Bug 1880974: 9-21-2020 merge #279
Conversation
our current implementation of Ipblock is incorrect. creating a deny rule for the
except blocks will not allow ips that overlap another IPblock to be allowed.
I changed this so that we only create one ACL rule per ipBlock
so if you have one policy that says
- from:
- ipBlock:
cidr: 10.0.0.0/8
except:
- 10.0.1.0/24
and another that says
- from:
- ipBlock:
cidr: 10.0.0.0/8
it will translate two acls that are
match=ip4.src == 10.0.0.0/8 && ip4.src !={10.0.1.0/24}
match=ip4.src == 10.0.0.0/8
the first rule will not evaluate to true with a packet from 10.0.1.0
it will cascade to the second ACL and correctly be allowed. If the except
is not overlapping an additional range it will be denied by the
default deny ACL
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
fix ipBlock except for network policy
Signed-off-by: Antonio Ojea <aojea@redhat.com>
current resync period was set to 12 hours, instead of having such large period with the risk of overwhelming ovn with events every 12 hours, just disable the resync period. AddEventHandlerWithResyncPeriod can specify a per handler resync if necessary. Signed-off-by: Antonio Ojea <aojea@redhat.com>
Avoids the copy exiting with code 1 when it tries to copy the 'windows' directory if you ever ran 'make windows'. + pushd ../dist/images ~/Development/containers/ovn-kubernetes/dist/images ~/Development/containers/ovn-kubernetes/contrib + sudo cp -f ../../go-controller/_output/go/bin/hybrid-overlay-node ../../go-controller/_output/go/bin/ovn-k8s-cni-overlay ../../go-controller/_output/go/bin/ovnkube ../../go-controller/_output/go/bin/ovn-kube-util ../../go-controller/_output/go/bin/windows . cp: -r not specified; omitting directory '../../go-controller/_output/go/bin/windows' Signed-off-by: Dan Williams <dcbw@redhat.com>
Ubuntu 18.04 repository contains old OVS/OVN packages, (2.9.5-0), which are not compatable with current implementation. With Ubuntu 20.04 `apt-get` installs OVS 2.13 and OVN 20.03 Signed-off-by: Alexey Roytman <roytman@il.ibm.com>
we have to untaint the master nodes so we can schedule pods on them, however, the kind get nodes does not report the nodes in the right order. Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
fix a bug on kind deployment
We were setting it correctly in the mac_binding table for OVN, but the mac did not match the address configured on the host. This caused host destined packets from OVN to be dropped in IPv6. Signed-off-by: Tim Rozet <trozet@redhat.com>
Change egressfirewall to use logical_router_policies on the ovn_cluster_router as oppsed to using ACLs on each nodes join switches. This changes optimizes the generation of egressfirewall policies because we only have to create one object and put it in one place the ovn_cluster_router applies to all namespaces so we only need to attach the policy there. because the single router applies to all namespaces the test "correctly adds an existing egressFirewall to a new node" is no longer needed Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
…outer make egressfirewall use logical_router_policies
Fix setting ovn-k8s-gw0 mac address for ipv6 single-stack
Signed-off-by: Antonio Ojea <aojea@redhat.com>
enable ipv6 ha local job in CI
Bare metal OCP adds temporary IPs to the primary interface for use with external load-balancing. These should be ignored when determining the primary node IP. Signed-off-by: Dan Winship <danwinship@redhat.com>
disable informers factory resync period
The previous code assumed that the host network pod backend to a service would always be in the same subnet as the host accessing the service, which is not always the case. Additionally, the code used the mask on the host interface to determine the host subnet, which is not correct for IPv6. IPv6 addresses may be assigned with /128 prefixes. Since we really just care about non-pod subnet traffic from mp0 hitting this policy and going out DGP, we can just inverse the match to match not on pod subnet. Signed-off-by: Tim Rozet <trozet@redhat.com>
Pods configured with egress gws were unable to reach other pods in other subnets, via service or otherwise. This is because the lr-policy for routing traffic to GR was not specific enough. This patch adds criteria for matching not cluster subnet, so only external traffic is forwarded to GR. Signed-off-by: Tim Rozet <trozet@redhat.com>
node: ignore "deprecated" IPv6 IPs when determining primary IP
…_policy Fixes inter node DGP policy for local gw mode
Fixes lr-policy for egress gw
Increase the priority of egressfirewall router policies to ensure that they get processed first. In order to make sure that no cluster traffic is interrrupted by the egressfirewall rules ensure that cluster traffic is explicitily excluded from the pattern match move all the constants for the priority level on the ovn_logical_router into one place so that all specified priority levels are centralized Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
increase the priority of egressfirewall router policies
openshift-ci-robot
added
bugzilla/severity-urgent
|
@trozet: This pull request references Bugzilla bug 1880974, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@danwinship @dcbw verified on GCP cluster with this PR I can access host network service endpoints from another host in a different subnet: |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
vsphere has been replaced by vsphere-ovn and we don't care about its failure |
|
@dcbw: /override requires a failed status context to operate on.
Only the following contexts were expected:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override ci/prow/e2e-vsphere |
|
@dcbw: Overrode contexts on behalf of dcbw: ci/prow/e2e-vsphere In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
10 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
Last test runs have failed 1-2 volume tests only with i/o timeouts to the gcp apiserver public IP. |
|
@dcbw: Overrode contexts on behalf of dcbw: ci/prow/e2e-gcp-ovn In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@trozet: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@trozet: All pull requests linked via external trackers have merged: Bugzilla bug 1880974 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fixes for: