NETOBSERV-15: list pods affected by a network policy #9953
Conversation
openshift-ci
bot
added
component/core
|
/retest |
|
/cc |
openshift-ci
bot
added
the
needs-rebase
For a better/faster identification of pods impacted by a policy, show pods targeted by the combined namespace and pod selectors in peer definition and/or rule definition and/or whole ingress/egress section. JIRA issue: https://issues.redhat.com/browse/NETOBSERV-15
openshift-ci
bot
removed
the
needs-rebase
|
There's an error breaking the UI when an invalid label is entered and the pods are watched. For example, in pod selector enter label key: "app" and value "test-" Value ending with a dash is not accepted. We should show an empty list on error, with perhaps (even better) an error icon somewhere ? |
frontend/package.json
Outdated
| "@patternfly/react-catalog-view-extension": "4.12.38", | ||
| "@patternfly/react-charts": "6.15.14", | ||
| "@patternfly/react-core": "4.147.2", | ||
| "@patternfly/react-core": "4.152.4", |
There was a problem hiding this comment.
required update, as the TreeView component did not provide the hasGuides property in the previous version (even if it's part of the Patternfly specification)
openshift-ci
bot
added
the
needs-rebase
openshift-ci
bot
removed
the
needs-rebase
|
/retest |
openshift-ci
bot
added
the
needs-rebase
openshift-ci
bot
removed
the
needs-rebase
| <Button ref={podsPreviewPopoverRef} variant="link" isInline> | ||
| {t('public~affected pods')} | ||
| </Button>{' '} | ||
| {t('that this policy will apply to')} |
There was a problem hiding this comment.
Text namespace is missing here, no? t('console app~blah blah')
There was a problem hiding this comment.
Also, to mix an element within translated text, afaik we should use the Trans component. Should be something like that:
<Trans ns="public">
Show a preview of the{' '}
<Button ref={podsPreviewPopoverRef} variant="link" isInline>
affected pods
</Button>{' '}
that this policy will apply to
</Trans>
Though not sure if affected pods can be left as is or has to be explicitly translated as {t('public~affected pods')}
| margin-right: 0; | ||
| } | ||
|
|
||
| .pf-c-tree-view__list-item { |
There was a problem hiding this comment.
The TreeView component should get a className, for instance <TreeView className="co-create-networkpolicy__selector-preview" ... so that this style is scoped and doesn't risk to have side effects in other parts; (hence this rule would be rewritten .co-create-networkpolicy__selector-preview .pf-c-tree-view__list-item)
There was a problem hiding this comment.
(or alternatively, use a surrounding class related to networkpolicy to ensure a narrow scope is used)
There was a problem hiding this comment.
In this case, I decided to use only a class selector, as I consider that showing the bullets at the left margin is a bug that should not be visible on any Tree View. E.g. without this entry:
There was a problem hiding this comment.
Anyway this issue has been already fixed in PatternFly so I'll remove this code.
|
|
||
| .pf-c-tree-view__list-item { | ||
| list-style: none; | ||
| } |
There was a problem hiding this comment.
I did some tests to fix the pointer issue (so that the cursor doesn't suggest clicking on a pod trigger any effect), this CSS would do the trick:
.co-create-networkpolicy__selector-preview button.pf-c-tree-view__node[role="treeitem"],
.co-create-networkpolicy__selector-preview button.pf-c-tree-view__node[role="treeitem"] > .pf-c-tree-view__node-container {
cursor: default;
}
Alternatively, patternfly provides a variant named "compactNoBackground" in TreeView that also removes the pointer cursor, but weirdly this variant is less compact than the normal one and IMO doesn't look good in our use case, so I'd stick with a CSS override.
| /> | ||
| </div> | ||
| <p> | ||
| {t('public~Show a preview of the')}{' '} |
There was a problem hiding this comment.
Same as above, perhaps a Trans component makes sense here
| {preview.total && preview.total > maxPreviewPods && ( | ||
| <> | ||
| {_.size(safeNsSelector.matchLabels) === 0 ? ( | ||
| <a href={`${resourceListPathFromModel(PodModel, namespace)}${podsFilterQuery}`}> |
There was a problem hiding this comment.
About this "View all N results" link: I wonder if this link should always open in a new window, wdyt? (@mariomac and @andrew-ronaldson ) I don't imagine anyone while creating a new network policy would like to quit that page to view these search results...
Or alternatively, when asked to view more results, we show all the results within that popup (which then would be scrollable).
There was a problem hiding this comment.
Do you mean the size of the modal stays the same but it is scrollable to show the list? I have a few other questions if that's alright:
- What is the benefit the user gets from having this feature in the form?
- Is there value in seeing the total count of pods or just list them out?
- Could we in future show the status of the pods? (Example: Failed to connect)
There was a problem hiding this comment.
Another compromise option could be that, instead of opening the table in a new window, to visualize an embedded table below, like in the original commit. Maybe limited in height and scrollable.
There was a problem hiding this comment.
To clarify: first option is to show the popup tree, as now. If the customer clicks into the "View all" link, instead opening a new window, it closes the popup and attaches the preview table below the label selector.
This would also fix an "issue" I noticed with the popup: if I want to update the label selector, the popup is closed while I change the labels, and then I have to open again the popup. I felt more confortable getting an updated view of the affected pods as long as I typed.
There was a problem hiding this comment.
Do you mean the size of the modal stays the same but it is scrollable to show the list? I have a few other questions if that's alright:
1. What is the benefit the user gets from having this feature in the form?
IMO, to avoid having to go back and forth between separate views when setting up the labels, as the user tries to make sure the selector targets strictly the desired pods, no more, no less.
If we think showing all pods is to risky (could slow down the page too much), we can keep a limit, but should be much more than 5 IMO
The solution proposed by @mariomac would also work.
2. Is there value in seeing the total count of pods or just list them out?
I would say yes, especially if not everything is displayed. But it still has less value that showing them out as the user would still have to list them to make sure everything is correct.
3. Could we in future show the status of the pods? (Example: Failed to connect)
Not in the near future, but yes maybe; there's a RFE for checking pods connectivity (RFE-1874)
There was a problem hiding this comment.
To clarify: first option is to show the popup tree, as now. If the customer clicks into the "View all" link, instead opening a new window, it closes the popup and attaches the preview table below the label selector.
This would also fix an "issue" I noticed with the popup: if I want to update the label selector, the popup is closed while I change the labels, and then I have to open again the popup. I felt more confortable getting an updated view of the affected pods as long as I typed.
+1 I also like when it's updated as you type
There was a problem hiding this comment.
As agreed offline, I have submitted a new PR with the following changes:
- "View all xx results" link now opens in a new tab
- Increased pod limit to 10
|
Added the following
|
| Show a preview of the{' '} | ||
| <Button ref={podsPreviewPopoverRef} variant="link" isInline> | ||
| <Button | ||
| data-test={`show-affected-pods-${props.direction}}`} |
There was a problem hiding this comment.
there seems to be extra closing brace bracket here }
There was a problem hiding this comment.
Good catch! thank you
| "ingress rule": "ingress rule", | ||
| "egress rule": "egress rule", | ||
| "If no namespace selector is provided, pods from all namespaces will be eligible.": "If no namespace selector is provided, pods from all namespaces will be eligible.", | ||
| "netpolicy_peers_preview_affected_pods": "Show a preview of the <2>affected pods</2> that this <5></5> will apply to", |
There was a problem hiding this comment.
is that expected? First time I'm seeing this in the locale file
There was a problem hiding this comment.
I mean, the key != the value ; running yarn i18n won't break that?
There was a problem hiding this comment.
yes, it won't break. The key is automatically fetched from the i18nKey property of the Trans element. Before this, I was having errors because the Trans element had too much conditional logic inside and the key became malformed. Maybe now we can remove it as I simplified the Trans element.
Maybe we haven't seen this more often because there are no more Trans instances in the console.
|
/label qe-approved |
openshift-ci
bot
added
the
qe-approved
|
/lgtm |
|
/assign @invincibleJai |
|
/unassign |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak, mariomac, spadgett The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/label px-approved |
openshift-ci
bot
added
the
px-approved
|
/retest ci/prow/e2e-gcp |
|
@mariomac: The
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-gcp |
For a better/faster identification of pods impacted by a policy, show pods
targeted by the combined namespace and pod selectors in peer definition and/or
rule definition and/or whole ingress/egress section.
JIRA issue: https://issues.redhat.com/browse/NETOBSERV-15
Demo (updated after @andrew-ronaldson redesign request):
demo.mp4