CORENET-6130, CORENET-6261, CORENET-6092: Implement PreconfiguredUDNAddresses API changes #2743

Open: wants to merge 3 commits into base: master

kyrtapz
Contributor

@kyrtapz kyrtapz commented Jul 15, 2025

Introduce the following changes behind the featuregate:

  • Layer2 (Cluster) UDN API update: Add new API fields to both CUDN and UDN CRDs behind the PreconfiguredUDNAddresses featuregate
  • Add ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates: Prevent modification of v1.multus-cni.io/default-network once a pod is created, applies to environments with PreconfiguredUDNAddresses featuregate enabled
  • Avoid multus-admission webhook race with ovn-kubernetes: Add CEL expression to ignore default/openshift-ovn-kubernetes NAD to prevent circular dependency where ovn-k fails to start because multus webhook blocks NAD creation, while webhook uses cluster-networked pods which require ovn-k to be running
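
The immutability rule from the second bullet, sketched as an added example; this is not the manifest from this PR, and the object names are hypothetical. It assumes a cluster that serves `admissionregistration.k8s.io/v1` ValidatingAdmissionPolicy and leaves out the scoping to the PreconfiguredUDNAddresses featuregate.

```yaml
# Added example; not the manifest shipped by this PR. Object names are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-default-network-immutable
spec:
  failurePolicy: Fail            # an evaluation error rejects the update
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE"]   # CREATE is left alone: the value is set at creation
        resources: ["pods"]
  variables:
    # Annotations may be absent entirely, so guard before indexing the map.
    - name: oldHas
      expression: >-
        has(oldObject.metadata.annotations) &&
        'v1.multus-cni.io/default-network' in oldObject.metadata.annotations
    - name: newHas
      expression: >-
        has(object.metadata.annotations) &&
        'v1.multus-cni.io/default-network' in object.metadata.annotations
  validations:
    # Adding or removing the annotation after creation is also a modification.
    - expression: variables.oldHas == variables.newHas
      message: v1.multus-cni.io/default-network cannot be added or removed after pod creation
    # When present on both sides, the value must be identical.
    - expression: >-
        !(variables.oldHas && variables.newHas) ||
        oldObject.metadata.annotations['v1.multus-cni.io/default-network'] ==
        object.metadata.annotations['v1.multus-cni.io/default-network']
      message: v1.multus-cni.io/default-network cannot be changed after pod creation
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-default-network-immutable
spec:
  policyName: example-default-network-immutable
  validationActions: ["Deny"]    # "Audit" or "Warn" allow a dry run before enforcing
```

Without the presence check, removing the annotation and re-adding it with a different value in two separate updates would pass a value-only comparison.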

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 15, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Jul 15, 2025

@kyrtapz: This pull request references CORENET-6130 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created.
The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled.

Depends on: #2742

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from JacobTanenbaum and trozet July 15, 2025 11:55
Contributor

openshift-ci bot commented Jul 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2025
@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from 1390e6b to 77084fb Compare July 15, 2025 12:42
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 18, 2025
@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from 77084fb to b7cf7ff Compare July 22, 2025 06:56
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2025
@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch 4 times, most recently from affd6d6 to 9b2b372 Compare August 5, 2025 09:18
@maiqueb
Contributor

maiqueb commented Aug 12, 2025

@kyrtapz could you rebase, now that #2770 was merged?

I see these warnings being logged in the ovnkube control plane pods:

2025-08-11T14:14:07.099359183Z E0811 14:14:07.099115       1 obj_retry.go:681] Failed to update *v1.Pod, old=e2e-network-segmentation-e2e-3110/virt-launcher-myvm-wm4dt, new=e2e-network-segmentation-e2e-3110/virt-launcher-myvm-wm4dt, error: failed to update pod e2e-network-segmentation-e2e-3110/virt-launcher-myvm-wm4dt: error retrieving IPAMClaim for pod e2e-network-segmentation-e2e-3110/virt-launcher-myvm-wm4dt: failed to get IPAMClaim "myvm.overlay": ipamclaim.k8s.cni.cncf.io "myvm.overlay" not found
2025-08-11T14:14:07.139482397Z W0811 14:14:07.137061       1 warnings.go:70] unknown field "status.ownerPod"

I think it's a red herring, but still, it would give us a cleaner signal.

Thanks in advance

@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch 2 times, most recently from d5c2f3a to 781728a Compare August 18, 2025 12:04
Add the new API fields to both CUDN and UDN CRDs behind the
PreconfiguredUDNAddresses featuregate.

Signed-off-by: Patryk Diak <[email protected]>
…work updates

It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created.
The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled.

Signed-off-by: Patryk Diak <[email protected]>
@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from 781728a to ad73589 Compare August 20, 2025 11:57
@kyrtapz kyrtapz changed the title CORENET-6130: Add a ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates CORENET-6130, CORENET-6261, CORENET-6092: Implement PreconfiguredUDNAddresses API changes Aug 20, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Aug 20, 2025

@kyrtapz: This pull request references CORENET-6130 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references CORENET-6261 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references CORENET-6092 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

It is not allowed to modify the v1.multus-cni.io/default-network once the pod was created.
The added ValidatingAdmissionPolicy applies to environments with PreconfiguredUDNAddresses featuregate enabled.

Depends on: #2742

@openshift-ci-robot
Contributor

openshift-ci-robot commented Aug 20, 2025

@kyrtapz: This pull request references CORENET-6130 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references CORENET-6261 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references CORENET-6092 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Introduce the following changes behind the featuregate:

  • Layer2 (Cluster) UDN API update: Add new API fields to both CUDN and UDN CRDs behind the PreconfiguredUDNAddresses featuregate
  • Add ValidatingAdmissionPolicy blocking v1.multus-cni.io/default-network updates: Prevent modification of v1.multus-cni.io/default-network once a pod is created, applies to environments with PreconfiguredUDNAddresses featuregate enabled
  • Avoid multus-admission webhook race with ovn-kubernetes: Add CEL expression to ignore default/openshift-ovn-kubernetes NAD to prevent circular dependency where ovn-k fails to start because multus webhook blocks NAD creation, while webhook uses cluster-networked pods which require ovn-k to be running

@kyrtapz
Contributor Author

kyrtapz commented Aug 20, 2025

/test e2e-gcp-ovn-techpreview

@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from ad73589 to fbd111c Compare August 20, 2025 12:14
@kyrtapz
Contributor Author

kyrtapz commented Aug 20, 2025

/test e2e-gcp-ovn-techpreview

@kyrtapz kyrtapz closed this Aug 20, 2025
@kyrtapz kyrtapz reopened this Aug 20, 2025
@kyrtapz
Contributor Author

kyrtapz commented Aug 20, 2025

/test e2e-gcp-ovn-techpreview

@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from fbd111c to 02608c9 Compare August 20, 2025 12:26
@kyrtapz
Contributor Author

kyrtapz commented Aug 20, 2025

/test e2e-gcp-ovn-techpreview

@kyrtapz
Contributor Author

kyrtapz commented Aug 20, 2025

verify failed due to lint issues, will re-push once we get some signal from the techpreview job.

Add CEL expression to ignore default/openshift-ovn-kubernetes NAD to prevent
circular dependency where ovn-k fails to start because multus webhook blocks
NAD creation, while webhook uses cluster-networked pods which require ovn-k to be running.

Signed-off-by: Patryk Diak <[email protected]>
@kyrtapz kyrtapz force-pushed the default_net_annot_vap branch from 02608c9 to 59a03f2 Compare August 20, 2025 16:23
Contributor

openshift-ci bot commented Aug 20, 2025

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-vsphere-ovn-dualstack-primaryv6 | 9b2b372 | link | false | /test e2e-vsphere-ovn-dualstack-primaryv6 |
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | 59a03f2 | link | true | /test e2e-metal-ipi-ovn-ipv6-ipsec |
| ci/prow/okd-scos-e2e-aws-ovn | 59a03f2 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-azure-ovn | 59a03f2 | link | false | /test e2e-azure-ovn |
| ci/prow/e2e-gcp-ovn-techpreview | 59a03f2 | link | true | /test e2e-gcp-ovn-techpreview |
| ci/prow/4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade | 59a03f2 | link | false | /test 4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade |
| ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade | 59a03f2 | link | false | /test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade |
| ci/prow/e2e-aws-hypershift-ovn-kubevirt | 59a03f2 | link | false | /test e2e-aws-hypershift-ovn-kubevirt |
| ci/prow/security | 59a03f2 | link | false | /test security |
| ci/prow/e2e-aws-ovn-serial-ipsec | 59a03f2 | link | false | /test e2e-aws-ovn-serial-ipsec |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw | 59a03f2 | link | true | /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
| ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade | 59a03f2 | link | false | /test 4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade |
| ci/prow/e2e-ovn-hybrid-step-registry | 59a03f2 | link | false | /test e2e-ovn-hybrid-step-registry |
| ci/prow/e2e-aws-ovn-windows | 59a03f2 | link | true | /test e2e-aws-ovn-windows |
| ci/prow/e2e-aws-ovn-upgrade | 59a03f2 | link | true | /test e2e-aws-ovn-upgrade |
| ci/prow/e2e-aws-ovn-serial | 59a03f2 | link | false | /test e2e-aws-ovn-serial |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
