Bug 1966833: BACKPORT Add a cluster-wide group with node ls-to-cluster-router ports. #573
Conversation
|
@astoycos: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Commit 40a90f0 removed the multicast deny port group and used instead the cluster port group. However, this breaks pod-to-pod multicast when pods reside on different nodes. That is because OVN ACLs are applied on all logical switch ports, including logical switch ports connected to router ports. Hence, an ACL of the form "if ip.mcast then deny" applied on the clusterPortGroup will drop all multicast traffic that would normally be routed by the cluster router even when multicast is allowed for a namespace. Instead, add a new (smaller) cluster wide group that only contains the node logical switch ports connected to the cluster router. This allows us to define two allow ACLs for multicast traffic from/to node switches to/from cluster router, therefore not breaking the namespace multicast allow policy if pods reside on different nodes. Fixes: 40a90f0 ("Migrate default deny multicast policy to port-group") Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Add the necessary constants for: ovn-org/ovn-kubernetes@c21cce7 and ovn-org/ovn-kubernetes@3864f2b Signed-off-by: Andrew Stoycos <astoycos@redhat.com>
astoycos
force-pushed
the
fix-multicast-4.6
branch
from
9feca1f
to
76e2806
Compare
astoycos
changed the title
|
@astoycos: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
astoycos
changed the title
|
@astoycos: This pull request references Bugzilla bug 1966833, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
bugzilla/severity-urgent
|
/bugzilla refresh |
|
@astoycos: This pull request references Bugzilla bug 1966833, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
astoycos
changed the title
|
/bugzilla refresh |
openshift-ci
bot
added
the
bugzilla/valid-bug
|
@astoycos: This pull request references Bugzilla bug 1966833, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (anusaxen@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
removed
the
bugzilla/invalid-bug
|
/retest |
|
I only did a visual review and compiled the changes. I didn't actually test if multicast works with this in 4.6 although it should. The backport looks ok to me. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: astoycos, trozet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
bparees
added
the
cherry-pick-approved
|
@astoycos: All pull requests linked via external trackers have merged: Bugzilla bug 1966833 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Backport to fix multicast on 4.6
Commit 40a90f0 removed the multicast deny port group and used
instead the cluster port group. However, this breaks pod-to-pod
multicast when pods reside on different nodes. That is because OVN ACLs
are applied on all logical switch ports, including logical switch ports
connected to router ports.
Hence, an ACL of the form "if ip.mcast then deny" applied on the
clusterPortGroup will drop all multicast traffic that would normally be
routed by the cluster router even when multicast is allowed for a
namespace.
Instead, add a new (smaller) cluster wide group that only contains the
node logical switch ports connected to the cluster router. This allows us
to define two allow ACLs for multicast traffic from/to node switches to/from
cluster router, therefore not breaking the namespace multicast allow policy
if pods reside on different nodes.
Fixes: 40a90f0 ("Migrate default deny multicast policy to port-group")
Signed-off-by: Dumitru Ceara dceara@redhat.com