Bug 1876376

Summary: [DOC] How long does it take to update dnsName of EgressNetworkPolicy settings
Product: OpenShift Container Platform
Reporter: checheng
Component: Documentation
Assignee: Mike McKiernan <mmckiern>
Status: CLOSED CURRENTRELEASE
QA Contact: huirwang
Severity: unspecified
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: unspecified
CC: aos-bugs, jboxman, jdesousa, jokerman, jtanenba, mmckiern, zzhao
Last Closed: 2021-03-29 15:05:12 UTC
Type: Bug

Description checheng 2020-09-07 06:38:16 UTC
Document URL: 
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cluster_administration/admin-guide-manage-pods#admin-guide-limit-pod-access-egress-pods

Section Number and Name: 
7.3.3. Limiting Pod Access with Egress Firewall

Describe the issue: 
The dnsName refresh time of EgressNetworkPolicy is 30 seconds in the document,
but it is different in the code.

1. The EgressNetworkPolicy dnsName TTL value is taken from the DNS server's domain TTL data first.

https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L154-#L165
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L173

2. If the TTL data doesn't exist, the dnsName will refresh after the default 30 minutes.
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L17
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L151
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L170
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L176

Suggestions for improvement: 


Additional information: 
Please confirm whether the dnsName refresh of EgressNetworkPolicy is the same on OCP 3.x and 4.x.

Comment 1 Jason Boxman 2021-01-29 20:12:48 UTC
Hi Jacob,

Can you confirm whether this update about the DNS refresh time makes sense?

Thanks!

Comment 3 Mike McKiernan 2021-02-22 19:26:14 UTC
@zzhao, @jdesousa, @jtanenba PTAL: https://github.com/openshift/openshift-docs/pull/29660

Comment 5 Juan Luis de Sousa-Valadas 2021-02-24 17:53:18 UTC
Hi, sorry for the delay.

So the current behavior is what Mike said. I just changed the behavior so that:
1- The default TTL is 30 seconds
2- If a TTL is larger than or equal to 30 min we query it again after 30 minutes
3- If a TTL is larger than 30 seconds but smaller than 30 minutes, we query it after 30 seconds.
4- If a TTL is smaller than 30 seconds we wait TTL seconds to query it again

PR: https://github.com/openshift/sdn/pull/263

I know the docs bug is for 3.11 but I'm backporting this.
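
The refresh rules from the description and from Comment 5, side by side as an added example (not code from openshift/origin or openshift/sdn, and not part of any comment); the function names, constants and sample TTLs are assumptions made for illustration. The returned delay is how long an allowed dnsName keeps its previously resolved addresses before the next lookup.

```go
package main

import (
	"fmt"
	"time"
)

const (
	defaultTTL = 30 * time.Second // rule 1 in Comment 5
	maxTTL     = 30 * time.Minute // ceiling from rule 2
)

// refreshAsReported models the bug description: the DNS server's TTL is used
// first, and 30 minutes applies when no TTL data exists.
func refreshAsReported(ttl time.Duration, hasTTL bool) time.Duration {
	if !hasTTL {
		return 30 * time.Minute
	}
	return ttl
}

// refreshAfterChange models the four rules listed in Comment 5. A TTL of
// exactly 30 seconds is not covered by rules 3 and 4; both readings give 30s.
func refreshAfterChange(ttl time.Duration, hasTTL bool) time.Duration {
	switch {
	case !hasTTL:
		return defaultTTL // rule 1: no TTL data
	case ttl >= maxTTL:
		return maxTTL // rule 2: TTL >= 30 minutes
	case ttl > defaultTTL:
		return defaultTTL // rule 3: 30 seconds < TTL < 30 minutes
	default:
		return ttl // rule 4: TTL < 30 seconds
	}
}

func main() {
	// Constructed sample TTLs; hasTTL=false stands for "no TTL data".
	samples := []struct {
		ttl    time.Duration
		hasTTL bool
	}{{0, false}, {5 * time.Second, true}, {30 * time.Second, true},
		{5 * time.Minute, true}, {30 * time.Minute, true}, {24 * time.Hour, true}}
	fmt.Printf("%-10s %-7s %-14s %s\n", "TTL", "hasTTL", "as reported", "after change")
	for _, s := range samples {
		fmt.Printf("%-10v %-7v %-14v %v\n", s.ttl, s.hasTTL,
			refreshAsReported(s.ttl, s.hasTTL), refreshAfterChange(s.ttl, s.hasTTL))
	}
}
```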

Comment 7 huirwang 2021-03-01 14:21:10 UTC
Filed bug https://bugzilla.redhat.com/show_bug.cgi?id=1933711 to track PR https://github.com/openshift/sdn/pull/263, which is not only a doc change anymore.

Comment 12 Red Hat Bugzilla 2023-09-15 00:47:37 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days