OCPBUGS-46529: kubevirt, Don't break on hostname NodePort.Address #5313

@qinqon qinqon commented Dec 18, 2024

What this PR does / why we need it:
Using a hostname at NodePort service strategy is allowed by the API, but the kubevirt provider breaks trying to check if it's an IPv4 or IPv6 to populate a network policy. This change skips that network policy because hostname would be an external address so no network policy is needed.

Which issue(s) this PR fixes
Fixes #OCPBUGS-46529

Checklist

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 18, 2024
@openshift-ci-robot

@qinqon: This pull request references Jira Issue OCPBUGS-46529, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci openshift-ci bot requested review from csrwng and sjenning December 18, 2024 10:29
@openshift-ci openshift-ci bot added area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Dec 18, 2024

qinqon commented Dec 18, 2024

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Dec 18, 2024
@openshift-ci-robot

@qinqon: This pull request references Jira Issue OCPBUGS-46529, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @LiangquanLi930


@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Dec 18, 2024

qinqon commented Dec 18, 2024

/cc @orenc1 @davidvossel

@openshift-ci openshift-ci bot requested review from davidvossel and orenc1 December 18, 2024 10:30

@davidvossel davidvossel left a comment


/lgtm
/approve

If the hostname points to a LB that then redirects traffic to the baremetal nodes, then this solution of skipping the NP will be fine.

However, if someone attempts to point the hostname's DNS entry directly to one of the infra cluster's nodes, then it's possible the VM pods won't be able to connect to the API server using the baremetal node's IP due to lack of network policy.

In that second scenario, my expectation is that someone creates a network policy to allow the traffic to flow from the VMs to the host network. There's no practical way I'm aware of we can use to detect which scenario (LB vs usage of node IPs directly) is in use in order to auto create the NP in the event hostname is in use. For example, a DNS lookup wouldn't necessarily help here because the DNS could be doing some round robin strategy when it hands out IPs, so us trying to infer anything from DNS wouldn't be accurate.

Anyway... This is all to say, I think your PR is accurate, and we probably need to account for how to handle NodePort + Hostname for the kubevirt platform in documentation.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 18, 2024
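
The address handling discussed in this PR, as an added Go example (not the hypershift code, which is not shown on this page): an IP literal becomes a single-host CIDR for the network policy, while a hostname is skipped without any DNS lookup. The function names `policyCIDR` and `egressCIDRs` and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// policyCIDR returns the single-host CIDR to allow for a NodePort address.
// ok is false when the address is not an IP literal (a hostname), in which
// case no network policy entry should be generated for it.
// Hypothetical helper for illustration only.
func policyCIDR(address string) (cidr string, ok bool) {
	ip, err := netip.ParseAddr(address)
	if err != nil {
		// Hostname: deliberately no DNS resolution here. Round-robin DNS
		// can return a different IP each time, so an inferred CIDR would
		// not be a reliable allow-list entry.
		return "", false
	}
	// Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) and drop any zone so the
	// prefix length matches the real address family (/32 or /128).
	ip = ip.Unmap().WithZone("")
	return netip.PrefixFrom(ip, ip.BitLen()).String(), true
}

// egressCIDRs builds the allow-list and reports which addresses were
// skipped, so the skip is visible to whoever must add a policy by hand.
func egressCIDRs(addresses []string) (cidrs, skipped []string) {
	for _, a := range addresses {
		if c, ok := policyCIDR(a); ok {
			cidrs = append(cidrs, c)
		} else {
			skipped = append(skipped, a)
		}
	}
	return cidrs, skipped
}

func main() {
	// Constructed sample input: documentation IP ranges and a made-up hostname.
	cidrs, skipped := egressCIDRs([]string{"192.0.2.10", "2001:db8::1", "api.hcp.example.test"})
	fmt.Println("allow:", cidrs)
	fmt.Println("skipped (hostname, no policy generated):", skipped)
}
```

Reporting the skipped hostnames matters for the second scenario in the review comment above: when the hostname resolves straight to infra node IPs, someone has to create the network policy manually.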

openshift-ci bot commented Dec 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidvossel, qinqon


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 18, 2024
Using a hostname at NodePort service strategy is allowed by the API but
the kubevirt provider breaks trying to check if it's an IPv4 or IPv6 to
populate a network policy. This change skips that network policy because
hostname would be an external address so no network policy is needed.

Signed-off-by: Enrique Llorente <[email protected]>
@qinqon qinqon force-pushed the kv-continue-on-hostname-nodeport-address branch from a604f8e to 4661fc0 Compare December 18, 2024 14:34
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 18, 2024

@davidvossel davidvossel left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 18, 2024
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 3fddc32 and 2 for PR HEAD 4661fc0 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 21fa1e5 and 1 for PR HEAD 4661fc0 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 19d3a67 and 0 for PR HEAD 4661fc0 in total


openshift-ci bot commented Dec 19, 2024

@qinqon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/okd-scos-e2e-aws-ovn | 4661fc0 | link | false | /test okd-scos-e2e-aws-ovn |


@openshift-merge-bot openshift-merge-bot bot merged commit ef4835d into openshift:main Dec 19, 2024
12 of 13 checks passed
@openshift-ci-robot

@qinqon: Jira Issue OCPBUGS-46529: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-46529 has been moved to the MODIFIED state.



qinqon commented Dec 19, 2024

/cherry-pick release-4.18

@openshift-cherrypick-robot

@qinqon: new pull request created: #5317

