withdraw external IP from advertisement only if the deleted service is the last service using external IP (#850)

* withdraw external IP from advertisement only if the deleted service
is the last service using external IP

Fixes #828

* addressing review comment

--------------------------------------------
Copyright: Sony Interactive Entertainment Inc.
Co-authored-by: Author Name <Filinto.Duran@sony.com>

intercept pod egress traffic going through the OUTPUT chain of filter table and run through the (#875)

network policies.

Fixes #609

* in DeleteFunc handlers across the controllers  handle the case where received object can be of
type DeletedFinalStateUnknown

fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712

* address review comments

While --set is still ambiguous it can clash with other module options,
so it is better to be more specific and use the --match-set option. This
also more closely aligns with all other areas of the code that already
use --match-set.

From iptables-extensions man page:
The option --match-set can be replaced by --set if that does not clash
with an option of other extensions.

API server to cached informer. Modify test to use informer

Fixes #862

use endpoint (IP, port) tuple to track active endpoints of a service in use. Currently only endpoint IP (#842)

used so any change in port of the endpoint leaves stale ipvs server config

Fixes #841

populate pod CID in network routing controler to simulate reading from node spec once at begining (#844)

* fix router controller unhealthy on api server down

* import glog

* use  NetworkRoutingController  podCidr

* fix undefind

* add a --excluded-cidrs
* ignore deletion of ipvs rules with address in excluded cidrs
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* Use SNAT instead of MASQUERADE to source NAT outbound IPVS traffic

* Perform cleanup of depreciated masquerade iptables rules (if needed)

restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#836)

* restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services

Fixes #818

* addressing review comments

* fix broken CI

* fix .travis.yml

* skip gomoqs

* fix multi arch image building

Revert "restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#819)" (#835)

This reverts commit 27ec314e.

restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#819)

* restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services

Fixes #818

* refactoring service controller sync() logic to be more modular

Currently we can have error on service proxy if we cannot set sysctl (in my case), but those errors are return and not shown. Just show them, like other controllers

For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.

A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
In between of the creation of these two rules a connection reset can happen for already established connections.

This commits swaps the order of rule insertion.

Signed-off-by: Oleg Selin <oleg.selin@renhealth.com>

* Added flag and condition for open input on iptables #797

* Adding flag to docs.

* Updated to remove INPUT/CHAIN entirely. Name changed to IpvsDenyAll.

* Updated README.

* Updated docstring on ipvs-deny-all

* ipvsDenyAll -> ipvsPermitAll

* Updating user guide.

* Descriptions updates per review

Signed-off-by: Andrew Sy Kim <kiman@vmware.com>

* Refactor: seperate fetching service VIPs from advertise/withdrawal decision

* Refactor: simplify advertise/withdrawal logic

* Pass svcDeleted param to getVIPsForService

* Don't advertise VIPs from deleted services

* Test for withdrawing VIPs from deleted service

* Refactor: use explicit handleServiceDelete functions

GoBGP's default value for deferral time is 360 seconds.
That means that the routes are not sent to the BGP peer until
this timer is elapsed, so a server is unreachable for 360
seconds, when kube-router restarts.

The new parameter is --bgp-graceful-restart-deferral-time duration_with_unit

For example '--bgp-graceful-restart-deferral-time 10s'

LGTM. Thanks for the pr @zerkms 

In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>

* Make gobgp compile in an image

This patch adds Makefile logic, similar to the kube-router target,
allowing gobgp to be built in a container.

* Use unix.Epoll* functions

To be able to compile and run on the Linux@arm64 architecture
one has to use the `golang.org/x/sys/unix` package instead
the `syscall` package. This is because of these Go upstream
bugs that won't be fixed in the standard library:

- syscall: arm64: epoll_wait syscall not implemented
  https://github.com/golang/go/issues/25813

* rename export policies to make it direction independent

* split creating neighborsets and prefixsets from applying export policy

* add bgp import policy to deny service VIPs

* add tests for addition of import policy