netpol: fix duplicate default drop acl #3197

Merged
merged 1 commit into from
Sep 11, 2023

zhangzujian
Member

@zhangzujian zhangzujian commented Sep 11, 2023

What type of PR is this

  • Bug fixes

Which issue(s) this PR fixes:

E0911 06:23:53.500514       1 ovn-nb-acl.go:599] more than one acl with same 'parent np.1.kube.system direction from-lport priority 2000 match inport == @np.1.kube.system && ip4'
E0911 06:23:53.500571       1 network_policy.go:500] failed to set egress acl log for np kube-system/np-1, more than one acl with same 'parent np.1.kube.system direction from-lport priority 2000 match inport == @np.1.kube.system && ip4'

WHAT

🤖 Generated by Copilot at 8b3a751

Fix a bug that caused unnecessary default drop rules for network policies with no ports or selectors. Refactor the address set name format and update the unit tests accordingly. Improve the performance and readability of the ACL allow rules functions.

There once was a bug in the code
That made default drop rules explode
But with nil and a suffix
The logic got fixed
And the network policies flowed

HOW

  • Avoid creating duplicate default drop rules for port groups when network policy has no pod or namespace selector
  • Replace empty slice with nil for port argument in UpdateIngressACLOps and UpdateEgressACLOps functions
  • Update test cases for UpdateIngressACLOps and UpdateEgressACLOps functions

Signed-off-by: 张祖建 <zhangzujian.7@gmail.com>
zhangzujian marked this pull request as ready for review September 11, 2023 06:24
zhangzujian merged commit 2cba74b into kubeovn:master Sep 11, 2023
zhangzujian deleted the fix-duplicate-acl branch September 11, 2023 07:03
zhangzujian added a commit that referenced this pull request Sep 11, 2023
Signed-off-by: 张祖建 <zhangzujian.7@gmail.com>
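
The log in the description reports more than one ACL sharing the same parent, direction, priority and match. The following Go code is an added example, not kube-ovn's code and not the change made in this PR: the `ACL` type and the `FindACL`, `AddOnce` and `SampleDrop` names are hypothetical, and the sample values are copied from the log line. It reproduces the ambiguous lookup for a default drop rule that was created twice, and shows a keyed guard that makes creation idempotent.

```go
package main

import "fmt"

// ACL is a hypothetical, simplified stand-in for an OVN ACL row (not kube-ovn's type).
type ACL struct {
	Parent, Direction, Match string
	Priority                 int
}

// Key is the identifying tuple quoted in the error message.
func (a ACL) Key() string {
	return fmt.Sprintf("parent %s direction %s priority %d match %s", a.Parent, a.Direction, a.Priority, a.Match)
}

// FindACL returns the single ACL matching want, nil if none exists,
// and an error when the key is ambiguous (the condition seen in the log).
func FindACL(acls []ACL, want ACL) (*ACL, error) {
	var found *ACL
	for i := range acls {
		if acls[i].Key() != want.Key() {
			continue
		}
		if found != nil {
			return nil, fmt.Errorf("more than one acl with same '%s'", want.Key())
		}
		found = &acls[i]
	}
	return found, nil
}

// AddOnce appends acl only when no ACL with the same key is already present.
func AddOnce(acls []ACL, acl ACL) []ACL {
	for _, a := range acls {
		if a.Key() == acl.Key() {
			return acls
		}
	}
	return append(acls, acl)
}

// SampleDrop is a constructed default drop ACL using the values from the log line.
func SampleDrop() ACL {
	return ACL{Parent: "np.1.kube.system", Direction: "from-lport", Match: "inport == @np.1.kube.system && ip4", Priority: 2000}
}

func main() {
	d := SampleDrop()
	_, err := FindACL([]ACL{d, d}, d) // the same rule created twice
	fmt.Println(err, len(AddOnce(AddOnce(nil, d), d)))
}
```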