Fix NetworkPolicies allowing from all to *some* (not all) #12972
Conversation
|
[merge] |
|
[Test]ing while waiting on the merge queue |
|
Two flakes: openshift/origin-gce#17 |
|
The devicemapper failure looks scary and new, have not seen it before @stevekuznetsov |
|
Nope, @rhvgoyal may know more about that devmapper error though |
|
[test] |
|
Evaluated for origin test up to dcda31f |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/241/) (Base Commit: c8e60fe) |
|
flake #12989, [merge] |
|
Evaluated for origin merge up to dcda31f |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/268/) (Base Commit: 19aa349) (Image: devenv-rhel7_5925) |
|
Most likely something is wrong with the thin pool. |
The NetworkPolicy flow-computing code had a short circuit where if you had a policy that allowed all traffic, it wouldn't bother outputting any other rules that might be present to only allow a subset of traffic, since those rules would be unnecessary. But (a) the short-circuit was buggy, in that it got triggered by any rule that accepted traffic from all sources, even if it wasn't supposed to allow traffic to all destinations, and (b) we weren't making any effort to filter out any other redundant rules (eg, if you had two identical copies of the same NetworkPolicy), and (c) there's no particular reason to think the kind of rule redundancy we were special-casing is going to be more likely than any other kind. So this just gets rid of the special case.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1421091
@openshift/networking PTAL