search

ovn-org / ovn-kubernetes

A robust Kubernetes networking platform
https://ovn-kubernetes.io/
Apache License 2.0
767 stars 333 forks source link

network-segmentation: Handle namespace active-network annotation #4435

Closed qinqon closed 4 days ago

qinqon commented 2 weeks ago

What this PR does and why is it needed

This change annotate a namespace with k8s.ovn.org/active-network selecting the network used for the pod primary interface, by default all the namespaces will contain k8s.ovn.org/active-network=default and if a primary network is configured at a namespace using a network attachment definition the annotation will be k8s.ovn.org/active-network=[network].

Special notes for reviewers

Stuff that will be done at follow up PRs:

How to verify it

The PR included e2e test to cover the success scenarios and some "unknown" and nad delete scenarios.

Details to documentation updates

Documentation will be done at follow up PRs.

Description for the changelog

Annotate namespaces with k8s.ovn.org/active-network

Does this PR introduce a user-facing change?

NONE

Annotate namespaces with `k8s.ovn.org/active-network`
coveralls commented 2 weeks ago

Coverage Status

coverage: 52.704% (-0.03%) from 52.729% when pulling 32a4f6786f286ff0f50b8cf5dff7271e21ff5723 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

qinqon commented 2 weeks ago 
I0613 05:33:50.857824      16 kube.go:154] Setting annotations map[k8s.ovn.org/active-network:hllj2_tenant-blue] on namespace primary-network-5868
E0613 05:33:50.859357      16 kube.go:163] Error in setting annotation on namespace primary-network-5868: namespaces "primary-network-5868" is forbidden: User "system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager" cannot patch resource "namespaces/status" in API group "" in the namespace "primary-network-5868"
I0613 05:33:50.859414      16 network_attach_def_controller.go:239] cluster-manager: Finished syncing net-attach-def primary-network-5868/tenant-blue: 1.870971ms
I0613 05:33:50.859462      16 network_attach_def_controller.go:272] "Error syncing net-attach-def, retrying" net-attach-def="primary-network-5868/tenant-blue" err="failed ensuring namespace active network: failed annotating namespace 'primary-network-5868' with the active network 'hllj2_tenant-blue'"
coveralls commented 2 weeks ago

Coverage Status

coverage: 52.67% (-0.06%) from 52.729% when pulling b3d7b1822e99fad2e972e5bc5dd1666ce9dc13e6 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.683% (-0.05%) from 52.729% when pulling 4e90ac30ea9f0123b29124a7b89d63de04c9b5c3 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.657% (-0.07%) from 52.729% when pulling 2db2c0f51e2c069110ea61836afe8bdc5dab19c3 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.734% (+0.005%) from 52.729% when pulling 133d8d4b77b2692d91e51af8edd4f6c1124a3d45 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.693% (-0.04%) from 52.729% when pulling 4090baae43a2bbe325cee31dc8107fcc2d644c26 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.697% (-0.03%) from 52.729% when pulling fd5b2a76fa189eeaf24c1711cbee244dab9072b5 on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

qinqon commented 2 weeks ago

Optimistic locking is not working at the annotation utilities, we have to fix it for this PR to work.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.664% (-0.07%) from 52.729% when pulling c0777fa933c9d7e66f7646b1c5b49292a52502ba on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.627% (-0.1%) from 52.729% when pulling 63b8eb1cc0487e62e6901aec21c1600cb94af8ac on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 2 weeks ago

Coverage Status

coverage: 52.66% (-0.07%) from 52.729% when pulling fbbe12ba7358037742bd105ca2946736390e2bfb on qinqon:active-network-annotation into 17dce5cc7a56cf9cb082b6ba44e8f69809b8763a on ovn-org:master.

coveralls commented 1 week ago

Coverage Status

coverage: 52.702% (-0.01%) from 52.716% when pulling 02e7aa38453f80735b7d56dac48368e0668477cf on qinqon:active-network-annotation into 701b8e077c6d5639c45ad5cc41fbd4d8759ddc56 on ovn-org:master.

coveralls commented 1 week ago

Coverage Status

coverage: 52.733% (+0.02%) from 52.716% when pulling 627c5003ef339451c99a09b86ccfbd56051865eb on qinqon:active-network-annotation into 701b8e077c6d5639c45ad5cc41fbd4d8759ddc56 on ovn-org:master.

coveralls commented 1 week ago

Coverage Status

coverage: 52.71% (-0.006%) from 52.716% when pulling bbcc7696303d02b479f28d2ee10f385c6584a44f on qinqon:active-network-annotation into 701b8e077c6d5639c45ad5cc41fbd4d8759ddc56 on ovn-org:master.

tssurya commented 4 days ago

https://github.com/ovn-org/ovn-kubernetes/pull/4462 will superceed this, this is currently only a placeholder to unblock people by building on top. @qinqon let's close this?

qinqon commented 4 days ago

Superceed by https://github.com/ovn-org/ovn-kubernetes/pull/4462