---
apiVersion: v1
items:
- apiVersion: v1
  data:
    applied: '{"managementState":"Managed","logLevel":"Normal","operatorLogLevel":"Normal","unsupportedConfigOverrides":null,"observedConfig":null,"clusterNetwork":[{"cidr":"10.132.0.0/14","hostPrefix":23}],"serviceNetwork":["172.31.0.0/16"],"defaultNetwork":{"type":"OVNKubernetes","ovnKubernetesConfig":{"mtu":8901,"genevePort":6081,"ipsecConfig":{"mode":"Disabled"},"policyAuditConfig":{"rateLimit":20,"maxFileSize":50,"maxLogFiles":5,"destination":"null","syslogFacility":"local0"},"gatewayConfig":{"ipv4":{},"ipv6":{}},"egressIPConfig":{}}},"disableMultiNetwork":false,"useMultiNetworkPolicy":false,"deployKubeProxy":false,"disableNetworkDiagnostics":false}'
  kind: ConfigMap
  metadata:
    creationTimestamp: "2026-02-17T12:42:41Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          f:applied: {}
        f:metadata:
          f:ownerReferences:
            k:{"uid":"90714041-3359-45e8-85cb-f85d3b3cdb86"}: {}
      manager: cluster-network-operator/operconfig
      operation: Apply
      time: "2026-02-17T12:43:04Z"
    name: applied-cluster
    namespace: openshift-network-operator
    ownerReferences:
    - apiVersion: operator.openshift.io/v1
      blockOwnerDeletion: true
      controller: true
      kind: Network
      name: cluster
      uid: 90714041-3359-45e8-85cb-f85d3b3cdb86
    resourceVersion: "3305"
    uid: 3c7af562-c99c-4dc7-8e07-d3fb787b03cc
- apiVersion: v1
  data:
    iptables-alerter.sh: |-
      #!/bin/bash

      set -euo pipefail

      function crictl {
          chroot /host /bin/crictl "$@"
      }
      function ip {
          chroot /host /sbin/ip "$@"
      }
      function nsenter {
          chroot /host /bin/nsenter "$@"
      }

      function check_pods {
          # We need to use crictl to be able to map pod information to network namespace
          # information, but there seems to be some bug in crictl that causes excessive CPU
          # usage on some hosts, for unknown reasons. Since we expect that most nodes won't
          # have any iptables-using pods anyway, do a pre-scan of all (non-hostnetwork)
          # namespaces without using crictl, and bail out early if we don't find anything
          iptables_output=""
          for netns_pid in $(lsns -t net -o pid -nr | sort -u | grep -v '^1$'); do
              # Set iptables_output to the first iptables rule in the network namespace, if any.
              # (We use `awk` here rather than `grep` intentionally to avoid awkwardness with
              # grep's exit status on no match.)
              iptables_output=$(
                  (nsenter -n -t "${netns_pid}" iptables-save || true;
                   nsenter -n -t "${netns_pid}" ip6tables-save || true) 2>/dev/null | \
                  awk '/^-A/ {print; exit}'
              )
              if [[ -n "${iptables_output}" ]]; then
                  break
              fi
          done
          if [[ -z "${iptables_output}" ]]; then
              # Nothing to see here
              return 0
          fi

          # Somebody was using iptables, so now we have to figure out who.
          for id in $(crictl pods -q); do
              # Inspect the pod
              read pod_namespace pod_name pod_uid netns netns_path <<<$(crictl inspectp -o go-template --template '{{.status.metadata.namespace}} {{.status.metadata.name}} {{.status.metadata.uid}} {{.status.linux.namespaces.options.network}} {{range .info.runtimeSpec.linux.namespaces }}{{if eq .type "network"}}{{.path}}{{end}}{{end}}' ${id}  2>/dev/null || true )

              # Check that it's a pod-network pod. (This also catches "crictl errored out".)
              if [[ "${netns}" != "POD" ]]; then
                  continue
              fi
              if [[ ! "${netns_path}" =~ ^/var/run/netns/ ]]; then
                  continue
              fi
              netns=$(basename "${netns_path}")

