[release-4.7] Bug 1976242: Update existing policy ACLs on start #650
Conversation
Adds the following improvements namespace address set handling of network policies: 1) Adds processExistingItems to the namespace selector handlers so that all namespace address sets are accounted for from the get go. 2) Setups the namespace selector handlers before the initial creation/update of the corresponding ACL. Handler Add function will be noop for existing items, as these are not adding any new address set compared to those added previously by 1. This avoids adding address sets to the ACL match gradually in several updates. A single op after these handlers are setup will set the ACL in its final form accounting for all the existing namespace address sets that need to be considered at that time. 3) Updates existing allow ACLS on startup, fixing or realigning these ACLs to its desired form be it due to lost events during downtime or changes from one ovn-k8s version to annother, like for example updating pre-dual stack address sets to dual stack address sets in the ACL's match. 3) Updating an allow ACL no longer relies on finding by match. This could block us from being able to update an ACL if any namespace selector on a policy were to be modified during a period of k8s-ovn downtime. Signed-off-by: Jaime Caamaño Ruiz <jcaamano@redhat.com> (cherry picked from commit 9830624) (cherry picked from commit 1ec2bcb)
|
@jcaamano: An error was encountered searching for bug 1976242 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details. Full error message.
could not unmarshal response body: invalid character '<' looking for beginning of value
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Cleans up address sets that are in old non dual stack format if there is a corresponding address set in the new dual stack format. Done after all resource handlers have sync'ed so that the clean up is performed after ACLs are updated to reference the new dual stack address sets. partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962387 needs: "Update existing policy ACLs on start" a5c9f085 Signed-off-by: Jaime Caamaño Ruiz <jcaamano@redhat.com> (cherry picked from commit 8a635a8) (cherry picked from commit 642c37c)
jcaamano
force-pushed
the
release-4.7-dual-stack-address-set
branch
from
c572073
to
bdd003d
Compare
|
/bugzilla refresh |
openshift-ci
bot
added
bugzilla/severity-high
|
@jcaamano: This pull request references Bugzilla bug 1976242, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
1 similar comment
|
/retest |
|
/bugzilla refresh |
|
@jcaamano: This pull request references Bugzilla bug 1976242, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/bugzilla refresh |
openshift-ci
bot
added
bugzilla/valid-bug
|
@jcaamano: This pull request references Bugzilla bug 1976242, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (anusaxen@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jcaamano, trozet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
jupierce
added
the
cherry-pick-approved
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@jcaamano: All pull requests linked via external trackers have merged: Bugzilla bug 1976242 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is a backport cherry-pick of 1ec2bcb && 642c37c