- Bug
- Resolution: Done
- Critical
- None
- 4.13
- None
- No
- SDN Sprint 233, SDN Sprint 234
- 2
- Rejected
- False
- N/A
- Bug Fix
- Done
Description of problem:
Since we updated hairpinned network policy ACLs, the number of OVS flows created for every ingress rule has increased. For example, if the netpol selected 50 pods and the gress address set also has 50 pod IPs, in 4.12 we would create 200 flows. In 4.13 it creates ~5200 flows.
The problem is that the new ACL Match is actually 2 matches grouped together, one for the simple gress case and one for the hairpinned case. We would expect the number of flows to be 2 times higher in that case, but because of how ovn-controller translates flows, we get a cross-product for one of the parts and a conjunction for the other.
Version-Release number of selected component (if applicable):
How reproducible:
always
Steps to Reproduce:
1. Create a deployment with N pods, all on the same node (easier to count flows).
2. Create a network policy that selects all pods from that namespace, like:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: test-policy
    spec:
      podSelector: {}
      ingress:
      - from:
        - podSelector: {}
3. Check the number of flows on the selected node where all pods reside:
    oc exec -ti <ovnkube-node pod from that node> -n openshift-ovn-kubernetes -- /bin/bash
    ovs-ofctl dump-flows br-int | grep table=44 | grep priority=2001 | wc -l
   ^ This will give the number of all ingress flows. It should include 302 flows that are not related to ingress; they should be subtracted from the sum.
Actual results:
Expected results:
Additional info:
- clones: OCPBUGS-10839 [scale] Ingress network policy creates more flows than before (Closed)
- depends on: OCPBUGS-10839 [scale] Ingress network policy creates more flows than before (Closed)
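To see how much of the count from step 3 comes from conjunction flows and how much from the cross-product, the dump can be classified rather than only counted. This is an added example, not part of the original report or of OVN-Kubernetes; the sample dump, cookies and register values are constructed, and treating the cookie as a per-logical-flow identifier is an assumption.

```python
import re
from collections import Counter

FLOW_RE = re.compile(
    r"cookie=(?P<cookie>0x[0-9a-f]+),.*?\btable=(?P<table>\d+),.*?"
    r"\bpriority=(?P<prio>\d+)(?P<match>\S*) actions=(?P<actions>.*)$"
)

def classify_flows(dump, table=44, priority=2001):
    """Count flows in one table/priority by the way the match was expanded."""
    kinds, per_cookie = Counter(), Counter()
    for line in dump.splitlines():
        m = FLOW_RE.search(line.strip())
        if not m or int(m["table"]) != table or int(m["prio"]) != priority:
            continue
        if "conjunction(" in m["actions"]:
            kinds["conj_clause"] += 1   # one flow per value of one dimension: N + M
        elif "conj_id=" in m["match"]:
            kinds["conj_result"] += 1   # matches once every clause has matched
        else:
            kinds["plain"] += 1         # one flow per value combination: N * M
        # Assumption: the cookie identifies the logical flow a flow came from.
        per_cookie[m["cookie"]] += 1
    return kinds, per_cookie

def policy_flow_total(kinds, baseline=0):
    """Total matching flows minus flows unrelated to the policy (302 in the report)."""
    return sum(kinds.values()) - baseline

def sample_dump(n):
    """Constructed dump-flows text (not from a real cluster): n pods, n peer IPs."""
    pre = " cookie={}, duration=1.0s, table={}, n_packets=0, n_bytes=0, priority=2001,"
    a, b = pre.format("0xaaaa0001", 44), pre.format("0xbbbb0002", 44)
    ips = [f"10.128.{i // 250}.{i % 250 + 2}" for i in range(n)]
    ports = [f"0x{i + 1:x}" for i in range(n)]
    out = [a + "conj_id=7,ip,metadata=0x5 actions=resubmit(,45)"]
    out += [f"{a}ip,metadata=0x5,nw_src={ip} actions=conjunction(7,1/2)" for ip in ips]
    out += [f"{a}ip,reg15={p},metadata=0x5 actions=conjunction(7,2/2)" for p in ports]
    out += [f"{b}ip,reg15={p},metadata=0x5,nw_src={ip} actions=resubmit(,45)"
            for ip in ips for p in ports]
    out.append(pre.format("0x0", 43) + "ip actions=drop")  # other table: ignored
    return "\n".join(out)

if __name__ == "__main__":
    kinds, per_cookie = classify_flows(sample_dump(50))
    print(dict(kinds), per_cookie.most_common(2), policy_flow_total(kinds))
```

On a node, pass the text of `ovs-ofctl dump-flows br-int` to `classify_flows` and the number of unrelated flows as `baseline`; a cookie whose count grows with N * M is the one expanded as a cross-product.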