Skip to content

[backport v1.6] [NPM Lite] Bypassing IPSets for IP CIDR Block Based Network Policies … #4147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 2, 2025
Merged

[backport v1.6] [NPM Lite] Bypassing IPSets for IP CIDR Block Based Network Policies … #4147

merged 1 commit into from
Dec 2, 2025
+298 −192

Conversation

@rejain789
Copy link
Contributor

@rejain789 rejain789 commented Nov 26, 2025

…(#4107)

  • added logic to bypass ipsets for /32 cidrs with npm lite

  • removed logic to only look at /32 pod cidrs and allow all pod cidr

  • updated code specific to direct ip logic

  • fixed if else logic

  • added error for named port

  • get rid of unneeded comments

  • got rid of function in utils that was not neede

  • added unit test for translate policy

  • resolved pr comments

  • resolved copilot comments

  • fixed golinter

Reason for Change:

Issue Fixed:

Requirements:

Notes:

@rejain789
[NPM Lite] Bypassing IPSets for IP CIDR Block Based Network Policies (#…
aa5a358 
…4107)

* added logic to bypass ipsets for /32 cidrs with npm lite

* removed logic to only look at /32 pod cidrs and allow all pod cidr

* updated code specific to direct ip logic

* fixed if else logic

* added error for named port

* get rid of unneeded comments

* got rid of function in utils that was not neede

* added unit test for translate policy

* resolved pr comments

* resolved copilot comments

* fixed golinter
Copilot AI review requested due to automatic review settings November 26, 2025 19:51
@rejain789 rejain789 requested a review from a team as a code owner November 26, 2025 19:51
@rejain789 rejain789 requested a review from vakalapa November 26, 2025 19:51
@rejain789
Copy link
Contributor Author

rejain789 commented Nov 26, 2025

/azp run Azure Container Networking PR, NPM Scale Test, NPM Conformance Tests

@azure-pipelines
Copy link

azure-pipelines bot commented Nov 26, 2025

Azure Pipelines successfully started running 3 pipeline(s).

Copilot finished reviewing on behalf of rejain789 November 26, 2025 19:55
Copilot AI reviewed Nov 26, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements NPM Lite mode optimization for Windows by bypassing IPSet creation for all IP CIDR-based network policies. Instead of creating IPSets for CIDR blocks, the implementation now directly embeds IP addresses in ACL policies, reducing overhead and improving performance for CIDR-based network policies when npm lite is enabled.

Key Changes:

  • Added direct IP address fields (SrcDirectIPs, DstDirectIPs) to ACL policies for npm lite mode
  • Implemented directPeerAndPortAllowRule function to handle CIDR blocks without IPSets
  • Enhanced error messages for named port validation with additional context
  • Refactored Windows ACL settings to support both IPSet-based and direct IP approaches

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
npm/pkg/dataplane/policies/policy.go Added SrcDirectIPs and DstDirectIPs fields to ACLPolicy struct for direct IP matching; fixed comment formatting
npm/pkg/dataplane/policies/policy_windows.go Implemented direct IP handling in ACL settings conversion; fixed spelling of "definitions"
npm/pkg/controlplane/translation/translatePolicy.go Added directPeerAndPortAllowRule function for npm lite CIDR handling; removed npmLiteValidPolicy function; enhanced checkForNamedPortType with detailed error context
npm/pkg/controlplane/translation/translatePolicy_test.go Added comprehensive tests for direct IP/CIDR handling; removed obsolete TestNpmLiteCidrPolicy; updated TestCheckForNamedPortType for new function signature

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jpayne3506 jpayne3506 added npm Related to NPM. release/1.6 Change affects 1.6 release train labels Dec 1, 2025
@jpayne3506 jpayne3506 changed the title [NPM Lite] Bypassing IPSets for IP CIDR Block Based Network Policies … [backport v1.6] [NPM Lite] Bypassing IPSets for IP CIDR Block Based Network Policies … Dec 1, 2025
@rejain789 rejain789 added this pull request to the merge queue Dec 1, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 2, 2025
@rejain789 rejain789 added this pull request to the merge queue Dec 2, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 2, 2025
@rejain789 rejain789 added this pull request to the merge queue Dec 2, 2025
Merged via the queue into release/v1.6 with commit 5332db0 Dec 2, 2025
34 of 39 checks passed
@rejain789 rejain789 deleted the jainriya-npmlite-bypassing-ipsets branch December 2, 2025 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rayaisaiah rayaisaiah rayaisaiah approved these changes

@vakalapa vakalapa Awaiting requested review from vakalapa vakalapa is a code owner automatically assigned from Azure/acn-npm-reviewers

Assignees

No one assigned

Labels

npm Related to NPM. release/1.6 Change affects 1.6 release train

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rejain789 @rayaisaiah @jpayne3506