Loading...

XML

Word

Printable

Type: Epic
Resolution: Obsolete
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Epic Name:
Egress Firewall refactoring
Activity Type:
Quality / Stability / Reliability
Hierarchy Progress Bar:

56% To Do, 0% In Progress, 44% Done
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Status Summary:

Hide

The epic was de-prioritized and will be worked on alongside 4.13

Show
The epic was de-prioritized and will be worked on alongside 4.13
Size:
None

Target Version:

openshift-4.14
Release Blocker:
None

WSJF:
0

Problem:

egress firewall affects node ips, but always allows management port ip, which gives access to the node.
performance: every egress firewall acl is created with a separate transaction (fixed in https://issues.redhat.com/browse/OCPBUGS-17970)
performance: using source port group instead of address set will decrease the number of ovs flows per node (tracked under https://issues.redhat.com/browse/SDN-4173)
performance: we use `dst != clusterSubnet` exclusion that may result in many ovs flows (fixed in https://github.com/ovn-org/ovn-kubernetes/pull/3338, )
dns address sets are not cleaned up on restart

depends on

CORENET-2304 ovn-k ACL indexing refactoring

Closed

links to

apply-after-lb ACL breaks hairpinning

There are no Sub-Tasks for this issue.

Assignee:: Nadia Pinaeva (Inactive)

Reporter:: Nadia Pinaeva (Inactive)

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 2 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2022/07/07 7:56 AM

Updated:: 2025/09/13 4:49 AM

Resolved:: 2024/01/19 8:49 AM