Bug 1818061

Summary: Wrong attempt to delete sg rules owned by Octavia tenant
Product: OpenShift Container Platform Reporter: Jon Uriarte <juriarte>
Component: Networking Assignee: Maysa Macedo <mdemaced>
Networking sub component: kuryr QA Contact: Jon Uriarte <juriarte>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: high CC: ltomasbo, mdemaced
Version: 4.5   
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1818066 1818067 Environment:
Last Closed: 2020-08-04 18:07:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1818066, 1824052    

Description Jon Uriarte 2020-03-27 15:02:56 UTC
Description of problem:

When updating the LB security group with only the rules applied
on a Network Policy, we are also considering the sg rules owned by
Octavia. This results in a failure when trying to delete the rules,
as this operation is not allowed.

startCount': 0, 'image': 'docker.io/library/busybox:1.29-glibc', 'imageID': '', 'started': False}], 'qosClass': 'BestEffort'}}}: openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/security-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:delete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging Traceback (most recent call last):
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/logging.py", line 37, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/retry.py", line 79, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/k8s_base.py", line 72, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self.on_present(obj)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 155, in on_present
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging services, crd_pod_selectors, project_id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 253, in _update_services
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._drv_lbaas.update_lbaas_sg(service, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 1092, in update_lbaas_sg
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging sg_rule_name, listener_id, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 339, in _apply_members_security_groups
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging os_net.delete_security_group_rule(rule.id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/network/v2/_proxy.py", line 3126, in delete_security_group_rule
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging security_group_rule, ignore_missing=ignore_missing)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 46, in check
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging return method(self, expected, actual, *args, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 362, in _delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging rv = res.delete(self)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1522, in delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._translate_response(response, has_body=False, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1107, in _translate_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging exceptions.raise_from_response(response, error_message=error_message)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/exceptions.py", line 229, in raise_from_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging http_status=http_status, request_id=request_id
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/security-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:delete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging
2020-03-25 16:26:46.662 1 WARNING kuryr_kubernetes.k8s_client [-] 60s without data received from watching /api/v1/namespaces. Retrying the connection with resourceVersion=219366.: ssl.SSLError: ('timed out',)
2020-03-25 16:26:54.246 1 INFO werkzeug [-] 10.196.0.14 - - [25/Mar/2020 16:26:54] "GET /alive HTTP/1.1" 500 -


Steps to Reproduce:
1. Deploy OSP
2. Deploy OCP
3. Run K8s NP tests

Actual results: NP tests fail

Expected results: NP tests pass
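
The failure described above, worked as an ownership-aware reconciliation step. This is an added example, not Kuryr's code and not the fix shipped in the errata. It assumes each rule carries the Neutron `project_id` field; the project IDs, rule IDs, CIDRs and the `plan_rule_update` helper are hypothetical.

```python
# Added example: plan a security group rule update without touching rules
# owned by another project. All IDs and CIDRs below are constructed.
KURYR_PROJECT = "kuryr-project-id"      # placeholder project ID
OCTAVIA_PROJECT = "octavia-project-id"  # placeholder project ID

CURRENT_RULES = [  # rules currently on the LB security group (constructed)
    {"id": "r1", "project_id": KURYR_PROJECT, "protocol": "tcp",
     "port_range_min": 80, "port_range_max": 80,
     "remote_ip_prefix": "10.128.0.0/14"},
    {"id": "r2", "project_id": KURYR_PROJECT, "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "10.128.0.0/14"},
    {"id": "r3", "project_id": OCTAVIA_PROJECT, "protocol": "tcp",
     "port_range_min": 9443, "port_range_max": 9443,
     "remote_ip_prefix": None},
]
DESIRED_RULES = [  # what the Network Policy allows (constructed)
    {"protocol": "tcp", "port_range_min": 80, "port_range_max": 80,
     "remote_ip_prefix": "10.128.0.0/14"},
]


def rule_key(rule):
    """Identity of a rule for comparison, ignoring its ID and owner."""
    return (rule.get("protocol"), rule.get("port_range_min"),
            rule.get("port_range_max"), rule.get("remote_ip_prefix"))


def plan_rule_update(current_rules, desired_rules, own_project_id):
    """Return rule IDs to delete, rules to create, and foreign rules skipped."""
    desired_keys = {rule_key(r) for r in desired_rules}
    present, to_delete, skipped = set(), [], []
    for rule in current_rules:
        key = rule_key(rule)
        if key in desired_keys:
            present.add(key)            # already allowed, whoever owns it
        elif rule.get("project_id") != own_project_id:
            skipped.append(rule["id"])  # not ours: deletion is refused by policy
        else:
            to_delete.append(rule["id"])
    to_create = [r for r in desired_rules if rule_key(r) not in present]
    return {"delete": to_delete, "create": to_create, "skipped": skipped}


if __name__ == "__main__":
    print(plan_rule_update(CURRENT_RULES, DESIRED_RULES, KURYR_PROJECT))
```

Logging the `skipped` list on each update gives a record of rules in the group that the controller does not manage.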

Comment 3 Jon Uriarte 2020-04-08 17:01:57 UTC
Verified in 4.5.0-0.nightly-2020-04-08-045556 on OSP 13 2020-04-01.3 puddle.

Could not find the error described in this BZ after running K8s Network Policy tests.

All the tests passed except the "should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy-06]" one,
but another BZ will be raised for that if needed as it's being analysed at this moment.

Comment 5 errata-xmlrpc 2020-08-04 18:07:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409