OCPBUGS-61215: Tweak iptables-alerter to try to avoid crictl bug

[danwinship]

We keep getting reports of iptables-alerter causing CPU usage alerts... we debugged this at one point and it was because crictl was suddenly using a ton of CPU and RAM for no apparent reason. We weren't able to reproduce beyond that and it's not really worth spending a lot of time trying to fix since crictl is not in the critical path of any normal pods anyway. I had tried improving things by using less crictl before (#2404) but we're still getting reports. This fixes it to not use crictl until after we've determined that some pod, somewhere on the node is using iptables, and that should hopefully be "never".

[openshift-ci-robot]

@danwinship: This pull request references Jira Issue OCPBUGS-61215, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

We keep getting reports of iptables-alerter causing CPU usage alerts... we debugged this at one point and it was because crictl was suddenly using a ton of CPU and RAM for no apparent reason. We weren't able to reproduce beyond that and it's not really worth spending a lot of time trying to fix since crictl is not in the critical path of any normal pods anyway. I had tried improving things by using less crictl before (#2404) but we're still getting reports. This fixes it to not use crictl until after we've determined that some pod, somewhere on the node is using iptables, and that should hopefully be "never".

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[danwinship]

/retest-required

[danwinship]

/verified by @danwinship

no e2e test, tested by hand

[danwinship]

/retest-required

[openshift-ci-robot]

@danwinship: This PR has been marked as verified by @danwinship.

In response to this:

/verified by @danwinship

no e2e test, tested by hand

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[martinkennelly]

/lgtm

[martinkennelly]

not for others; '^1$' excludes pid 1 :)

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, martinkennelly

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6f6d0ee and 2 for PR HEAD 1bf470b in total

[martinkennelly]

/test e2e-aws-ovn-serial-2of2

Unrelated disruption

[martinkennelly]

/test e2e-aws-ovn-upgrade

Unrelated - job reached timeout limit.

[openshift-ci]

@danwinship: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade	1bf470b	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade
ci/prow/e2e-vsphere-ovn	1bf470b	link	false	/test e2e-vsphere-ovn
ci/prow/e2e-aws-hypershift-ovn-kubevirt	1bf470b	link	false	/test e2e-aws-hypershift-ovn-kubevirt
ci/prow/e2e-vsphere-ovn-dualstack	1bf470b	link	false	/test e2e-vsphere-ovn-dualstack
ci/prow/e2e-network-mtu-migration-ovn-ipv4	1bf470b	link	false	/test e2e-network-mtu-migration-ovn-ipv4
ci/prow/okd-scos-e2e-aws-ovn	1bf470b	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade	1bf470b	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
ci/prow/e2e-openstack-ovn	1bf470b	link	false	/test e2e-openstack-ovn
ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade	1bf470b	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
ci/prow/security	1bf470b	link	false	/test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[danwinship]

/override ci/prow/e2e-ovn-ipsec-step-registry
/override ci/prow/e2e-aws-ovn-serial-2of2

unrelated, very failure-prone jobs

[openshift-ci]

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-ovn-serial-2of2, ci/prow/e2e-ovn-ipsec-step-registry

In response to this:

/override ci/prow/e2e-ovn-ipsec-step-registry
/override ci/prow/e2e-aws-ovn-serial-2of2

unrelated, very failure-prone jobs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@danwinship: Jira Issue Verification Checks: Jira Issue OCPBUGS-61215
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-61215 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

In response to this:

We keep getting reports of iptables-alerter causing CPU usage alerts... we debugged this at one point and it was because crictl was suddenly using a ton of CPU and RAM for no apparent reason. We weren't able to reproduce beyond that and it's not really worth spending a lot of time trying to fix since crictl is not in the critical path of any normal pods anyway. I had tried improving things by using less crictl before (#2404) but we're still getting reports. This fixes it to not use crictl until after we've determined that some pod, somewhere on the node is using iptables, and that should hopefully be "never".

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[danwinship]

/cherry-pick release-4.20

[openshift-cherrypick-robot]

@danwinship: new pull request created: #2811

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in accepted release 4.21.0-0.nightly-2025-10-02-215712