Introduce "Failed" phase in ANP status

[wenyingd]

Modify the ANP status phase as "Failed" when all Agents have reported the status and at least one failure is received.

Signed-off-by: wenyingd wenyingd@vmware.com

[codecov]

Codecov Report

Merging #4608 (faf986d) into main (bc74667) will increase coverage by 4.09%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #4608      +/-   ##
==========================================
+ Coverage   65.52%   69.61%   +4.09%     
==========================================
  Files         390      400      +10     
  Lines       58147    58236      +89     
==========================================
+ Hits        38098    40539    +2441     
+ Misses      17361    14913    -2448     
- Partials     2688     2784      +96     

Flag	Coverage Δ
e2e-tests	38.29% <0.00%> (-0.05%)	⬇️
integration-tests	34.63% <ø> (+0.03%)	⬆️
kind-e2e-tests	46.66% <0.00%> (-1.35%)	⬇️
unit-tests	59.62% <100.00%> (+1.95%)	⬆️

Impacted Files	Coverage Δ
pkg/controller/networkpolicy/status_controller.go	72.02% <100.00%> (+1.25%)	⬆️

... and 85 files with indirect coverage changes

[wenyingd]

/test-all

[luolanzone]

Why this calculation is needed? we may just check failedNodes only like below:

if len(failedNodes) > 0 {
  phase = crdv1alpha1.NetworkPolicyFailed
}

[tnqn]

Guess this is one of the reasons why K8s API doc recommends to use conditions over phase.

Rather than encouraging clients to infer implicit properties from phases, we prefer to explicitly expose the individual conditions that clients need to monitor.

When there are both failed Nodes and realizing Nodes, it's hard to say which phase name is more proper, "Failed" or "Realizing", user may infer different properties regardless of which one is used. But since there is already an individual condition "RealizationFailure" to indicate failed Node exist, I think the phase should describe the overall progress of realization instead of whether there is any failure, so if currentNodes+len(failedNodes) == desiredNodes makes more sense to me.

cc @jianjuns for opinions.

[jianjuns]

Question - in K8s Node case, do we have permanent realization failure - that is agent already gave up retrying realizing?

I agree "failed" and "realized" seems not match, but on the other hand people also wonder why we just have "realized" which seems a condition too (rather a phase), but no phase to express failure.

[tnqn]

For Pod case:

• If the Pod's restart policy is never
  • If any of containers is still running, the phase is Running
  • If none of containers is running, and there is any failure, the phase is Failed
  • If none of contaienrs is running, and there is no failure, the phase is Succeeded
• If the Pod's restart policy is always
  • The phase is running regardless whethere there is running Pod or failed Pod

Its principle seems: if the system keeps trying to reach desired state, the phase will always be "XXXing"; if the system is asked to not retry, the phase will be "XXXed".

[jianjuns]

In our case, does agent always keep realizing?

[wenyingd]

Antrea Agent always try to realize the ANP rules. Nephe may set "RealizationFailure: true" when the ANP rules are failed to realize on cloud.

[wenyingd]

Any other comments on this patch @tnqn @jianjuns @luolanzone ?

[wenyingd]

/test-all
/test-windows-all

[wenyingd]

/test-e2e

[wenyingd]

/test-e2e
/test-windows-all