OCPBUGS-10799: [release-4.13] Netpol performance: shared peer address sets, add metrics#1603
ovn-k master to start watching every resource. Add scale metrics for network policies, rename existing enable-eip-scale-metrics flag to more general enable-scale-metrics, and use it for network policy metric too. Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com> (cherry picked from commit 4a3f1dd)
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com> (cherry picked from commit fbc9e4e)
required, to unlock other handlers from the same namespace. Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com> (cherry picked from commit f6f3ed8)
address sets for pod selector (network policy object is only responsible for local pods and peer namespace-only handlers). The locking mechanism is copied from networkPolicy. Update delete logic for completed pods: match collided pod not only by podSelector, but also by namespace selector. PeerPod functions were moved from policy.go and gress_policy.go. Update syncNetworkPolicies to cleanup policies based on acls, and not address sets, since address sets are not created for policies without peers with selectors, and it doesn't cleanup default deny port groups. New sync is based on acls, it will only skip empty policies without any gress rules. This should be fixed later with proper ownership indexing for port groups. Rename metrics from peer/network_policy to pod_selector_address_set. Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com> (cherry picked from commit 120140f)
least one selector had peerAddressSet, and empty gress (allow all)
was identified by "gp.sizeOfAddressSet() > 0". Now we don't create
address sets like that, therefore a new hasPeerSelector field was added
to distinguish empty gress from the one that just doesn't have any
address sets added yet.
Previously l3Match for gress with namespace selector that doesn't select
anything looked like "ip4.src == {<empty address set>}", now it will be
"ip4.src == {}".
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
update 2
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
(cherry picked from commit ed34024)
Add new functions to FakeAddressSetFactory for more insight into existing address sets. Add tests for PodSelectorAddressSet Update Netpol-owned address sets to be shared. Add netpol test that verifies that default deny port groups and port groups for policies without peer selectors (IpBlock) are cleaned up on sync. Move completed pod test from policy_test to pod_selector_address_set_test, simplify the test and make sure ip will be removed when collided pod is not selected by the address set. Update policy sync tests with existing policy in every namespace to make sure port groups won't be deleted as stale before being updated. Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com> (cherry picked from commit 7f4b409)
Previously "ip4.dst == {}" match was created, and ovn-controller
throws an error on such acl
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
(cherry picked from commit 54b67a3)
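The two commit messages above describe how a gress rule's L3 match is built now that address sets are shared: a new hasPeerSelector field tells an empty (allow-all) gress apart from one whose address sets simply haven't been attached yet, and a match of the form "ip4.src == {}" must never reach ovn-controller. The Go sketch below is an added illustration of that decision logic, not ovn-kubernetes' own code; the gressPolicy type, the "ip4" allow-all match form and the "$name" address-set naming are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// gressPolicy is a simplified stand-in, not ovn-kubernetes' own type, for one
// ingress or egress rule of a NetworkPolicy.
type gressPolicy struct {
	ingress         bool     // ingress rules match on ip4.src, egress on ip4.dst
	hasPeerSelector bool     // rule has at least one podSelector/namespaceSelector peer
	addressSets     []string // shared address sets currently attached to the rule
}

// buildL3Match returns the L3 match for the rule and whether an ACL should be
// created at all. The three cases the commit messages distinguish:
//   - no peer selector: empty gress, i.e. allow all (match form is assumed here)
//   - peer selector with address sets: "ip4.src == {$a, $b}"
//   - peer selector with no address sets yet: no ACL, since an "ip4.src == {}"
//     match is rejected by ovn-controller
func buildL3Match(gp gressPolicy) (match string, ok bool) {
	field := "ip4.dst"
	if gp.ingress {
		field = "ip4.src"
	}
	if !gp.hasPeerSelector {
		return "ip4", true
	}
	if len(gp.addressSets) == 0 {
		return "", false
	}
	// Sort for a stable match string regardless of handler ordering.
	names := append([]string(nil), gp.addressSets...)
	sort.Strings(names)
	for i, n := range names {
		names[i] = "$" + n
	}
	return fmt.Sprintf("%s == {%s}", field, strings.Join(names, ", ")), true
}

func main() {
	for _, gp := range []gressPolicy{
		{ingress: true, hasPeerSelector: true, addressSets: []string{"ns_b_v4", "ns_a_v4"}},
		{ingress: false, hasPeerSelector: true},
		{ingress: true},
	} {
		m, ok := buildL3Match(gp)
		fmt.Printf("createACL=%v match=%q\n", ok, m)
	}
}
```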
@npinaeva: This pull request references Jira Issue OCPBUGS-10799, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@npinaeva: No Bugzilla bug is referenced in the title of this pull request.
/jira refresh
@npinaeva: This pull request references Jira Issue OCPBUGS-10799, which is invalid:
/retest
/jira refresh
@npinaeva: This pull request references Jira Issue OCPBUGS-10799, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug.
Requesting review from QA contact:
3482b56 to 8513b38
@npinaeva: This pull request references Jira Issue OCPBUGS-10799, which is valid. 6 validation(s) were run on this bug.
Requesting review from QA contact:
@npinaeva: No Bugzilla bug is referenced in the title of this pull request. Retaining the bugzilla/valid-bug label as it was manually added.
trozet
left a comment
/lgtm
/label backport-risk-assessed
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: npinaeva, trozet. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/label cherry-pick-approved
/retest-required
/label cherry-pick-approved
/retest
@npinaeva: Jira Issue OCPBUGS-10799: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-10799 has been moved to the MODIFIED state.
@npinaeva: The following tests failed, say
Bring required changes to 4.13
perf metrics ovn-kubernetes/ovn-kubernetes#3450
downstream #1556
shared address sets ovn-kubernetes/ovn-kubernetes#3329
downstream #1574
No conflicts, last commit fixes a "conflict" because k8s 1.26 bump is not yet merged to 4.13