OCPCLOUD-2980: add ingress/egress network policy #1387
@huali9: This pull request references OCPCLOUD-2951 which is a valid jira issue. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
- ports: | ||
- protocol: TCP | ||
port: 1 | ||
endPort: 65535 | ||
- ports: | ||
- protocol: UDP | ||
port: 5353 |
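Review bot: with `port: 1` and `endPort: 65535` and no `to:` peer shown, the TCP entry is an allow-all TCP egress rule, so the only egress this policy still blocks is UDP other than 5353 and non-TCP/UDP protocols. Either scope the TCP rule with a `to:` selector for the destinations the operator actually needs, or add a comment stating that the broad rule is intentional, so the next reader does not tighten it blindly and the UDP 5353 entry (cluster DNS) is recognisable as the one deliberate exception.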
Would it make sense to just allow all traffic to egress? What does the recommendations document suggest?
ingress: | ||
- ports: | ||
- protocol: TCP | ||
port: 8443 |
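Review bot: the ingress rule for TCP 8443 carries no `from:` peer in the snippet, so it admits connections from any pod in any namespace that can reach the listener. If 8443 is a metrics or webhook endpoint, restrict it with a `namespaceSelector` for the consumer (for metrics, the openshift-monitoring namespace) and add a comment naming the listener; the same port also appears in other policies in this PR and the reviewer could not tell from the manifest what it is for.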
This one is present in multiple policies, what's it for?
- ports: | ||
- protocol: TCP | ||
port: 8440 | ||
endPort: 8444 |
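Review bot: the 8440-8444 range already covers the separate single-port 8443 rule above. NetworkPolicy rules are ORed, so the overlap is harmless for enforcement, but it hides intent: either drop the single-port rule or put a comment on each range stating what listens on 8440-8444, so a reader can tell whether 8443 is the same service or a distinct one.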
Also includes 8443, third time now, I assume it's not an issue including a port multiple times, just curious why it's showing up so much
@@ -0,0 +1,16 @@ | |||
# Default deny all ingress and egress |
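Review bot: for a default-deny manifest the header comment is not what isolates the pod; the body must set `policyTypes: [Ingress, Egress]` explicitly and use an empty `podSelector: {}`. A policy that lists no egress rules but also omits Egress from policyTypes only isolates ingress, so please confirm both types are present in the 16 lines this hunk adds, and keep the file name aligned with the CAPI counterpart discussed in this thread.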
This looks different to @miyadav's one for CAPI, can we co-ordinate what is and isn't needed between the two PRs
I double checked @miyadav's PR openshift/cluster-capi-operator#325; this file install/0000_90_machine-api-operator_05_networkpolicy-default-deny.yaml looks similar to his manifests/0000_30_cluster-api_17_deny-all.yaml, but he added many comments. Do you mean it's different here?
Sorry, you're right, they are the same apart from naming and comments. Can we call these both default-deny? @miyadav would you be happy to update yours so the name is consistent with Huali's one?
Yes sure, thanks.
Thank you @JoelSpeed for your review. I addressed the comments on the Jira, because a table can be added there.
@huali9: This pull request references OCPCLOUD-2980 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/retest
This change looks like it's impacting our spot instance e2e tests, can you PTAL?
Yeah, thank you Joel, I'm checking that.
I found out the root cause of the case.
@huali9 Could the test suite be updated to create a network policy to allow this traffic? And then remove it once the test is complete?
Cool, good idea! Let me update that case. |
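The thread raises two questions a reader of these manifests has to answer by reasoning about NetworkPolicy semantics: whether listing port 8443 in several rules is a problem, and how a test can temporarily open traffic that the default-deny policy blocks and then close it again. The following Go program is an added example, not code from this PR or from machine-api-operator. It models only the port dimension of the Kubernetes evaluation rules (a pod is isolated for a direction as soon as one selecting policy names that direction in policyTypes; isolated traffic passes if any rule in any policy admits it; rules are ORed) and assumes every policy selects the pod under test and carries no `from`/`to` peer, which is what the snippets show. The policy names, the reconstructed manifests and the UDP 53 flow used for the temporary test policy are constructed for illustration; the page does not say which flow the spot-instance test actually needed.

```go
package main

import "fmt"

type Protocol string

const (
	TCP Protocol = "TCP"
	UDP Protocol = "UDP"
)

type Direction string

const (
	Ingress Direction = "Ingress"
	Egress  Direction = "Egress"
)

// PortRule is one entry under `ports:`; EndPort == 0 means a single port.
type PortRule struct {
	Protocol Protocol
	Port     int
	EndPort  int
}

// Rule is one `- ports:` item. Peer selectors are omitted on purpose: the
// snippets show none, which Kubernetes interprets as "any peer".
type Rule struct {
	Ports []PortRule // empty = all ports and protocols
}

// NetworkPolicy is the subset of the API object this evaluator models.
// Assumption: every policy in a slice selects the pod being evaluated.
type NetworkPolicy struct {
	Name        string
	PolicyTypes []Direction
	Ingress     []Rule
	Egress      []Rule
}

func (p PortRule) matches(proto Protocol, port int) bool {
	end := p.EndPort
	if end == 0 {
		end = p.Port
	}
	return p.Protocol == proto && port >= p.Port && port <= end
}

func (r Rule) allows(proto Protocol, port int) bool {
	if len(r.Ports) == 0 {
		return true // no ports listed: the rule admits everything
	}
	for _, p := range r.Ports {
		if p.matches(proto, port) {
			return true
		}
	}
	return false
}

func (np NetworkPolicy) appliesTo(dir Direction) bool {
	for _, t := range np.PolicyTypes {
		if t == dir {
			return true
		}
	}
	return false
}

// MatchingRules counts the rules across all policies that admit the flow.
// Rules are ORed, so a port listed twice is matched twice and still allowed.
func MatchingRules(policies []NetworkPolicy, dir Direction, proto Protocol, port int) int {
	n := 0
	for _, np := range policies {
		if !np.appliesTo(dir) {
			continue
		}
		rules := np.Ingress
		if dir == Egress {
			rules = np.Egress
		}
		for _, r := range rules {
			if r.allows(proto, port) {
				n++
			}
		}
	}
	return n
}

// Allowed applies the Kubernetes decision: not isolated means allowed,
// isolated means allowed only if at least one rule admits the flow.
func Allowed(policies []NetworkPolicy, dir Direction, proto Protocol, port int) bool {
	isolated := false
	for _, np := range policies {
		if np.appliesTo(dir) {
			isolated = true
		}
	}
	return !isolated || MatchingRules(policies, dir, proto, port) > 0
}

// ExamplePolicies reconstructs the default-deny file and the port rules
// quoted in the review; the allow policy's name is hypothetical.
func ExamplePolicies() []NetworkPolicy {
	defaultDeny := NetworkPolicy{Name: "default-deny", PolicyTypes: []Direction{Ingress, Egress}}
	allow := NetworkPolicy{
		Name:        "allow-operator-traffic",
		PolicyTypes: []Direction{Ingress, Egress},
		Ingress: []Rule{
			{Ports: []PortRule{{Protocol: TCP, Port: 8443}}},
			{Ports: []PortRule{{Protocol: TCP, Port: 8440, EndPort: 8444}}},
		},
		Egress: []Rule{
			{Ports: []PortRule{{Protocol: TCP, Port: 1, EndPort: 65535}}},
			{Ports: []PortRule{{Protocol: UDP, Port: 5353}}},
		},
	}
	return []NetworkPolicy{defaultDeny, allow}
}

// WithTemporaryPolicy mimics the e2e pattern proposed in the thread: add an
// allow policy for the duration of a test, then remove it. It returns the
// verdict while the policy exists and after it is gone.
func WithTemporaryPolicy(base []NetworkPolicy, tmp NetworkPolicy, dir Direction, proto Protocol, port int) (during, after bool) {
	during = Allowed(append(append([]NetworkPolicy{}, base...), tmp), dir, proto, port)
	after = Allowed(base, dir, proto, port)
	return during, after
}

func main() {
	ps := ExamplePolicies()
	fmt.Println("ingress TCP 8443 rules matched:", MatchingRules(ps, Ingress, TCP, 8443))
	fmt.Println("egress UDP 53 allowed:", Allowed(ps, Egress, UDP, 53))
	// Constructed test policy; the flow the real spot test needs is not on the page.
	tmp := NetworkPolicy{Name: "e2e-temp-allow", PolicyTypes: []Direction{Egress},
		Egress: []Rule{{Ports: []PortRule{{Protocol: UDP, Port: 53}}}}}
	during, after := WithTemporaryPolicy(ps, tmp, Egress, UDP, 53)
	fmt.Println("with test policy:", during, "after cleanup:", after)
}
```

Two things the run makes visible: TCP 8443 ingress is matched by two rules and is simply allowed, so the duplication the reviewer noticed costs nothing at enforcement time; and the default-deny policy alone blocks everything, which is why a test that needs a flow the allow policy does not cover must add its own policy and delete it afterwards, as the thread suggests. Against a real cluster the same create-then-delete pattern would go through the Kubernetes API with a deferred delete in the test body.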
/retest |
@huali9: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
No description provided.