Support Cilium 1.17

Signed-off-by: Daichi Sakaue <daichi-sakaue@cybozu.co.jp>

Author: yokaze

cmd/npv/app/helper_proxy.go

@@ -113,7 +113,7 @@ func (c *proxyClient) testAgentVersion(ctx context.Context, stderr io.Writer) er
 	url := c.endpointURL + "/version"
 	resp, err := http.Get(url)
 	if err != nil {
-		return fmt.Errorf("failed to request version: %w", err)
+		return fmt.Errorf("failed to request /version: %w", err)
 	}
 	defer resp.Body.Close()
 	data, err := io.ReadAll(resp.Body)
@@ -179,6 +179,16 @@ func (c *proxyClient) fetchCIDRIdentities() error {
 	return nil
 }
 
+func (c *proxyClient) listCIDRIdentity() ([]uint32, error) {
+	if err := c.fetchCIDRIdentities(); err != nil {
+		return nil, err
+	}
+	// for k, v := range c.cachedCIDRIdentities {
+
+	// }
+	return nil, nil
+}
+
 func (c *proxyClient) getCIDRIdentity(ctx context.Context, id uint32) (*models.Identity, error) {
 	if err := c.fetchCIDRIdentities(); err != nil {
 		return nil, err

e2e/Makefile

@@ -9,8 +9,8 @@ HELM := helm --content-cache $(CACHE_DIR)/helm/content
 
 # Avoid using SHA here
 # https://github.com/kubernetes-sigs/kind/issues/4028
-CILIUM_IMAGE := quay.io/cilium/cilium:v1.16.19
-CILIUM_CHART := oci://quay.io/cilium/charts/cilium:1.16.19@sha256:7496a278401c221a30d023df4e40c4e97c3c203645b337d332da5f9e887acf06
+CILIUM_IMAGE := quay.io/cilium/cilium:v1.17.15
+CILIUM_CHART := oci://quay.io/cilium/charts/cilium:1.17.15@sha256:464dbdb023f9d2fd291efbe2adcf76681e36cc7144ed5fe983058b25cb23a4a5
 
 DEPLOYMENT_REPLICAS ?= 1
 
@@ -89,6 +89,7 @@ install-test-pod:
 	$(MAKE) --no-print-directory DEPLOYMENT_REPLICAS=2 run-test-pod-l3-ingress-explicit-allow-all
 	$(MAKE) --no-print-directory wait-for-workloads
 
+	kubectl apply -f testdata/policy/cidr-group.yaml
 	kubectl apply -f testdata/policy/l3.yaml
 	kubectl apply -f testdata/policy/l4.yaml
 

