Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add policy processed verification for NetworkPolicyEvaluation #5801

Closed
wants to merge 1 commit into from
Closed

Add policy processed verification for NetworkPolicyEvaluation #5801

wants to merge 1 commit into from

Conversation

Dyanngg
Copy link
Contributor

@Dyanngg Dyanngg commented Dec 14, 2023
edited
Loading

This PR adds a function to verify that all policies in the cluster has
been processed by the Antrea controller before running the
antctl query networkpolicyevaluation command.

@Dyanngg Dyanngg added this to the Antrea v1.15 release milestone Dec 14, 2023
@Dyanngg Dyanngg added the area/component/antctl Issues or PRs releated to the command line interface component label Dec 14, 2023
qiyueyao
qiyueyao reviewed Dec 14, 2023
View reviewed changes
Copy link
Contributor

@qiyueyao qiyueyao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks nice to simplify and reuse NetworkPolicyReference!

pkg/controller/networkpolicy/networkpolicy_controller.go Outdated Show resolved Hide resolved
pkg/controller/networkpolicy/networkpolicy_controller.go Show resolved Hide resolved
@Dyanngg Dyanngg changed the title Add policy processed verification for networkpolicyanalysis Add policy processed verification for NetworkPolicyEvaluation Mar 4, 2024
@Dyanngg Dyanngg requested a review from tnqn March 4, 2024 21:07
@tnqn
Copy link
Member

tnqn commented Mar 14, 2024

I'm trying to understand why this is needed and whether it really helps:

  1. In theory, there is no good way to ensure everything in K8s apiserver has been realized by Antrea as we never know whether informer is in sync with apiserver. Even we don't consider apiserver, informer can keep changing after you get a snapshot, the policies in the snapshot being realized doesn't mean all policies have received by antrea have been realized.
  2. Converting upstream policies to internal policies should be pretty fast, I would say there is no human-sensible interval between antrea-controller receives the policy and converts it. Does it affect anything without the check?

@luolanzone
Copy link
Contributor

@Dyanngg could you resolve the code conflicts and check @tnqn 's comment? Let me know if this is a must-have or we can move it out of milestone 2.0, Thanks.

@Dyanngg Dyanngg removed this from the Antrea v2.0 release milestone Apr 16, 2024
@luolanzone
Copy link
Contributor

Hi @Dyanngg I will close this since you confirmed that this is no need anymore, please reopen if you plan to rework on this. Thanks.

@luolanzone luolanzone closed this May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qiyueyao qiyueyao Awaiting requested review from qiyueyao

@tnqn tnqn Awaiting requested review from tnqn

Assignees
No one assigned
Labels
area/component/antctl Issues or PRs releated to the command line interface component
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Dyanngg @tnqn @luolanzone @qiyueyao