              # Set iptables_output to the first iptables rule in the pod's network
              # namespace, if any. (We use `awk` here rather than `grep` intentionally
              # to avoid awkwardness with grep's exit status on no match.)
              iptables_output=$(
                  (ip netns exec "${netns}" iptables-save || true;
                   ip netns exec "${netns}" ip6tables-save || true) 2>/dev/null | \
                  awk '/^-A/ {print; exit}'
              )
              if [[ -z "${iptables_output}" ]]; then
                  continue
              fi

              # Check if we already logged an event for it
              events=$(kubectl get events -n "${pod_namespace}" -l pod-uid="${pod_uid}" 2>/dev/null)
              if [[ -n "${events}" ]]; then
                  echo "Skipping pod ${pod_namespace}/${pod_name} which we already logged an event for."
                  continue
              fi

              echo "Logging event for ${pod_namespace}/${pod_name} which has iptables rules"

              # eg "2023-10-19T15:45:10.353846Z"
              event_time=$(date -u +%FT%T.%6NZ)

              kubectl create -f - <<EOF
      apiVersion: events.k8s.io/v1
      kind: Event
      metadata:
        namespace: ${pod_namespace}
        generateName: iptables-alert-
        labels:
          pod-uid: ${pod_uid}
      regarding:
        apiVersion: v1
        kind: Pod
        namespace: ${pod_namespace}
        name: ${pod_name}
        uid: ${pod_uid}
      reportingController: openshift.io/iptables-deprecation-alerter
      reportingInstance: ${ALERTER_POD_NAME}
      action: IPTablesUsageObserved
      reason: IPTablesUsageObserved
      type: Normal
      note: |
        This pod appears to have created one or more iptables rules. IPTables is
        deprecated and will no longer be available in RHEL 10 and later. You should
        consider migrating to another API such as nftables or eBPF. See also
        https://access.redhat.com/solutions/6739041

        Example iptables rule seen in this pod:
        ${iptables_output}
      eventTime: ${event_time}
      EOF
          done
      }

      while :; do
          date
          check_pods
          echo ""

          sleep 3600
      done
  kind: ConfigMap
  metadata:
    annotations:
      kubernetes.io/description: |
        This is a script used by the iptables-alerter DaemonSet
      release.openshift.io/version: 4.20.14
    creationTimestamp: "2026-02-17T12:43:02Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          f:iptables-alerter.sh: {}
        f:metadata:
          f:annotations:
            f:kubernetes.io/description: {}
            f:release.openshift.io/version: {}
          f:ownerReferences:
            k:{"uid":"90714041-3359-45e8-85cb-f85d3b3cdb86"}: {}
      manager: cluster-network-operator/operconfig
      operation: Apply
      time: "2026-02-17T12:43:02Z"
    name: iptables-alerter-script
    namespace: openshift-network-operator
    ownerReferences:
    - apiVersion: operator.openshift.io/v1
      blockOwnerDeletion: true
      controller: true
      kind: Network
      name: cluster
      uid: 90714041-3359-45e8-85cb-f85d3b3cdb86
    resourceVersion: "3051"
    uid: fce2f8b5-5ce1-45b3-b8ef-b6424c8c20c0
- apiVersion: v1
  data:
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      MIIDPDCCAiSgAwIBAgIIPZnEyJe0e3QwDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE
      CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDIxNzEyNDA0NVoX
      DTM2MDIxNTEyNDA0NVowJjESMBAGA1UECxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdy
      b290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwvWfCw+SkOpQ
      rZmIcu/Gn6SCnfNPgXEZaPyYtF1SI0MFkP5SXLwwzplW6zzZIqtwGVknm73UerAG
      PdPvI8BwTQMhWO/amr3yUfnJLWuCWts5S/UrT5+i7pnize5+YkdBAXc0kZ/tu/Yz
      JRjCLML/MkFtsSgVvOJF2BzzgpCWdQ32Kk5i9a8AYFWsFJbgfsPIfFTsOZAqbP57
      mL2mddNs3U+2MaxuE7LL/TJHEHqxmfZpxP8zNXqr3VIp2r9fBLJWvQLNeHEdsHfI
      g2NWXGI59PG5bWluVIP4QxRHW2rpmQoCJFNULUv88RbPq1m9cJiQHYp85m9XXPh7
      zxivIwe3GQIDAQABo24wbDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
      /zBJBgNVHQ4EQgRA1WE6pNFdKGGcUszJ60wylFqXry6iuBv9muKm0B4Tew/13Ha3
      BRClOiTo/1Ze1ZySYkRJDJiK4y/Ipjq5kbcgKzANBgkqhkiG9w0BAQsFAAOCAQEA
      c0Gtdel/Pt+3yk4H6mBS9zMoXO1Aq11QPdFNaD6K/x/oASR4XN4Nbs2HP3fVoQJ4
      PvlSIXRuvARXdb3840mZr/HjOb+00qTDe8lUI5I43uy7bAmlrYAifbag2cDEgBtB
      qqjhGQHsE6Wfn6obm8dQjaG1/05L+GUTC1+7u/L7RdU8Wt5/jULjqjMFOS9BauYs
      rA9ehDkBwDakVB7HjH3R0KD1IIxyJNiFwVPOdJspniMHzM8/1nXd9iqK4Ot4WzhQ
      r/cZYuGGafwKMeHDzAUf7/U2hGOq4fUHy79hMUe2SEreH4LmsDCGWKEfTR5T0oah
      59tk3wPTxJoLzrmqgMRVpg==
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIEADCCAuigAwIBAgIIdLT9MzzDny0wDQYJKoZIhvcNAQELBQAwJjESMBAGA1UE
      CxMJb3BlbnNoaWZ0MRAwDgYDVQQDEwdyb290LWNhMB4XDTI2MDIxNzEyNDExMVoX
      DTI3MDIxNzEyNDExMVowMDESMBAGA1UEChMJb3BlbnNoaWZ0MRowGAYDVQQDExFv
      cGVuc2hpZnQtaW5ncmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
      AKXOpDmdgmeZ57RHYH4B2qIrwNh4DGCsOKJbomfoFjI7KqyuitzKp7wCceZHbvDA
      1DckIcUMKGDVNX1spqgnwtTNafTqy3cQTG0cNOZPTON76A/ulX40GkJM+UTCypQg
      dlXDELiMOZBcQc2gZV9/m8Qz1E9GZ81qxAsfPt0D4QuoNpFbHpXz3+5RqICzIfve
      B9M1vNjo9oPC1wwhi9Nce9OkO0kIChcnjk1qO5/Pm2Ne+L6vfoML1Kpf24fkTWyn
      6NDOCBm/45wrlNMxscPPv87PWTWrfTQj3rfiiudmhobH9fUt23MqGLqxyQC5G4WC
      mE6eTdE1hGs/2MsXflm4mXMCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAd
      BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBJBgNV
      HQ4EQgRAc2qlERK+cn1nalkvEgBggg71J+TT0S0jgz9clbnyKdjzxS8NedJxtJtv
      ZYgELjI9ZHBFjGlgbfaL0KNRZghHlzBLBgNVHSMERDBCgEDVYTqk0V0oYZxSzMnr
      TDKUWpevLqK4G/2a4qbQHhN7D/XcdrcFEKU6JOj/Vl7VnJJiREkMmIrjL8imOrmR
      tyArMEsGA1UdEQREMEKCQCouYXBwcy5kNDgyMzZhZi0xZGI3LTQ1YjAtYTA1Ny00
      ZmEyMWZhZGZjMmYucHJvZC5rb25mbHV4ZWFhcy5jb20wDQYJKoZIhvcNAQELBQAD
      ggEBAEcwhtbhJ8wPZLncISqBOyATmGP+dUbGztVk0okHZmUaj06+geGsnM4Aa2hm
      lvJBFLs/StlqaQEWOJvQeXouG0PsKuOOQTLC9dopN+mIlFR3OLt9knqZNQ1DARj1
      DiF14jjArzRunOSpSMWAhC9Cif7+sjJkM006H0/c2Jt19DICHOtorSi1gI1sDaYZ
      AgIewjzWripHVHcWiM98OMw6wMGtFNCEXwDJwj6oJlgZSVzhSNAZlw5j5AQ3Xwgv
      BxrEwxuV1lAW1O1KHi7QDKlrJJrVkfwZSb6JMfgLfygrkwR33scPHod79jqH2l6A
      mbkn/CfHhgSx2myl4+EeClEtutE=
      -----END CERTIFICATE-----
  kind: ConfigMap
  metadata:
    annotations:
      kubernetes.io/description: Contains a CA bundle that can be used to verify the
        kube-apiserver when using internal endpoints such as the internal service
        IP or kubernetes.default.svc. No other usage is guaranteed across distributions
        of Kubernetes clusters.
    creationTimestamp: "2026-02-17T12:42:11Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/description: {}
      manager: kube-controller-manager
      operation: Update
      time: "2026-02-17T12:43:23Z"
    name: kube-root-ca.crt
    namespace: openshift-network-operator
    resourceVersion: "4385"
    uid: 42b02dd5-5787-4ebb-bec4-600098034bcf
- apiVersion: v1
  data:
    service-ca.crt: |
      -----BEGIN CERTIFICATE-----
      MIIDUTCCAjmgAwIBAgIIZHl6OEClQ4cwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
      Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3MTMzMjUzNzAe
      Fw0yNjAyMTcxMjQ4NTZaFw0yODA0MTcxMjQ4NTdaMDYxNDAyBgNVBAMMK29wZW5z
      aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzEzMzI1MzcwggEiMA0GCSqG
      SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOrXhNhsjVCauH+9B9QfVQT/rfbYh0Adqg
      jba5GmtBmZp8+Ts+LuMzhRIN+9VKhJ2bVfi9iJYnRqvErny065xuluo4d3ZC28Qy
      s4XtqBsq9dah12mXcAcT/+TDbq4DH9TuNM8YrHDR0cSz6ycNzrwvRtsUCVGno7yn
      pvdRUvf9vKxvHNchBk/kvZrZGNO6rnz2zP0MxLxeg/tbZDWXUcpB63VAHnACkRio
      K92QQojPr2sMfLZPpoZu5FG8/D1j3KRXka9meLopEWNx2vyX9hpZ4/1Ia3tNp2hD
      kNE9LAngX5GPjj9Vd6zKA4FUVrk310mIuIiVQLiPe9yVfI4O6hAVAgMBAAGjYzBh
      MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTI3fvH
      pmf47CEKG7n66sGgZYwbJTAfBgNVHSMEGDAWgBTI3fvHpmf47CEKG7n66sGgZYwb
      JTANBgkqhkiG9w0BAQsFAAOCAQEAPxT/Xp5LUAHbh4WEgKExy0Z8B4MU+KLceKDF
      Z4cJ5XygKIDG+1F7h22p/dVKUCm5QhONx4Jxl+RSbtamQjTw8F3DQPwqAf8JQwO8
      K+WAlC/Q2sAq4jjXe0hHPhoTe0t4V5BgXC12MQoLKvvIpqysu1AXMX/Xxzyb1bK0
      VKyuIAmKUBElXrFuXhs8tyNHsGhtYz6V4R5n6BjktbEC/kr+yPmnn0jnLGpwir6W
      DQcgVWqzBBxVgxmmb+6JrK9JYSODOGuG1u++XiK0PEuKYWpzWUa+gmyjePSaQNJI
      Sj5sTiNkHaSO9o9HuQn7J8o2LJISqsUFwymVtIuRkYr6DuGYWA==
      -----END CERTIFICATE-----
  kind: ConfigMap
  metadata:
    annotations:
      service.beta.openshift.io/inject-cabundle: "true"
    creationTimestamp: "2026-02-17T12:42:11Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data: {}
        f:metadata:
          f:annotations:
            .: {}
            f:service.beta.openshift.io/inject-cabundle: {}
      manager: kube-controller-manager
      operation: Update
      time: "2026-02-17T12:42:11Z"
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          f:service-ca.crt: {}
      manager: service-ca-operator
      operation: Update
      time: "2026-02-17T12:49:10Z"
    name: openshift-service-ca.crt
    namespace: openshift-network-operator
    resourceVersion: "8352"
    uid: 772c4d30-31fe-44af-b9a8-f8c568563cf2
kind: ConfigMapList
metadata:
  resourceVersion: "18962"