Bug 1996736 - Large number of 501 lr-policies in INCI2 env
Summary: Large number of 501 lr-policies in INCI2 env
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: ---
: 4.10.0
Assignee: Surya Seetharaman
QA Contact: Yurii Prokulevych
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-23 14:37 UTC by Jose Castillo Lema
Modified: 2022-03-10 16:06 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:05:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 834 0 None Merged Bug 2018966: [DownstreamMerge] Revert revert #834 2022-02-01 17:49:06 UTC
Github ovn-org ovn-kubernetes pull 2424 0 None Merged Scale/Perf: LGW: LRP 501: Reconstruct the policy using address sets 2022-02-01 17:49:08 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:06:24 UTC

Description Jose Castillo Lema 2021-08-23 14:37:53 UTC 
Description of problem:
Creating 18 application pods/worker with in a 120 node environment results in 2135 lr policies of type 501 out of a total of 2613 policies:

[kni@e16-h18-b03-fc640 kubeburner]$ oc exec -n openshift-ovn-kubernetes -it $POD -- ovn-nbctl lr-policy-list ovn_cluster_router | wc -l
Defaulting container name to northd.
Use 'oc describe pod/ovnkube-master-82fjr -n openshift-ovn-kubernetes' to see all of the containers in this pod.
2613

[kni@e16-h18-b03-fc640 kubeburner]$ oc exec -n openshift-ovn-kubernetes -it $POD -- ovn-nbctl lr-policy-list ovn_cluster_router | grep 501 | wc -l
Defaulting container name to northd.
Use 'oc describe pod/ovnkube-master-82fjr -n openshift-ovn-kubernetes' to see all of the containers in this pod.
2135

Version-Release number of selected component (if applicable):
 - OCP 4.7.11
 - local gateway

How reproducible:
100%

Steps to Reproduce:
1. Create several serving (lb) pods with proper ICNI2 annotations (40 in our scenario)
2. Create 18 app pods/worker
Comment 1 Sai Sindhur Malleni 2021-09-13 13:56:03 UTC 
Surya,

You had a patch to address this right?
Comment 2 Surya Seetharaman 2021-09-14 06:31:51 UTC 
yes let me rebase that PR now and we can get it in.
Comment 3 Surya Seetharaman 2021-10-28 18:14:45 UTC 
Moving this to post because the fix is merged upstream and downstream fix is https://github.com/openshift/ovn-kubernetes/pull/796.
Comment 4 Surya Seetharaman 2021-12-01 17:57:34 UTC 
Downstream merge got in. Moving this to modified state.
Comment 13 Surya Seetharaman 2022-02-01 17:22:59 UTC 
Hey Yurii,

Yes that looks good. Thanks for verifying this. Moving bz to VERIFIED.
Comment 16 errata-xmlrpc 2022-03-10 16:05:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
Note You need to log in before you can comment on or make changes to this bug.