Our current implementation of ipBlock is incorrect. Creating a deny rule for the
except blocks will not allow IPs that overlap another ipBlock to be allowed.
I changed this so that we only create one ACL rule per ipBlock.
So if you have one policy that says

    - from:
      - ipBlock:
          cidr: 10.0.0.0/8
          except:
          - 10.0.1.0/24

and another that says

    - from:
      - ipBlock:
          cidr: 10.0.0.0/8

it will translate to two ACLs that are

    match=ip4.src == 10.0.0.0/8 && ip4.src != {10.0.1.0/24}
    match=ip4.src == 10.0.0.0/8

The first rule will not evaluate to true with a packet from 10.0.1.0;
it will cascade to the second ACL and correctly be allowed. If the except
is not overlapping an additional range it will be denied by the
default deny ACL.
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
fix ipBlock except for network policy
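The cascade described in the commit message, modelled as an added example (not ovn-kubernetes code): `ACLMatch` renders the one-allow-ACL-per-ipBlock match string, and `Allowed` evaluates a source IP against the ACLs either the old way (per-except deny ACLs that beat every allow) or the new way, falling through to the default deny. Type and function names are hypothetical.

```go
package main

import (
	"net"
	"strings"
)

// IPBlock mirrors a NetworkPolicy ipBlock: a CIDR plus optional except ranges.
type IPBlock struct {
	CIDR   string
	Except []string
}

// ACLMatch renders the one allow-ACL match per ipBlock that the commit describes:
// "ip4.src == <cidr> && ip4.src != {<except>, ...}". Hypothetical helper, not ovn-k8s code.
func ACLMatch(b IPBlock) string {
	m := "ip4.src == " + b.CIDR
	if len(b.Except) > 0 {
		m += " && ip4.src != {" + strings.Join(b.Except, ", ") + "}"
	}
	return m
}

func inCIDR(cidr string, ip net.IP) bool {
	_, n, err := net.ParseCIDR(cidr)
	return err == nil && n.Contains(ip)
}

func inAny(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		if inCIDR(c, ip) { return true }
	}
	return false
}

// Allowed walks the ACLs for src. With denyExcepts=true it models the previous
// translation (each except range became a deny ACL that beats every allow ACL);
// with false it models the new one (one allow ACL per ipBlock carrying its excepts).
// A source that matches no allow ACL falls through to the default deny ACL.
func Allowed(blocks []IPBlock, src string, denyExcepts bool) bool {
	ip := net.ParseIP(src)
	for _, b := range blocks {
		if denyExcepts && inAny(b.Except, ip) { return false } // old: deny ACL wins
	}
	for _, b := range blocks {
		if inCIDR(b.CIDR, ip) && (denyExcepts || !inAny(b.Except, ip)) { return true }
	}
	return false // default deny ACL
}
```

With the two policies from the commit message, a packet from 10.0.1.5 is denied under the old translation and allowed under the new one; with only the excepting policy present it is denied both ways.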
Signed-off-by: Antonio Ojea <aojea@redhat.com>
The current resync period was set to 12 hours. Instead of having such a large period, with the risk of overwhelming OVN with events every 12 hours, just disable the resync period. AddEventHandlerWithResyncPeriod can specify a per-handler resync if necessary.

Signed-off-by: Antonio Ojea <aojea@redhat.com>

Avoids the copy exiting with code 1 when it tries to copy the 'windows' directory if you ever ran 'make windows'.

    + pushd ../dist/images
    ~/Development/containers/ovn-kubernetes/dist/images ~/Development/containers/ovn-kubernetes/contrib
    + sudo cp -f ../../go-controller/_output/go/bin/hybrid-overlay-node ../../go-controller/_output/go/bin/ovn-k8s-cni-overlay ../../go-controller/_output/go/bin/ovnkube ../../go-controller/_output/go/bin/ovn-kube-util ../../go-controller/_output/go/bin/windows .
    cp: -r not specified; omitting directory '../../go-controller/_output/go/bin/windows'

Signed-off-by: Dan Williams <dcbw@redhat.com>

The Ubuntu 18.04 repository contains old OVS/OVN packages (2.9.5-0), which are not compatible with the current implementation. With Ubuntu 20.04, `apt-get` installs OVS 2.13 and OVN 20.03.

Signed-off-by: Alexey Roytman <roytman@il.ibm.com>

We have to untaint the master nodes so we can schedule pods on them; however, `kind get nodes` does not report the nodes in the right order.

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
fix a bug on kind deployment
We were setting it correctly in the mac_binding table for OVN, but the MAC did not match the address configured on the host. This caused host-destined packets from OVN to be dropped in IPv6.

Signed-off-by: Tim Rozet <trozet@redhat.com>

Change egressfirewall to use logical_router_policies on the ovn_cluster_router as opposed to using ACLs on each node's join switch. This change optimizes the generation of egressfirewall policies because we only have to create one object and put it in one place: the ovn_cluster_router applies to all namespaces, so we only need to attach the policy there. Because the single router applies to all namespaces, the test "correctly adds an existing egressFirewall to a new node" is no longer needed.

Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
…outer make egressfirewall use logical_router_policies
Fix setting ovn-k8s-gw0 mac address for ipv6 single-stack
Signed-off-by: Antonio Ojea <aojea@redhat.com>
enable ipv6 ha local job in CI
Bare metal OCP adds temporary IPs to the primary interface for use with external load-balancing. These should be ignored when determining the primary node IP.

Signed-off-by: Dan Winship <danwinship@redhat.com>
disable informers factory resync period
The previous code assumed that the host network pod backend to a service would always be in the same subnet as the host accessing the service, which is not always the case. Additionally, the code used the mask on the host interface to determine the host subnet, which is not correct for IPv6. IPv6 addresses may be assigned with /128 prefixes. Since we really just care about non-pod subnet traffic from mp0 hitting this policy and going out DGP, we can just inverse the match to match not on pod subnet.

Signed-off-by: Tim Rozet <trozet@redhat.com>

Pods configured with egress gws were unable to reach other pods in other subnets, via service or otherwise. This is because the lr-policy for routing traffic to GR was not specific enough. This patch adds criteria for matching not cluster subnet, so only external traffic is forwarded to GR.

Signed-off-by: Tim Rozet <trozet@redhat.com>
node: ignore "deprecated" IPv6 IPs when determining primary IP
…_policy Fixes inter node DGP policy for local gw mode
Fixes lr-policy for egress gw
Increase the priority of egressfirewall router policies to ensure that they get processed first. In order to make sure that no cluster traffic is interrupted by the egressfirewall rules, ensure that cluster traffic is explicitly excluded from the pattern match. Move all the constants for the priority level on the ovn_logical_router into one place so that all specified priority levels are centralized.

Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
increase the priority of egressfirewall router policies
Since local gateway mode only needs the shared gateway bridge for egress gw and potentially egress IP features, we can disable it by passing a gateway-interface of "none". We need this temporarily to be able to upgrade from a previous local gateway cluster to a local gateway mode using the shared topology.

Signed-off-by: Tim Rozet <trozet@redhat.com>
Signed-off-by: Tim Rozet <trozet@redhat.com>
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: trozet.
@trozet: The following tests failed, say
Just testing that local gateway mode still functions without shared gw bridge.