.tar.gz -o ./kubernetes-test-linux-amd64.tar.gz
-
-              # https://github.com/kubernetes/sig-release/blob/master/release-engineering/artifacts.md#content-of-kubernetes-test-system-archtargz-on-example-of-kubernetes-test-linux-amd64targz-directories-removed-from-list
-              # explictly unzip and strip directories from ginkgo and e2e.test
-              tar -xvzf kubernetes-test-linux-amd64.tar.gz --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test
+              if [ $(PROFILE) == "v2-place-first" ]; then
+                git clone --depth=1 --branch=huntergregory/service-types https://github.com/huntergregory/network-policy-api.git
+                cd network-policy-api/cmd/policy-assistant
+                make policy-assistant
+                cd ../../..
+                mv network-policy-api/cmd/policy-assistant/cmd/policy-assistant/policy-assistant .
+              else
+                # sig-release provides test suite tarball(s) per k8s release. Just need to provide k8s version "v1.xx.xx"
+                # pulling k8s version from AKS.
+                eval k8sVersion="v"$( az aks show -g $(RESOURCE_GROUP) -n $(AZURE_CLUSTER) --query "currentKubernetesVersion")
+                echo $k8sVersion
+                curl -L https://dl.k8s.io/$k8sVersion/kubernetes-test-linux-amd64.tar.gz -o ./kubernetes-test-linux-amd64.tar.gz
+
+                # https://github.com/kubernetes/sig-release/blob/master/release-engineering/artifacts.md#content-of-kubernetes-test-system-archtargz-on-example-of-kubernetes-test-linux-amd64targz-directories-removed-from-list
+                # explictly unzip and strip directories from ginkgo and e2e.test
+                tar -xvzf kubernetes-test-linux-amd64.tar.gz --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test
+              fi
 
           displayName: "Setup Environment"
 
@@ -280,8 +292,13 @@ stages:
             echo $FQDN
 
             runConformance () {
-                KUBERNETES_SERVICE_HOST="$FQDN" KUBERNETES_SERVICE_PORT=443 ./e2e.test --provider=local --ginkgo.focus="NetworkPolicy" --ginkgo.skip="SCTP" --kubeconfig=./kubeconfig
-                # there can't be a command after e2e.test because the exit code is important
+                if [ $(PROFILE) == "v2-place-first" ]; then
+                  # 15 minute timeout for creating LoadBalancer with Azure-internal "external IPs"
+                  ./policy-assistant generate --noisy=true --job-timeout-seconds=2 --pod-creation-timeout-seconds 900 --server-protocol TCP,UDP --ignore-loopback --include special-services --exclude cni-brings-source-pod-info-to-other-node
+                else
+                  KUBERNETES_SERVICE_HOST="$FQDN" KUBERNETES_SERVICE_PORT=443 ./e2e.test --provider=local --ginkgo.focus="NetworkPolicy" --ginkgo.skip="SCTP" --kubeconfig=./kubeconfig
+                fi
+                # there can't be a command after e2e.test/policy-assistant because the exit code is important
             }
 
             runConformanceWindows () {
 
@@ -20,7 +20,7 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/golang/protobuf v1.5.4
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/hashicorp/go-version v1.7.0
 
@@ -144,8 +144,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 
@@ -6,18 +6,18 @@ metadata:
 data:
   azure-npm.json: |
     {
-        "ResyncPeriodInMinutes":          15,
-        "ListeningPort":                  10091,
-        "ListeningAddress":               "0.0.0.0",
-        "NetPolInvervalInMilliseconds":   500,
-        "MaxPendingNetPols":              100,
-        "Toggles": {
-            "EnablePrometheusMetrics": true,
-            "EnablePprof":             true,
-            "EnableHTTPDebugAPI":      true,
-            "EnableV2NPM":             true,
-            "PlaceAzureChainFirst":    true,
-            "ApplyIPSetsOnNeed":       false,
-            "NetPolInBackground":      true
+      "ResyncPeriodInMinutes":          15,
+      "ListeningPort":                  10091,
+      "ListeningAddress":               "0.0.0.0",
+      "NetPolInvervalInMilliseconds":   500,
+      "MaxPendingNetPols":              100,
+      "Toggles": {
+          "EnablePrometheusMetrics": true,
+          "EnablePprof":             true,
+          "EnableHTTPDebugAPI":      true,
+          "EnableV2NPM":             true,
+          "PlaceAzureChainFirst":    false,
+          "ApplyIPSetsOnNeed":       false,
+          "NetPolInBackground":      true
         }
     }
@@ -6,16 +6,18 @@ metadata:
 data:
   azure-npm.json: |
     {
-      "ResyncPeriodInMinutes": 15,
-      "ListeningPort": 10091,
-      "ListeningAddress": "0.0.0.0",
+      "ResyncPeriodInMinutes":          15,
+      "ListeningPort":                  10091,
+      "ListeningAddress":               "0.0.0.0",
+      "NetPolInvervalInMilliseconds":   500,
+      "MaxPendingNetPols":              100,
       "Toggles": {
-        "EnablePrometheusMetrics": true,
-        "EnablePprof":             false,
-        "EnableHTTPDebugAPI":      true,
-        "EnableV2NPM":             true,
-        "PlaceAzureChainFirst":    true,
-        "ApplyIPSetsOnNeed":       true,
-        "NetPolInBackground":      false
-      }
+          "EnablePrometheusMetrics": true,
+          "EnablePprof":             true,
+          "EnableHTTPDebugAPI":      true,
+          "EnableV2NPM":             true,
+          "PlaceAzureChainFirst":    true,
+          "ApplyIPSetsOnNeed":       false,
+          "NetPolInBackground":      true
+        }
     }
@@ -152,6 +152,9 @@ spec:
           readOnly: true
         - mountPath: /run/xtables.lock
           name: xtables-lock
+        - mountPath: /var/run/cilium/netns
+          name: cilium-netns
+          mountPropagation: HostToContainer
       dnsPolicy: ClusterFirst
       hostNetwork: true
       initContainers:
@@ -428,6 +431,10 @@ spec:
           path: /proc/sys/kernel
           type: Directory
         name: host-proc-sys-kernel
+      - hostPath: 
+          path: /var/run/netns
+          type: DirectoryOrCreate
+        name: cilium-netns
   updateStrategy:
     rollingUpdate:
       maxSurge: 0
 
@@ -152,6 +152,9 @@ spec:
           readOnly: true
         - mountPath: /run/xtables.lock
           name: xtables-lock
+        - mountPath: /var/run/cilium/netns
+          name: cilium-netns
+          mountPropagation: HostToContainer
       dnsPolicy: ClusterFirst
       hostNetwork: true
       initContainers:
@@ -415,6 +418,10 @@ spec:
           path: /proc/sys/kernel
           type: Directory
         name: host-proc-sys-kernel
+      - hostPath: 
+          path: /var/run/netns
+          type: DirectoryOrCreate
+        name: cilium-netns
   updateStrategy:
     rollingUpdate:
       maxSurge: 0
 
@@ -69,7 +69,7 @@ data:
   synchronize-k8s-nodes: "true"
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: "true"
-  tofqdns-endpoint-max-ip-per-hostname: "50"
+  tofqdns-endpoint-max-ip-per-hostname: "1000"
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: "10000"
   tofqdns-min-ttl: "0"
 
@@ -70,7 +70,7 @@ data:
   synchronize-k8s-nodes: "true"
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: "true"
-  tofqdns-endpoint-max-ip-per-hostname: "50"
+  tofqdns-endpoint-max-ip-per-hostname: "1000"
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: "10000"
   tofqdns-min-ttl: "0"
 
@@ -65,7 +65,7 @@ data:
   synchronize-k8s-nodes: "true"
   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: "true"
-  tofqdns-endpoint-max-ip-per-hostname: "50"
+  tofqdns-endpoint-max-ip-per-hostname: "1000"
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: "10000"
   tofqdns-min-ttl: "0"