update code for large networkpolicy and egress firewall rule #688
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: liqcui. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @liqcui. Thanks for your PR. I'm waiting for a cloud-bulldozer member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @qiliRedHat @paigerube14 Please review the PR when you are available, thanks!
@liqcui Can you please sign off the PR?
@krishvoor Sorry, I don't quite understand what you mean. Do you mean the case isn't suitable for merging into the e2e-benchmarking code repository now? Right?
/cc @mohit-sheth
## large-networkpolicy-egress | ||
With the help of [large-networkpolicy-egress] customer cases that combined with node-density-heavy, network policy and egress firewall |
@liqcui This sentence seems not completed.
@qiliRedHat Thank you for taking the time to review my PR. I have updated the README; please review it again if anything is still not described clearly. Thanks!
- Default deny large-networkpolicy-egress is applied first that blocks traffic to any test namespace | ||
- 100 network policies in each namespace that allows traffic from the same namespace and two other namespaces using namespace selectors,NETWORKPOLICY_RPLICAS=50, default value of NETWORKPOLICY_RPLICAS is 50 | ||
- 1 egress policy in each namespace, you can specified how many egress policy rule by EGRESS_FIREWALL_POLICY_TOTAL_NUM=80, it will create 80 rules for one policy. default value of EGRESS_FIREWALL_POLICY_TOTAL_NUM is 80 | ||
- WAIT_OVN_DB_SYNC_TIME used for specify the time that wait for OVN DB sync, the memory usage of ovn node pod will increase during the time. |
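Review bot: the second bullet says 100 network policies per namespace while NETWORKPOLICY_RPLICAS defaults to 50, and the third bullet says one egress policy with 80 rules; state the relationship between each variable and the resulting object count (the PR's own test settings show NETWORKPOLICY_RPLICAS=75 producing 150 policies, i.e. two per replica) so readers can predict the numbers. The WAIT_OVN_DB_SYNC_TIME bullet gives neither a unit nor a default value; add both, and name the OVN pod whose memory grows during the wait.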
Could you be more specific about the exact pod name?
Could you describe when the OVN DB sync will happen? Is that right after applying all the network policies and egress firewalls? How long does it usually take with the default settings (the default WAIT_OVN_DB_SYNC_TIME setting)? What will happen if this is set too short?
@qiliRedHat I will update the pod name since the script had a minor change. I got the pod name from new testing.
Update the pod name now!
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
name: case-amadeus-mgob-allow-dns |
@liqcui I searched and found 11 'amadeus', please remove or replace them.
Fixed in new code, thanks!
pod-security.kubernetes.io/audit: privileged | ||
pod-security.kubernetes.io/warn: privileged | ||
objects: | ||
- objectTemplate: case-engress-firewall.yaml |
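Review bot: the objectTemplate file name `case-engress-firewall.yaml` is spelled "engress" while the README, the PR title and the description all use "egress"; if the file is generated by common.sh rather than checked in, confirm the generator writes exactly this name, otherwise kube-burner will not find the template. Separately, the visible `pod-security.kubernetes.io/audit` and `pod-security.kubernetes.io/warn` labels are both set to `privileged`; document in the README why the test namespaces need the privileged Pod Security level rather than `restricted`, or drop the labels if the postgres/client pods do not require it.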
I didn't find the case-engress-firewall.yaml file.
This file will be automatically generated by https://github.com/liqcui/e2e-benchmarking/blob/large-networkpolicy-egress/workloads/kube-burner/common.sh#L195
…o-trust environment Signed-off-by: Liquan Cui <liqcui@redhat.com>
Type of change
Description
To simulate a customer zero-trust environment, we deny all ingress and egress traffic with network policy and egress firewall, then add a whitelist to open essential ports.
For network policy, we create two types of workloads to send network traffic:
- pod-to-pod traffic in the same namespace (node density heavy): create two pods, one pod is a postgres DB, the other is a client that inserts data into the database continuously.
- cross-namespace traffic: it queries DNS for the prometheus pod hostname from other namespaces.
For egress firewall, we add allow/deny rules to the egress firewall. We create one pod to send network traffic from the OCP network to the internet continuously.
Create 10500 pods, 20k network policies and 200k egress firewall rules (ACLs) first, then create 9 additional new namespaces with 20k network policies and 200k egress firewall rules, then delete those additional namespaces to simulate a customer removing unused network policies.
After all pods/network policies/egress firewalls are created and ready, wait 90 minutes, then create a new namespace, add new network policies and create new pods again to check the OVN init-sync time.
Related Tickets & Documents
https://issues.redhat.com/browse/OCPQE-17154
Checklist before requesting a review
Testing
master: 16 vCPUs 64 GiB
worker: 8 vCPUs 32 GiB | x86 | 100 worker nodes
Please provide detailed steps to perform tests related to this code change.
https://mastern-jenkins-csb-openshift-qe.apps.ocp-c1.prod.psi.redhat.com/job/scale-ci/job/liqcui-e2e-benchmarking-multibranch-pipeline/job/kube-burner/373/console
The key variables that set the number of pods, network policies and egress firewall rules:

```shell
export POD_RPLICAS=25                        # Create 75 pods in each namespace
export NETWORKPOLICY_RPLICAS=75              # Create 150 network policies in each namespace
export EGRESS_FIREWALL_POLICY_TOTAL_NUM=600  # Create 600 egress firewall rules in each namespace
export QPS=50
export BURST=100
export MAX_WAIT_TIMEOUT=5h
export JOB_TIMEOUT=8h
```
How were the fix/results from this change verified? Please provide relevant screenshots or results.
https://docs.google.com/document/d/1X3YNRXmPB1boDeEk0OCZdZPoYdA2B0q2yYrDzJWBcaw/edit
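The zero-trust layout the Description sketches (default deny for ingress and egress, an allowlist that opens only essential ports such as DNS, same-namespace and cross-namespace allow rules, and an OVN-Kubernetes EgressFirewall with allow/deny rules) can be written out as the objects below. This is an added illustration for this page, not the PR's own templates; the namespace names `zt-ns-0`, `zt-ns-1` and `zt-ns-2`, the `kubernetes.io/metadata.name` label on the `openshift-dns` namespace and the external CIDR are assumptions, and the DNS ports assume OpenShift's CoreDNS pods listening on 5353 (on an upstream Kubernetes cluster the DNS pods listen on 53 instead).

```yaml
# Added example, not from the PR. Namespaces, labels and CIDRs are assumed.
# 1. Default deny: an empty podSelector selects every pod in the namespace,
#    and listing both policyTypes with no rules blocks all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: zt-ns-0
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Allowlist: DNS egress only to the cluster DNS pods (assumed namespace label).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: zt-ns-0
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 5353
    - protocol: TCP
      port: 5353
---
# 3. Same-namespace pod-to-pod traffic (the postgres/client pair) plus
#    ingress from two peer namespaces, as the README bullet describes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-ns-and-peers
  namespace: zt-ns-0
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector: {}                          # any pod in this namespace
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: zt-ns-1  # assumed peer namespace
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: zt-ns-2  # assumed peer namespace
  egress:
  - to:
    - podSelector: {}                          # pods in this namespace only
---
# 4. OVN-Kubernetes EgressFirewall: rules are evaluated in order, the object
#    must be named "default", and the final Deny to 0.0.0.0/0 makes traffic
#    leaving the cluster deny-by-default for this namespace.
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: zt-ns-0
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 203.0.113.0/24             # assumed allowlisted external range
    ports:
    - protocol: TCP
      port: 443
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

The two EgressFirewall rules are the minimal form of the allow/deny pattern that the test scales to hundreds of rules per namespace; because OVN evaluates them in order, the catch-all Deny has to stay last, and every additional Allow placed above it widens the allowlist.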