e2e/inspect_test.go

@@ -86,7 +86,9 @@ Deny,Egress,l4-egress-explicit-deny-any,false,false,6,53
 Deny,Egress,l4-egress-explicit-deny-any,false,false,17,53
 Deny,Egress,l4-egress-explicit-deny-any,false,false,132,53
 Deny,Egress,l4-egress-explicit-deny-tcp,false,false,6,8000
-Allow,Ingress,cidr:10.100.0.0/16,true,true,0,0
+Allow,Ingress,cidr:10.100.0.0/24,true,true,0,0
+Allow,Ingress,cidr:10.100.10.0/24,true,true,0,0
+Allow,Ingress,cidr:10.120.0.0/16,true,true,0,0
 Allow,Ingress,reserved:host,true,true,0,0
 Allow,Egress,cidr:1.1.1.1/32,false,false,6,53
 Allow,Egress,cidr:1.1.1.1/32,false,false,17,53
@@ -123,14 +125,8 @@ Allow,Egress,cidr:8.8.8.8/32,false,false,17,53
 Allow,Egress,cidr:8.8.8.8/32,false,false,132,53`,
 		},
 		{
-			Selector:  "test=self",
-			ExtraArgs: []string{"--with-cidrs=8.8.0.0/16"},
-			Expected: `Deny,Egress,cidr:8.8.4.4/32,false,false,6,53
-Deny,Egress,cidr:8.8.4.4/32,false,false,17,53
-Deny,Egress,cidr:8.8.4.4/32,false,false,132,53
-Allow,Egress,cidr:8.8.8.8/32,false,false,6,53
-Allow,Egress,cidr:8.8.8.8/32,false,false,17,53
-Allow,Egress,cidr:8.8.8.8/32,false,false,132,53`,
+			Selector: "test=l3-egress-explicit-deny-all",
+			Expected: `Allow,Ingress,reserved:host,true,true,0,0`,
 		},
 		{
 			Selector:  "test=self",
@@ -160,6 +156,7 @@ Deny,Egress,cidr:8.8.4.4/32,false,false,132,53`,
 			Expected: `Deny,Ingress,cidr:192.168.100.0/24,false,false,6,8080
 Allow,Ingress,cidr:10.100.0.0/16,true,true,0,0`,
 		},
+		// npv inspect should handle --with-public-cidrs
 		{
 			Selector:  "test=self",
 			ExtraArgs: []string{"--with-public-cidrs"},
@@ -173,6 +170,64 @@ Allow,Egress,cidr:8.8.8.8/32,false,false,6,53
 Allow,Egress,cidr:8.8.8.8/32,false,false,17,53
 Allow,Egress,cidr:8.8.8.8/32,false,false,132,53`,
 		},
+		// npv inspect should handle --with-private-cidrs
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-private-cidrs"},
+			Expected: `Deny,Ingress,cidr:192.168.100.0/24,false,false,6,8080
+Allow,Ingress,cidr:10.100.0.0/24,true,true,0,0
+Allow,Ingress,cidr:10.100.10.0/24,true,true,0,0
+Allow,Ingress,cidr:10.120.0.0/16,true,true,0,0`,
+		},
+		// npv inspect should handle --with-cidrs=/0
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-cidrs=0.0.0.0/0"},
+			Expected: `Deny,Ingress,cidr:192.168.100.0/24,false,false,6,8080
+Deny,Egress,cidr:8.8.4.4/32,false,false,6,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,17,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,132,53
+Allow,Ingress,cidr:10.100.0.0/24,true,true,0,0
+Allow,Ingress,cidr:10.100.10.0/24,true,true,0,0
+Allow,Ingress,cidr:10.120.0.0/16,true,true,0,0
+Allow,Egress,cidr:1.1.1.1/32,false,false,6,53
+Allow,Egress,cidr:1.1.1.1/32,false,false,17,53
+Allow,Egress,cidr:1.1.1.1/32,false,false,132,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,6,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,17,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,132,53`,
+		},
+		// npv inspect should handle --with-cidrs=/16
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-cidrs=8.8.0.0/16"},
+			Expected: `Deny,Egress,cidr:8.8.4.4/32,false,false,6,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,17,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,132,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,6,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,17,53
+Allow,Egress,cidr:8.8.8.8/32,false,false,132,53`,
+		},
+		// npv inspect should handle --with-cidrs=/16,!/32
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-cidrs=8.8.0.0/16,!8.8.8.8/32"},
+			Expected: `Deny,Egress,cidr:8.8.4.4/32,false,false,6,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,17,53
+Deny,Egress,cidr:8.8.4.4/32,false,false,132,53`,
+		},
+		// npv inspect should omit /24 --with-cidrs=!/24
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-cidrs=10.100.0.0/24,!10.100.0.0/24"},
+			Expected:  ``,
+		},
+		// npv inspect should include /24 --with-cidrs=!/28
+		{
+			Selector:  "test=self",
+			ExtraArgs: []string{"--with-cidrs=10.100.0.0/24,!10.100.0.0/28"},
+			Expected:  `Allow,Ingress,cidr:10.100.0.0/24,true,true,0,0`,
+		},
 		// npv inspect should handle reserved:unknown
 		{
 			Selector:  "test=l4-ingress-all-allow-tcp",
@@ -223,7 +278,9 @@ Allow,Egress,l4-ingress-explicit-allow-tcp,false,false,6,8000`,
 		{
 			Selector:  "test=self",
 			ExtraArgs: []string{"--ingress", "--allowed"},
-			Expected: `Allow,Ingress,cidr:10.100.0.0/16,true,true,0,0
+			Expected: `Allow,Ingress,cidr:10.100.0.0/24,true,true,0,0
+Allow,Ingress,cidr:10.100.10.0/24,true,true,0,0
+Allow,Ingress,cidr:10.120.0.0/16,true,true,0,0
 Allow,Ingress,reserved:host,true,true,0,0`,
 		},
 		{

