Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hostfw tests flake workaround #25323

Merged
merged 1 commit into from
May 9, 2023
Merged

hostfw tests flake workaround #25323

merged 1 commit into from
May 9, 2023

Conversation

tommyp1ckles
Copy link
Contributor

@tommyp1ckles tommyp1ckles commented May 8, 2023
edited

Reopening #25199 as the issue continuous to plague our CI.

For reviewers: With this change, we want to further confirm suspicions relating to #15455 that these flakes are caused by this issue.

Currently, this issue is by-far the largest cause of failures in our CI, what we're interested in seeing if this significantly affects that.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 8, 2023
@tommyp1ckles tommyp1ckles changed the title Pr/tp/hostfw tests flake workaround hostfw tests flake workaround May 8, 2023
@tommyp1ckles tommyp1ckles force-pushed the pr/tp/hostfw-tests-flake-workaround branch 2 times, most recently from ab813bd to 7ab0d4e Compare May 8, 2023 19:51
@tommyp1ckles tommyp1ckles added area/CI Continuous Integration testing issue or flake release-note/ci This PR makes changes to the CI. labels May 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 8, 2023
@tommyp1ckles tommyp1ckles marked this pull request as ready for review May 8, 2023 19:57
@tommyp1ckles tommyp1ckles requested review from a team as code owners May 8, 2023 19:57
@tommyp1ckles
test: Fix ACK and FIN+ACK policy drops in hostfw tests
2b38775 
First see the code comments for the full explanation.

This issue with the faulty conntrack entries when enforcing host
policies is suspected to cause the flakes that have been polluting host
firewall tests. We've seen this faulty conntrack issue happen mostly to
health and kube-apiserver connections. And it turns out that the host
firewall flakes look like they are caused by connectivity blips on
kube-apiserver's side, which error messages such as:

    error: unable to upgrade connection: Authorization error (user=kube-apiserver-kubelet-client, verb=create, resource=nodes, subresource=proxy)

This commit therefore tries to workaround the issue of faulty conntrack
entries in host firewall tests. If the flakes are indeed caused by those
faulty entries, we shouldn't see them happen anymore.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Tom Hadlaw <tom.hadlaw@isovalent.com>
@tommyp1ckles tommyp1ckles force-pushed the pr/tp/hostfw-tests-flake-workaround branch from 7ab0d4e to 2b38775 Compare May 8, 2023 19:57
@tommyp1ckles
Copy link
Contributor Author

/test

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 9, 2023
@youngnick youngnick merged commit 439a0a0 into cilium:main May 9, 2023
45 checks passed
@tommyp1ckles tommyp1ckles mentioned this pull request May 10, 2023
Closed
@julianwiedmann julianwiedmann mentioned this pull request May 12, 2023
Closed
@pchaigno pchaigno added needs-backport/1.11 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels May 17, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.3 May 17, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.10 May 17, 2023
@pchaigno
Copy link
Member

Marking this for backports everywhere as it's a fairly frequent flake that happens on all branches (I've seen reports on v1.10 backport PRs) and I expect it to be trivial to backport.

@thorn3r thorn3r added this to Needs backport from main in 1.13.4 May 17, 2023
@thorn3r thorn3r removed this from Needs backport from main in 1.13.3 May 17, 2023
@jibi jibi mentioned this pull request May 19, 2023
Merged
2 tasks
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.3 May 19, 2023
@tklauser tklauser mentioned this pull request May 22, 2023
Merged
2 tasks
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.10 May 22, 2023
@tklauser tklauser mentioned this pull request May 22, 2023
Merged
4 tasks
@tklauser tklauser added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels May 22, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.3 May 22, 2023
@tklauser tklauser added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels May 26, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.10 May 26, 2023
@tklauser tklauser added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels May 26, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.3 May 26, 2023
@aspsk aspsk mentioned this pull request Jun 9, 2023
Merged
2 tasks
@qmonnet qmonnet moved this from Needs backport from main to Backport done to v1.13 in 1.13.4 Jun 9, 2023
@qmonnet qmonnet mentioned this pull request Jun 9, 2023
Closed
This was referenced Jun 9, 2023
Closed
Closed
Merged
Merged
@julianwiedmann julianwiedmann added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jul 11, 2023
@gentoo-root gentoo-root mentioned this pull request Jul 26, 2023
Merged
@julianwiedmann julianwiedmann added the area/host-firewall Impacts the host firewall or the host endpoint. label Mar 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gentoo-root gentoo-root gentoo-root approved these changes

@pchaigno pchaigno pchaigno approved these changes

@nebril nebril Awaiting requested review from nebril nebril is a code owner automatically assigned from cilium/ci-structure

Assignees
No one assigned
Labels
area/CI Continuous Integration testing issue or flake area/host-firewall Impacts the host firewall or the host endpoint. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.
Projects
No open projects
1.12.10
Backport done to v1.12
1.13.3
Backport done to v1.13
1.13.4
Backport done to v1.13
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@tommyp1ckles @pchaigno @gentoo-root @jibi @tklauser @youngnick @julianwiedmann