Thursday, 2019-03-28

« Wednesday, 2019-03-27 Index Friday, 2019-03-29 »
*** hongbin has joined #openstack-kuryr00:18
*** celebdor has quit IRC01:37
*** rh-jelabarre has quit IRC02:25
*** kmadac4 has joined #openstack-kuryr03:01
*** kmadac3 has quit IRC03:04
*** hongbin has quit IRC03:28
*** janki has joined #openstack-kuryr04:41
*** premsankar has quit IRC05:11
*** gcheresh has joined #openstack-kuryr06:08
*** gcheresh has quit IRC06:50
*** gcheresh has joined #openstack-kuryr06:56
*** ccamposr has joined #openstack-kuryr07:00
*** maysams has quit IRC07:14
*** pcaruana has joined #openstack-kuryr07:20
*** yboaron_ has joined #openstack-kuryr07:22
*** celebdor has joined #openstack-kuryr08:04
aperevalov_Hi, I told about definition of VF used by SRIOVDP, now it's more clear we need to obtain pciaddress, and seems to be it's possible to do by obtaining pod Resources08:11
aperevalov_https://godoc.org/k8s.io/kubernetes/pkg/kubelet/apis/podresources08:11
aperevalov_How do you think is K8sClient proper place to implement this request?08:12
*** maysams has joined #openstack-kuryr08:18
dulekaperevalov_: Is it a simple get? Then you have everything you need there.09:04
aperevalov_dulek, it's grpc, but yes just get, but on the other dedicated socket unix:/var/lib/kubelet/pod-resources/kubelet.sock. We think it's missed in public API.09:09
*** oanson has quit IRC09:10
*** snapiri has quit IRC09:10
dulekaperevalov_: Ah, okay. If it's grcp, can you create a new client class?09:12
dulekaperevalov_: I'm asking because we plan to use grcp for kuryr-cni->kuryr-daemon communication in the future.09:12
dulekaperevalov_: So it'll be useful to have it in another entity.09:13
dulekaperevalov_: How stable are those GRCP API's?09:13
aperevalov_it appeared in k8s 1.13 and by default it's disabled, API in v1alpha1 version. So it's not stable in time yet.09:14
aperevalov_it mostly used by prometheus09:15
*** snapiri has joined #openstack-kuryr09:18
*** shachar has joined #openstack-kuryr09:21
*** snapiri has quit IRC09:22
openstackgerritMerged openstack/kuryr-kubernetes master: Update master for stable/stein  https://review.openstack.org/64821009:23
*** oanson has joined #openstack-kuryr09:41
openstackgerritDaniel Mellado proposed openstack/kuryr-kubernetes master: Add ipBlock support to NP  https://review.openstack.org/64513909:45
dulekaperevalov_: Ah, okay then - if it's used by an outside project, then it'll be more-or-less stable.10:19
dulekSo it's totally fine you'll use it. :)10:19
dulekdmellado, ltomasbo: I fixed https://review.openstack.org/#/c/648209/ updating the upper-req links in Dockerfiles as well..10:52
ltomasbodulek, great! thanks!10:52
openstackgerritDaniel Mellado proposed openstack/kuryr-kubernetes master: Add support for text ports on Network Policy Spec  https://review.openstack.org/64308011:06
*** janki has quit IRC11:18
openstackgerritMaysa de Macedo Souza proposed openstack/kuryr-kubernetes master: Add support for text ports on Network Policy Spec  https://review.openstack.org/64308011:40
maysamsltomasbo, dmellado: I've updated it to cover more cases ^11:42
dmelladomaysams: did you see my rebase?11:42
dmelladonope, looks like you didn't xD11:43
maysamsdulek: When you have some free time could you run the upstream tests again with my ps applied?11:43
dmelladoplease get PS 10 and reapply your changes onto it11:43
dmelladomaysams: ^^11:43
maysamsdmellado: No, I did not see it yet11:43
dmelladomaysams: check PS10 from your patch11:43
dulekmaysams: Sure, but it'll take a moment as I'll need to recreate the env.11:43
