[WIP] Refactor: Simplify ACL rule to use positive matching #2765
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: venkataanil. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test
@jtaleric: The following commands are available to trigger optional jobs: Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
As using "!=" in ACL matches potentially causes a lot of OpenFlow rules
to be created by ovn-controller, we want to avoid using negative
exclusion (!=) in OVN ACL for IPBlock.exclude fields.
- Use IPSetBuilder API to build the allowed CIDR by excluding
  IPBlock.except
- Then union of these allowed CIDRs will be done to get minimal CIDR
  ranges, which will be joined into brace-delimited lists for ACL L3
  matches (e.g., ip4.src == {p1, p2}).
- This reduces ACL churn by emitting a single match per IP family
  when possible.
- This path maintains Kubernetes NetworkPolicy union semantics.
TODO: Need to fix the unit tests. Also please ignore my previous
commit where I tried with "drop" rules.
Signed-off-by: venkataanil <[email protected]>
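The positive-matching approach described in the commit message, as an added example that is not the PR's code: instead of the IPSetBuilder API, it uses only the standard library (net/netip) to split a CIDR around its IPBlock.except entries into the minimal set of allowed prefixes, then renders them as one brace-delimited L3 match. The function names and the sample CIDRs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// upperHalf returns the second half of p when it is split one bit longer.
func upperHalf(p netip.Prefix) netip.Prefix {
	b := p.Bits()
	if p.Addr().Is4() {
		b += 96 // IPv4 occupies the last 4 bytes of the 16-byte form
	}
	a := p.Addr().As16()
	a[b/8] |= 0x80 >> (b % 8)
	return netip.PrefixFrom(netip.AddrFrom16(a).Unmap(), p.Bits()+1)
}

// excludePrefixes returns the minimal ascending list of prefixes covering cidr
// minus every prefix in except: drop, keep whole, or split and recurse.
func excludePrefixes(cidr netip.Prefix, except []netip.Prefix) []netip.Prefix {
	cidr = cidr.Masked()
	split := false
	for _, e := range except {
		e = e.Masked()
		if e.Bits() <= cidr.Bits() && e.Contains(cidr.Addr()) {
			return nil // cidr lies entirely inside an exception
		}
		split = split || cidr.Contains(e.Addr()) // exception strictly inside cidr
	}
	if !split {
		return []netip.Prefix{cidr} // touches no exception: keep whole
	}
	lo := netip.PrefixFrom(cidr.Addr(), cidr.Bits()+1)
	return append(excludePrefixes(lo, except), excludePrefixes(upperHalf(cidr), except)...)
}

// aclMatch renders the allowed prefixes as one brace-delimited OVN L3 match.
func aclMatch(field string, prefixes []netip.Prefix) string {
	parts := make([]string, len(prefixes))
	for i, p := range prefixes {
		parts[i] = p.String()
	}
	return fmt.Sprintf("%s == {%s}", field, strings.Join(parts, ", "))
}
func main() { // constructed sample: allow 10.0.0.0/8 except 10.1.0.0/16
	except := []netip.Prefix{netip.MustParsePrefix("10.1.0.0/16")}
	fmt.Println(aclMatch("ip4.src", excludePrefixes(netip.MustParsePrefix("10.0.0.0/8"), except)))
}
```

For the sample input this yields eight positive prefixes in a single `ip4.src == {...}` match, which is the form the PR prefers over an `!=` exclusion.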
db76f3e to c926772
/test qe-perfscale-aws-ovn-small-udn-density-churn-l3
/test images
@venkataanil: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
This is a D/S PR for perf testing.
Ref: ovn-kubernetes/ovn-kubernetes#5589