Bug 1643301

Summary: Provisioning two APB services temporarily broke networking in the namespace
Product: OpenShift Container Platform
Reporter: Jesus M. Rodriguez <jesusr>
Component: Service Broker
Assignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED ERRATA
QA Contact: Zihan Tang <zitang>
Severity: high
Docs Contact:
Priority: high
Version: 3.11.0
CC: aos-bugs, bbilgin, chezhang, chuo, dcaldwel, jdesousa, jiazha, jmatthew, zitang
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Automation Broker always created a NetworkPolicy in the target namespace to give the transient namespace (the one the APB runs in) access to the target namespace.
Consequence: In Kubernetes, pods selected by a NetworkPolicy become isolated for ingress: only traffic that some policy explicitly allows reaches them. In a namespace with no other NetworkPolicy everything had been open and namespaces could talk to each other, so the broker's policy locked the target namespace's pods down to traffic from the transient namespace and cut off every other caller for as long as the policy existed.
Fix: The Automation Broker first checks whether the target namespace already has any NetworkPolicy. If it has none, the broker creates no policy and assumes the namespace is open enough for the transient namespace it creates to reach the target namespace. If other policies are in place, the broker still creates a NetworkPolicy giving the transient namespace access to the target namespace.
Result: The broker performs the APB actions without affecting services already running in the target namespace.
Story Points: ---
Clone Of: 1613280
Environment:
Last Closed: 2018-11-20 03:11:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1613280, 1643303
Bug Blocks: 1643300
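The NetworkPolicy isolation semantics and the "check before creating" logic described in the Doc Text, as an added Python example; this is not code from the Automation Broker (openshift/ansible-service-broker). The namespace names, the name=<namespace> label convention, the pod labels and the shape of the broker's policy are all constructed for the example; the real broker's manifest may differ.

```python
"""Added example, not code from the Automation Broker.

Models the Kubernetes NetworkPolicy behaviour behind this bug: once any policy in
a namespace selects a pod, that pod is isolated for ingress and only traffic some
policy explicitly allows reaches it. The old broker always created such a policy
in the target namespace; the fixed broker creates it only when the target
namespace already has policies. Names and labels below are constructed.
"""


def _selector_matches(selector, labels):
    """Subset of Kubernetes label-selector semantics: {} matches everything,
    every matchLabels pair must be present; None means 'no selector given'."""
    if selector is None:
        return False
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def make_broker_policy(target_ns, transient_ns):
    """Policy of the kind the Doc Text describes: every pod in target_ns accepts
    ingress from pods in transient_ns. Assumes namespaces carry a name=<ns> label
    (constructed convention) so a namespaceSelector can pick the transient one."""
    return {
        "metadata": {"name": "apb-access-%s" % transient_ns, "namespace": target_ns},
        "spec": {
            "podSelector": {},  # empty selector: all pods in target_ns become isolated
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": transient_ns}}}]}],
        },
    }


def plan_broker_policy(existing_policies, target_ns, transient_ns):
    """Fixed behaviour: return the policy to create, or None when target_ns has
    no NetworkPolicy at all (its pods are not isolated, so nothing to open)."""
    if not any(p["metadata"]["namespace"] == target_ns for p in existing_policies):
        return None
    return make_broker_policy(target_ns, transient_ns)


def ingress_allowed(policies, ns_labels, src_ns, src_pod_labels, dst_ns, dst_pod_labels):
    """Simplified ingress decision for one connection (matchLabels only, no ports).
    policies: list of NetworkPolicy dicts; ns_labels: namespace name -> labels."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_ns
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and _selector_matches(p["spec"].get("podSelector", {}), dst_pod_labels)
    ]
    if not selecting:
        return True  # destination pod not selected by any policy: not isolated
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
                if ns_sel is None:
                    ns_ok = src_ns == dst_ns  # no namespaceSelector: policy's own namespace only
                else:
                    ns_ok = _selector_matches(ns_sel, ns_labels.get(src_ns, {}))
                pod_ok = pod_sel is None or _selector_matches(pod_sel, src_pod_labels)
                if ns_ok and pod_ok:
                    return True
    return False


def demo(target_has_policy):
    """Compare old and fixed broker behaviour for a target namespace that either
    has no NetworkPolicy (the case in Comment 2) or already restricts ingress."""
    target, transient, other = "test1", "apb-transient", "other"
    ns_labels = {n: {"name": n} for n in (target, transient, other)}
    existing = []
    if target_has_policy:  # constructed: target already admits only its own pods
        existing.append({
            "metadata": {"name": "allow-same-namespace", "namespace": target},
            "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
        })
    old = existing + [make_broker_policy(target, transient)]  # always created
    planned = plan_broker_policy(existing, target, transient)  # fixed behaviour
    fixed = existing + ([planned] if planned else [])
    mediawiki = {"app": "mediawiki"}  # constructed labels of the already-running pod

    def reach(pols, src_ns):
        return ingress_allowed(pols, ns_labels, src_ns, {}, target, mediawiki)

    return {
        "other_before": reach(existing, other),
        "other_old_broker": reach(old, other),
        "other_fixed_broker": reach(fixed, other),
        "transient_fixed_broker": reach(fixed, transient),
        "policy_created": planned is not None,
    }


if __name__ == "__main__":
    print("no existing policy:", demo(False))
    print("existing policy:  ", demo(True))
```

With no pre-existing policy the old broker's policy makes the mediawiki pod unreachable from any other namespace until the policy is deleted, which is the outage in the summary; the fixed broker creates nothing and reachability is unchanged. When the namespace is already isolated, the broker's policy is still needed, and it only adds the transient namespace without widening access for anyone else.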

Comment 2 Zihan Tang 2018-11-02 08:11:13 UTC
Verified:
ASB: v3.11.36, version: 1.3.20

steps:
1. provision mediawiki in the test namespace, check the networkpolicy
# oc get networkpolicy
No resources found.

# curl mediawiki-4f181005-de73-11e8-8a7a-0a580a800008.test1.svc:8080 -vvv
2. provision mediawiki-apb / postgresql-apb in the test namespace; during the provision, check the networkpolicy
# oc get networkpolicy
.
# curl mediawiki-4f181005-de73-11e8-8a7a-0a580a800008.test1.svc:8080 -vvv
.....

result: during the new provision, no new networkpolicy was created, and the old pod's network service still responded to the `curl` command.

Comment 4 errata-xmlrpc 2018-11-20 03:11:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3537