*** janki has joined #openstack-kuryr11:43
dmelladohttps://review.openstack.org/#/c/643080/10..11/kuryr_kubernetes/controller/drivers/network_policy.py11:44
dmelladoi.e.11:44
maysamsdmellado: oh god, I did not see it at all11:44
dmelladomaysams: please reapply that as well as your new changes ;)11:44
dmelladoand ping me if there's anything that would block you11:45
dmelladothanks!11:45
maysamsdmellado: I will do it after lunch. Sorry for that11:45
dmelladono worries!11:45
*** rh-jelabarre has joined #openstack-kuryr12:01
dulekdmellado: Why is https://review.openstack.org/#/c/648209/ not necessary?12:06
*** celebdor has quit IRC12:41
*** celebdor has joined #openstack-kuryr12:50
dmelladodulek: I already created the stable branch and thought this was duplicated, but hold on13:18
dmelladoyep13:18
dmelladonot necessary IIUC13:18
dmelladohttps://github.com/openstack/requirements/tree/stable/stein13:18
dmelladorequirements has already a stable/stein branch so stable/stein kuryr will be matched against it13:19
dmelladobut I missed the dockerfile, would you mind amending a change to that that would only change the dockerfiles?13:19
dmelladothanks!13:19
dulekdmellado: It changes the tox envs to point to stable/stein upper-reqs from openstack/requirements.13:27
dulekhttps://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt will always point to master.13:27
dulekhttps://releases.openstack.org/constraints/upper/stein will point to stein.13:27
dulekdmellado: So IMO it doesn't matter if openstack/requirements are branched or not.13:29
dulekmaysams: The env is stacking. BTW - you can try to run those yourself actually.13:33
dulekNot sure why I thought of that only now. :P13:33
dulekmaysams: It's just `go get k8s.io/test-infra/kubetest && export PATH=$PATH:${HOME}/go/bin && kubetest --extract=${KUBETEST_VERSION} --provider=local --test --test_args="--ginkgo.focus=\[${KUBETEST_FOCUS}\]"`13:34
maysamsdulek: really? but this is going to run all the tests right?14:04
dulekmaysams: Ah, right, just a sec.14:05
dulekmaysams:  kubetest --test --test_args='--ginkgo.focus="should allow egress access on one named port \[Feature:NetworkPolicy\]"' --provider=local14:05
dulekmaysams: This way you only run one.14:05
maysamsnice, thanks dulek!14:08
maysamsdmellado: ping14:23
dmelladomaysams: pong, in a meeting but shoot and I'll reply asap14:25
maysamsdmellado: I was taking a look in your ps, we cannot rebase as is. We need to agree on how to handle the _parse_selectors function14:37
maysamsdmellado: note in that function that instead of returning the cidr and namespace of each selected resource, I changed to return the resource itself14:40
*** yboaron_ has quit IRC14:44
maysamsdmellado: so we would need to rework you ps or mine. Let me know what do you think14:44
maysamss/you/your14:45
maysamsdulek: Are you still going to run the test on your env? Just remembered you have OVN enabled14:48
maysamsmine is with Octavia14:49
dulekmaysams: Sure, but you'll need to decide which patchset I should take. :D14:49
maysamsXD14:49
maysamsdulek: the last one here https://review.openstack.org/#/c/643080/14:49
dmelladomaysams: well, I worked that around so I'm returning cidr/namespace only in that case as I'm parsing from the policy spec14:58
dmelladoIMHO it'd be cool with that, but feel free to send a PS if you'd prefer to redo anything14:59
dmelladoor comment there on mine/your patch and I'll be taking a look14:59
dmelladoI still have hours of meetings, sorry xD14:59
maysamsdmellado: right, I will leave a few comments regarding that and a few other things15:00
maysamsdmellado: Thanks, and sorry for disturbing you15:01
dmelladomaysams: no worries!15:01
dmelladofeel free to ping me in any case, and I'll reply whenever I can15:01
dmelladoI'm fine with async communication xD15:01
dmelladobut if there's something you'd rather discuss IRL let me know and we'll do a quick bluejeans15:01
*** yboaron_ has joined #openstack-kuryr15:05
dulekmaysams: Mar 28 15:51:36.173: Pod client-a should be able to connect to service svc-server, but was not able to connect.15:52
maysamswhaaat15:52
dulekmaysams: What should I check?15:55
maysamsdulek: would you mind sharing the sg applied on the client pod?15:55
dulekThough it might be easier for you to setup OVN's DevStack. :P15:55
dulekmaysams: Hm, okay, so one more run…15:56
maysamsdulek: true. Could you share the local.conf with me?15:56
dulekmaysams: Were we running the ingress or egress test last time?15:57
maysamsegress15:57
dulekOkay, so this one's the same, good.15:58
dulekmaysams: https://paste.fedoraproject.org/paste/Up6qLScZlPhgLTmBIscGyg15:58
dulekmaysams: Just remember that you need that specific version of networking-ovn.15:59
*** yboaron_ has quit IRC15:59
*** yboaron_ has joined #openstack-kuryr16:00
dulekmaysams: Here's the SG on client-a: https://paste.fedoraproject.org/paste/4Cg3JmnhznC1ybNNVKHU7Q16:01
dulekIngress on 10.1.0.128/26 looks cool, right?16:01
dulekAh, wait, that's client. :P16:02
*** premsankar has joined #openstack-kuryr16:03
maysamsdulek: well, the correct egress rule was created16:03
dulekYep, let's look deeper: https://paste.fedoraproject.org/paste/R~rdwVw3GqIs8SjgPiRBAQ16:04
dulekThis is LB's port.16:04
dulekIt allows anything ingress on 80 and 81, which is fine, right?16:04
maysamstotally fine16:04
maysamsthe problem seems to be with the egress default rules16:04
maysamsin the client16:04
maysamsif you remove them I have a filling it will work16:05
dulekmaysams: I don't think it's the cause.16:06
dulekmaysams: See the server: https://paste.fedoraproject.org/paste/HdvWYbH7~g3Lxo35o-N8YQ/16:06
dulekmaysams: It's the SG of server port. I'm skipping the default ones.16:06
dulekSee? It's not having anything that will allow connections from client-a.16:06
*** janki has quit IRC16:07
maysamswhich subnet is that 10.1.0.64/26 ?16:07
maysamssvc?16:07
dulekAh, I see, just a second…16:07
dulekmaysams: Heh, what if I say neither? :D16:08
maysamsdulek: xD which one then?16:09
dulekmaysams: Okay, that is set as k8s-pod-subnet.16:10
dulekBut I don't think I use it - it's env with subnet-per-namespace, right?16:10
dulekmaysams: Pod subnets are at 10.1.0.0/22.16:10
dulekThis might be it!16:11
dulekYes, pod_subnet is set, although it's never used.16:11
dulekmaysams: So for some reason pod_subnet CIDR's was taken and set as ingress part here. Now - why?16:15
maysamsdulek: When a pod is not selected by a NP, which is the case for the server, we apply the default pod sg16:17
dulekmaysams: This one is octavia_pod_access.16:18
dulekltomasbo: Ping?16:19
ltomasbodulek, pong16:19
dulekltomasbo: What's the purpose of octavia_pod_access?16:19
dulekSG16:19
ltomasbolet me remember that...16:20
dulekmaysams: You're right, it's one of SG's on [neutron_defaults]pod_security_groups.16:21
ltomasboI think it was for octavia L2 mode16:21
ltomasbodulek, ^^16:21
dulekltomasbo: Hm, so we're not looking in a correct direction, I guess.16:22
maysamsdulek: the problem might be, because there is no ingress rule in the po server allowing traffic from the SVC subnet16:22
ltomasbodulek, sorry I was not following the conversation...16:23
ltomasbodulek, https://github.com/openstack/kuryr-kubernetes/blob/master/devstack/plugin.sh#L347-L35216:23
dulekOh crap, I'm actually using the L2 mode!16:24
dulekFor the OVN stuff.16:24
dulekltomasbo: We're debugging why on OVN one test of usptream k82 e2e NP tests is failing.16:24
ltomasbodulek, ok, for OVN it may actually be a bit different16:24
ltomasbofailing as in not blocking traffic?16:24
dulekIt's blocking the one that should go through.16:25
ltomasboor as in, the traffic is not reaching there when it should?16:25
ltomasbook, ovn L2 is actually a bit different16:25
ltomasboas octavia_pod_access is only needed for amphoras16:25
dulekltomasbo: Everything is fine on client's port, on LB port and there's no correct ingress rule on the server.16:25
dulekserver pod port.16:25
dulekltomasbo: So one bug is that we put wrong CIDR there when running with namespace driver.16:26
dulekltomasbo: With subnet this: https://github.com/openstack/kuryr-kubernetes/blob/3e3ed9dbb31133b5175ff792a9636603b2df95e1/devstack/plugin.sh#L36516:26
dulekltomasbo: Should have CIDR of the subnetpool, isn't it?16:26
ltomasbodulek, umm... not sure actually... let me think16:27
dulekmaysams: I saw your comment, I think it depends if traffic is marked as originating from LB or from the source pod. :P16:27
ltomasbodulek, problem is, that I think that rule should not be there in case of namespace isolation16:30
ltomasboif we put all the subnetpool, then we break isolation, right?16:31
dulekltomasbo: Uhm, fair point… Okay, let's put it aside then.16:31
dulekltomasbo: It's only opening more and in our case we have too little open. :P16:31
ltomasbodulek, but yep, we need to think about it... and how we have it working...16:32
dulekltomasbo, maysams: So what's supposed to open an SG on loadbalancer listeners?16:32
ltomasbodulek, just to be on track16:32
ltomasbodulek, you are trying NPs16:32
dulekBecause clearly it shouldn't be on default. :D16:32
dulekltomasbo: Yep!16:32
ltomasbodulek, with ovn base deployment, right?16:32
ltomasboand with ovn-provider for lbs?16:33
dulekltomasbo: Yes. With L2, apparently.16:33
dulekYes!16:33
ltomasbook, and you are trying to curl16:33
ltomasbopodA -> serviceB -> podB16:33
maysamsyup16:33
ltomasboand network policy must allow that traffic?16:33
ltomasbosince there is an ingress policy enabling traffic on podB?16:34
dulekltomasbo: Uh, apparently yes - that's how test is built.16:34
dulekLet me find it…16:34
dulek(did we simply misunderstood the NP spec?)16:34
ltomasbocan you paste the spec?16:35
maysamshow?16:35
dulekltomasbo: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/network/network_policy.go#L314-L35616:35
dulekBy spec I mean the K8s document describing the feature.16:36
dulekSo probably this: https://kubernetes.io/docs/concepts/services-networking/network-policies/16:36
ltomasbodulek, good enough! xD\16:36
ltomasbodulek, ahh, that is egress!16:36
ltomasbothat is not tested... so probably we are not generating the right SG group...16:37
dulekltomasbo: Yes, it's egress. And client-a has correct egress rules applied.16:37
ltomasboon podA16:37
ltomasbodulek, what about ingress?16:38
ltomasboon podA?16:38
dulekltomasbo: Nope, it's fine: https://paste.fedoraproject.org/paste/4Cg3JmnhznC1ybNNVKHU7Q16:38
ltomasboit is allowed?16:38
dulekltomasbo: This is podA a.k.a client-a in the test.16:38
maysamsltomasbo: it's not accepting ingress from the svc subnet only po subnet16:38
ltomasbo10.1.0/128/26 is service CIDR?16:39
dulekltomasbo: This looks nice: direction='egress', ethertype='IPv4', id='6ad62b4f-f802-4cab-a717-c66e86297787', port_range_max='80', port_range_min='80', protocol='tcp', updated_at='2019-03-28T15:58:51Z'16:39
dulekltomasbo: Yes.16:39
ltomasboso, perhaps with ovn-provider, the reply is with destination pod IP16:40
ltomasboor, you are hitting the bug for the neutron SG rules not being properly managed...16:40
ltomasbothought that should be on ml2/ovs not ovn (I hope)16:41
ltomasbowith tcpdump, can you check the destination pod receives and reply to traffic?16:41
maysamsltomasbo: Do you think this is correct? This is SG applied on the Server pod https://paste.fedoraproject.org/paste/HdvWYbH7~g3Lxo35o-N8YQ16:42
dulekltomasbo, maysams: Let's take a step back, okay?16:42
ltomasboserver pod?16:42
dulekltomasbo: So what we want to do is to do client-a -> LB -> server16:42
ltomasbodulek, got it!16:43
dulekltomasbo: client-a, as you can see, has egress everywhere due to default rules, so no problem.16:43
dulekThis is client-a https://paste.fedoraproject.org/paste/4Cg3JmnhznC1ybNNVKHU7Q16:43
ltomasbodulek, I dont see everywhere16:44
ltomasbobut port 8016:44
ltomasbo(and 53)16:44
ltomasboahh, you mean any destination... ok16:44
dulekltomasbo: And SG rule aba4221a-74d8-403f-9e4a-baed9304501e?16:44
ltomasboahh, true16:44
dulekltomasbo: :)16:45
ltomasbook, next16:45
ltomasbowhat SGs are on the lbs?16:45
dulekltomasbo: Now let me just ask - to receive the response it doesn't need a corresponding ingress rule, right?16:45
dulekLB: https://paste.fedoraproject.org/paste/R~rdwVw3GqIs8SjgPiRBAQ16:45
dulekSeems good, correct ingress rules are there.16:45
dulekRight?16:46
ltomasboyep, allowing port 80 and 8116:46
dulekltomasbo: So now this is the server pod: https://paste.fedoraproject.org/paste/HdvWYbH7~g3Lxo35o-N8YQ16:46
dulekltomasbo: Ah, and just a sec, there's a second rule.16:46
dulekltomasbo: https://paste.fedoraproject.org/paste/ki-BJxYL92StgynHptgyig/16:47
dulekSo server pod has those two. We can ignore the first one, it's octavia_pod_access, we assume it shouldn't really be there.16:48
dulekltomasbo: So we're only left with the default there. Which doesn't allow ingress from the outside.16:48
dulekltomasbo: And client-a and LB has no default rule applied.16:48
dulekWhich seems to make sense, isn't it?16:48
ltomasboumm, ok16:49
ltomasbowhat sg is 34faaab2-0fd0-460a-8ecd-027da62cd1bc16:49
dulekltomasbo: It's pointing to itself. :P16:49
ltomasbook, I think I got it now16:50
ltomasbowithout namespaces, connectivity is ensure by adding the same sg to all the pods, rights?16:50
ltomasbonow, we are removing those on some pods (for the egress) and not in the others (no ingress)16:50
dulekltomasbo: Yeaaah, I think so.16:50
dulekltomasbo: Yes, but hold a second.16:50
dulekltomasbo, maysams: Now my point is, do we think that our behavior is correct here, as server pod has no ingress NP?16:51
ltomasboshouldn't we have a default SG being applied? that allows everything?16:51
dulekltomasbo: Where?16:51
maysamsdulek: in the server pod16:51
maysamsI think16:52
ltomasbono, I think the accepted behavior is that, unless a NP is pointing to it, it should be open16:52
maysamsright16:52
dulekOoooh…16:52
dulekThat's missing, isn't it?16:52
dulek:D16:52
ltomasbodulek, but we are creating this SG on devstack, right?16:52
*** ccamposr has quit IRC16:52
dulekltomasbo: Let me check what's on my env.16:52
ltomasboit will be as simple as changing it by open ingress for everything, right?16:53
ltomasbothat should not be used for namespace isolation (the default sg)16:53
dulekltomasbo: Yes, it would be.16:53
ltomasboand once the NP is applied, it should be removed16:53
dulekltomasbo: So I don't have any allow-all SG in my env…16:53
ltomasbodulek, yep, instead of allow all, it seems we had that sg that allows from himself, right?16:54
dulekltomasbo: Yes, but see, that's the default SG, created by OpenStack, not us.16:55
ltomasboahh, and why are we using that one?16:55
ltomasboprobably that is why it is different from openshift-ansible?16:55
dulekltomasbo: Well, I don't know. :D Looking at DevStack at the moment.16:55
dulekltomasbo: It is different from openshfit-ansible in what sense?16:56
ltomasbohttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_openstack/templates/heat_stack.yaml.j2#L45916:57
ltomasbodulek, ^^ in the sense we are creating the default sg group and rules16:58
dulekHey, dmellado, still here?16:59
dmelladohey dulek, in meetings, but still around, what's up?16:59
dulekdmellado: In the initial NP implementation - what was ensuring that pods with any NP's applied have free-for-all access?17:00
dulekdmellado: Was that only the groups from pod_security_groups?17:00
dulekltomasbo: Ah, sorry, missed your message due to disconnection. Yes, you're right. :)17:01
dmelladodulek, if you mean the initial that we implemented yeah. The huawei's patches are actually a different story. I'm actually rewriting the whole devref, but you can still see17:02
ltomasbodulek, https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_openstack/templates/heat_stack.yaml.j2#L489-L49217:02
dmelladoit there on the queens blueprint, if you're interested17:02
ltomasbodulek, though I'm not sure if we are creating the same time of sg anyway...17:02
dmelladoI'll submit a patch with the new devref soon17:02
dulekdmellado: Okay, thanks…17:03
dmelladodulek: what would you need that for?17:04
dulekdmellado: We're debugging an issue here, that pods without any SG's applied aren't really having everything open.17:04
dulekltomasbo, maysams: IMO the correct behavior for DevStack is to create an allow-all SG and add it to pod_security_groups if policy SG driver is enabled.17:04
dulekDo you think this makes sense?17:05
dmelladodulek: you mean you'd like a default-open?17:05
dmelladoI'd rather do the opposite, tbh17:05
ltomasbodulek, but, remove NP and namespace isolation from the equation17:05
ltomasbodulek, what was enabling the traffic between pods before? that we were creating a SG that allows the traffic between pods with the same sg?17:06
dulekdmellado: Then we wouldn't match how NP's are defined in K8s.17:06
dmelladodulek: should you need that you could just use this17:06
dmelladohttps://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-ingress-traffic17:06
ltomasbodulek, I guess we need to simply change that, so that all ingress is allowed instead17:06
dulekltomasbo: Without policy all the pods were in the same default SG, so they had connection.17:06
ltomasbodulek, just insttead of remote_group_id, remote_cidr 0.0.0.0/017:06
maysamsltomasbo +117:07
maysamsthat makes sense17:07
dmelladoltomasbo: dulek we could just have devstack apply that policy17:07
dmelladoonce we create that with policy17:07
dulekltomasbo: Yes, but I'd rather not touch a DevStack-created default SG and just create my own.17:07
dulekltomasbo: In the DevStack plugin.17:07
ltomasbodulek, and now we can simply change that rule so taht it doesn't depend on the other ports having the same SG17:07
ltomasbodulek, no no, but we can simply create an extra one17:07
ltomasbodefault-kuryr-sg17:07
ltomasboand then tell kuryr-config to use tthat one instead of the devstack default one17:08
dulekltomasbo: That's my point exactly.17:08
dulekltomasbo: Yep!17:08
dmelladodulek: yeah, please don't touch the default devstack one17:08
dmelladoI'd rather implement that on our plugin as you folks suggest17:08
ltomasbogreat! so we all agree xD17:08
maysams:)17:09
ltomasboanyway, dulek perhaps you can quickly try to change that in your env17:09
ltomasbojust switch that rule, and see if actually is fixing the problem17:09
dulekdmellado: And sorry, I don't understand that allow-all NP. :P17:09
* dmellado in meetings where they're speaking about synergies17:10
dulekdmellado: Unless the expected default behavior for pods without any NP is not "allow-all". :P17:10
dulekltomasbo: Okay, give me a sec.17:10
dmelladodulek: no worries, we can just use that default-sg and match the default behavior in a cleaner way17:10
dulekmaysams: Okay, running that test again with modified default SG.17:13
maysamsnice, let's see17:13
dmelladodulek: any issue besides that on the tests?17:13
dulekdmellado: That was the last one failing. :D17:14
dmelladogreat news17:14
dulekmaysams: Sorry. xD17:17
dulekPod client-a should not be able to connect to service svc-server, but was able to connect.17:18
dulek    Pod logs:17:18
dulek    svc-server.network-policy-5443 (10.1.0.147:81) open17:18
dulekNow it complains about allowing on port 81. I'll see why this happens.17:18
maysamsdulek: remove the default egress rules17:18
maysamsdulek: from the client, pls17:18
maysamsit might be that17:18
dulekmaysams: We add them to any NP SG?17:19
dulekSeems to make sense, let's see if I'll be able to kill the test before namespace is destroyed. :P17:19
maysamsno, but when a new sg is created it automatically generates default egress, if I'm not mistaken17:20
dulekmaysams: Oh crap. Can we somehow prevent it?17:20
ltomasbodulek, I'm checking the code in openshift-ansible... and I see the same type of SG being attached to t he pods... not sure how this was working... perhaps it just happen when combining egress and ingress17:20
maysamsdulek: I'm not sure, we can always remove it.17:20
ltomasboand it is happening there too17:20
maysamsdulek: as we were not testing egress behavior, we didn't see it before(the default rules). But we also need to add the removal of those rules17:23
dulekmaysams: Yep, those are the rules allowing it. :)17:24
dulekmaysams: I'll take a look how those are created.17:24
maysamsdulek: niceee!! so, all green with the tests?17:25
dulekmaysams: I can't really do the run, as deleting the rules would need to be implemented in Kuryr. :P17:26
dulekmaysams: Here's how terraform deals with this https://github.com/hashicorp/terraform/pull/11466/files17:26
maysamsdulek: I can also take a look on how to remove them when a NP is applied17:29
dulekmaysams: Just remove it here: https://github.com/openstack/kuryr-kubernetes/blob/02b51775a4c385badaf9e22965fe19889516406a/kuryr_kubernetes/controller/drivers/network_policy.py#L168 ? :P17:30
maysamsdulek, yup! that works17:30
dulekmaysams: Fair enough. :) Do you want to work on both those patches or should I take any?17:32
ltomasbodulek, there is a method to add some default needed rules at line 12317:32
ltomasbodulek, perhaps you can add them the egress removal17:32
maysamsyup, go for it17:32
ltomasbodulek, problem is... you still need those rules if there is no egress rules at the NP, right?17:33
dulekltomasbo: Hm…17:34
dulekltomasbo: This is okay IMO. Those default rules created by us are only ingress.17:36
*** gcheresh has quit IRC17:36
*** gcheresh has joined #openstack-kuryr17:45
*** maysams has quit IRC17:57
openstackgerritMichał Dulko proposed openstack/kuryr-kubernetes master: NP: Create allow-all SG and add it to pod SG's  https://review.openstack.org/64848818:05
*** celebdor has quit IRC18:23
openstackgerritMichał Dulko proposed openstack/kuryr-kubernetes master: NP: Delete default egress rules  https://review.openstack.org/64849718:24
*** gcheresh has quit IRC18:31
*** pcaruana has quit IRC20:08
*** openstackgerrit has quit IRC21:07
« Wednesday, 2019-03-27 Index Friday, 2019-03-29 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!