[wip] service reject acl on portgroups #233

Closed

@dcbw dcbw commented Aug 11, 2020

soak test

Signed-off-by: Dan Williams <dcbw@redhat.com>
@openshift-ci-robot

@dcbw: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

[wip] service reject acl on portgroups

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot added the do-not-merge/work-in-progress label ("Indicates that a PR should not merge because it is a work in progress.") Aug 11, 2020

@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dcbw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot added the approved label ("Indicates a PR has been approved by an approver from all required OWNERS files.") Aug 11, 2020

Adding an ACL-per-service-per-node switch doesn't scale. OVN team instead
suggested adding the ACL-per-service to a Port Group which all logical
switch ports are members of.

Note that this does now deny multicast traffic across the management port,
but I can't think of a good reason why that should be allowed or even work
today anyway.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1855408
Signed-off-by: Dan Williams <dcbw@redhat.com>

@dcbw force-pushed the 45-service-reject-acl-portgroup branch from e0ba10a to b2b462e August 11, 2020 18:42


dcbw commented Aug 11, 2020

/retest

@openshift-ci-robot

@dcbw: The following tests failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn | b2b462e | link | /test e2e-aws-ovn |
| ci/prow/e2e-gcp-ovn | b2b462e | link | /test e2e-gcp-ovn |
| ci/prow/e2e-gcp-ovn-upgrade | b2b462e | link | /test e2e-gcp-ovn-upgrade |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@dcbw dcbw closed this Oct 1, 2020