Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multi policies ipamless ipblock #3574

Merged
merged 5 commits into from May 26, 2023
Merged

Multi policies ipamless ipblock #3574

merged 5 commits into from May 26, 2023

Conversation

maiqueb
Copy link
Contributor

@maiqueb maiqueb commented May 5, 2023

- What this PR does and why is it needed

This PR adds support for multi-network policies for secondary networks whose peers are of IPBlock type.

- Special notes for reviewers

- How to verify it

Run the multi-net tests.

- Description for the changelog

Add support for multi-network policies for secondary networks whose peers are of IPBlock type.

@maiqueb
Copy link
Contributor Author

maiqueb commented May 5, 2023

/cc @npinaeva

Don't bother looking yet, the production code implementation will change - I don't like the code I've added.

But still, this has an e2e test to assert the feature, and right now, I'm just pushing the simplest thing that works.

@maiqueb
Copy link
Contributor Author

maiqueb commented May 5, 2023

/cc @cathy-zhou

For your awareness. I plan on re-writing the code I'm adding to make it more readable, but for now I just want you to be able to track this work.

I'll let you know once this is ready for review.

Thanks in advance.

@maiqueb
Copy link
Contributor Author

maiqueb commented May 5, 2023

FWIW, the e2e test I've added to check multi-network policies for IPAM less networks using IPBlock peers is working.

@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch 3 times, most recently from 73dfd96 to 6fd239e Compare May 10, 2023 11:22
@maiqueb maiqueb marked this pull request as ready for review May 10, 2023 11:23
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from 6fd239e to 71c89a5 Compare May 10, 2023 11:27
npinaeva
npinaeva reviewed May 10, 2023
View reviewed changes
Copy link
Member

@npinaeva npinaeva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some initial suggestions

go-controller/pkg/ovn/base_network_controller_policy.go Outdated Show resolved Hide resolved
go-controller/pkg/ovn/base_network_controller_policy.go Outdated Show resolved Hide resolved
go-controller/pkg/ovn/base_network_controller_policy.go Outdated Show resolved Hide resolved
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch 3 times, most recently from 4969f15 to 2ac62b2 Compare May 11, 2023 08:06
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch 2 times, most recently from 0ad6bb3 to c143c74 Compare May 11, 2023 16:34
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from c143c74 to 4898f24 Compare May 11, 2023 16:43
@maiqueb maiqueb closed this May 16, 2023
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from 4898f24 to d68a5f8 Compare May 16, 2023 17:02
@maiqueb
Copy link
Contributor Author

maiqueb commented May 16, 2023

0_o waaaat.

I guess I broke the PR when I tried to push a rebase + new code separately :S

@maiqueb maiqueb reopened this May 16, 2023
@maiqueb maiqueb requested a review from jcaamano May 16, 2023 17:04
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from 4ed4a43 to df83cc2 Compare May 18, 2023 10:30
@coveralls
Copy link

coveralls commented May 18, 2023
edited

Coverage Status

Coverage: 53.518% (+0.009%) from 53.51% when pulling 9cd62fb on maiqueb:multi-policies-ipamless-ipblock into bbb9d7a on ovn-org:master.

@jcaamano
Copy link
Contributor

I think there is some of warnings we might want to get rid of.

Not sure we even want GetPodIPsOfNetwork to return an error, given that IPs are not mandatory:

ovn-kubernetes/go-controller/pkg/ovn/base_network_controller_namespace.go

Lines 362 to 366 in 0e395d5

podIPs, err := util.GetPodIPsOfNetwork(pod, bnc.NetInfo)
if err != nil {
klog.Warningf(err.Error())
continue
}

Here neither the comment nor the returned error are very precise:

ovn-kubernetes/go-controller/pkg/util/pod_annotation.go

Lines 302 to 316 in 0e395d5

// An OVN annotation should never have empty IPs, but just in case
if len(ips) == 0 {
klog.Warningf("No IPs found in existing OVN annotation for NAD %s! Pod Name: %s, Annotation: %#v",
nadName, pod.Name, annotation)
}
}
}
if len(ips) != 0 {
return ips, nil
}
if nInfo.IsSecondary() {
return []net.IP{}, fmt.Errorf("no pod annotation of pod %s/%s found for network %s",
pod.Namespace, pod.Name, nInfo.GetNetworkName())
}

Again, here:

ovn-kubernetes/go-controller/pkg/util/pod_annotation.go

Lines 264 to 268 in 0e395d5

if err != nil {
// this should not happen;
klog.Warningf("Failed to parse pod IP %v err: %v", podIP, err)
continue
}

@maiqueb
Copy link
Contributor Author

maiqueb commented May 23, 2023

I think there is some of warnings we might want to get rid of.

Not sure we even want GetPodIPsOfNetwork to return an error, given that IPs are not mandatory:

ovn-kubernetes/go-controller/pkg/ovn/base_network_controller_namespace.go

Lines 362 to 366 in 0e395d5

podIPs, err := util.GetPodIPsOfNetwork(pod, bnc.NetInfo)
if err != nil {
klog.Warningf(err.Error())
continue
}

Here neither the comment nor the returned error are very precise:

ovn-kubernetes/go-controller/pkg/util/pod_annotation.go

Lines 302 to 316 in 0e395d5

// An OVN annotation should never have empty IPs, but just in case
if len(ips) == 0 {
klog.Warningf("No IPs found in existing OVN annotation for NAD %s! Pod Name: %s, Annotation: %#v",
nadName, pod.Name, annotation)
}
}
}
if len(ips) != 0 {
return ips, nil
}
if nInfo.IsSecondary() {
return []net.IP{}, fmt.Errorf("no pod annotation of pod %s/%s found for network %s",
pod.Namespace, pod.Name, nInfo.GetNetworkName())
}

Again, here:

ovn-kubernetes/go-controller/pkg/util/pod_annotation.go

Lines 264 to 268 in 0e395d5

if err != nil {
// this should not happen;
klog.Warningf("Failed to parse pod IP %v err: %v", podIP, err)
continue
}

What if I do not even invoke util.GetPodIPsOfNetwork if the network does not have IPAM ?

It would reduce the code changes, while preventing all those misleading warnings from being printed.
@jcaamano

@maiqueb
Copy link
Contributor Author

maiqueb commented May 23, 2023

Added the simplest way out of this @jcaamano .

I can push a follow-up PR to fix the 3 utility funcs you have pointed out.

@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from 35e3d0e to bbcac93 Compare May 23, 2023 16:38
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from bbcac93 to af0021b Compare May 24, 2023 10:00
@maiqueb maiqueb requested review from jcaamano and npinaeva May 24, 2023 10:01
npinaeva
npinaeva approved these changes May 24, 2023
View reviewed changes
Copy link
Member

@npinaeva npinaeva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice PR, thanks @maiqueb !

@maiqueb maiqueb mentioned this pull request May 24, 2023
Closed
@maiqueb
Copy link
Contributor Author

maiqueb commented May 25, 2023

/retest-required

@jcaamano
Copy link
Contributor

/retest-failed

@ovn-robot
Copy link
Collaborator

Oops, something went wrong:

This workflow run cannot be retried

@jcaamano
Copy link
Contributor

/retest

@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from 6092c49 to faf5d85 Compare May 25, 2023 16:10
@maiqueb
Copy link
Contributor Author

maiqueb commented May 25, 2023

rebasing in this forced push since it appears the bot is a bit incoherent today.

Hope now it goes back to work.

@maiqueb
Copy link
Contributor Author

maiqueb commented May 25, 2023

/retest-failed

2 similar comments
@maiqueb
Copy link
Contributor Author

maiqueb commented May 26, 2023

/retest-failed

@maiqueb
Copy link
Contributor Author

maiqueb commented May 26, 2023

/retest-failed

@maiqueb
e2e: improve the error message of the getNetCIDRSubnet func
5acded9 
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
@maiqueb
multi-net policies, IPAM less: fail when converting invalid policies
8ae10c3 
Network policies targeting IPAM less networks can only have `ipBlock`
peers; while this behavior already existed, it now fails a lot earlier,
when translating the multi-net policies into regular `NetworkPolicy`,
thus making the flow more explicit, efficient, and readable.

Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
@maiqueb
multi-net policies, IPAM less: allow ipBlock peers
faa0a7e 
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
@maiqueb
multi-net policies, IPAM less, e2e: add test for IPAMless flat L2 pol…
dc94736 
…icies

Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
@maiqueb
multi-net policies, IPAM less: only warn for IPAMed networks
ae94d5b 
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
@maiqueb maiqueb force-pushed the multi-policies-ipamless-ipblock branch from faf5d85 to ae94d5b Compare May 26, 2023 11:39
@jcaamano jcaamano merged commit 119b745 into ovn-org:master May 26, 2023
22 checks passed
@maiqueb maiqueb deleted the multi-policies-ipamless-ipblock branch May 26, 2023 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@npinaeva npinaeva npinaeva approved these changes

@jcaamano jcaamano jcaamano approved these changes

@trozet trozet Awaiting requested review from trozet

@dcbw dcbw Awaiting requested review from dcbw

@girishmg girishmg Awaiting requested review from girishmg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@maiqueb @coveralls @jcaamano @ovn-robot @npinaeva