Bug 1966833: BACKPORT Add a cluster-wide group with node ls-to-cluster-router ports. #573
@astoycos: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Commit 40a90f0 removed the multicast deny port group and used instead the cluster port group. However, this breaks pod-to-pod multicast when pods reside on different nodes. That is because OVN ACLs are applied on all logical switch ports, including logical switch ports connected to router ports.

Hence, an ACL of the form "if ip.mcast then deny" applied on the clusterPortGroup will drop all multicast traffic that would normally be routed by the cluster router even when multicast is allowed for a namespace.

Instead, add a new (smaller) cluster wide group that only contains the node logical switch ports connected to the cluster router. This allows us to define two allow ACLs for multicast traffic from/to node switches to/from cluster router, therefore not breaking the namespace multicast allow policy if pods reside on different nodes.

Fixes: 40a90f0 ("Migrate default deny multicast policy to port-group")
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
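The commit message above explains why a bare multicast deny ACL on the cluster-wide port group breaks routed multicast, and why a second, smaller group holding only the router-facing switch ports repairs it. The following toy model, added here as an illustration and not code from OVN or ovn-kubernetes, walks a multicast packet through the from-lport/to-lport ACL stages of two node switches joined by the cluster router, once with the old ACL set and once with the fix. Port names (pod-a, stor-node1, ...), group membership and the priorities 1011/1012 are assumptions; the semantics it models follow OVN: an ACL attached to a port group is installed on every logical switch that has a member of that group, the match string itself must carry any inport/outport restriction, and the highest-priority matching ACL decides.

```python
# Toy model of OVN logical-switch ACL evaluation over port groups, written to
# illustrate the multicast regression and fix described in the commit message.
# Illustrative only: names, groups and priorities are assumptions, not the
# project's values.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Packet:
    mcast: bool  # stands in for an "ip4.mcast" match

Match = Callable[[Packet, str], bool]  # (packet, inport or outport) -> matched

@dataclass(frozen=True)
class ACL:
    priority: int
    direction: str    # "from-lport" (switch ingress) or "to-lport" (switch egress)
    port_group: str   # the port group the ACL is attached to
    match: Match
    action: str       # "allow" or "drop"

# Assumed topology: two node switches, each with a router-facing port
# ("stor-<node>", the peer of the cluster router port) and some pod ports.
SWITCH_OF: Dict[str, str] = {
    "pod-a": "node1", "pod-c": "node1", "pod-x": "node1", "stor-node1": "node1",
    "pod-b": "node2", "stor-node2": "node2",
}

GROUPS: Dict[str, FrozenSet[str]] = {
    # cluster-wide group: every port, including the router-facing ones (assumed)
    "clusterPortGroup": frozenset(SWITCH_OF),
    # the smaller group the fix introduces: only the router-facing switch ports
    "clusterRtrPortGroup": frozenset({"stor-node1", "stor-node2"}),
    # pods of a namespace whose policy allows multicast (pod-x has no such policy)
    "ns1PortGroup": frozenset({"pod-a", "pod-b", "pod-c"}),
}

def mcast_any(pkt: Packet, port: str) -> bool:
    """A bare "ip4.mcast" match with no inport/outport restriction."""
    return pkt.mcast

def mcast_in_group(name: str) -> Match:
    """A match like "inport == @name && ip4.mcast" (outport for to-lport)."""
    return lambda pkt, port: pkt.mcast and port in GROUPS[name]

def build_acls(with_fix: bool) -> List[ACL]:
    """Default deny on the cluster group, allow for the namespace, and (with the
    fix) allow to/from the router-facing ports. Priorities are illustrative:
    the allow rules only need to outrank the deny."""
    acls: List[ACL] = []
    for direction in ("from-lport", "to-lport"):
        acls.append(ACL(1011, direction, "clusterPortGroup", mcast_any, "drop"))
        acls.append(ACL(1012, direction, "ns1PortGroup",
                        mcast_in_group("ns1PortGroup"), "allow"))
        if with_fix:
            acls.append(ACL(1012, direction, "clusterRtrPortGroup",
                            mcast_in_group("clusterRtrPortGroup"), "allow"))
    return acls

def installed_on(acl: ACL, switch: str) -> bool:
    """A port-group ACL lands on every switch that has a member of the group."""
    return any(SWITCH_OF[p] == switch for p in GROUPS[acl.port_group])

def evaluate(acls: List[ACL], direction: str, port: str, pkt: Packet) -> str:
    """Highest-priority matching ACL decides; with no match the switch allows."""
    switch = SWITCH_OF[port]
    hits = [a for a in acls
            if a.direction == direction and installed_on(a, switch) and a.match(pkt, port)]
    return max(hits, key=lambda a: a.priority).action if hits else "allow"

def forward(acls: List[ACL], path: List[Tuple[str, str]], pkt: Packet) -> Tuple[str, str]:
    """Walk each (direction, port) ACL stage on the path; return the verdict and
    the port where the packet was dropped (or the last port if delivered)."""
    for direction, port in path:
        if evaluate(acls, direction, port, pkt) == "drop":
            return ("drop", port)
    return ("allow", path[-1][1])

def cross_node_path(src: str, dst: str) -> List[Tuple[str, str]]:
    """src -> its node switch -> cluster router -> dst's node switch -> dst."""
    return [("from-lport", src), ("to-lport", "stor-" + SWITCH_OF[src]),
            ("from-lport", "stor-" + SWITCH_OF[dst]), ("to-lport", dst)]

SAME_NODE_PATH = [("from-lport", "pod-a"), ("to-lport", "pod-c")]

def demo() -> Dict[str, Tuple[str, str]]:
    mcast, ucast = Packet(mcast=True), Packet(mcast=False)
    before, after = build_acls(with_fix=False), build_acls(with_fix=True)
    return {
        "same_node_before": forward(before, SAME_NODE_PATH, mcast),
        "cross_node_before": forward(before, cross_node_path("pod-a", "pod-b"), mcast),
        "cross_node_after": forward(after, cross_node_path("pod-a", "pod-b"), mcast),
        "unpolicied_pod_after": forward(after, cross_node_path("pod-x", "pod-b"), mcast),
        "unicast_before": forward(before, cross_node_path("pod-a", "pod-b"), ucast),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Running it shows the shape of the bug: before the fix the packet survives the from-lport stage at pod-a (the namespace allow outranks the deny) but is dropped at the to-lport stage of stor-node1, where only the unrestricted deny matches. With the fix the allow on clusterRtrPortGroup covers both router-facing stages, while a pod with no multicast policy (pod-x) is still dropped at its own from-lport stage, so the default deny for pods is unchanged.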
Add the necessary constants for: ovn-org/ovn-kubernetes@c21cce7 and ovn-org/ovn-kubernetes@3864f2b
Signed-off-by: Andrew Stoycos <astoycos@redhat.com>
9feca1f to 76e2806
@astoycos: This pull request references Bugzilla bug 1966833, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/bugzilla refresh
@astoycos: This pull request references Bugzilla bug 1966833, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (anusaxen@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest
I only did a visual review and compiled the changes. I didn't actually test if multicast works with this in 4.6 although it should. The backport looks ok to me.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: astoycos, trozet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest Please review the full test history for this PR and help us cut down flakes.
@astoycos: All pull requests linked via external trackers have merged: Bugzilla bug 1966833 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Backport to fix multicast on 4.6