NE-1476: Allow test pods to access DNS metrics ports #30753
rfredette wants to merge 1 commit into openshift:main from
@rfredette: This pull request references NE-1476 which is a valid jira issue.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: rfredette
/retest
d023e22 to a8e8ab9
New default network policies will limit access to DNS and DNS operator metrics ports to only pods in the openshift-monitoring namespace. Rather than creating test pods in the openshift-monitoring namespace, add a network policy that allows access to these metrics ports from the test namespace.
a8e8ab9 to 545fbde
Test failures are unrelated. /retest
@rfredette: all tests passed!
Hey @simonpasquier, can you review this PR, or let me know what the process is for requesting a PR review from the monitoring team? Thanks in advance!
| // do not provide network policies, creating these policies can | ||
| // restrict traffic to/from other pods in the relevant namespace, | ||
| // causing unexpected behavior. | ||
| if len(policies.Items) != 0 { |
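Review bot: the guard `if len(policies.Items) != 0 {` is doing security-relevant work that the comment above it only hints at, and the comment should say so outright: a NetworkPolicy that selects a pod makes that pod isolated for ingress, so creating the allow-from-test-namespace policy in a namespace that previously had no policies would deny every other ingress to its pods (for openshift-dns, that would include DNS queries themselves), not merely narrow who can reach the metrics port. Creating the policy only where policies already exist keeps the existing default-deny posture unchanged; writing the guard as an early `continue` on `len(policies.Items) == 0` makes that skip visible at a glance.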
(nit) easier to read
| if len(policies.Items) != 0 { | |
| if len(policies.Items) == 0 { | |
| continue | |
| } |
| g.By("checking that targets reject the requests with 401 or 403") | ||
| TCP := v1.ProtocolTCP | ||
| networkPolicies := []networkingv1.NetworkPolicy{ |
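Review bot: `networkPolicies := []networkingv1.NetworkPolicy{` spells each policy out as a full literal, while the only per-target inputs are the target namespace and the metrics port; a small constructor taking those two values and returning the NetworkPolicy (name and signature up to the author) would make adding another component a one-line change and keep the podSelector, namespaceSelector and port shape in one place. Whatever form it takes, have it set `PolicyTypes` to Ingress explicitly rather than relying on the default inferred from the rules, so a later edit cannot accidentally turn the policy into an egress default-deny for the DNS pods.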
can we refactor this so it's easy to add more network policies for other components if needed? IIUC we need only the target's namespace + port.
New default network policies added in openshift/cluster-dns-operator#458 will limit access to DNS and DNS operator metrics ports to only pods in the openshift-monitoring namespace, which is causing the test "[sig-instrumentation][Late] Platform Prometheus targets should not be accessible without auth [Serial] [Suite:openshift/conformance/serial]" to fail.

The test fails because the test pods it creates are in a test namespace, and pods in that namespace do not have permission to access the DNS/DNS operator's monitoring ports to test if they require auth. This PR adds a network policy in both the openshift-dns and openshift-dns-operator namespaces that grants the test namespace access to each of the monitoring ports so that the test can continue to function as expected.
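The description above relies on two pieces of NetworkPolicy semantics: an allow rule for the test namespace only helps once the target namespace's pods are already isolated by the new default policies, and the same allow rule dropped into a namespace with no policies would isolate those pods and cut off everything else, which is why the test only creates its policy where policies already exist. The following is an added example, not code from this PR or from openshift/origin, that models those semantics in plain Go (no client-go dependency) so the two outcomes can be checked side by side. The port numbers 9154 and 5353, the pod label, and the namespace names e2e-test and default in the scenario are assumptions chosen for the illustration; the policy shapes are constructed for the example and are not the operator's actual manifests.

```go
package main

import "fmt"

// Pod is the minimal view of a pod that NetworkPolicy selection needs.
type Pod struct {
	Namespace string
	Labels    map[string]string
}

// IngressRule reduces networkingv1.NetworkPolicyIngressRule to the two inputs
// the PR's policies use: peer namespaces (matched here by name, standing in
// for a namespaceSelector) and destination TCP ports. As in the API, an empty
// FromNamespaces matches every source and an empty Ports matches every port.
type IngressRule struct {
	FromNamespaces []string
	Ports          []int
}

// Policy reduces networkingv1.NetworkPolicy with policyTypes [Ingress].
// An empty PodSelector selects every pod in Namespace.
type Policy struct {
	Name        string
	Namespace   string
	PodSelector map[string]string
	Ingress     []IngressRule
}

// selects reports whether the policy's podSelector matches pod.
func (p Policy) selects(pod Pod) bool {
	if pod.Namespace != p.Namespace {
		return false
	}
	for k, v := range p.PodSelector {
		if pod.Labels[k] != v {
			return false
		}
	}
	return true
}

// AllowPortFromNamespace is the shape of policy the PR adds in openshift-dns
// and openshift-dns-operator: every pod in targetNS accepts port from srcNS.
func AllowPortFromNamespace(name, targetNS, srcNS string, port int) Policy {
	return Policy{Name: name, Namespace: targetNS,
		Ingress: []IngressRule{{FromNamespaces: []string{srcNS}, Ports: []int{port}}}}
}

// ShouldAddTestPolicy is the guard behind `if len(policies.Items) != 0` in the
// test: the allow rule is only added where the namespace already has policies.
func ShouldAddTestPolicy(policies []Policy, ns string) bool {
	for _, p := range policies {
		if p.Namespace == ns {
			return true
		}
	}
	return false
}

// IngressAllowed applies the Kubernetes rule: a pod becomes isolated for
// ingress as soon as any policy in its namespace selects it, and an isolated
// pod accepts only traffic that some selecting policy explicitly allows.
// A pod selected by no policy accepts everything.
func IngressAllowed(policies []Policy, dst Pod, srcNS string, port int) bool {
	isolated := false
	for _, p := range policies {
		if !p.selects(dst) {
			continue
		}
		isolated = true
		for _, r := range p.Ingress {
			if contains(r.FromNamespaces, srcNS) && contains(r.Ports, port) {
				return true
			}
		}
	}
	return !isolated
}

// contains treats an empty allow-list as "no restriction", matching the API.
func contains[T comparable](allowed []T, v T) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, a := range allowed {
		if a == v {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: ports, label and namespace names are assumptions.
	dnsPod := Pod{Namespace: "openshift-dns", Labels: map[string]string{"app": "dns"}}
	defaults := []Policy{
		{Name: "allow-metrics-from-monitoring", Namespace: "openshift-dns",
			Ingress: []IngressRule{{FromNamespaces: []string{"openshift-monitoring"}, Ports: []int{9154}}}},
		{Name: "allow-dns-from-anywhere", Namespace: "openshift-dns",
			Ingress: []IngressRule{{Ports: []int{5353}}}},
	}
	fmt.Println("before PR, e2e-test -> metrics:", IngressAllowed(defaults, dnsPod, "e2e-test", 9154))
	if ShouldAddTestPolicy(defaults, "openshift-dns") {
		with := append(defaults, AllowPortFromNamespace("allow-metrics-from-e2e", "openshift-dns", "e2e-test", 9154))
		fmt.Println("after PR, e2e-test -> metrics:", IngressAllowed(with, dnsPod, "e2e-test", 9154))
		fmt.Println("after PR, default -> dns:", IngressAllowed(with, dnsPod, "default", 5353))
	}
	// Why the guard exists: the same policy alone in a namespace isolates the
	// DNS pods and denies port 5353 to every client.
	alone := []Policy{AllowPortFromNamespace("allow-metrics-from-e2e", "openshift-dns", "e2e-test", 9154)}
	fmt.Println("unguarded, default -> dns:", IngressAllowed(alone, dnsPod, "default", 5353))
}
```

The evaluator deliberately models only namespace and port matching; real policies also carry pod selectors on the peer side and egress rules, but the isolation rule that makes the guard necessary is the same.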