  1. OpenShift Core Networking
  2. CORENET-2258

Egress Firewall refactoring


    • Quality / Stability / Reliability
    • 56% To Do, 0% In Progress, 44% Done
      The epic was de-prioritized and will be worked on alongside 4.13


      Problem:

      1. Egress firewall affects node IPs, but always allows management port IP, which gives access to the node.
      2. Performance: every egress firewall ACL is created with a separate transaction (fixed in https://issues.redhat.com/browse/OCPBUGS-17970)
      3. Performance: using source port group instead of address set will decrease the number of OVS flows per node (tracked under https://issues.redhat.com/browse/SDN-4173)
      4. Performance: we use `dst != clusterSubnet` exclusion that may result in many OVS flows (fixed in https://github.com/ovn-org/ovn-kubernetes/pull/3338)
      5. DNS address sets are not cleaned up on restart

       

          1. Docs Tracker Sub-task Closed Undefined Jason Boxman
          2. PX Tracker Sub-task Closed Undefined Unassigned
          3. QE Tracker Sub-task Closed Undefined Jean Chen
          4. TE Tracker Sub-task Closed Undefined Unassigned

              npinaeva@redhat.com Nadia Pinaeva (Inactive)