Cilium jobs are permafailing in CI: https://sippy.dptools.openshift.org/sippy-ng/jobs/4.11?filters=%257B%2522items%2522%253A%255B%257B%2522id%2522%253A99%252C%2522columnField%2522%253A%2522name%2522%252C%2522operatorValue%2522%253A%2522contains%2522%252C%2522value%2522%253A%2522cilium%2522%257D%255D%252C%2522linkOperator%2522%253A%2522and%2522%257D They appear to be failing various sig-network tests.
Any update on these? The 4.12 jobs are continuing to permafail. https://sippy.dptools.openshift.org/sippy-ng/jobs/4.12?filters=%257B%2522items%2522%253A%255B%257B%2522id%2522%253A99%252C%2522columnField%2522%253A%2522name%2522%252C%2522operatorValue%2522%253A%2522contains%2522%252C%2522value%2522%253A%2522cilium%2522%257D%255D%252C%2522linkOperator%2522%253A%2522and%2522%257D&sort=desc&sortField=current_pass_percentage
To conform to the sig-network tests the following CiliumConfig (which is not the default for installing for reasons stated below) needs to be used:

```
apiVersion: cilium.io/v1alpha1
kind: CiliumConfig
metadata:
  name: cilium
  namespace: cilium
spec:
  debug:
    enabled: true
  k8s:
    requireIPv4PodCIDR: true
  pprof:
    enabled: true
  logSystemLoad: true
  bpf:
    preallocateMaps: true
  etcd:
    leaseTTL: 30s
  ipv4:
    enabled: true
  ipv6:
    enabled: true
  identityChangeGracePeriod: 0s
  ipam:
    mode: "cluster-pool"
    operator:
      clusterPoolIPv4PodCIDR: "10.128.0.0/14"
      clusterPoolIPv4MaskSize: "23"
  nativeRoutingCIDR: "10.128.0.0/14"
  endpointRoutes: {enabled: true}
  kubeProxyReplacement: "probe"
  clusterHealthPort: 9940
  tunnelPort: 4789
  cni:
    binPath: "/var/lib/cni/bin"
    confPath: "/var/run/multus/cni/net.d"
    chainingMode: portMap
  prometheus:
    serviceMonitor: {enabled: false}
  hubble:
    tls: {enabled: false}
```

Note that `identityChangeGracePeriod: 0s` does not scale for production environments. Finally, the following 2 tests will fail no matter what:

1. NetworkPolicy between server and client should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed (Cilium does not allow CIDR blocks to define internal traffic and only supports identity based policy mapping for internal traffic)
2. NetworkPolicy between server and client should not allow access by TCP when a policy specifies only SCTP (Cilium does not support SCTP).
Hi @nathan.sweet, We are clearing our bug backlog and wish to hopefully resolve this issue. A couple of questions. Do you plan to fix this? If no, please close this issue. The test cases mentioned are located in the "origin" repository, right? If so, please set the component to origin. Since this is not an issue with OpenShift SDN, but it's being tracked as an issue of OpenShift SDN, is there any possibility you can track any potential fix with a Jira issue and component set to Cilium?
Nate, I will close this issue in two weeks if there are no responses. Thank you for your time.
> Do you plan to fix this? If no, please close this issue.

I don't know how to implement the suggested fix. I don't know where this CI exists.
@nathan.sweet Can you reach out to me on Kubernetes Slack (mkennell) and I'll show you where the tests are and answer any questions that I can?
Submitted PR https://github.com/openshift/release/pull/36066 to fix.
@nathan.sweet Hey Nate, I see the Cilium CI is failing even with your PR. Do you have a timeline for when you can look at this?
Talked to Nate regarding this issue. We agreed this issue should be closed. We don't have a component for Cilium. This issue is opened against openshift-sdn. There is no need for a bug anyway because the fix is going into master.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days