Bug 1996729 - [backport-4.8] Creating a network policy in OVN-Kubernetes can be very inefficient.
Summary: [backport-4.8] Creating a network policy in OVN-Kubernetes can be very ineffi...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.z
Assignee: Casey Callendrello
QA Contact: Mike Fiedler
: 1991621 (view as bug list)
Depends On: 1968569
TreeView+ depends on / blocked
Reported: 2021-08-23 14:28 UTC by Casey Callendrello
Modified: 2021-09-27 19:53 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-09-27 19:53:12 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 678 0 None None None 2021-08-23 15:20:30 UTC
Red Hat Product Errata RHBA-2021:3632 0 None None None 2021-09-27 19:53:38 UTC

Description Casey Callendrello 2021-08-23 14:28:33 UTC
This bug was initially created as a copy of Bug #1968569

I am copying this bug because: 

Description of problem: When creating a network policy in ovn-kubernetes that selects a lot of pods, it is very inefficient.

This is because it executes multiple (1-4) nbdb transactions for each pod selected by the policy.

We can fix this by being smart and bulk-processing pods on policy creation.

How reproducible: Very

Steps to Reproduce:
1. Create 100-200 pods in a cluster
2. Create a policy that selects those pods
3. Watch to see that it takes 10s of seconds for the policy to take effect

Comment 3 Andrew Stoycos 2021-09-22 18:50:38 UTC
*** Bug 1991621 has been marked as a duplicate of this bug. ***

Comment 4 Mike Fiedler 2021-09-24 15:43:18 UTC
Verified on 4.8.13.   Creating deny and allow policies selecting 1500 pods in a namespace by label takes effect almost instantaneously.  < 2 seconds.

Comment 6 errata-xmlrpc 2021-09-27 19:53:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.8.13 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.