Closed astoycos closed 2 years ago
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: astoycos
To complete the pull request process, please assign smarterclayton after the PR has been reviewed.
You can assign the PR to them by writing /assign @smarterclayton in a comment when ready.
The full list of commands accepted by this bot can be found here.
/hold Since we need to skip this test for the OCP-SDN network plugin in the rules defined in openshift/kubernetes and then re-vendor once https://github.com/openshift/kubernetes/pull/664 merges
/assign @squeed
Did I do this workflow right? (i.e. opening the PR in openshift/k8s in order to ensure we don't run the test for the default openshift-sdn plugin)
The test seems reasonable as written; just needs to be structured more like an OpenShift / kube test.
Easiest way to skip this is in code; just retrieve the network.config.openshift.io object and check the configured plugin.
@danwinship If you could give this another look I'd appreciate it
/retest
The test is good, but needs to be structured a bit differently to ensure it tolerates delays in ovn-kubernetes (and thus doesn't become a flake-fest). ovn sadly sometimes falls behind during load or restarts / upgrades.
I'd recommend doing two things:
Those should work around any asynchronicity.
I fixed this concern by ensuring we retest both pings (allow and deny) until the results are as expected. I don't think we need to provide a retry mechanism for the log parsing, since if the traffic is flowing as expected (i.e. the OVN ACLs are there) then we should always be seeing the correct logs.
I also added a mechanism that collects all created pod logs on failure, which should make any potential bugs much easier to fix.
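The retry approach discussed above, sketched as an added example (not code from this PR or from openshift/origin): both pings are re-run in the same iteration until the allowed source reaches the target and the denied source does not, so a lagging ovn-kubernetes does not fail the test on the first attempt. The names `probe`, `waitForPolicy` and `laggyProbe` are hypothetical, and the probes are constructed stand-ins for running ping inside the test pods.

```go
package main

import (
	"fmt"
	"time"
)

// probe reports whether a ping from one source pod to the target got a reply.
// Hypothetical stand-in for exec'ing ping inside a pod.
type probe func() (reachable bool, err error)

// waitForPolicy re-runs both probes until the allowed source reaches the
// target AND the denied source does not. Checking both in one iteration
// separates "policy drops the packet" from "pod networking is not up yet".
func waitForPolicy(allowed, denied probe, interval, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		allowOK, errA := allowed()
		denyOK, errD := denied()
		if errA == nil && errD == nil && allowOK && !denyOK {
			return nil // both ACLs are in effect
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("policy not enforced after %s: allowed=%t (err %v), denied=%t (err %v)",
				timeout, allowOK, errA, denyOK, errD)
		}
		time.Sleep(interval)
	}
}

// laggyProbe simulates a backend that lags: it returns `before` for the
// first n calls and `after` from then on (constructed test double).
func laggyProbe(n int, before, after bool) probe {
	calls := 0
	return func() (bool, error) {
		calls++
		if calls <= n {
			return before, nil
		}
		return after, nil
	}
}

func main() {
	// Constructed scenario: the deny ACL only takes effect after three attempts.
	err := waitForPolicy(laggyProbe(0, true, true), laggyProbe(3, true, false),
		10*time.Millisecond, time.Second)
	fmt.Println("converged:", err == nil)
}
```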
/retest
/unhold
/test e2e-aws-ovn
/test e2e-gcp-ovn
@astoycos: The specified target(s) for /test were not found.
The following commands are available to trigger jobs:
/test e2e-agnostic-cmd
/test e2e-aws
/test e2e-aws-csi
/test e2e-aws-disruptive
/test e2e-aws-fips
/test e2e-aws-image-registry
/test e2e-aws-jenkins
/test e2e-aws-multitenant
/test e2e-aws-ovn
/test e2e-aws-proxy
/test e2e-aws-serial
/test e2e-aws-single-node
/test e2e-aws-upgrade
/test e2e-azure
/test e2e-gcp
/test e2e-gcp-builds
/test e2e-gcp-csi
/test e2e-gcp-disruptive
/test e2e-gcp-image-ecosystem
/test e2e-gcp-upgrade
/test e2e-metal-ipi
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-ipv6
/test e2e-metal-ipi-virtualmedia
/test e2e-openstack
/test e2e-openstack-ipi
/test e2e-openstack-serial
/test e2e-vsphere
/test images
/test okd-e2e-gcp
/test verify
/test verify-deps
/test extended_gssapi
/test extended_ldap_groups
/test extended_networking
Use /test all to run the following jobs:
pull-ci-openshift-origin-master-e2e-agnostic-cmd
pull-ci-openshift-origin-master-e2e-aws-csi
pull-ci-openshift-origin-master-e2e-aws-disruptive
pull-ci-openshift-origin-master-e2e-aws-fips
pull-ci-openshift-origin-master-e2e-aws-serial
pull-ci-openshift-origin-master-e2e-gcp
pull-ci-openshift-origin-master-e2e-gcp-builds
pull-ci-openshift-origin-master-e2e-gcp-csi
pull-ci-openshift-origin-master-e2e-gcp-disruptive
pull-ci-openshift-origin-master-e2e-gcp-upgrade
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6
pull-ci-openshift-origin-master-images
pull-ci-openshift-origin-master-verify
pull-ci-openshift-origin-master-verify-deps
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-dualstack
/test e2e-aws-ovn
[sig-network][Feature:Network Policy Audit logging] when using openshift ovn-kubernetes should ensure acl logs are created and correct [Suite:openshift/conformance/parallel]
Is now passing on
ci/prow/e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn
retesting those tests for further verification
/test e2e-metal-ipi-ovn-dualstack
/test e2e-metal-ipi-ovn-ipv6
/test e2e-aws-ovn
Otherwise this test should be ready to go
/test e2e-aws-ovn
/test e2e-metal-ipi-ovn-dualstack
/approve /lgtm
@knobunc could you approve this (it touches some helper code)
/test e2e-aws-ovn
/lgtm
@squeed I lost the lgtm because I saw a flake on the recent run, and added some better "on failure" logic to see what was going on
Most recent changes should fix the flake (sorry I lost the LGTM again)
/test e2e-aws-ovn
/test e2e-metal-ipi-ovn-dualstack
Letting this churn in CI for a bit, I will revisit late this afternoon (also looks like I need an accompanying bug for this)
/test e2e-aws-serial
I am seeing the test pass without flakes in
ci/prow/e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn
/test e2e-aws-serial
/approve /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: astoycos, knobunc, squeed
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/retest
Please review the full test history for this PR and help us cut down flakes.
This work adds a networking extended test for the new network policy audit logging feature.
The name of the new test is:
"[sig-network] acl-logging should activate acl-logging [Suite:openshift/conformance/parallel]"
It first activates the audit logging by applying new annotations to the acl-logging ns.
Next it makes three pods, two (pod[0] and pod[1]) in the ns acl-logging and one (pod[3]) in the ns acl-logging-off.
Then it makes two networkPolicies in the acl-logging ns ->
Finally it sends packets from pods 1 and 2 to pod 0..... The packet from pod[1] will be allowed by the allow-same-namespace policy and the packet from pod[2] will be dropped by the default-deny-all policy. This info will be captured by the acl-audit-logs.
The logs are then collected and verified with an oc adm node-logs