  1. OpenShift SDN
  2. SDN-3233

Egress Firewall refactoring

      The epic was de-prioritized and will be worked on alongside 4.13

      Problem:

      1. Egress firewall affects node IPs, but always allows the management port IP, which gives access to the node.
      2. Performance: every egress firewall ACL is created with a separate transaction (fixed in https://issues.redhat.com/browse/OCPBUGS-17970).
      3. Performance: using a source port group instead of an address set will decrease the number of OVS flows per node (tracked under https://issues.redhat.com/browse/SDN-4173).
      4. Performance: we use a `dst != clusterSubnet` exclusion that may result in many OVS flows (fixed in https://github.com/ovn-org/ovn-kubernetes/pull/3338).
      5. DNS address sets are not cleaned up on restart.

       

        1. Docs Tracker Sub-task Closed Undefined Jason Boxman
        2. PX Tracker Sub-task Closed Undefined Unassigned
        3. QE Tracker Sub-task Closed Undefined Jean Chen
        4. TE Tracker Sub-task Closed Undefined Unassigned

            npinaeva@redhat.com Nadia Pinaeva