ANP: Add Support for Nodes as Egress Peers #4164
Conversation
tssurya
requested review from
trozet,
dcbw,
girishmg and
jcaamano
as code owners
tssurya
force-pushed
the
anp-node-selectors
branch
from
11ff8d4
to
e041b7b
Compare
tssurya
force-pushed
the
anp-node-selectors
branch
2 times, most recently
from
d625f21
to
2bd065b
Compare
tssurya
force-pushed
the
anp-node-selectors
branch
from
2bd065b
to
9ca20d1
Compare
tssurya
added
kind/feature
tssurya
force-pushed
the
anp-node-selectors
branch
from
9ca20d1
to
6a41512
Compare
✅ Deploy Preview for subtle-torrone-bb0c84 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
tssurya
force-pushed
the
anp-node-selectors
branch
2 times, most recently
from
1e7d1f1
to
c011c03
Compare
|
@tssurya looks good to me. Couple of things: |
good question, default is 4 actually in OCP. so 5 is not printed, 4 is, do you think I move some of the anp_controller logging to 5 to avoid noise?
ah thanks Jaime for pointing me to this (I admit I got to know of that code only like 2 weeks ago when I was reviewing Peri's PR on QoS), (self-note-for-cncf-developer-docs: so these things should be brought up in upstream/team meetings more around the "templates and refactor changes that sneak in to reuse them" ; perhaps even developer docs :P "how to add a controller" section for someone starting new in this project). I am not against moving to this, its the right thing to do, but it will be a FUP if you are ok with it.
yes agreed, I am starting scale testing so let me leave some of the relevant ones but delete the rest of them, I will do a new push with new commit to remove the TODOs. |
I see things like this that could potentially be level 5 A lot of potential level 5 logging in the run method as well, there we would just need a start and shutdown message on level 4. I am certainly more mindful about this things now but I am ok if you want to do a FUP
that's ok |
so out of all the things above I felt it might be good to keep those logs to debug things but I think you are absolutely right that this will cause a lot noise. Let me fix this in this PR itself. I will do a new commit on top so that is easier to review where I move a bunch of these to level5. I will also do a TODO-Removal commit :) ok let me repush with these two things and then we are good.
+1 for FUP here. |
tssurya
force-pushed
the
anp-node-selectors
branch
from
c011c03
to
2031c6d
Compare
|
the last push adds the last 2 commits, first commits have no difference. |
tssurya
force-pushed
the
anp-node-selectors
branch
from
2031c6d
to
fdd1f8d
Compare
|
I was torn about the sync logs. I would probably have left them at 4 if you have some update filtering in place before hand, but up to you. What about the intial ones I know they only happen once but I think they are excessive compared to other controllers and distracting towards quickly determining if everything started successfully or not. But I will leave it up to you as well. |
yeah I thought about this and I was extremely torn about the levels, so I do have update filtering in place actually but the problem is we have a centralized queuing system. So ultimately syncAdminNetworkPolicy is called whenever relevant info for a pod (ips, labels), namespace (labels), nodes (ips,labels) + anp changes => which is not a whole lot unless the ENV is heavy pod/add/delete so that's why I moved it to 5 because I imagine ANP to span across all pods in a cluster and if a pod add/delete triggers this then we would flood too much during churn.
yeah i left them since they only happen once during startup, but you have a great point. I think just 1 or 2 that ensure all started up correctly can be kept at Info, rest of them I will move to level5. |
|
saving link for @kyrtapz : https://github.com/ovn-org/ovn-kubernetes/actions/runs/8455510894/job/23164322209?pr=4164 I see |
tssurya
force-pushed
the
anp-node-selectors
branch
from
fdd1f8d
to
3eebbde
Compare
|
done, last push was fixing the previous comment (only last commit changed, rest was rebased on master) |
Sorry for being so nitpicky, I can't resist :P I would keep this one at five as well It can be even more distracting to have one log for one type of handler and not for the rest. Any potential problems here are perfectly traceable since we return a specific error for any problem that can happen here. |
haha nw, aye aye captain, let me push with this fixed. |
This commit adds logic for processing node to the ANP controller Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds the plumbing required to queue the anp key when a node get's added, updated or deleted to handle node type peer. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
This commit adds support to also insert nodeIPs as peerIPs of a specific rule. The podIPs peer has been renamed to be peerIPs which is more accurate moving forward. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
1. creating an admin network policy with 3 egress rules that have node peers 2. creating another node2 that will act as peer of admin network policy; check if IP is added to address-set 3. update the labels of node2 such that it starts to match the DENY RULE peer selector; check if IPs are updated in address-sets 4. update the hostCIDR annotation of node2; check if IPs are updated in address-sets 5. update the peer selector of rule3 in admin network policy so that node1 stops matching; check if address-set is updated 6. delete node matching peer selector; check if IPs are updated in address-sets 7. update the ANP by deleting all rules; check if all objects are deleted correctly 8. delete the ANP; check if all objects are deleted correctly Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
1. creating a baseline admin network policy with 2 egress rules that have node peers 2. creating another node2 that will act as peer of baseline admin network policy; check if IP is added to address-set 3. update the labels of node2 that matches the DENY RULE peer selector; check if IPs are updated in address-sets 4. update the hostCIDR annotation of node2 that matches the peer selector; check if IPs are updated in address-sets 5. update the peer selector of rule1 in admin network policy so that node1 stops matching; check if address-set is updated 6. delete node matching peer selector; check if IPs are updated in address-sets 7. update the BANP by deleting all rules; check if all objects are deleted correctly 8. delete the BANP; check if all objects are deleted correctly Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
I was being over generous, many of this can be determined from the ovsdb transact logs so we can move most of them to level5. I moved all logs in the update path to level5, kept add/delete at level4 since those should not happen frequently. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya
force-pushed
the
anp-node-selectors
branch
from
3eebbde
to
a06afda
Compare
|
I have pushed now, only change is the last commit + rebased on master |
- What this PR does and why is it needed
This PR adds support for
nodeEgress peer in ANP and BANP.API changes added as part of: kubernetes-sigs/network-policy-api@23d3882
- Special notes for reviewers
- How to verify it
unit tests and e2e's have been added (e2e's will run and merge as part of #4235)
- Description for the changelog
allow support for selecting nodes as egress peers