Description of problem:
When creating a network policy in ovn-kubernetes that selects a lot of pods, it is very inefficient. This is because it executes multiple (1-4) nbdb transactions for each pod selected by the policy. We can fix this by being smart and bulk-processing pods on policy creation.

How reproducible:
Very

Steps to Reproduce:
1. Create 100-200 pods in a cluster
2. Create a policy that selects those pods
3. Watch to see that it takes 10s of seconds for the policy to take effect
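The reproduction steps above, turned into a measurable script. This is an added example, not part of the bug report or of ovn-kubernetes: it creates a namespace with many labelled pods, applies a deny-all ingress policy that selects them, and polls a probe pod until the first target pod stops accepting connections, then deletes the policy and times the reverse. The namespace name, replica count, container images (agnhost serving HTTP, busybox running nc as the probe) and the 1 second poll interval are all assumptions; the elapsed seconds it prints are the window during which the policy exists in the API but is not yet enforced on the datapath, which is the gap the verification comments below quantify.

```shell
#!/bin/sh
# Added example (not from the bug report or ovn-kubernetes).
# Assumes kubectl access to a cluster; all values below are constructed.
NAMESPACE="${NAMESPACE:-np-scale-test}"
REPLICAS="${REPLICAS:-200}"
TIMEOUT="${TIMEOUT:-300}"

# Deployment of REPLICAS pods labelled app=target, each serving HTTP on 8080.
deployment_manifest() {  # $1 = namespace, $2 = replica count
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: target
  namespace: $1
spec:
  replicas: $2
  selector:
    matchLabels:
      app: target
  template:
    metadata:
      labels:
        app: target
    spec:
      containers:
      - name: web
        image: registry.k8s.io/e2e-test-images/agnhost:2.39
        args: ["netexec", "--http-port=8080"]
EOF
}

# NetworkPolicy selecting every app=target pod and denying all ingress to it.
deny_all_manifest() {  # $1 = namespace
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: target
  policyTypes:
  - Ingress
EOF
}

# Poll a TCP connect from the probe pod until it reports the expected state
# ("denied" or "allowed"); print the elapsed seconds, or fail after TIMEOUT.
wait_for_state() {  # $1 = namespace, $2 = target pod IP, $3 = expected state
  start=$(date +%s)
  while :; do
    if kubectl -n "$1" exec probe -- nc -z -w 2 "$2" 8080 >/dev/null 2>&1; then
      state=allowed
    else
      state=denied
    fi
    now=$(date +%s)
    if [ "$state" = "$3" ]; then
      echo $((now - start))
      return 0
    fi
    if [ $((now - start)) -ge "$TIMEOUT" ]; then
      echo "timed out waiting for state '$3'" >&2
      return 1
    fi
    sleep 1
  done
}

# Only drive the cluster when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
  kubectl create namespace "$NAMESPACE"
  deployment_manifest "$NAMESPACE" "$REPLICAS" | kubectl apply -f -
  kubectl -n "$NAMESPACE" run probe --image=busybox:1.36 --restart=Never -- sleep 3600
  kubectl -n "$NAMESPACE" rollout status deployment/target --timeout=600s
  kubectl -n "$NAMESPACE" wait --for=condition=Ready pod/probe --timeout=120s
  target_ip=$(kubectl -n "$NAMESPACE" get pod -l app=target \
              -o jsonpath='{.items[0].status.podIP}')
  deny_all_manifest "$NAMESPACE" | kubectl apply -f -
  echo "deny-all enforced after: $(wait_for_state "$NAMESPACE" "$target_ip" denied)s"
  kubectl -n "$NAMESPACE" delete networkpolicy deny-all-ingress
  echo "traffic allowed again after: $(wait_for_state "$NAMESPACE" "$target_ip" allowed)s"
fi
```

The timing only checks the first selected pod, so it gives a lower bound on the enforcement delay; sampling several pods across different nodes (the verification below uses 20 computes) shows whether enforcement lands unevenly across the cluster.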
Upstream PR: https://github.com/ovn-org/ovn-kubernetes/pull/2249
Disregard comment 5 - I missed the fact the rebase is part of the rest of 4.9 work.

Verified on 4.9.0-0.nightly-2021-08-07-175228 as compared to 4.8.3

Both versions: 1500 pods/svc in a namespace spread over 20 computes

Create a deny-all - time to deny traffic
4.8.3: 24 seconds
4.9.nightly: 3.5 seconds

Delete the deny-all - time to allow traffic
4.8.3: 88 seconds
4.9.nightly: 4 seconds
Verified on 4.8.13. Creating deny and allow policies selecting 1500 pods in a namespace by label takes effect almost instantaneously (< 2 seconds).
Ignore comment 8 - this is the 4.9.0 version of the bz
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759