e2e-benchmarking

Update code for large networkpolicy and egress firewall rule

Open liqcui opened this issue 11 months ago • 9 comments

Type of change

  • [ ] Refactor
  • [ Yes ] New feature
  • [ ] Bug fix
  • [ ] Optimization
  • [ ] Documentation Update

Description

To simulate a customer zero-trust environment, we deny all ingress and egress traffic for network policy and egress firewall, adding a whitelist to open essential ports.

For network policy, create two types of workloads to send network traffic. Pod-to-pod traffic in the same namespace (node density heavy): create two pods, one pod is a postgres DB, the other is a client that inserts data into the database continuously. Across-namespace traffic: it will query DNS for the prometheus pod hostname from other namespaces. For egress firewall, add allow/deny rules. We create one pod to send network traffic from the OCP network to the internet continuously.

Create 10500 pods, 20k networkpolicy, 200k egress firewall rules (ACL) first, then create 9 additional new ns with 20k networkpolicy and 200k egress firewall rules, then delete those additional ns to simulate a customer removing useless network policies.

After all pods/network policies/egress firewalls are created and ready, wait for 90 minutes, then create a new namespace and add a new network policy, and create new pods again to check OVN init-sync time.

Related Tickets & Documents

  • Related Issue # https://issues.redhat.com/browse/OCPQE-17154
  • Closes #

Checklist before requesting a review

  • [ Yes ] I have performed a self-review of my code.
  • [ ] If it is a core feature, I have added thorough tests.

Testing

  • Please describe the System Under Test.

master: 16 vCPUs 64 GiB 

worker: 8 vCPUs 32 GiB | x86 | 100 worker node

  • Please provide detailed steps to perform tests related to this code change.

    https://mastern-jenkins-csb-openshift-qe.apps.ocp-c1.prod.psi.redhat.com/job/scale-ci/job/liqcui-e2e-benchmarking-multibranch-pipeline/job/kube-burner/373/console

    The key variables to set the number of pods, networkpolicy and egressfirewall rules:

    export POD_RPLICAS=25 # Create 75 pods each namespace

    export NETWORKPOLICY_RPLICAS=75 # Create 150 networkpolicy each namespace

    export EGRESS_FIREWALL_POLICY_TOTAL_NUM=600 # Create 600 egress firewall each namespace

    export QPS=50

    export BURST=100

    export MAX_WAIT_TIMEOUT=5h

    export JOB_TIMEOUT=8h

  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

https://docs.google.com/document/d/1X3YNRXmPB1boDeEk0OCZdZPoYdA2B0q2yYrDzJWBcaw/edit

liqcui avatar Feb 28 '24 02:02 liqcui
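
As an added illustration (not taken from this PR's templates), a default-deny-plus-allowlist setup of the kind the description above outlines could look like the manifests below. The namespace name, the postgres port 5432, the DNS port 5353 and the allowed CIDR are assumptions chosen for the example.

```yaml
# Added example; namespace, ports and CIDR are assumed values.
# 1. Deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: zero-trust-demo
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. Allowlist: same-namespace traffic to postgres, plus DNS lookups.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-postgres-and-dns
  namespace: zero-trust-demo
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
  - from: [{podSelector: {}}]          # pods in this namespace only
    ports: [{protocol: TCP, port: 5432}]
  egress:
  - to: [{podSelector: {}}]
    ports: [{protocol: TCP, port: 5432}]
  - to:                                # cluster DNS pods (assumed port 5353)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports: [{protocol: UDP, port: 5353}, {protocol: TCP, port: 5353}]
---
# 3. OVN-Kubernetes EgressFirewall: rules are evaluated in order, so the
#    allow entry must come before the catch-all deny. Name must be "default".
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: zero-trust-demo
spec:
  egress:
  - type: Allow
    to: {cidrSelector: 203.0.113.0/24}   # documentation range, placeholder
    ports: [{protocol: TCP, port: 443}]
  - type: Deny
    to: {cidrSelector: 0.0.0.0/0}
```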

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liqcui

Once this PR has been reviewed and has the lgtm label, please assign morenod for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment

Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Feb 28 '24 02:02 openshift-ci[bot]

Hi @liqcui. Thanks for your PR.

I'm waiting for a cloud-bulldozer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Feb 28 '24 02:02 openshift-ci[bot]

/assign @qiliRedHat @paigerube14 Please review the PR when you are available, thanks!

liqcui avatar Feb 28 '24 02:02 liqcui

/cc @qiliRedHat @paigerube14

liqcui avatar Feb 28 '24 02:02 liqcui

@liqcui Can you please sign-off the PR?

krishvoor avatar Feb 28 '24 06:02 krishvoor

@krishvoor Sorry, I don't quite understand what you mean. You mean the case isn't suitable for merging into the e2e-benchmarking code repository now, right?

liqcui avatar Feb 28 '24 07:02 liqcui

@liqcui We recently added DCO as a mandatory check, which needs users to sign commits first. This can be performed via git commit -s

krishvoor avatar Feb 28 '24 08:02 krishvoor

> @liqcui We recently added DCO as a mandatory check, which needs users to sign commits first. This can be performed via git commit -s

Thank you, I have signed off the PR now!

liqcui avatar Feb 28 '24 08:02 liqcui

/cc @mohit-sheth

liqcui avatar Mar 01 '24 10:03 liqcui