OCPBUGS-55962: DownStream Merge [08-20-2025] #2729
In the current implementation, UDN is translated to NAD, but only labels are copied, annotations are not. This change ensures the annotations are also copied to support correct behavior. Signed-off-by: Lei Huang <[email protected]> Signed-off-by: Yun Zhou <[email protected]>
- Add VF device support for primary UDN interface To request the primary UDN interface of a pod to be backed by a VF interface, one needs to specify the k8s.v1.cni.cncf.io/resourceName annotation in the primary UDN to request the VF's associated network resource. The pod with the primary UDN interface needs to increase its resources limits and requests for the network resource the primary UDN interface needs. Note that is out of the scope of ovn-kubernetes. Signed-off-by: Yun Zhou <[email protected]>
Signed-off-by: Yun Zhou <[email protected]>
This reverts commit 089009c. Signed-off-by: Nadia Pinaeva <[email protected]>
This global knob helps to enable (or) disable pod isolation between BGP advertised UDN networks. The routed udn isolation is enabled by default. This can be disabled on kind with -rnd or --routed-udn-isolation-disable options while setting up the cluster. Signed-off-by: Periyasamy Palanisamy <[email protected]>
When Routed UDN Isolation is disabled, then ovnk must skip programming advertised network isolation rules on the given node so that traffic between advertised UDN networks can be steered out from the ovn overlay network, then with additional manual networking configuration in the underlay network inter UDN traffic can be made to work. To facilitate this, this commit skips programming network isolation rules when the routed udn isolation option is disabled. Signed-off-by: Periyasamy Palanisamy <[email protected]>
Co-Authored-by: Peng Liu <[email protected]> Signed-off-by: Periyasamy Palanisamy <[email protected]>
…ose mode In the advertised UDN isolation loose mode test, cross-UDN traffic will be routed by the external FRR router. Nodes shall send the UDN pod outbound traffic to the FRR router as the nexthop. Signed-off-by: Peng Liu <[email protected]>
- Add ingress flows to table 0 (priority 300/301) for MEG-enabled
pods, advertised UDNs, and node management traffic, ensuring these
are handled earlier in the pipeline. In LGW mode, the 301 flow is
unnecessary, as the traffic to mgmtIP will be forwarded to host
kernel by the 300 flow.
- Remove corresponding lower-priority flows (priority 15/16) from
table 1 to avoid duplication and improve processing efficiency.
- Modify egress flows in table 0 (priority 104/103, previous 109/104)
for advertised UDN or MEG egress traffic by not setting CT mark and
send to physical network directly.
example flows in SGW mode EIP enabled:
table=0, n_packets=0, n_bytes=0, priority=300,ip,in_port=eth0,nw_dst=<nodeSubnet> actions=output:4
table=0, n_packets=0, n_bytes=0, priority=301,ip,in_port=eth0,nw_dst=<mgmtIP> actions=output:LOCAL
table=0, n_packets=0, n_bytes=0, priority=104,ip,in_port=4,dl_src=02:42:ac:12:00:03,nw_src=<nodeSubnet> actions=output:eth0
table=0, n_packets=0, n_bytes=0, priority=103,ip,in_port=4,nw_src=<clusterSubnet> actions=drop
example flows in LGW mode EIP enabled:
table=0, n_packets=0, n_bytes=0, priority=300,ip,in_port=eth0,nw_dst=<nodeSubnet> actions=output:LOCAL
table=0, n_packets=0, n_bytes=0, priority=104,ip,in_port=LOCAL,dl_src=02:42:ac:12:00:03,nw_src=<nodeSubnet> actions=output:eth0
table=0, n_packets=0, n_bytes=0, priority=103,ip,in_port=4,nw_src=<clusterSubnet> actions=drop
example flows in SGW mode EIP disabled:
table=0, n_packets=0, n_bytes=0, priority=300,ip,in_port=eth0,nw_dst=<nodeSubnet> actions=output:4
table=0, n_packets=0, n_bytes=0, priority=301,ip,in_port=eth0,nw_dst=<mgmtIP> actions=output:LOCAL
table=0, n_packets=0, n_bytes=0, priority=104,ip,in_port=4,dl_src=02:42:ac:12:00:03,nw_src=<nodeSubnet> actions=output:eth0
example flows in LGW mode EIP disabled:
table=0, n_packets=0, n_bytes=0, priority=300,ip,in_port=eth0,nw_dst=<nodeSubnet> actions=output:LOCAL
table=0, n_packets=0, n_bytes=0, priority=104,ip,in_port=LOCAL,dl_src=02:42:ac:12:00:03,nw_src=<nodeSubnet> actions=output:eth0
Signed-off-by: Peng Liu <[email protected]>
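The table-0 layout described in the commit message above, turned into a check over flow-dump text in the format shown there. This is an added example, not code from this PR or from ovn-kubernetes; the function names, the "shared"/"local" mode strings and the concrete subnets in the sample are assumptions.

```python
import re

# Constructed sample: the SGW-mode, EIP-enabled flows from the commit message,
# with the <nodeSubnet>/<mgmtIP>/<clusterSubnet> placeholders filled by hand.
SAMPLE_SGW_EIP = """\
table=0, n_packets=0, n_bytes=0, priority=300,ip,in_port=eth0,nw_dst=10.244.1.0/24 actions=output:4
table=0, n_packets=0, n_bytes=0, priority=301,ip,in_port=eth0,nw_dst=10.244.1.2 actions=output:LOCAL
table=0, n_packets=0, n_bytes=0, priority=104,ip,in_port=4,dl_src=02:42:ac:12:00:03,nw_src=10.244.1.0/24 actions=output:eth0
table=0, n_packets=0, n_bytes=0, priority=103,ip,in_port=4,nw_src=10.244.0.0/16 actions=drop
"""
FLOW_RE = re.compile(r"table=(\d+),.*?priority=(\d+),(\S*)\s+actions=(\S+)")

def parse_flows(dump):
    """Parse flow lines into dicts: table, priority, match fields, actions."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow line
        match = dict(f.split("=", 1) for f in m.group(3).split(",") if "=" in f)
        flows.append({"table": int(m.group(1)), "priority": int(m.group(2)),
                      "match": match, "actions": m.group(4)})
    return flows

def check_table0(flows, gateway_mode, eip_enabled):
    """List deviations from the table-0 example flows in the commit message."""
    t0 = {}
    for f in flows:
        if f["table"] == 0:
            t0.setdefault(f["priority"], []).append(f)
    problems = []
    ingress = [f for f in t0.get(300, []) if "nw_dst" in f["match"]]
    if not ingress:
        problems.append("missing priority-300 ingress flow")
    elif gateway_mode == "local" and any(f["actions"] != "output:LOCAL" for f in ingress):
        problems.append("LGW priority-300 flow does not output to LOCAL")
    has_301 = bool(t0.get(301))
    if gateway_mode == "shared" and not has_301:
        problems.append("SGW mode lacks the priority-301 mgmtIP flow")
    if gateway_mode == "local" and has_301:
        problems.append("LGW mode has a priority-301 flow the examples do not show")
    if not any("nw_src" in f["match"] for f in t0.get(104, [])):
        problems.append("missing priority-104 egress flow")
    if eip_enabled and not any(f["actions"] == "drop" for f in t0.get(103, [])):
        problems.append("EIP enabled but no priority-103 drop flow")
    return problems
```
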
…solation-mode The configuration parameter 'routed-udn-isolation' has been renamed to 'advertised-udn-isolation-mode' to more accurately reflect its purpose as a mode of operation rather than a simple boolean toggle. The corresponding values have been changed from 'enabled'/'disabled' to 'strict'/'loose' for better clarity: - 'strict' (formerly 'enabled') enforces complete isolation between UDNs. - 'loose' (formerly 'disabled') allows for more relaxed connectivity. Signed-off-by: Peng Liu <[email protected]>
add unprivileged CNI mode and hw offload support for primary UDN
Revert "Skip session affinity conformance test"
|
/ok-to-test |
|
@openshift-pr-manager[bot]: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@openshift-pr-manager[bot]: user openshift-pr-manager[bot] is not trusted for pull request #2729 |
|
/retest |
|
@jluhrsen: trigger 5 job(s) of type blocking for the ci release of OCP 4.20
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/3fa04060-7d83-11f0-917b-d82d100294a5-0 trigger 10 job(s) of type blocking for the nightly release of OCP 4.20
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/3fa04060-7d83-11f0-917b-d82d100294a5-1 |
|
/retitle OCPBUGS-55962: DownStream Merge [08-20-2025] |
|
@openshift-pr-manager[bot]: This pull request references Jira Issue OCPBUGS-55962, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
|
/test e2e-aws-ovn-fdp-qe |
|
/override ci/prow/lint |
|
/retest |
|
@tssurya: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4b88c910-7dba-11f0-8a85-80f21f39e96b-0 |
|
/payload-abort |
|
So /payload-job periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aks |
|
@jcaamano: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b069da60-7dc2-11f0-9631-dfc8c7ba4345-0 |
|
For because of a missing nodeID annotation. UPDATE: I guess what could be happening is that a node is being added and deleted quick enough as to not give enough time for clustermanager to annotate it. Being able to process a node deletion should not depend on what clustermanager does or does not do to a node. This could probably be a bug or an improvement on our deletion flow but I see no changes on this PR that could have triggered the problem now. Maybe a new test or a change on the job itself? Triggering another batch of aggregates while we continue looking. /payload-aggregate periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips 10 |
|
@jcaamano: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/41de9f60-7dca-11f0-9a0d-94fc90de5b5e-0 |
|
@jcaamano: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4a7c7210-7dce-11f0-86a8-fb10a7ddba09-0 |
|
/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
|
@jcaamano: Overrode contexts on behalf of jcaamano: ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
The related test case seems to be |
|
/override ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade |
|
@jcaamano: Overrode contexts on behalf of jcaamano: ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade In response to this:
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jcaamano, openshift-pr-manager[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here
|
e2e-aws-ovn-fdp-qe Summarizing 1 Failure:
[INTERRUPTED] [sig-networking] SDN IPSEC EW [It] Author:anusaxen-Medium-83672-[FdpOvnOvs][Skipped Setup] IPSec Functionality check for FDP usecase. [Disruptive]
/go/src/github.com/openshift/openshift-tests-private/test/extended/networking/ipsec.go:859
Ran 1 of 1 Specs in 2096.330 seconds
FAIL! - Interrupted by User -- 0 Passed | 1 Failed | 0 Pending | 0 Skipped
fail [github.com/openshift/openshift-tests-private/test/extended/networking/ipsec.go:859]: Interrupted by User
|
|
/hold cancel |
|
@openshift-pr-manager[bot]: Jira Issue OCPBUGS-55962: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-55962 has not been moved to the MODIFIED state. In response to this:
|
/jira refresh |
|
@Meina-rh: Jira Issue OCPBUGS-55962: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-55962 has been moved to the MODIFIED state. In response to this:
|
[ART PR BUILD NOTIFIER] Distgit: ovn-kubernetes-base |
|
[ART PR BUILD NOTIFIER] Distgit: ovn-kubernetes-microshift |
|
[ART PR BUILD NOTIFIER] Distgit: ose-ovn-kubernetes |
Automated merge of upstream/master → master.