e2e/list_test.go

@@ -188,7 +188,12 @@ spec:
       k8s:test: self
   ingress:
   - fromCIDR:
-    - 10.100.0.0/16
+    - 10.100.0.0/24
+    - 10.100.10.0/24
+  - fromCIDRSet:
+    - cidr: 10.120.0.0/16
+      except:
+      - 10.120.0.0/24
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy

e2e/reach_test.go

@@ -99,7 +99,9 @@ Sender,Egress,Deny,l4-egress-explicit-deny-any,false,false,132,53`,
 }
 
 func testReachCIDR() {
-	expectedIngressPrivate := `Receiver,Ingress,Allow,cidr:10.100.0.0/16,true,true,0,0
+	expectedIngressPrivate := `Receiver,Ingress,Allow,cidr:10.100.0.0/24,true,true,0,0
+Receiver,Ingress,Allow,cidr:10.100.10.0/24,true,true,0,0
+Receiver,Ingress,Allow,cidr:10.120.0.0/16,true,true,0,0
 Receiver,Ingress,Deny,cidr:192.168.100.0/24,false,false,6,8080`
 	expectedIngressPublic := ""
 	expectedEgressPrivate := ""

e2e/summary_test.go

@@ -16,13 +16,13 @@ l3-ingress-explicit-deny-all,1,1,0,0
 l3-ingress-implicit-deny-all,1,0,0,0
 l4-egress-explicit-deny-any,1,0,0,0
 l4-egress-explicit-deny-tcp,1,0,0,0
-l4-ingress-all-allow-tcp,3,0,0,0
+l4-ingress-all-allow-tcp,2,0,0,0
 l4-ingress-explicit-allow-any,4,0,0,0
 l4-ingress-explicit-allow-tcp,2,0,0,0
 l4-ingress-explicit-deny-any,1,3,0,0
 l4-ingress-explicit-deny-udp,1,1,0,0
-self,2,1,17,8
-self,2,1,17,8`
+self,4,1,17,8
+self,4,1,17,8`
 
 	It("should show summary", func() {
 		result := runViewerSafe(Default, nil, "summary", "-o=json", "-n=test")

e2e/testdata/policy/README.md

@@ -21,5 +21,8 @@
 
 | Source | To self (Ingress) |
 |-|-|
-| 10.100.0.0/16 | allow (L3) |
+| 10.100.0.0/24 | allow (L3) |
+| 10.100.10.0/24 | allow (L3) |
+| 10.120.0.0/16 | allow (L3) |
+| - 10.120.0.0/24 | implicit deny (L3) |
 | 192.168.100.0/24 | deny (L4) |

e2e/testdata/policy/cidr-group.yaml

@@ -0,0 +1,10 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumCIDRGroup
+metadata:
+  name: test
+  labels:
+    group: test
+spec:
+  externalCIDRs:
+    - "10.140.0.0/24"
+    - "10.140.10.0/24"

e2e/testdata/policy/l3.yaml

@@ -27,7 +27,14 @@ spec:
       k8s:test: self
   ingress:
     - fromCIDR:
-        - 10.100.0.0/16
+        - 10.100.0.0/24
+        - 10.100.10.0/24
+    - fromCIDRSet:
+        - cidr: 10.120.0.0/16
+          except:
+            - 10.120.0.0/24
+        # CiliumCIDRGroup is not supported for now
+        # - cidrGroupRef: test
   egress:
     - toEndpoints:
         - matchLabels:

go.mod

@@ -1,19 +1,19 @@
 module github.com/cybozu-go/network-policy-viewer
 
-go 1.26.1
+go 1.26.2
 
 require (
-	github.com/cilium/cilium v1.16.19
+	github.com/cilium/cilium v1.17.15
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.1
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.19.0
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa
 	golang.org/x/mod v0.34.0
-	golang.org/x/term v0.41.0
-	k8s.io/api v0.35.2
-	k8s.io/apimachinery v0.35.2
-	k8s.io/client-go v0.35.2
+	golang.org/x/term v0.42.0
+	k8s.io/api v0.35.4
+	k8s.io/apimachinery v0.35.4
+	k8s.io/client-go v0.35.4
 	sigs.k8s.io/controller-runtime v0.23.3
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -24,50 +24,59 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cilium/ebpf v0.15.0 // indirect
-	github.com/cilium/hive v0.0.0-20240529072208-d997f86e4219 // indirect
-	github.com/cilium/statedb v0.2.4 // indirect
-	github.com/cilium/stream v0.0.0-20240226091623-f979d32855f8 // indirect
+	github.com/cilium/ebpf v0.17.1 // indirect
+	github.com/cilium/hive v0.0.0-20250522145610-0734675df148 // indirect
+	github.com/cilium/proxy v0.0.0-20250526114940-b80199397e8a // indirect
+	github.com/cilium/statedb v0.4.5 // indirect
+	github.com/cilium/stream v0.0.0-20241203114243-53c3e5d79744 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
 	github.com/go-openapi/errors v0.22.0 // indirect
-	github.com/go-openapi/jsonpointer v0.22.5 // indirect
+	github.com/go-openapi/jsonpointer v0.23.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
 	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
-	github.com/go-openapi/swag v0.25.5 // indirect
-	github.com/go-openapi/swag/cmdutils v0.25.5 // indirect
-	github.com/go-openapi/swag/conv v0.25.5 // indirect
-	github.com/go-openapi/swag/fileutils v0.25.5 // indirect
-	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
-	github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
-	github.com/go-openapi/swag/loading v0.25.5 // indirect
-	github.com/go-openapi/swag/mangling v0.25.5 // indirect
-	github.com/go-openapi/swag/netutils v0.25.5 // indirect
-	github.com/go-openapi/swag/stringutils v0.25.5 // indirect
-	github.com/go-openapi/swag/typeutils v0.25.5 // indirect
-	github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
+	github.com/go-openapi/swag v0.26.0 // indirect
+	github.com/go-openapi/swag/cmdutils v0.26.0 // indirect
+	github.com/go-openapi/swag/conv v0.26.0 // indirect
+	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonutils v0.26.0 // indirect
+	github.com/go-openapi/swag/loading v0.26.0 // indirect
+	github.com/go-openapi/swag/mangling v0.26.0 // indirect
+	github.com/go-openapi/swag/netutils v0.26.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
+	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
+	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gopacket/gopacket v1.3.1 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mackerelio/go-osstat v0.2.5 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
@@ -87,27 +96,27 @@ require (
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/vishvananda/netlink v1.3.1-0.20241022031324-976bd8de7d81 // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netlink v1.3.1-0.20250303224720-0e7078ed04c8 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel v1.41.0 // indirect
+	go.opentelemetry.io/otel/metric v1.41.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
 	go.uber.org/dig v1.17.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	golang.org/x/tools v0.43.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
@@ -116,11 +125,11 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.35.2 // indirect
+	k8s.io/apiextensions-apiserver v0.35.4 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf // indirect
-	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
+	k8s.io/kube-openapi v0.0.0-20260414162039-ec9c827d403f // indirect
+	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.4.0 // indirect
 )