-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2092567: [Downstream Merge] 16/11/2022 #1381
Bug 2092567: [Downstream Merge] 16/11/2022 #1381
Conversation
Improve kubectl_wait_pods: * use kubectl rollout to wait for specific DaemonSets * use kubectl wait pods to wait for specific pods * respect total timeout Signed-off-by: Andreas Karis <ak.karis@gmail.com>
Apply retry to namespace controller in ovnk node that, upon a namespace update, syncs UDP conntrack entries. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
…ange Command used: $ mockery --name NodeWatchFactory --dir ~/go/src/github.com/ovn-org/ovn-kubernetes/go-controller/pkg/factory/ --output ~/go/src/github.com/ovn-org/ovn-kubernetes/go-controller/pkg/factory/mocks/ 04 Oct 22 19:09 CEST INF Starting mockery dry-run=false version=v2.14.0 04 Oct 22 19:09 CEST INF Walking dry-run=false version=v2.14.0 04 Oct 22 19:09 CEST INF Generating mock dry-run=false interface=NodeWatchFactory qualified-name=github.com/ovn-org/ovn-kubernetes/go-controller/pkg/factory version=v2.14.0 Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Instead of exiting with an error, exit gracefully with an info message. Signed-off-by: Andreas Karis <ak.karis@gmail.com>
Signed-off-by: Andreas Karis <ak.karis@gmail.com>
general fixes to the windows node_linux.go testing to make the testing more meaningful. The tests are not ideal because there is no interface into fakeCmd to get the bundled ovs commands but we can compare the cache to what we believe it should be. I also removed tests that where no longer meaningful test "removes stale node flows on initial sync" and "removes stale pod flows on initial sync" are no longer needed because we sync to the flowCache on every sync and that stale nodes/pods will be taken care of then. test "sets up local pod flows" is a duplicate of "sets up local linux pod" so I removed the former Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Add the option to deploy IPsec encryption on kind. Signed-off-by: Andreas Karis <ak.karis@gmail.com>
When changing the hybrid overlay to dynamically allocated IP addresses there where instanses where the .3 address was blindly returned. Correct that mistake Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
ovnkube-trace: Fail gracefully on failed ovn-detrace dependency check
fixes to windows testing
correct the hybrid overlay port MAC address
apply retry logic to ovnk node controllers
This commit adds a new masqueradeIP which can be used to tell OVN to explicitly SNAT towards that masqueradeIP for hairpin service traffic. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> Co-authored-by: Andrew Stoycos <astoycos@redhat.com>
This commit adds the hairpin SNAT masqueradeIP to all the load balancers via the 'options:hairpin_snat_ip' field in OVN load balancers. This will help us in handling the NP service hairpin traffic correctly. Example: _uuid : c64e4c7b-66f7-4739-a633-06791efe835a external_ids : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya5/hello-world-net-pol"} health_check : [] ip_port_mappings : {} name : "Service_surya5/hello-world-net-pol_TCP_cluster" options : {event="false", hairpin_snat_ip="169.254.169.5 fd69::5", reject="true", skip_snat="false"} protocol : tcp selection_fields : [] vips : {"10.96.1.35:80"="10.244.1.3:8080,10.244.2.3:8080", "[fd00:10:96::a6a6]:80"="[fd00:10:244:2::3]:8080,[fd00:10:244:3::3]:8080"} NOTE: This might not be needed in the GR LBs, but no harm in adding it to all, so that we continue to leverage LBGs. An e2e test is added that demonstrates that the hairpin traffic will have the fixed masqueradeIP as the srcIP in its response packet. This commit also consolidates pokeEndpointHostName and pokeEndpointClientIP into a single function since they were both doing more or less the same logic. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> Co-authored-by: Andrew Stoycos <astoycos@redhat.com>
This PR adds the logic to allow or deny traffic correctly in case of podA->svc->podA traffic. If allow-from-podA is specified then the hairpin traffic should be allowed and if podA is not in the whitelist then we shouldn't be allowing hairpin traffic to come back in. Logic is to add an extra match to all existing ingress ACLs that match on namespace or pod selectors. This will look like this: _uuid : 6f2566ce-9236-4bee-896c-be56a91aba16 action : allow-related direction : to-lport external_ids : {Ingress_num="0", ipblock_cidr="false", l4Match=None, namespace=surya5, policy=allow-ingress-to-foo4-from-foo2, policy_type=Ingress} label : 0 log : false match : "((ip4.src == {$a6612447164629805900} || (ip4.src == 169.254.169.5 && ip4.dst == {$a6612447164629805900})) || (ip6.src == {$a6612449363653062322} || (ip6.src == fd69::5 && ip6.dst == {$a6612449363653062322}))) && outport == @a14627396333488653719" meter : acl-logging name : surya5_allow-ingress-to-foo4-from-foo2_0 options : {} priority : 1001 severity : [] The match here tries to check if: 1) traffic is from the allowed-list-address-set OR 2) traffic is hairpin traffic destined towards allowed-list-address-set for both v4 and v6 cases. second point is what enables service hairpinning to behave correctly since we know destination will be same as source for hairpin. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> Co-authored-by: Andrew Stoycos <astoycos@redhat.com> Co-authored-by: Nadia Pinaeva <npinaeva@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
OCPBUGS-2868: Ignore addresses in masquerade subnet when retrieving gateway IPs
Don't log in iterateRetryResources when there are no retry entries
When nextQueryTime for dns entry is already expired and update goroutine is trying to use negative duration to reset ticker. This causes process crash on the ovnk master. This change avoids proces crash and ensures to trigger ticker in shortest possible time (1 ms) so that update happens immediately on expired dns entry. Signed-off-by: Periyasamy Palanisamy <pepalani@redhat.com>
…anic Handle expired entry while handling dns update
Fix Network Policy Service Hairpin Traffic
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Hold lock when deleting completed pod during update event
/LGTM |
node: mock conntrack delete operations for service and EgressIP testcases
kind.sh: Add IPsec option to kind deployments
/approve |
f8c5a5f
to
039f756
Compare
/hold cancel |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dcbw, pperiyasamy, ricky-rav, trozet, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/retest |
/retest-required |
/retest |
/retest-required |
@tssurya: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@tssurya: All pull requests linked via external trackers have merged: Bugzilla bug 2092567 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.12 |
@vrutkovs: #1381 failed to apply on top of branch "release-4.12":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Tagging commit authors
@ricky-rav for lgtm since you have lots of small fixes coming in
@andreaskaris : PTAL your commits
@JacobTanenbaum @dcbw : Please note that we are not cherry-picking individual commits any more for bug fixes since 4.13 branch has already opened (in context of #1377 ), we are back to bulk merges.
@pperiyasamy: Please check your commit.
CLEAN MERGE, NO CONFLICTS. cc @trozet @dcbw for merge.