NetworkPolicies being ignored in some OpenShift projects and "TooManyFlows" event showing up in the projects affected


Environment

  • Red Hat OpenShift Container Platform 4.x with OpenShift SDN network plugin.

Issue

  • A NetworkPolicy is not being applied and the following event shows up in the project affected:
TooManyFlows%!(EXTRA string=This NetworkPolicy generates an extremely large number of OVS flows (%d) and so it will be ignored to prevent network degradation., int=11254)

Resolution

Reduce the number of Open vSwitch rules as explained here: Optimizations for network policy with OpenShift SDN.

Root Cause

When OpenShift SDN detects that a NetworkPolicy would result in more than 10,000 Open vSwitch rules, it emits the event shown under "Issue" and deliberately ignores that NetworkPolicy. This is done to keep the processing load on the nodes from becoming too high.

Diagnostic Steps

If a NetworkPolicy is found or suspected not to be applied, search the events of the project for the "TooManyFlows" message shown under "Issue", for example with oc get events -n <project> or oc get events -n <project> | grep TooManyFlows. To check every project at once, run: oc get events -A | grep TooManyFlows.
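As an added example (not part of the Red Hat article), a small POSIX shell helper that performs the same check over the output of oc get events -A and pulls the flow count out of each "TooManyFlows" message. The event lines embedded below are constructed sample output, and the column layout assumes the default oc get events table (NAMESPACE, LAST SEEN, TYPE, REASON, OBJECT, MESSAGE).

```shell
#!/bin/sh
# Constructed sample of `oc get events -A` output (not real cluster data).
# In practice, pipe the live command into the functions instead:
#   oc get events -A | ignored_policies
SAMPLE_EVENTS='NAMESPACE   LAST SEEN   TYPE      REASON         OBJECT                        MESSAGE
app-a       2m          Warning   TooManyFlows   networkpolicy/allow-frontend  TooManyFlows%!(EXTRA string=This NetworkPolicy generates an extremely large number of OVS flows (%d) and so it will be ignored to prevent network degradation., int=11254)
app-b       5m          Normal    Scheduled      pod/web-1                     Successfully assigned app-b/web-1 to node1
app-c       7m          Warning   TooManyFlows   networkpolicy/deny-egress     TooManyFlows%!(EXTRA string=This NetworkPolicy generates an extremely large number of OVS flows (%d) and so it will be ignored to prevent network degradation., int=23001)'

# Read event lines on stdin and print "<namespace> <object> <flows>" for
# every NetworkPolicy that OpenShift SDN is ignoring. The REASON column is
# field 4; the flow count is the "int=NNNN" value at the end of the message.
ignored_policies() {
    awk '$4 == "TooManyFlows" {
        flows = $0
        sub(/.*int=/, "", flows)
        sub(/\).*/, "", flows)
        print $1, $5, flows
    }'
}

# Read event lines on stdin and print the largest flow count seen, so it can
# be compared against the 10,000-rule limit described in "Root Cause".
max_flows() {
    ignored_policies | awk 'BEGIN { m = 0 } $3 > m { m = $3 } END { print m }'
}

printf '%s\n' "$SAMPLE_EVENTS" | ignored_policies
printf 'largest flow count: %s\n' "$(printf '%s\n' "$SAMPLE_EVENTS" | max_flows)"
```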

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
