Bug 1756981

Summary: Wrongly try to enforce Network Policies on SVCs without selectors and ports
Product: OpenShift Container Platform Reporter: Maysa Macedo <mdemaced>
Component: NetworkingAssignee: Maysa Macedo <mdemaced>
Networking sub component: kuryr QA Contact: Jon Uriarte <juriarte>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: asegurap, bbennett, juriarte, ltomasbo
Version: 4.2.0   
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1757560 (view as bug list) Environment:
Last Closed: 2020-05-13 21:26:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1757560    

Description Maysa Macedo 2019-09-30 11:17:32 UTC 
Description of problem:

When a Network Policy is enforced, an update of the SG of a LBaaS affected by the Network Policy is triggered. However, when checking if the k8s service should be affected by the Network Policy, services without selector are also taken into account and they shouldn't as Kuryr does not wires them.
Also it's assumed that the ports field will be always defined in the service specification and this might not always happen.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Run the Kubernetes Upstream Network Policy e2e test: "should enforce updated policy"
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Jon Uriarte 2019-10-03 16:17:35 UTC 
Verified on an OCP 4.2 cluster (4.2.0-0.nightly-2019-10-02-001405) with Kuryr-controller image from OCP 4.3 (4.3.0-0.ci-2019-10-02-101344),
which includes the fix.
Verified that the fix does not add new regressions as well.

$ oc get pods -n openshift-kuryr kuryr-controller-5744b8d79d-wpdjl -o yaml | grep image
   image: registry.svc.ci.openshift.org/ocp/4.3-2019-10-02-101344@sha256:313a91b60fb5f49ece7e351ffee86e6f799b4399025d07cff9df8fec5adb5d06

It was not possible to verify on OCP 4.3 cluster as there are no nightly builds available at the moment.
Comment 6 Jon Uriarte 2019-10-18 08:05:00 UTC 
Verified on OCP 4.3.0-0.nightly-2019-10-17-061631 build on top of OSP 13 2019-10-01.1 puddle.

release image: registry.svc.ci.openshift.org/ocp/release@sha256:2cafe25ec1ed2dfdec361cde13b4461d2a30194d0b41fbd1c6d3fad5ab34ca05

K8s NP (test/e2e/network/network_policy.go) tests passed.
Comment 8 errata-xmlrpc 2020-05-13 21:26:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062