Uploaded image for project: 'OpenShift SDN'
  1. OpenShift SDN
  2. SDN-3098

Enhance EgressFirewall to include a nodeSelector for destinations

    XMLWordPrintable

Details

    • nodeSelector for Egress Firewall
    • False
    • None
    • False
    • Green
    • To Do
    • OCPSTRAT-355 - Enhance EgressFirewall to include a nodeSelector for destinations
    • OCPSTRAT-355Enhance EgressFirewall to include a nodeSelector for destinations
    • 100
    • 100% 100%
    • ---
    • 0
    • 0

    Description

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      • Add the ability to create egress firewall rules based on nodes to allow host network access to specific nodes

      Why is this important?

      • There is a difference between SDN and OVN's implementation of Egress Firewall where SDN implicitly allows services to bypass Egress Firewall. Some customers rely on this behavior in order to implicitly allow pods to reach services backed by host network pods. This traffic blocked by default today in OVN, and adding manual rules per host IP can be tedious.

      See https://bugzilla.redhat.com/show_bug.cgi?id=1993841 for more info.

      Scenarios

      1. As a user I want to allow pods behind an egress firewall to access host network pods on any master node. Rather than making an egress firewall rule per host IP, I can just configure a node selector label on the egress firewall.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      1. None

      Previous Work (Optional):

      Open questions::

      1. None

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          is cloned by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-355 Enhance EgressFirewall to include a nodeSelector for destinations

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              trozet@redhat.com Tim Rozet
              trozet@redhat.com Tim Rozet
              Huiran Wang Huiran Wang
              Joe Aldinger Joe Aldinger
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: