Update k8s.io/utils dependency and use ebtables from there

hack/.golint_failures

@@ -183,7 +183,6 @@ pkg/security/podsecuritypolicy/util
 pkg/serviceaccount
 pkg/ssh
 pkg/util/config
-pkg/util/ebtables
 pkg/util/goroutinemap/exponentialbackoff
 pkg/util/labels # See previous effort in PR #80685
 pkg/util/oom

pkg/kubelet/dockershim/network/kubenet/BUILD

@@ -27,7 +27,6 @@ go_library(
             "//pkg/kubelet/dockershim/network:go_default_library",
             "//pkg/kubelet/dockershim/network/hostport:go_default_library",
             "//pkg/util/bandwidth:go_default_library",
-            "//pkg/util/ebtables:go_default_library",
             "//pkg/util/iptables:go_default_library",
             "//pkg/util/sysctl:go_default_library",
             "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
@@ -42,6 +41,7 @@ go_library(
             "//vendor/k8s.io/klog/v2:go_default_library",
             "//vendor/k8s.io/utils/exec:go_default_library",
             "//vendor/k8s.io/utils/net:go_default_library",
+            "//vendor/k8s.io/utils/net/ebtables:go_default_library",
         ],
         "@io_bazel_rules_go//go/platform:darwin": [
             "//pkg/kubelet/apis/config:go_default_library",
@@ -80,7 +80,6 @@ go_library(
             "//pkg/kubelet/dockershim/network:go_default_library",
             "//pkg/kubelet/dockershim/network/hostport:go_default_library",
             "//pkg/util/bandwidth:go_default_library",
-            "//pkg/util/ebtables:go_default_library",
             "//pkg/util/iptables:go_default_library",
             "//pkg/util/sysctl:go_default_library",
             "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
@@ -95,6 +94,7 @@ go_library(
             "//vendor/k8s.io/klog/v2:go_default_library",
             "//vendor/k8s.io/utils/exec:go_default_library",
             "//vendor/k8s.io/utils/net:go_default_library",
+            "//vendor/k8s.io/utils/net/ebtables:go_default_library",
         ],
         "@io_bazel_rules_go//go/platform:nacl": [
             "//pkg/kubelet/apis/config:go_default_library",

pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go

@@ -41,10 +41,10 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/dockershim/network"
 	"k8s.io/kubernetes/pkg/kubelet/dockershim/network/hostport"
 	"k8s.io/kubernetes/pkg/util/bandwidth"
-	utilebtables "k8s.io/kubernetes/pkg/util/ebtables"
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
 	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	utilexec "k8s.io/utils/exec"
+	utilebtables "k8s.io/utils/net/ebtables"
 
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	kubefeatures "k8s.io/kubernetes/pkg/features"

pkg/util/BUILD

@@ -16,7 +16,6 @@ filegroup(
         "//pkg/util/config:all-srcs",
         "//pkg/util/conntrack:all-srcs",
         "//pkg/util/coverage:all-srcs",
-        "//pkg/util/ebtables:all-srcs",
         "//pkg/util/env:all-srcs",
         "//pkg/util/filesystem:all-srcs",
         "//pkg/util/flag:all-srcs",

pkg/util/ebtables/BUILD

@@ -1,37 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["ebtables.go"],
-    importpath = "k8s.io/kubernetes/pkg/util/ebtables",
-    deps = ["//vendor/k8s.io/utils/exec:go_default_library"],
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["ebtables_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//vendor/k8s.io/utils/exec:go_default_library",
-        "//vendor/k8s.io/utils/exec/testing:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

pkg/util/ebtables/OWNERS

@@ -1,8 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-reviewers:
-- sig-network-reviewers
-approvers:
-- sig-network-approvers
-labels:
-- sig/network

pkg/util/ebtables/ebtables_test.go

@@ -1,169 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package ebtables
-
-import (
-	"strings"
-	"testing"
-
-	"k8s.io/utils/exec"
-	fakeexec "k8s.io/utils/exec/testing"
-)
-
-func TestEnsureChain(t *testing.T) {
-	fcmd := fakeexec.FakeCmd{
-		CombinedOutputScript: []fakeexec.FakeAction{
-			// Does not Exists
-			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} },
-			// Success
-			func() ([]byte, []byte, error) { return []byte{}, nil, nil },
-			// Exists
-			func() ([]byte, []byte, error) { return nil, nil, nil },
-			// Does not Exists
-			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} },
-			// Fail to create chain
-			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} },
-		},
-	}
-	fexec := fakeexec.FakeExec{
-		CommandScript: []fakeexec.FakeCommandAction{
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-		},
-	}
-
-	runner := New(&fexec)
-	exists, err := runner.EnsureChain(TableFilter, "TEST-CHAIN")
-	if exists {
-		t.Errorf("expected exists = false")
-	}
-	if err != nil {
-		t.Errorf("expected err = nil")
-	}
-
-	exists, err = runner.EnsureChain(TableFilter, "TEST-CHAIN")
-	if !exists {
-		t.Errorf("expected exists = true")
-	}
-	if err != nil {
-		t.Errorf("expected err = nil")
-	}
-
-	exists, err = runner.EnsureChain(TableFilter, "TEST-CHAIN")
-	if exists {
-		t.Errorf("expected exists = false")
-	}
-	errStr := "Failed to ensure TEST-CHAIN chain: exit 2, output:"
-	if err == nil || !strings.Contains(err.Error(), errStr) {
-		t.Errorf("expected error: %q", errStr)
-	}
-}
-
-func TestEnsureRule(t *testing.T) {
-	fcmd := fakeexec.FakeCmd{
-		CombinedOutputScript: []fakeexec.FakeAction{
-			// Exists
-			func() ([]byte, []byte, error) {
-				return []byte(`Bridge table: filter
-
-Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
--j TEST
-`), nil, nil
-			},
-			// Does not Exists.
-			func() ([]byte, []byte, error) {
-				return []byte(`Bridge table: filter
-
-Bridge chain: TEST, entries: 0, policy: ACCEPT`), nil, nil
-			},
-			// Fail to create
-			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} },
-		},
-	}
-	fexec := fakeexec.FakeExec{
-		CommandScript: []fakeexec.FakeCommandAction{
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-		},
-	}
-
-	runner := New(&fexec)
-
-	exists, err := runner.EnsureRule(Append, TableFilter, ChainOutput, "-j", "TEST")
-	if !exists {
-		t.Errorf("expected exists = true")
-	}
-	if err != nil {
-		t.Errorf("expected err = nil")
-	}
-
-	exists, err = runner.EnsureRule(Append, TableFilter, ChainOutput, "-j", "NEXT-TEST")
-	if exists {
-		t.Errorf("expected exists = false")
-	}
-	errStr := "Failed to ensure rule: exit 2, output: "
-	if err == nil || err.Error() != errStr {
-		t.Errorf("expected error: %q", errStr)
-	}
-}
-
-func TestDeleteRule(t *testing.T) {
-	fcmd := fakeexec.FakeCmd{
-		CombinedOutputScript: []fakeexec.FakeAction{
-			// Exists
-			func() ([]byte, []byte, error) {
-				return []byte(`Bridge table: filter
-
-Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
--j TEST
-`), nil, nil
-			},
-			// Fail to delete
-			func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} },
-			// Does not Exists.
-			func() ([]byte, []byte, error) {
-				return []byte(`Bridge table: filter
-
-Bridge chain: TEST, entries: 0, policy: ACCEPT`), nil, nil
-			},
-		},
-	}
-	fexec := fakeexec.FakeExec{
-		CommandScript: []fakeexec.FakeCommandAction{
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-			func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) },
-		},
-	}
-
-	runner := New(&fexec)
-
-	err := runner.DeleteRule(TableFilter, ChainOutput, "-j", "TEST")
-	errStr := "Failed to delete rule: exit 2, output: "
-	if err == nil || err.Error() != errStr {
-		t.Errorf("expected error: %q", errStr)
-	}
-
-	err = runner.DeleteRule(TableFilter, ChainOutput, "-j", "TEST")
-	if err != nil {
-		t.Errorf("expected err = nil")
-	}
-}

