Add Support for Hierarchical ACLs #3645
@jordigilh : e2e's are failing:
PTAL because presubmits on PRs are affected because of this.. |
Opened #3649 to fix some of the failures, but the first build failed on a unit test. Is this something that rings any bells to you? It has nothing to do with the code I removed from the e2e tests:
I will keep retesting though. |
@jordigilh : yes you may ignore the handler events flake, it's not related to your changes. |
1bb7c9c to bea7ee9
I would say external_ids_syncer package should have zero value tier instead of the default one, because it is supposed to update old-version acls (that don't have any tier), same as any stale ACL update test. |
hmm you mean they don't exist anymore on our current versions? i don't want to keep anything at 0 tier since those will be first to be evaluated. So if you are sure these are stale ones that won't exist in our current version of the cluster where I am adding this feature then i can keep it at 0, else 2 would be the safest to go with...
yes by default it will be set to 0 on upgrades...(mentioned it in commit 3's message) |
The changes look fine. I wanted to see what the ACLs in the NBDB look like before applying this PR and noticed that the rows already contain the tier column:
Then, I created a simple netpol to get more ACL entries:
Then, I built the code with this PR changes and restarted the master pods
And confirmed all ACLs are tier 2 now:
|
BUT then, I manually set the tier back to 0 on a specific ACL and restarted the db:
Restarted master:
back in the db shell:
Which means... we are running the upgrade path every time? Should the tier be left alone once we had it set to 2 for the very first time?
|
no I think that is correct, upon startup if we find any of the ACLs in tier0 we should update them to tier2, no ACL other than the ones I'll add for ANP should be in non-2 tiers. So if you move it back to 0 and restart then yes we should upgrade all ACLs again. However if all ACLs are already at 2, then libovsdb cache will realise there is nothing to mutate so it won't update anything which is already at tier2 again.
If you find that ACLs which were already in Tier2 are getting updated again - which I hope is not the case, then there is some bug on the libovsdb side. TYSM @flavio-fernandes for doing a thorough review! |
yes, you are right. K8 mandates what it should be and I realized late last night that indeed fixing it back to 2 is the right implementation. |
/lgtm |
It may be reasonable to squash commits 2 and 3, because it is about the same change, and seeing sync path and updated tests and functions in the same commit may be less confusing, wdyt? |
thanks for reviewing @npinaeva !
that sounds to me like it really doesn't matter whether it's 0 or 2? Let's keep it 2 so that it's less confusing - to be on the safe side if there are bugs in that code and something is still left over etc.. who knows?! better to keep them at 2 worst case? The only reason I am hesitant to leave them at 0 is that if in some cluster there are really leftovers because that code didn't run for whatever insane reason in the skew upgrades they will be left at tier0 and I don't want any of them outside of ANP at that tier. If all is well and we are at an ideal place it's a no-op right? It is possible I am being paranoid - but just to get us both on the same page - the way I have done it now - are there any functional concerns?
I don't have any preference over process related things like how commits are organized. I will squash them together if that makes it less confusing for you. Happy to oblige. |
@npinaeva : squashed the commits together, hope that works for you. |
Unrelated failure:
https://github.com/ovn-org/ovn-kubernetes/actions/runs/5269310815/jobs/9527263051?pr=3645 |
/retest-failed |
Oops, something went wrong:
|
go-controller/pkg/ovn/external_ids_syncer/address_set/address_set_sync_test.go
i was running the tests locally:
that one is unrelated to this PR. otherwise we are looking good. |
@jcaamano raised an important point there. -> network disruption during upgrades. Since we are not updating all ACLs to tier2 at once from sync and doing it in stages, it's possible we are stuck in a situation where 1000 priority default deny is in tier0 and 1001 priority allow-related is in tier2 in which case the allow won't work during upgrades. This should be fixed. kudos to @jcaamano for thinking of this corner scenario yet very important use case! two options:
(2) which might be a VERY large transaction in big clusters. Either way I don't see how we can avoid having a separate sync on startup.. |
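The upgrade hazard raised in the comment above, reproduced as an added example (not code from this PR or from ovn-kubernetes): a simplified model in which tiers are evaluated from 0 upward and the highest-priority match in the first matching tier decides. The ACL names, flows, the default-allow fallback and the `Verdict`/`FirstBrokenStep` helpers are assumptions for illustration; for these sample ACLs it also shows that moving them in ascending priority order keeps every intermediate state equivalent to the pre-upgrade one.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ACL is a simplified stand-in for an OVN ACL row; only the fields needed to
// show how tier and priority interact are modelled (assumption of this example).
type ACL struct {
	Name     string
	Priority int
	Tier     int
	Action   string // "allow" or "drop"
	Match    func(flow string) bool
}

// targetTier is the tier the thread settles on for all existing ACLs.
const targetTier = 2

// Verdict walks tiers from 0 upward. In the first tier that has a matching ACL,
// the highest-priority match decides. No match in any tier means "allow".
func Verdict(acls []ACL, flow string) string {
	for tier := 0; tier <= targetTier; tier++ {
		var best *ACL
		for i := range acls {
			a := &acls[i]
			if a.Tier == tier && a.Match(flow) && (best == nil || a.Priority > best.Priority) {
				best = a
			}
		}
		if best != nil {
			return best.Action
		}
	}
	return "allow"
}

// SampleACLs returns constructed pre-upgrade ACLs, all still in tier 0.
func SampleACLs() []ACL {
	return []ACL{
		{"netpol-allow-from-foo2", 1001, 0, "allow", func(f string) bool { return f == "foo2->foo4" }},
		{"netpol-default-deny", 1000, 0, "drop", func(f string) bool { return strings.HasSuffix(f, "->foo4") }},
		{"egress-fw-rule-0", 10000, 0, "allow", func(f string) bool { return f == "pod->ext-allowed" }},
		{"egress-fw-rule-1", 9999, 0, "drop", func(f string) bool { return strings.HasPrefix(f, "pod->ext") }},
	}
}

// Probes are constructed flows covering each allow/drop pair plus an unmatched flow.
var Probes = []string{"foo2->foo4", "foo3->foo4", "pod->ext-allowed", "pod->ext-other", "foo4->foo2"}

// AscendingPriorityOrder returns ACL indices sorted by priority, lowest first,
// using the same comparison as the sort.Slice call quoted in this thread.
func AscendingPriorityOrder(acls []ACL) []int {
	order := make([]int, len(acls))
	for i := range order {
		order[i] = i
	}
	sort.SliceStable(order, func(i, j int) bool {
		return acls[order[i]].Priority < acls[order[j]].Priority
	})
	return order
}

// FirstBrokenStep moves one ACL per step to targetTier in the given order and
// returns the first step after which any probe's verdict differs from the
// pre-upgrade verdict, or -1 when every intermediate state is equivalent.
func FirstBrokenStep(acls []ACL, order []int, probes []string) int {
	want := make(map[string]string, len(probes))
	for _, p := range probes {
		want[p] = Verdict(acls, p)
	}
	for step, idx := range order {
		acls[idx].Tier = targetTier
		for _, p := range probes {
			if Verdict(acls, p) != want[p] {
				return step
			}
		}
	}
	return -1
}

func main() {
	// Staged update in list order: the 1001 allow reaches tier 2 while the
	// 1000 default deny is still in tier 0, so the deny is evaluated first.
	staged := []int{0, 1, 2, 3}
	fmt.Println("list order breaks at step:", FirstBrokenStep(SampleACLs(), staged, Probes))

	acls := SampleACLs()
	asc := AscendingPriorityOrder(acls)
	fmt.Println("ascending priority breaks at step:", FirstBrokenStep(acls, asc, Probes))
}
```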
90cc166 to 3fe5b3b
legacy egw failing unrelated |
sort.Slice(aclsInTier0, func(i, j int) bool { | ||
return aclsInTier0[i].Priority < aclsInTier0[j].Priority | ||
}) // O(nlogn); unstable sort | ||
klog.Infof("SURYA %v", aclsInTier0) |
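Review bot: The `klog.Infof("SURYA %v", aclsInTier0)` call on the last line is leftover debug logging: it carries a personal marker, runs at Info level, and `%v` on this slice prints only pointer addresses, as the `acl_sync.go:159` line in the upgrade log later in this thread shows. Remove it before merge, or log each ACL's external IDs and priority at a higher verbosity level. The comment on the sort says it is unstable; if the relative order of ACLs with equal priority matters for the update, use `sort.SliceStable`, otherwise state in the comment that ties are interchangeable.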
TODO: Remove these once you see logs from successful upgrade that shows the sorted order being processed.
all right! tested upgrades:
I0711 07:51:35.776294 58 acl_sync.go:150] Updating Tier of existing ACLs...
I0711 07:51:35.776356 58 acl_sync.go:159] SURYA [0xc0007214d0 0xc000721560 0xc0007215f0 0xc000721680 0xc000721710 0xc000721830 0xc000721290 0xc000721440 0xc0007218c0 0xc0007217a0 0xc000721950 0xc000721320 0xc0007213b0]
I0711 07:51:35.776374 58 acl_sync.go:161] SURYA: Before sort
I0711 07:51:35.776385 58 acl_sync.go:164] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776407 58 acl_sync.go:164] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776434 58 acl_sync.go:164] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776458 58 acl_sync.go:164] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776476 58 acl_sync.go:164] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776490 58 acl_sync.go:164] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776506 58 acl_sync.go:164] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776520 58 acl_sync.go:164] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776536 58 acl_sync.go:164] SURYA map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776551 58 acl_sync.go:164] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]/10000
I0711 07:51:35.776566 58 acl_sync.go:164] SURYA map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776581 58 acl_sync.go:164] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1]/9999
I0711 07:51:35.776595 58 acl_sync.go:164] SURYA map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776613 58 acl_sync.go:169] SURYA: After sort
I0711 07:51:35.776624 58 acl_sync.go:172] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776649 58 acl_sync.go:172] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776665 58 acl_sync.go:172] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776687 58 acl_sync.go:172] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776704 58 acl_sync.go:172] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776720 58 acl_sync.go:172] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776736 58 acl_sync.go:172] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776751 58 acl_sync.go:172] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776767 58 acl_sync.go:172] SURYA map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776782 58 acl_sync.go:172] SURYA map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776796 58 acl_sync.go:172] SURYA map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.776822 58 acl_sync.go:172] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1]/9999
I0711 07:51:35.776838 58 acl_sync.go:172] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]/10000
I0711 07:51:35.776853 58 acl_sync.go:176] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776869 58 acl_sync.go:176] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]/1000
I0711 07:51:35.776886 58 acl_sync.go:176] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776910 58 acl_sync.go:176] SURYA map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]/1001
I0711 07:51:35.776930 58 acl_sync.go:176] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776945 58 acl_sync.go:176] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]/1001
I0711 07:51:35.776961 58 acl_sync.go:176] SURYA map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776977 58 acl_sync.go:176] SURYA map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]/1001
I0711 07:51:35.776992 58 acl_sync.go:176] SURYA map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.777007 58 acl_sync.go:176] SURYA map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.777022 58 acl_sync.go:176] SURYA map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]/1001
I0711 07:51:35.777038 58 acl_sync.go:176] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1]/9999
I0711 07:51:35.777054 58 acl_sync.go:176] SURYA map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]/10000
I0711 07:51:35.777203 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:drop direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:inport == @a11718373952692888238_egressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b32fe188-bb11-49cf-bf39-0cfc7361e3c9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.777371 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9fa36da4-8cb4-4286-a00e-ba62fa5c80d7}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.777541 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a1822410377753831280} && outport == @a14627396333488653719 meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {e7835318-3717-45e2-9716-ef3f8c236f51}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.777707 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a15450058810467113962} && outport == @a3548240021545986166 meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {dda99940-ee99-4cf9-909c-56f4a1b2dd63}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.777847 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {28c394e2-13d8-4e66-9c8f-f2e288cd0f36}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.777997 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {3bdd27b4-90fc-41c7-ae78-0405af3e0eb3}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778138 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {f4ab3018-8beb-4ab6-9fd2-b655247f48ac}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778277 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:inport == @a11718373952692888238_egressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {884c23b8-5789-4d72-b184-28914f0bb0b2}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778418 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.2.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b1475e2d-aedb-4018-9a07-34179cb72ad9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778596 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.1.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {1a84986b-d2a3-4cad-9d3d-3121a24d9f1c}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778747 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.0.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9c36a2f5-8486-42d9-b79c-af79e78ff3d4}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.778883 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1]} log:false match:(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.244.0.0/16) && ip4.src == $a4322231855293774466 meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:1]} options:{GoMap:map[]} priority:9999 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {6eed1ca4-db38-41cf-a2a3-076897535a06}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.779026 58 model_client.go:372] Update operations generated as: [{Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]} log:false match:(ip4.dst == 172.25.75.11/32) && ip4.src == $a4322231855293774466 && ((tcp && ( tcp.dst == 8888 ))) meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:0]} options:{GoMap:map[]} priority:10000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {48a8cb2c-2046-4347-87a3-356856e21536}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.779061 58 transact.go:41] Configuring OVN: [{Op:update Table:ACL Row:map[action:drop direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:inport == @a11718373952692888238_egressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b32fe188-bb11-49cf-bf39-0cfc7361e3c9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9fa36da4-8cb4-4286-a00e-ba62fa5c80d7}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a1822410377753831280} && outport == @a14627396333488653719 meter:{GoSet:[acl-logging]} 
name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {e7835318-3717-45e2-9716-ef3f8c236f51}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a15450058810467113962} && outport == @a3548240021545986166 meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {dda99940-ee99-4cf9-909c-56f4a1b2dd63}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {28c394e2-13d8-4e66-9c8f-f2e288cd0f36}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress 
k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {3bdd27b4-90fc-41c7-ae78-0405af3e0eb3}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {f4ab3018-8beb-4ab6-9fd2-b655247f48ac}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:inport == @a11718373952692888238_egressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {884c23b8-5789-4d72-b184-28914f0bb0b2}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.2.2 
k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.2.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b1475e2d-aedb-4018-9a07-34179cb72ad9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.1.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {1a84986b-d2a3-4cad-9d3d-3121a24d9f1c}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.0.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9c36a2f5-8486-42d9-b79c-af79e78ff3d4}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller 
k8s.ovn.org/owner-type:EgressFirewall rule-index:1]} log:false match:(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.244.0.0/16) && ip4.src == $a4322231855293774466 meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:1]} options:{GoMap:map[]} priority:9999 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {6eed1ca4-db38-41cf-a2a3-076897535a06}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]} log:false match:(ip4.dst == 172.25.75.11/32) && ip4.src == $a4322231855293774466 && ((tcp && ( tcp.dst == 8888 ))) meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:0]} options:{GoMap:map[]} priority:10000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {48a8cb2c-2046-4347-87a3-356856e21536}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]
I0711 07:51:35.779705 58 client.go:783] "msg"="transacting operations" "database"="OVN_Northbound" "operations"="[{Op:update Table:ACL Row:map[action:drop direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:inport == @a11718373952692888238_egressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b32fe188-bb11-49cf-bf39-0cfc7361e3c9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9fa36da4-8cb4-4286-a00e-ba62fa5c80d7}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a1822410377753831280} && outport 
== @a14627396333488653719 meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {e7835318-3717-45e2-9716-ef3f8c236f51}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1]} log:false match:ip4.src == {$a15450058810467113962} && outport == @a3548240021545986166 meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {dda99940-ee99-4cf9-909c-56f4a1b2dd63}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {28c394e2-13d8-4e66-9c8f-f2e288cd0f36}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:from-lport external_ids:{GoMap:map[direction:Egress 
k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault]} log:false match:ip4.src == 169.254.169.5 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {3bdd27b4-90fc-41c7-ae78-0405af3e0eb3}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:outport == @a11718373952692888238_ingressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Ingress]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {f4ab3018-8beb-4ab6-9fd2-b655247f48ac}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:from-lport external_ids:{GoMap:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow]} log:false match:inport == @a11718373952692888238_egressDefaultDeny && (arp || nd) meter:{GoSet:[acl-logging]} name:{GoSet:[NP:surya5:Egress]} options:{GoMap:map[apply-after-lb:true]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {884c23b8-5789-4d72-b184-28914f0bb0b2}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL 
Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.2.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {b1475e2d-aedb-4018-9a07-34179cb72ad9}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.1.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {1a84986b-d2a3-4cad-9d3d-3121a24d9f1c}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow-related direction:to-lport external_ids:{GoMap:map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode]} log:false match:ip4.src==10.244.0.2 meter:{GoSet:[acl-logging]} name:{GoSet:[]} options:{GoMap:map[]} priority:1001 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {9c36a2f5-8486-42d9-b79c-af79e78ff3d4}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:drop direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 
k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1]} log:false match:(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.244.0.0/16) && ip4.src == $a4322231855293774466 meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:1]} options:{GoMap:map[]} priority:9999 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {6eed1ca4-db38-41cf-a2a3-076897535a06}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:} {Op:update Table:ACL Row:map[action:allow direction:to-lport external_ids:{GoMap:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0]} log:false match:(ip4.dst == 172.25.75.11/32) && ip4.src == $a4322231855293774466 && ((tcp && ( tcp.dst == 8888 ))) meter:{GoSet:[acl-logging]} name:{GoSet:[EF:default:0]} options:{GoMap:map[]} priority:10000 severity:{GoSet:[]} tier:2] Rows:[] Columns:[] Mutations:[] Timeout:<nil> Where:[where column _uuid == {48a8cb2c-2046-4347-87a3-356856e21536}] Until: Durable:<nil> Comment:<nil> Lock:<nil> UUIDName:}]"
I0711 07:51:35.780934 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="1a84986b-d2a3-4cad-9d3d-3121a24d9f1c"
I0711 07:51:35.780997 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:1a84986b-d2a3-4cad-9d3d-3121a24d9f1c Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.1.2 Meter:0xc00092e470 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:1a84986b-d2a3-4cad-9d3d-3121a24d9f1c Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.1.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker2:10.244.1.2 k8s.ovn.org/name:ovn-worker2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.1.2 Meter:0xc00092e480 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="1a84986b-d2a3-4cad-9d3d-3121a24d9f1c"
I0711 07:51:35.781014 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="28c394e2-13d8-4e66-9c8f-f2e288cd0f36"
I0711 07:51:35.781063 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:28c394e2-13d8-4e66-9c8f-f2e288cd0f36 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault] Label:0 Log:false Match:ip4.src == 169.254.169.5 Meter:0xc00092e7e0 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:28c394e2-13d8-4e66-9c8f-f2e288cd0f36 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Ingress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault] Label:0 Log:false Match:ip4.src == 169.254.169.5 Meter:0xc00092e7f0 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="28c394e2-13d8-4e66-9c8f-f2e288cd0f36"
I0711 07:51:35.781078 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="48a8cb2c-2046-4347-87a3-356856e21536"
I0711 07:51:35.781120 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:48a8cb2c-2046-4347-87a3-356856e21536 Action:allow Direction:to-lport ExternalIDs:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0] Label:0 Log:false Match:(ip4.dst == 172.25.75.11/32) && ip4.src == $a4322231855293774466 && ((tcp && ( tcp.dst == 8888 ))) Meter:0xc00092eb50 Name:0xc00092eb60 Options:map[] Priority:10000 Severity:<nil> Tier:2}" "old"="&{UUID:48a8cb2c-2046-4347-87a3-356856e21536 Action:allow Direction:to-lport ExternalIDs:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:0 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:0] Label:0 Log:false Match:(ip4.dst == 172.25.75.11/32) && ip4.src == $a4322231855293774466 && ((tcp && ( tcp.dst == 8888 ))) Meter:0xc00092eb70 Name:0xc00092eb80 Options:map[] Priority:10000 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="48a8cb2c-2046-4347-87a3-356856e21536"
I0711 07:51:35.781138 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="884c23b8-5789-4d72-b184-28914f0bb0b2"
I0711 07:51:35.781179 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:884c23b8-5789-4d72-b184-28914f0bb0b2 Action:allow Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow] Label:0 Log:false Match:inport == @a11718373952692888238_egressDefaultDeny && (arp || nd) Meter:0xc00092eef0 Name:0xc00092ef00 Options:map[apply-after-lb:true] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:884c23b8-5789-4d72-b184-28914f0bb0b2 Action:allow Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow] Label:0 Log:false Match:inport == @a11718373952692888238_egressDefaultDeny && (arp || nd) Meter:0xc00092ef10 Name:0xc00092ef20 Options:map[apply-after-lb:true] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="884c23b8-5789-4d72-b184-28914f0bb0b2"
I0711 07:51:35.781194 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="9c36a2f5-8486-42d9-b79c-af79e78ff3d4"
I0711 07:51:35.781233 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:9c36a2f5-8486-42d9-b79c-af79e78ff3d4 Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.0.2 Meter:0xc00092f310 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:9c36a2f5-8486-42d9-b79c-af79e78ff3d4 Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.0.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-worker:10.244.0.2 k8s.ovn.org/name:ovn-worker k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.0.2 Meter:0xc00092f320 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="9c36a2f5-8486-42d9-b79c-af79e78ff3d4"
I0711 07:51:35.781254 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="e7835318-3717-45e2-9716-ef3f8c236f51"
I0711 07:51:35.781301 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:e7835318-3717-45e2-9716-ef3f8c236f51 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1] Label:0 Log:false Match:ip4.src == {$a1822410377753831280} && outport == @a14627396333488653719 Meter:0xc00092f680 Name:0xc00092f690 Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:e7835318-3717-45e2-9716-ef3f8c236f51 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-foo2 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1] Label:0 Log:false Match:ip4.src == {$a1822410377753831280} && outport == @a14627396333488653719 Meter:0xc00092f6a0 Name:0xc00092f6b0 Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="e7835318-3717-45e2-9716-ef3f8c236f51"
I0711 07:51:35.781315 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="f4ab3018-8beb-4ab6-9fd2-b655247f48ac"
I0711 07:51:35.781351 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:f4ab3018-8beb-4ab6-9fd2-b655247f48ac Action:allow Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow] Label:0 Log:false Match:outport == @a11718373952692888238_ingressDefaultDeny && (arp || nd) Meter:0xc00092fae0 Name:0xc00092faf0 Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:f4ab3018-8beb-4ab6-9fd2-b655247f48ac Action:allow Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:arpAllow k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:arpAllow] Label:0 Log:false Match:outport == @a11718373952692888238_ingressDefaultDeny && (arp || nd) Meter:0xc00092fb00 Name:0xc00092fb10 Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="f4ab3018-8beb-4ab6-9fd2-b655247f48ac"
I0711 07:51:35.781363 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="3bdd27b4-90fc-41c7-ae78-0405af3e0eb3"
I0711 07:51:35.781407 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:3bdd27b4-90fc-41c7-ae78-0405af3e0eb3 Action:allow-related Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault] Label:0 Log:false Match:ip4.src == 169.254.169.5 Meter:0xc00092fec0 Name:<nil> Options:map[apply-after-lb:true] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:3bdd27b4-90fc-41c7-ae78-0405af3e0eb3 Action:allow-related Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolDefault:allow-hairpinning:Egress k8s.ovn.org/name:allow-hairpinning k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolDefault] Label:0 Log:false Match:ip4.src == 169.254.169.5 Meter:0xc00092fed0 Name:<nil> Options:map[apply-after-lb:true] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="3bdd27b4-90fc-41c7-ae78-0405af3e0eb3"
I0711 07:51:35.781427 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="6eed1ca4-db38-41cf-a2a3-076897535a06"
I0711 07:51:35.781502 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:6eed1ca4-db38-41cf-a2a3-076897535a06 Action:drop Direction:to-lport ExternalIDs:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1] Label:0 Log:false Match:(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.244.0.0/16) && ip4.src == $a4322231855293774466 Meter:0xc000a12270 Name:0xc000a12280 Options:map[] Priority:9999 Severity:<nil> Tier:2}" "old"="&{UUID:6eed1ca4-db38-41cf-a2a3-076897535a06 Action:drop Direction:to-lport ExternalIDs:map[k8s.ovn.org/id:default-network-controller:EgressFirewall:default:1 k8s.ovn.org/name:default k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:EgressFirewall rule-index:1] Label:0 Log:false Match:(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.244.0.0/16) && ip4.src == $a4322231855293774466 Meter:0xc000a12290 Name:0xc000a122a0 Options:map[] Priority:9999 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="6eed1ca4-db38-41cf-a2a3-076897535a06"
I0711 07:51:35.781519 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="9fa36da4-8cb4-4286-a00e-ba62fa5c80d7"
I0711 07:51:35.781562 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:9fa36da4-8cb4-4286-a00e-ba62fa5c80d7 Action:drop Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny] Label:0 Log:false Match:outport == @a11718373952692888238_ingressDefaultDeny Meter:0xc000a12610 Name:0xc000a12620 Options:map[] Priority:1000 Severity:<nil> Tier:2}" "old"="&{UUID:9fa36da4-8cb4-4286-a00e-ba62fa5c80d7 Action:drop Direction:to-lport ExternalIDs:map[direction:Ingress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Ingress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny] Label:0 Log:false Match:outport == @a11718373952692888238_ingressDefaultDeny Meter:0xc000a12630 Name:0xc000a12640 Options:map[] Priority:1000 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="9fa36da4-8cb4-4286-a00e-ba62fa5c80d7"
I0711 07:51:35.781582 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="b1475e2d-aedb-4018-9a07-34179cb72ad9"
I0711 07:51:35.781625 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:b1475e2d-aedb-4018-9a07-34179cb72ad9 Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.2.2 Meter:0xc000a129f0 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:b1475e2d-aedb-4018-9a07-34179cb72ad9 Action:allow-related Direction:to-lport ExternalIDs:map[ip:10.244.2.2 k8s.ovn.org/id:default-network-controller:NetpolNode:ovn-control-plane:10.244.2.2 k8s.ovn.org/name:ovn-control-plane k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNode] Label:0 Log:false Match:ip4.src==10.244.2.2 Meter:0xc000a12a00 Name:<nil> Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="b1475e2d-aedb-4018-9a07-34179cb72ad9"
I0711 07:51:35.781647 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="b32fe188-bb11-49cf-bf39-0cfc7361e3c9"
I0711 07:51:35.781693 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:b32fe188-bb11-49cf-bf39-0cfc7361e3c9 Action:drop Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny] Label:0 Log:false Match:inport == @a11718373952692888238_egressDefaultDeny Meter:0xc000a12d60 Name:0xc000a12d70 Options:map[apply-after-lb:true] Priority:1000 Severity:<nil> Tier:2}" "old"="&{UUID:b32fe188-bb11-49cf-bf39-0cfc7361e3c9 Action:drop Direction:from-lport ExternalIDs:map[direction:Egress k8s.ovn.org/id:default-network-controller:NetpolNamespace:surya5:Egress:defaultDeny k8s.ovn.org/name:surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetpolNamespace type:defaultDeny] Label:0 Log:false Match:inport == @a11718373952692888238_egressDefaultDeny Meter:0xc000a12d80 Name:0xc000a12d90 Options:map[apply-after-lb:true] Priority:1000 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="b32fe188-bb11-49cf-bf39-0cfc7361e3c9"
I0711 07:51:35.781709 58 cache.go:1028] cache "msg"="processing update" "database"="OVN_Northbound" "table"="ACL" "uuid"="dda99940-ee99-4cf9-909c-56f4a1b2dd63"
I0711 07:51:35.781757 58 cache.go:1069] cache "msg"="updated row" "database"="OVN_Northbound" "new"="&{UUID:dda99940-ee99-4cf9-909c-56f4a1b2dd63 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1] Label:0 Log:false Match:ip4.src == {$a15450058810467113962} && outport == @a3548240021545986166 Meter:0xc000a13180 Name:0xc000a13190 Options:map[] Priority:1001 Severity:<nil> Tier:2}" "old"="&{UUID:dda99940-ee99-4cf9-909c-56f4a1b2dd63 Action:allow-related Direction:to-lport ExternalIDs:map[direction:Ingress gress-index:0 ip-block-index:-1 k8s.ovn.org/id:default-network-controller:NetworkPolicy:surya5:allow-ingress-to-foo4-from-surya5:Ingress:0:-1:-1 k8s.ovn.org/name:surya5:allow-ingress-to-foo4-from-surya5 k8s.ovn.org/owner-controller:default-network-controller k8s.ovn.org/owner-type:NetworkPolicy port-policy-index:-1] Label:0 Log:false Match:ip4.src == {$a15450058810467113962} && outport == @a3548240021545986166 Meter:0xc000a131a0 Name:0xc000a131b0 Options:map[] Priority:1001 Severity:<nil> Tier:0}" "table"="ACL" "uuid"="dda99940-ee99-4cf9-909c-56f4a1b2dd63"
I0711 07:51:35.781806 58 acl_sync.go:187] Updating tier's of all ACLs in cluster took 5.491447ms
it's working as expected...
used the nice batching logic Nadia added for previous updates, so up to 20K ACLs we do in a single transact.
6fe15f4
to
b53b9f7
Compare
// for default deny is in tier0 while 1001 ACL for allow-ing traffic is in tier2 for a given namespace network policy). | ||
// NOTE: This is a one-time operation as no ACLs should ever be created in types.PlaceHolderACLTier moving forward. | ||
// Fetch all ACLs in types.PlaceHolderACLTier (Tier0); update their Tier to 2 and batch the ACL update. | ||
klog.Info("Updating Tier of existing ACLs...") |
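Review bot: the klog.Info("Updating Tier of existing ACLs...") call comes straight after the comment, before any ACL has been looked up, so the message is logged on every controller start even though the NOTE above describes this as a one-time operation. Consider logging only when the lookup returns ACLs still in types.PlaceHolderACLTier and including how many were moved, so an operator reading the log can tell whether a migration actually ran. The first comment line names the ordering hazard (default deny left in tier0 while the 1001 allow ACL is already in tier2); it would help to state next to it which order the batches are built in to avoid that state.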
Any chance to have a test for this?
so we have tests in the go-controller/pkg/ovn/external_ids_syncer/acl/acl_sync_test.go; specifically here: b53b9f7#diff-fbf87e9a26d9865f6ce3881764044151ed71700db9c0440b1c527acba89024f9R451 and b53b9f7#diff-fbf87e9a26d9865f6ce3881764044151ed71700db9c0440b1c527acba89024f9R593 -> those parts are starting the tests with Placeholder ACLs and then moving them to Tier2 and verifying final state is tier2. That tests this specific code path...
Did you have something else in mind?
Also I tried to write the test to check if lower priorities are moved before higher, but I didn't have bright ideas there.. Maybe I need to create like 40K ACLs and see if the 1st batch all has lower priority, something like that.. but that would be hard to test when calling syncACLs.. let me know what you think
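The ordering property discussed in this thread (lower priorities moved to tier 2 before higher ones, in batches) can be checked on a small model without 40K rows. This is an added example, not ovn-kubernetes code: the `ACL` struct, `planBatches`, `verdict` and `migrate` are hypothetical names, the rows are constructed from the names in the log above, and the model assumes one flow that matches every ACL and that the lowest tier holding a match decides.

```go
package main

import (
	"fmt"
	"sort"
)

// ACL is a simplified, hypothetical stand-in for an NBDB ACL row; only the
// columns that matter for the tier migration are modelled.
type ACL struct {
	Name     string
	Action   string
	Priority int
	Tier     int
}

const (
	placeholderTier = 0 // value every row has after the schema upgrade
	defaultTier     = 2 // tier the PR moves existing ACLs to
)

// placeholderIndexes returns the positions of ACLs still in the placeholder tier.
func placeholderIndexes(acls []ACL) []int {
	var idx []int
	for i, a := range acls {
		if a.Tier == placeholderTier {
			idx = append(idx, i)
		}
	}
	return idx
}

// chunk splits idx into consecutive batches of at most size entries.
func chunk(idx []int, size int) [][]int {
	if size < 1 {
		size = 1
	}
	var batches [][]int
	for start := 0; start < len(idx); start += size {
		end := start + size
		if end > len(idx) {
			end = len(idx)
		}
		batches = append(batches, idx[start:end])
	}
	return batches
}

// planBatches orders placeholder-tier ACLs lowest priority first, then batches
// them, so a deny never stays behind in tier 0 once its allow has moved.
func planBatches(acls []ACL, size int) [][]int {
	idx := placeholderIndexes(acls)
	sort.SliceStable(idx, func(a, b int) bool {
		return acls[idx[a]].Priority < acls[idx[b]].Priority
	})
	return chunk(idx, size)
}

// verdict models tiered evaluation: the lowest tier containing an ACL decides,
// and within that tier the highest priority wins.
func verdict(acls []ACL) string {
	best := -1
	for i, a := range acls {
		if best == -1 || a.Tier < acls[best].Tier ||
			(a.Tier == acls[best].Tier && a.Priority > acls[best].Priority) {
			best = i
		}
	}
	if best == -1 {
		return "no-match"
	}
	return acls[best].Action
}

// migrate applies one batch per transaction on a copy of acls and records the
// verdict before the first batch and after every batch.
func migrate(acls []ACL, batches [][]int) ([]ACL, []string) {
	state := append([]ACL(nil), acls...)
	seen := []string{verdict(state)}
	for _, batch := range batches {
		for _, i := range batch {
			state[i].Tier = defaultTier
		}
		seen = append(seen, verdict(state))
	}
	return state, seen
}

// sampleACLs is constructed data: one namespace's allow and default-deny rows.
func sampleACLs() []ACL {
	return []ACL{
		{"NP:surya5:allow-ingress-to-foo4-from-foo2:Ingress:0", "allow-related", 1001, placeholderTier},
		{"NP:surya5:Ingress", "drop", 1000, placeholderTier},
	}
}

func main() {
	acls := sampleACLs()
	_, ordered := migrate(acls, planBatches(acls, 1))
	_, naive := migrate(acls, chunk(placeholderIndexes(acls), 1))
	fmt.Println("priority-ordered batches:", ordered)
	fmt.Println("row-order batches:       ", naive)
}
```

With a batch size of 1 every intermediate state is visible, which is the worst case for the 20K batching described above.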
(latest push is just rebase to master... no changes)
the multi-homing lane failure seems a flake?:
saving link, will open issue if i see it again: https://github.com/ovn-org/ovn-kubernetes/actions/runs/5540252630/jobs/10112572522?pr=3645
This commit bumps the OVN DB schema to the new OVN release. In particular we want to bring in Tiered ACLs construct to lay out the pre-work for ANPs
Signed-off-by: Surya Seetharaman <[email protected]>
We have a new feature called Hierarchical ACLs that is introduced in OVN to enable support for tiered ACLs. This commit ensures that from this point on, all ACLs for all features are created in tier2. By default all new ACLs must be added to tier2.
Ensure existing ACLs without tiers are migrated post upgrade
Since the column in NBDB is an int, when OVN schema upgrade happens, by default the value for this column will be set to 0. We want all existing ACLs to move to tier2. This commit ensures all existing ACLs for all features are migrated towards tier2. This PR ensures that is done by OVNK controller upon upgrade restart.
Signed-off-by: Surya Seetharaman <[email protected]>
@jcaamano : shall we merge this? CI looking good
- What this PR does and why is it needed
Change all existing ACLs to tier2
- Special notes for reviewers
Tiered ACLs will be used for ANP & BANP in #3659. This PR splits the initial framework addition so that it's easier to review this.
- How to verify it
- Description for the changelog
Move all existing ACLs to tier2 which will be the default