Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-718

Inefficient use of SG rules when creating Service LBs leads to scale issues

    XMLWordPrintable

Details

    • Moderate
    • Proposed
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      Each LB created for a Service type LoadBalancer results in 1 client rule and <# of public subnets> health rules being created.  The rules per SG quota in AWS is quite small; 60 by default, and 200 hard max.  OCP has about 40 rules OOTB. Assuming an HA cluster in 3 AZs, that is 4 rules per LB.  With default AWS quota, only ~5 LBs can be create and with the hard max of 200, only ~40 LBs can be created.

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always

      Steps to Reproduce:

      1.  Create Service type LoadBalancer and observe increase in master-sg and worker-sg rules sets
2.
3.

      Actual results:

      4 rules are created

      Expected results:

      1 rules is created when the client rule is a superset of the per-subnet health rules

      Additional info:

      This ~4x the number of Services of type LoadBalancer.  This is required for Hypershift.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-1540 [OCP 4.11] Inefficient use of SG rules when creating Service LBs leads to scale issues

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is depended on by

          Bug - A problem which impairs or prevents the functions of the product. HOSTEDCP-531 Security groups rules quota prevent more than ~20HC on a single management cluster

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-1540 [OCP 4.11] Inefficient use of SG rules when creating Service LBs leads to scale issues

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/kubernetes#1358: OCPBUGS-718: UPSTREAM: <carry>: aws: skip health rules if they are a subnet of the client rule

          Activity

            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: OCPBUGS

              People

                sjenning Seth Jennings
                sjenning Seth Jennings
                Milind Yadav Milind Yadav
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: