Bug 1876376 - [DOC] How long does it take to update dnsName of EgressNetworkPolicy settings
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mike McKiernan
QA Contact: huirwang
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-09-07 06:38 UTC by checheng
Modified: 2023-09-15 00:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-29 15:05:12 UTC
Target Upstream Version:
Embargoed:



Description checheng 2020-09-07 06:38:16 UTC
Document URL: 
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cluster_administration/admin-guide-manage-pods#admin-guide-limit-pod-access-egress-pods

Section Number and Name: 
7.3.3. Limiting Pod Access with Egress Firewall

Describe the issue: 
The refresh time for the dnsName of EgressNetworkPolicy is 30 seconds in the document.
But it is different from the code.

1. The EgressNetworkPolicy dnsName TTL value is taken from the DNS server's domain TTL data first.

https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L154-#L165
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L173

2. If the TTL data doesn't exist, the dnsName will refresh every 30 minutes by default.
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L17
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L151
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L170
https://github.com/openshift/origin/blob/v3.11.0/pkg/network/common/dns.go#L176

Suggestions for improvement: 


Additional information: 
Please confirm whether the dnsName refresh of EgressNetworkPolicy is the same on OCP 3.x and 4.x.

Comment 1 Jason Boxman 2021-01-29 20:12:48 UTC
Hi Jacob,

Can you confirm whether this update about the DNS refresh time makes sense?

Thanks!

Comment 3 Mike McKiernan 2021-02-22 19:26:14 UTC
@zzhao, @jdesousa, @jtanenba PTAL: https://github.com/openshift/openshift-docs/pull/29660

Comment 5 Juan Luis de Sousa-Valadas 2021-02-24 17:53:18 UTC
Hi, sorry for the delay.

So the current behavior is what Mike said. I just changed the behavior so that:
1- The default TTL is 30 seconds
2- If a TTL is larger than or equal to 30 min we query it again after 30 minutes
3- If a TTL is larger than 30 seconds but smaller than 30 minutes, we query it after 30 seconds.
4- If a TTL is smaller than 30 seconds we wait TTL seconds to query it again

PR: https://github.com/openshift/sdn/pull/263

I know the docs bug is for 3.11 but I'm backporting this.
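
Added example (not part of the bug thread and not the openshift/sdn code): a Go model of the re-query delay as the description and comment 5 word it, printed side by side for constructed TTL values. The delay is also the longest an egress rule can keep pointing at an address the DNS name no longer resolves to. Function names and the `hasTTL` flag are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Intervals named in the thread; the identifiers are this example's own.
const (
	shortInterval = 30 * time.Second
	longInterval  = 30 * time.Minute
)

// delayPerDescription: behaviour as the bug description reports it for v3.11.
func delayPerDescription(ttl time.Duration, hasTTL bool) time.Duration {
	if !hasTTL {
		return longInterval
	}
	return ttl
}

// delayPerComment5: the four rules listed in comment 5.
func delayPerComment5(ttl time.Duration, hasTTL bool) time.Duration {
	switch {
	case !hasTTL:
		return shortInterval // rule 1
	case ttl >= longInterval:
		return longInterval // rule 2
	case ttl > shortInterval:
		return shortInterval // rule 3
	default:
		return ttl // rule 4; a TTL of exactly 30s also lands here
	}
}

func main() {
	// Constructed sample TTLs; hasTTL=false stands for "no TTL data".
	samples := []struct {
		ttl    time.Duration
		hasTTL bool
	}{{0, false}, {5 * time.Second, true}, {30 * time.Second, true},
		{5 * time.Minute, true}, {30 * time.Minute, true}, {24 * time.Hour, true}}
	fmt.Println("ttl        described  comment5")
	for _, s := range samples {
		fmt.Printf("%-10v %-10v %v\n", s.ttl,
			delayPerDescription(s.ttl, s.hasTTL), delayPerComment5(s.ttl, s.hasTTL))
	}
}
```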

Comment 7 huirwang 2021-03-01 14:21:10 UTC
Filed bug https://bugzilla.redhat.com/show_bug.cgi?id=1933711 to track PR https://github.com/openshift/sdn/pull/263, which is not only a doc change anymore.

Comment 12 Red Hat Bugzilla 2023-09-15 00:47:37 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