test/e2e/framework/.import-restrictions

@@ -206,7 +206,6 @@ rules:
       - k8s.io/kubernetes/pkg/util/config
       - k8s.io/kubernetes/pkg/util/configz
       - k8s.io/kubernetes/pkg/util/conntrack
-      - k8s.io/kubernetes/pkg/util/ebtables
       - k8s.io/kubernetes/pkg/util/env
       - k8s.io/kubernetes/pkg/util/filesystem
       - k8s.io/kubernetes/pkg/util/flag

vendor/k8s.io/utils/net/BUILD

@@ -21,7 +21,10 @@ filegroup(
 
 filegroup(
     name = "all-srcs",
-    srcs = [":package-srcs"],
+    srcs = [
+        ":package-srcs",
+        "//vendor/k8s.io/utils/net/ebtables:all-srcs",
+    ],
     tags = ["automanaged"],
     visibility = ["//visibility:public"],
 )

vendor/k8s.io/utils/net/ebtables/BUILD

@@ -0,0 +1,24 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["ebtables.go"],
+    importmap = "k8s.io/kubernetes/vendor/k8s.io/utils/net/ebtables",
+    importpath = "k8s.io/utils/net/ebtables",
+    visibility = ["//visibility:public"],
+    deps = ["//vendor/k8s.io/utils/exec:go_default_library"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/utils/net/ebtables/ebtables.go

@@ -14,6 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ebtables allows to control the ebtables Linux-based bridging firewall.
+// Both chains and rules can be added, deleted and modified.
+// For ebtables specific documentation see: http://ebtables.netfilter.org/
 package ebtables
 
 import (
@@ -31,23 +34,29 @@ const (
 	fullMac = "--Lmac2"
 )
 
+// RulePosition is the rule position within a table
 type RulePosition string
 
+// Relative position for a new rule
 const (
 	Prepend RulePosition = "-I"
 	Append  RulePosition = "-A"
 )
 
+// Table is an Ebtables table type
 type Table string
 
+// Tables available in ebtables by default
 const (
 	TableNAT    Table = "nat"
 	TableFilter Table = "filter"
 	TableBroute Table = "broute"
 )
 
+// Chain is an Ebtables chain type
 type Chain string
 
+// Chains that are built-in in ebtables
 const (
 	ChainPostrouting Chain = "POSTROUTING"
 	ChainPrerouting  Chain = "PREROUTING"
@@ -68,7 +77,7 @@ const (
 	opDeleteRule  operation = "-D"
 )
 
-// An injectable interface for running ebtables commands.  Implementations must be goroutine-safe.
+// Interface for running ebtables commands.  Implementations must be goroutine-safe.
 type Interface interface {
 	// GetVersion returns the "X.Y.Z" semver string for ebtables.
 	GetVersion() (string, error)
@@ -125,7 +134,7 @@ func (runner *runner) GetVersion() (string, error) {
 }
 
 func (runner *runner) EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error) {
-	exist := true
+	var exist bool
 	fullArgs := makeFullArgs(table, opListChain, chain, fullMac)
 	out, err := runner.exec.Command(cmdebtables, fullArgs...).CombinedOutput()
 	if err != nil {
@@ -144,7 +153,7 @@ func (runner *runner) EnsureRule(position RulePosition, table Table, chain Chain
 }
 
 func (runner *runner) DeleteRule(table Table, chain Chain, args ...string) error {
-	exist := true
+	var exist bool
 	fullArgs := makeFullArgs(table, opListChain, chain, fullMac)
 	out, err := runner.exec.Command(cmdebtables, fullArgs...).CombinedOutput()
 	if err != nil {

vendor/modules.txt

@@ -2459,6 +2459,7 @@ k8s.io/utils/io
 k8s.io/utils/keymutex
 k8s.io/utils/mount
 k8s.io/utils/net
+k8s.io/utils/net/ebtables
 k8s.io/utils/nsenter
 k8s.io/utils/path
 k8s.io/utils/pointer