SDN-4481: Set up NetPolicyTimeoutsHostNetworkedPodTraffic
#4744
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@petr-muller: This pull request references SDN-4481 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
added
the
approved
petr-muller
force-pushed
the
NetPolicyTimeoutsHostNetworkedPodTraffic
branch
from
2528c04
to
8e5bdd9
Compare
|
@petr-muller: This pull request references SDN-4481 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
petr-muller
changed the title
NetPolicyTimeoutsHostNetworkedPodTrafficNetPolicyTimeoutsHostNetworkedPodTraffic
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
petr-muller
force-pushed
the
NetPolicyTimeoutsHostNetworkedPodTraffic
branch
2 times, most recently
from
6b47fbd
to
c2d8dbe
Compare
|
/assign @wking |
Current understanding of the issue:
- 4.12.48+ _potentially_ affected, so we _may_ block upgrades from all 4.11 and 4.12.x<48
- 4.13.30+ confirmed affected, so we should block upgrades from <4.12.x<48 and k
- 4.14.9+ _potentially_ affected, so we _may_ block upgrades from 4.13.x<30 and 4.14.x<9
- 4.15.0-rc.1+ _potentially_ affected, so we _may_ block upgrades from 4.14.x<9 (I guess we can ignore rc0)
- 4.16.0-ec.0+ _potentially_ affected but there's no relevant unaffected 4.16 or 4.15 so there is nothing to block.
Using PromQL to apply only on clusters that use NetworkPolicy objects.
I have handrafted a file for each minor version and then copied the
rest:
```
$ for fifteen in 2 3 4 5
cp blocked-edges/4.15.0-rc.1-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml blocked-edges/4.15.0-rc.$fifteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
sed -i -e "s|4.15.0-rc.1|4.15.0-rc.$fifteen|" blocked-edges/4.15.0-rc.$fifteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
end
$ for fourteen in 10 11 12
cp blocked-edges/4.14.9-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml blocked-edges/4.14.$fourteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
sed -i -e "s|4.14.9|4.14.$fourteen|" blocked-edges/4.14.$fourteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
end
$ for thirteen in 31 32 33
cp blocked-edges/4.13.30-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml blocked-edges/4.13.$thirteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
sed -i -e "s|4.13.30|4.13.$thirteen|" blocked-edges/4.13.$thirteen-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
end
$ for twelve in 49
cp blocked-edges/4.12.48-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml blocked-edges/4.12.$twelve-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
sed -i -e "s|4.12.48|4.12.$twelve|" blocked-edges/4.12.$twelve-NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
end
```
Review:
Applied the following to append a `[+].*` suffix to `from:`, to stop
incorrectly matching the path from 4.13.30 to 4.13.31+:
```
$ sed -r -i -e 's|(from:.*)|\1\[+].*|' blocked-edges/*NetPolicyTimeoutsHostNetworkedPodTraffic.yaml
```
petr-muller
force-pushed
the
NetPolicyTimeoutsHostNetworkedPodTraffic
branch
from
c2d8dbe
to
53ce42f
Compare
|
Lets drop 4.13.33 from this PR as signatures are missing for this build which is causing the tests to fail. |
Until 4.13.33 is signed, talking about it causes CI failures [1]: "Failed to find signatures for digest sha256:2e6962da6066332442fbd5d27b5917f3980bef59be6cabab263774ac615213db: [\n \"Error fetching https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/sha256=2e6962da6066332442fbd5d27b5917f3980bef59be6cabab263774ac615213db/signature-1 - 404 Not Found\", ... [1]: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cincinnati-graph-data/4744/pull-ci-openshift-cincinnati-graph-data-master-e2e/1755662908202684416#1:build-log.txt%3A50
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LalatenduMohanty, petr-muller The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold to sanity check the promql |
openshift-ci
bot
added
the
do-not-merge/hold
openshift-merge-bot
bot
merged commit beebfc5
into
openshift:master
|
I'm not clear on which clusters have NetworkPolicies, but:
is an OCP 4.16.0-ec.2 GCP
is an OSD 4.15.0-rc.5 AWS cluster where the CRD and some CRs exist understanding that it might be exposed. |
Current understanding of the issue:
Using PromQL to apply only on clusters that use NetworkPolicy objects.
I have handrafted a file for each minor version and then copied the
rest: