Merge remote-tracking branch 'origin/master' into sanprabhu/iptables-block-binary

Author: santhoshmprabhu

.github/CODEOWNERS

@@ -7,12 +7,13 @@
 # review a PR in an area.
 #
 # Rules are evaluated in this order, and the last match is used for auto-assignment.
-*                       @azure/azure-sdn-members
-/.github/               @azure/acn-admins
-/cns/                   @azure/acn-cns-reviewers
-/cni/                   @azure/acn-cni-reviewers
-/dropgz/                @rbtr @camrynl @paulyufan2 @ashvindeodhar @thatmattlong
-/npm/                   @azure/acn-npm-reviewers
-/zapai/                 @rbtr @ZetaoZhuang
-/bpf-prog/              @camrynl
-/azure-ip-masq-merger/  @QxBytes @santhoshmprabhu
+*                           @azure/azure-sdn-members
+/.github/                   @azure/acn-admins
+/cns/                       @azure/acn-cns-reviewers
+/cni/                       @azure/acn-cni-reviewers
+/dropgz/                    @rbtr @camrynl @paulyufan2 @ashvindeodhar @thatmattlong
+/npm/                       @azure/acn-npm-reviewers
+/zapai/                     @rbtr @ZetaoZhuang
+/bpf-prog/                  @camrynl
+/azure-ip-masq-merger/      @QxBytes @santhoshmprabhu
+/azure-iptables-monitor/    @QxBytes @santhoshmprabhu

.github/dependabot.yaml

@@ -106,11 +106,9 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
-  reviewers:
-    - "azure/azure-sdn-members"
   commit-message:
     prefix: "deps"
-  labels: [ "dependencies" ]
+  labels: [ "dependencies", "release/1.6"  ]
   open-pull-requests-limit: 10
   target-branch: "release/v1.6"
   ignore:
@@ -130,11 +128,9 @@ updates:
   directory: "/azure-ipam"
   schedule:
     interval: "daily"
-  reviewers:
-    - "azure/azure-sdn-members"
   commit-message:
     prefix: "deps"
-  labels: [ "dependencies", "azure-ipam" ]
+  labels: [ "dependencies", "azure-ipam", "release/1.6" ]
   open-pull-requests-limit: 10
   target-branch: "release/v1.6"
   ignore:

.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile

@@ -0,0 +1,18 @@
+ARG ARCH
+
+# mcr.microsoft.com/azurelinux/base/core:3.0
+FROM mcr.microsoft.com/azurelinux/base/core@sha256:9948138108a3d69f1dae62104599ac03132225c3b7a5ac57b85a214629c8567d AS mariner-core
+
+# mcr.microsoft.com/azurelinux/distroless/minimal:3.0
+FROM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS mariner-distroless
+
+FROM mariner-core AS iptables
+RUN tdnf install -y iptables
+
+FROM mariner-distroless AS linux
+ARG ARTIFACT_DIR
+COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
+COPY --from=iptables /usr/lib /usr/lib
+COPY ${ARTIFACT_DIR}/bin/azure-iptables-monitor /azure-iptables-monitor
+
+ENTRYPOINT ["/azure-iptables-monitor"]

.pipelines/build/ob-prepare.steps.yaml

@@ -62,6 +62,10 @@ steps:
     echo "##vso[task.setvariable variable=azureIpMasqMergerVersion;isOutput=true]$AZUREIPMASQMERGERVERSION"
     echo "azureIpMasqMergerVersion: $AZUREIPMASQMERGERVERSION"
 
+    AZUREIPTABLESMONITORVERSION=$(make azure-iptables-monitor-version)
+    echo "##vso[task.setvariable variable=azureIptablesMonitorVersion;isOutput=true]$AZUREIPTABLESMONITORVERSION"
+    echo "azureIptablesMonitorVersion: $AZUREIPTABLESMONITORVERSION"
+
     CNIVERSION=$(make cni-version)
     echo "##vso[task.setvariable variable=cniVersion;isOutput=true]$CNIVERSION"
     echo "cniVersion: $CNIVERSION"

.pipelines/build/scripts/azure-iptables-monitor.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -eux
+
+[[ $OS =~ windows ]] && { echo "azure-iptables-monitor is not supported on Windows"; exit 1; }
+FILE_EXT=''
+
+export CGO_ENABLED=0
+
+mkdir -p "$OUT_DIR"/bin
+mkdir -p "$OUT_DIR"/files
+
+pushd "$REPO_ROOT"/azure-iptables-monitor
+  GOOS="$OS" go build -v -a -trimpath \
+    -o "$OUT_DIR"/bin/azure-iptables-monitor"$FILE_EXT" \
+    -ldflags "-s -w -X github.com/Azure/azure-container-networking/azure-iptables-monitor/internal/buildinfo.Version=$AZURE_IPTABLES_MONITOR_VERSION -X main.version=$AZURE_IPTABLES_MONITOR_VERSION" \
+    -gcflags="-dwarflocationlists=true" \
+    .
+popd

.pipelines/cni/pipeline.yaml

@@ -227,22 +227,6 @@ stages:
       scaleup: ${SCALEUP_WIN}
       iterations: ${ITERATIONS_WIN}
 
-  - template: singletenancy/cniv2-template.yaml
-    parameters:
-      name: windows19_overlay
-      clusterType: overlay-byocni-up
-      clusterName: w19-amd-ov
-      nodeCount: ${NODE_COUNT_WINCLUSTER_SYSTEMPOOL}
-      nodeCountWin: ${NODE_COUNT_WIN}
-      vmSize: ${VM_SIZE_WINCLUSTER_SYSTEMPOOL}
-      vmSizeWin: ${VM_SIZE_WIN}
-      arch: amd64
-      os: windows
-      os_version: 'ltsc2019'
-      osSkuWin: 'Windows2019'
-      scaleup: ${SCALEUP_WIN}
-      iterations: ${ITERATIONS_WIN}
-
 ## Linux E2E
   - template: singletenancy/cniv1-template.yaml
     parameters:
@@ -561,7 +545,6 @@ stages:
       - rdma_linux_overlay
       - windows_podsubnet_HNS
       - windows_overlay_HNS
-      - windows19_overlay_HNS
       - setup
       - ${{if eq(parameters.upgradeScenario, true)}}:
         - cilium_overlay_upgrade
@@ -636,9 +619,6 @@ stages:
             win-cniv2-overlay:
               name: windows_overlay
               clusterName: w22-over
-            windows19_overlay:
-              name: windows19_overlay
-              clusterName: w19-amd-ov
         steps:
           - task: AzureCLI@2
             inputs:

.pipelines/pipeline.yaml

@@ -15,6 +15,7 @@ trigger:
   branches:
     include:
       - gh-readonly-queue/master/*
+      - gh-readonly-queue/release/*
   tags:
     include:
       - "*"
@@ -125,6 +126,10 @@ stages:
                 arch: amd64
                 name: azure-ip-masq-merger
                 os: linux
+              azure_iptables_monitor_linux_amd64:
+                arch: amd64
+                name: azure-iptables-monitor
+                os: linux
               cni_linux_amd64:
                 arch: amd64
                 name: cni
@@ -174,6 +179,10 @@ stages:
                 arch: arm64
                 name: azure-ip-masq-merger
                 os: linux
+              azure_iptables_monitor_linux_arm64:
+                arch: arm64
+                name: azure-iptables-monitor
+                os: linux
               cni_linux_arm64:
                 arch: arm64
                 name: cni
@@ -228,6 +237,9 @@ stages:
               azure_ip_masq_merger:
                 name: azure-ip-masq-merger
                 platforms: linux/amd64 linux/arm64
+              azure_iptables_monitor:
+                name: azure-iptables-monitor
+                platforms: linux/amd64 linux/arm64
           steps:
             - template: containers/manifest-template.yaml
               parameters:

.pipelines/run-pipeline.yaml

@@ -38,6 +38,7 @@ stages:
     IMAGE_REPO_PATH: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.imageRepositoryPath'] ]
     AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ]
     AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ]
+    AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ]
     CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ]
     CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ]
     IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ]
@@ -68,6 +69,12 @@ stages:
               archiveName: azure-ip-masq-merger
               archiveVersion: $(AZURE_IP_MASQ_MERGER_VERSION)
               imageTag: $(Build.BuildNumber)
+            azure_iptables_monitor:
+              name: azure-iptables-monitor
+              extraArgs: ''
+              archiveName: azure-iptables-monitor
+              archiveVersion: $(AZURE_IPTABLES_MONITOR_VERSION)
+              imageTag: $(Build.BuildNumber)
             cni:
               name: cni
               extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)'
@@ -152,6 +159,12 @@ stages:
               archiveName: azure-ip-masq-merger
               archiveVersion: $(AZURE_IP_MASQ_MERGER_VERSION)
               imageTag: $(Build.BuildNumber)
+            azure_iptables_monitor:
+              name: azure-iptables-monitor
+              extraArgs: ''
+              archiveName: azure-iptables-monitor
+              archiveVersion: $(AZURE_IPTABLES_MONITOR_VERSION)
+              imageTag: $(Build.BuildNumber)
             cni:
               name: cni
               extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)'
@@ -190,6 +203,7 @@ stages:
 
       AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ]
       AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ]
+      AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ]
       CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ]
       CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ]
       IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ]
@@ -202,6 +216,9 @@ stages:
       IP_MASQ_MERGER_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-ip-masq-merger:$(Build.BuildNumber)
       IP_MASQ_MERGER_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ip-masq-merger:$(Build.BuildNumber)
 
+      IPTABLES_MONITOR_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-iptables-monitor:$(Build.BuildNumber)
+      IPTABLES_MONITOR_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-iptables-monitor:$(Build.BuildNumber)
+
       CNI_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/cni:$(Build.BuildNumber)
       CNI_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/cni:$(Build.BuildNumber)
       CNI_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/cni:$(Build.BuildNumber)
@@ -241,6 +258,15 @@ stages:
               imageReference: $(IP_MASQ_MERGER_LINUX_AMD64_REF)
             - platform: linux/arm64
               imageReference: $(IP_MASQ_MERGER_LINUX_ARM64_REF)
+        - job: azure_iptables_monitor
+          templateContext:
+            name: azure-iptables-monitor
+            image_tag: $(AZURE_IPTABLES_MONITOR_VERSION)
+            platforms:
+            - platform: linux/amd64
+              imageReference: $(IPTABLES_MONITOR_LINUX_AMD64_REF)
+            - platform: linux/arm64
+              imageReference: $(IPTABLES_MONITOR_LINUX_ARM64_REF)
         - job: cni
           templateContext:
             name: cni

azure-iptables-monitor/Dockerfile

@@ -15,7 +15,7 @@ ARG OS
 ARG VERSION
 WORKDIR /azure-iptables-monitor
 COPY ./azure-iptables-monitor .
-RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
+RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
 
 FROM mariner-core AS iptables
 RUN tdnf install -y iptables

azure-iptables-monitor/go.mod

@@ -5,6 +5,7 @@ go 1.23.0
 require (
 	github.com/coreos/go-iptables v0.8.0
 	github.com/stretchr/testify v1.9.0
+	k8s.io/api v0.31.3
 	k8s.io/apimachinery v0.31.3
 	k8s.io/client-go v0.31.3
 	k8s.io/component-base v0.31.3
@@ -44,7 +45,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
@@ -53,7 +54,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.31.3 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect