Bug 2083616

Any update on these? The 4.12 jobs are continuing to permafail.


https://sippy.dptools.openshift.org/sippy-ng/jobs/4.12?filters=%257B%2522items%2522%253A%255B%257B%2522id%2522%253A99%252C%2522columnField%2522%253A%2522name%2522%252C%2522operatorValue%2522%253A%2522contains%2522%252C%2522value%2522%253A%2522cilium%2522%257D%255D%252C%2522linkOperator%2522%253A%2522and%2522%257D&sort=desc&sortField=current_pass_percentage

To conform to the sig-network tests the following CiliumConfig (which is not the default for installing for reasons stated below) needs to be used:

```
apiVersion: cilium.io/v1alpha1
kind: CiliumConfig
metadata:
  name: cilium
  namespace: cilium
spec:
  debug:
    enabled: true
  k8s:
    requireIPv4PodCIDR: true
  pprof:
    enabled: true
  logSystemLoad: true
  bpf:
    preallocateMaps: true
  etcd:
    leaseTTL: 30s
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  identityChangeGracePeriod: 0s
  ipam:
    mode: "cluster-pool"
    operator:
      clusterPoolIPv4PodCIDR: "10.128.0.0/14"
      clusterPoolIPv4MaskSize: "23"
  nativeRoutingCIDR: "10.128.0.0/14"
  endpointRoutes: {enabled: true}
  kubeProxyReplacement: "probe"
  clusterHealthPort: 9940
  tunnelPort: 4789
  cni:
    binPath: "/var/lib/cni/bin"
    confPath: "/var/run/multus/cni/net.d"
    chainingMode: portMap
  prometheus:
    serviceMonitor: {enabled: false}
  hubble:
    tls: {enabled: false}
```

Note that `identityChangeGracePeriod: 0s` does not scale for production environments.

Finally, the following 2 tests will fail no matter what:
1.NetworkPolicy between server and client should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed (Cilium does not allow CIDR blocks to define internal traffic and only supports identity based policy mapping for internal traffic)
2.NetworkPolicy between server and client should not allow access by TCP when a policy specifies only SCTP (Cilium does not support SCTP).

Hi @nathan.sweet,

We are clearing our bug backlog and wish to hopefully resolve this issue.
Couple of questions.

Do you plan to fix this? If no, please close this issue.
The test cases mentioned are located in "origin" repository right? If so, please set the component to origin.
Since this is not an issue with Openshift SDN, but its being tracked as an issue of Openshift SDN, is there any possibility you can track any potential fix with a jira issue and component set to Cilium?

Nate, I will close this issue in two weeks if there are no responses. Thank you for your time.

> Do you plan to fix this? If no, please close this issue.

I don't know how to implement the suggested fix. I don't know where this CI exists.

@nathan.sweet Can you reach out to me on kubernetes slack (mkennell) and Ill show you where the tests are and answer any questions that I can.

Submitted PR https://github.com/openshift/release/pull/36066 to fix.

@nathan.sweet Hey Nate, I see the Cilium CI is failing even with your PR. Do you have a timeline for when you can look at this?

Talked to Nate regarding this issue. We agreed this issue should be closed.
We dont have a component for cilium. This issue is opened against openshift-sdn.
There is no need for a bug anyway because the fix is going into master.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days