CNF-8553: add a test for applying the firewall by the commatrix that created by the endpointslice and make sure that will not affect the behavior of the cluster #28935
Hi @aabughosh. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/ok-to-test
administrative:
content concerns:
/retest-required
/retest
Job Failure Risk Analysis for sha: 7b9c174
@aabughosh: This pull request references CNF-8553 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/retest
/retest-required
/retest
Job Failure Risk Analysis for sha: bc5f243
/retest
Job Failure Risk Analysis for sha: 378a78c
… the endpointslice and make sure that will not affect the behavior of the cluster Update apply_commatrix_firewall.go watchevents: add cert rotation events library-go emits events when cert rotation happens, these should be displayed as interesting events OCPBUGS-36672: Shorten stabilization time for etcd profiles test Revert "Revert "Fail on APIs removed in the next release"" This reverts commit 387f417. Move all ClusterVersion related invocations to common helpers Drop unnecessary check in mustgather test Fail on removed APIs based on cluster version Fix vSphereDriverConfiguration tests We no longer store vSphere configuration in a ConfigMap. IR-471: Add test for ChunkSizeMiB configuration for Registry egressfirewall: skip ping tests in case of hypershift kubevirt on Azure infra In case the cluster under test is an HCP/HyperShift cluster of the kubevirt provider, and the management cluster is running on Azure, ICMP responses from outside of the cluster to the guest cluster are getting blocked. Thus, skipping the ping tests in that case, in addition to the existing exception. Signed-off-by: Oren Cohen <ocohen@redhat.com> upkeep: add better logging for crio failures update the logging for workload partitioning to include namespace/pod/container when failures occur for cpu affinity Signed-off-by: ehila <ehila@redhat.com> rebase use the nft creater code and apply the nft file on nodes Aligned the code with the commatrix repo Delete raw-ss-udp update the generated file removing writing to file add rules to be available also after reboot nodes Update commatrix.go Update commatrix.go Update commatrix.go Update commatrix.go add list nft rules then save them in the node resolve comments Update zz_generated.annotations.go save to artifact update the commatrix code update test name run go mod vendor few updates to the get infra and resolve comments Update commatrix.go
update comatrix code
378a78c to bd5fb89
Job Failure Risk Analysis for sha: 094cbce
Job Failure Risk Analysis for sha: 12af59f
@aabughosh: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Job Failure Risk Analysis for sha: 019928f
) | ||
|
||
var _ = g.Describe("[sig-network][Feature:commatrix][Serial]", func() { | ||
g.It("should apply firewall by blocking all ports except the ones OCP is listening on", func() { |
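Review bot: the `g.Describe` string carries only `[Serial]`, while the `g.It` text says the test blocks all ports except the ones OCP is listening on, and nothing in these lines shows the rules being removed afterwards. Suggest adding a tag such as `[Disruptive]` so suites that exclude disruptive tests do not pick it up, and stating in the test body how the applied rules are cleaned up or why they are left in place.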
This leaves the cluster in a modified state after it runs; this will break tests that run after it that assume they can connect to random hostports, etc.
But obviously, just applying and then removing the rules wouldn't test much of anything either.
What we need is not a firewalling test case but rather a separate firewalling test job. As I suggested in the enhancement PR, I think the right procedure is:
- install the cluster
- apply the firewall
- upgrade
We probably want one job that does a "same-version" upgrade (ie, from the current release version to a fresh build that is basically identical but has a different version number), and eventually also have y-stream upgrade tests (where it would apply a firewall that allows everything needed by either release before doing the upgrade).
These should be periodics rather than being presubmits associated with any particular repo, because any component could potentially break things by adding a new port dependency.
And we shouldn't try to run openshift-tests as part of this job, because too much of it will randomly fail.
add a test for applying the firewall by the commatrix that created by the endpointslice and make sure that will not affect the behavior of the cluster
jira link https://issues.redhat.com/browse/CNF-8553
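
For reference, a sketch of the kind of allowlist the test name describes (drop TCP/UDP traffic to every port except those in the communication matrix), rendered as an nftables ruleset. This is an added example, not code from this PR or from the commatrix repo; `Entry`, `BuildRuleset`, the table name `example_commatrix` and the sample ports are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Entry is one row of a communication matrix (hypothetical shape, not the commatrix repo's type).
type Entry struct {
	Protocol string // "TCP" or "UDP"
	Port     int
}

// BuildRuleset renders an input-chain allowlist: listed ports pass, other TCP/UDP is dropped.
func BuildRuleset(entries []Entry) (string, error) {
	sorted := append([]Entry(nil), entries...) // do not reorder the caller's slice
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Port < sorted[j].Port })
	allow := map[string][]string{"tcp": nil, "udp": nil}
	for _, e := range sorted {
		proto := strings.ToLower(e.Protocol)
		if _, ok := allow[proto]; !ok || e.Port < 1 || e.Port > 65535 {
			return "", fmt.Errorf("unsupported entry %s/%d", e.Protocol, e.Port)
		}
		// Ports arrive in ascending order, so a duplicate is always the last one added.
		s := strconv.Itoa(e.Port)
		if n := len(allow[proto]); n == 0 || allow[proto][n-1] != s {
			allow[proto] = append(allow[proto], s)
		}
	}
	var b strings.Builder
	b.WriteString("table inet example_commatrix {\n  chain input {\n")
	b.WriteString("    type filter hook input priority 0; policy accept;\n")
	// Loopback and replies to node-initiated connections must pass before the drop.
	b.WriteString("    iif \"lo\" accept\n    ct state established,related accept\n")
	for _, proto := range []string{"tcp", "udp"} {
		if len(allow[proto]) > 0 {
			fmt.Fprintf(&b, "    %s dport { %s } accept\n", proto, strings.Join(allow[proto], ", "))
		}
	}
	b.WriteString("    meta l4proto { tcp, udp } drop\n  }\n}\n")
	return b.String(), nil
}

func main() {
	// Constructed sample matrix; a real one would be derived from the cluster's EndpointSlices.
	fmt.Println(BuildRuleset([]Entry{{"TCP", 6443}, {"TCP", 22}, {"UDP", 6081}, {"TCP", 6443}}))
}
```

The generated text is only a ruleset file; whether it is safe to load depends on the matrix being complete for the release under test, which is the point of the upgrade job discussed above.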