Bug 1963846: Fix NPs for OVN LBs with hairpin traffic #518
Conversation
In case of hairpin LB traffic (member of the LB calls the LB and the request is directed back to the same member) OVN replaces the source-ip of the request with the LB IP. This means that pods with network policies applied may have that traffic blocked when it should be allowed. To fix that this commit makes sure that SGs used for NPs include ingress rules for each of the Service in it's namespace. It's not ideal but seems to be a fair compromise between opening as little traffic as possible and increasing number of security groups and rules. As this commit makes sure all the NPs in the namespaces are reanalyzed every time a Service is created or deleted, a little fixes in order to support that are also made. Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c Closes-Bug: 1923452
|
@dulek: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
approved
|
/hold I need to run at least basic tests with this. |
openshift-ci
bot
added
the
do-not-merge/hold
|
/test images |
|
/hold cancel |
|
@MaysaMacedo, this seems to work just fine now. |
openshift-ci
bot
removed
the
do-not-merge/hold
dulek
changed the title
openshift-ci
bot
added
bugzilla/severity-high
|
@dulek: This pull request references Bugzilla bug 1963846, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/bugzilla refresh |
openshift-ci
bot
added
the
bugzilla/valid-bug
|
@dulek: This pull request references Bugzilla bug 1963846, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
removed
the
bugzilla/invalid-bug
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dulek, gryf The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
sdodson
added
the
cherry-pick-approved
|
@dulek: All pull requests linked via external trackers have merged: Bugzilla bug 1963846 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied may have that traffic blocked when it should be
allowed.
To fix that this commit makes sure that SGs used for NPs include ingress
rules for each of the Service in it's namespace. It's not ideal but
seems to be a fair compromise between opening as little traffic as
possible and increasing number of security groups and rules.
As this commit makes sure all the NPs in the namespaces are reanalyzed
every time a Service is created or deleted, a little fixes in order to
support that are also made.
Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
Closes-Bug: 1923452