Add an OPENSHIFT-ADMIN-OUTPUT-RULES chain for admins to use #14221
Conversation
|
$bikeshed: Is that a good name. It seems like OPENSHIFT is the on who would add rules to the chain. Not a huge deal to me. Don't bikeshed on that more than a minute or so... |
|
Entirely valid point, especially since #13465 defines three chains with OPENSHIFT in the name that we don't want people editing. But in both cases the intent was to make it obvious who was creating the chain, and to avoid conflicts with other chains (the same way upstream prefixes all its chains with "KUBE"). Maybe add "ADMIN" or "USER" to the chain name? And shorten "OPENSHIFT" to "OS" to compensate... Although "OS-ADMIN-OUTPUT-FILTERING" sounds like it's for filtering administrators or "administrator output". |
|
I think it should have OPENSHIFT somewhere in the name, since that's what's making the chain and that's the purpose of the chain. Could just do "OPENSHIFT-ADMIN-OUTPUT-FILTER" to keep it under 30 chars. |
danwinship
force-pushed
the
admin-iptables-filtering
branch
from
fd65052 to
98aa854
Compare
|
I went with OPENSHIFT-ADMIN-OUTPUT-RULES... That seems pretty clear I think? |
|
[merge] |
|
[Test]ing while waiting on the merge queue |
|
Evaluated for origin test up to 98aa854 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1651/) (Base Commit: c02131d) |
|
[merge]... last failed due to "FAILURE: Generated bootstrap bindata out of date. Please run hack/update-generated-bindata.sh" which can not be related. |
danwinship
changed the title
|
flake #14334 [merge] |
|
Evaluated for origin merge up to 98aa854 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/776/) (Base Commit: 491c8bd) (Image: devenv-rhel7_6269) |
This came out of a discussion with the Online ops people; it is currently difficult for admins to add their own iptables rules for filtering/rate-limiting/etc, because we prepend our own rule
-j ACCEPT-ing all outgoing SDN traffic, so they have to do something like, wait for OpenShift to prepend its rule, and then prepend their own rule before it, and of course this is totally fragile against future OpenShift changes. This patch makes OpenShift create an empty chain solely for use by admins who want to add rules that apply before OpenShift's rules (since this seemed like something other users might want too).Trello card: https://trello.com/c/dnZHuI5R
This conflicts with #13465 and will have to be rewritten if that merges first, but we'll still want to commit this version of the patch to 3.5 anyway.
@openshift/networking PTAL