Bug 1904131
| Summary: | kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Michał Dulko <mdulko> |
| Component: | Networking | Assignee: | Michał Dulko <mdulko> |
| Networking sub component: | kuryr | QA Contact: | GenadiC <gcheresh> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | medium | CC: | gcheresh, itbrown, ltomasbo, rlobillo |
| Version: | 4.6 | Keywords: | UpcomingSprint |
| Target Milestone: | --- | ||
| Target Release: | 4.7.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: kuryr-controller was comparing the security groups related to network policies incorrectly.
Consequence: All the security rules related to a network policy were recreated on every minor update of that network policy.
Fix: The rules are now compared correctly.
Result: On network policy update already existing rules are preserved and only additions or deletions are performed if needed.
|
Story Points: | --- |
| Clone Of: | 1904129 | Environment: | |
| Last Closed: | 2021-02-24 15:37:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1904129 | ||
|
Comment 1
Michał Dulko
2020-12-03 16:12:07 UTC
Verified on OCP4.7.0-0.nightly-2020-12-04-013308 on OSP13 with Amphora provider (2020-11-13.1)
# Setting up the scenario:
$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: np
spec:
podSelector:
matchLabels:
run: demo
ingress:
- from:
- podSelector:
matchLabels:
run: demo-allowed-caller
$ oc apply -f np_resource.yaml
networkpolicy.networking.k8s.io/np created
# Checking the setup before running the test:
$ oc get all
NAME READY STATUS RESTARTS AGE
pod/demo 1/1 Running 0 6m23s
pod/demo-allowed-caller 1/1 Running 0 6m22s
pod/demo-caller 1/1 Running 0 6m22s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/demo ClusterIP 172.30.4.107 <none> 80/TCP 6m13s
$ oc rsh pod/demo-allowed-caller curl 172.30.4.107
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.4.107
^Ccommand terminated with exit code 130
$ oc get networkpolicy
NAME POD-SELECTOR AGE
np run=demo 113s
$ oc get knp
NAME SG-ID AGE
np 9fda470d-48ce-4d81-af3a-8c70ad219e88 6m55s
$ openstack security group rule list | grep -e ID -e 9fda470d-48ce-4d81-af3a-8c70ad219e88
| ID | IP Protocol | IP Range | Port Range | Remote Security Group | Security Group |
| 0abaf9c2-9f9e-48cc-a1cc-cc43e3a9d48e | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 2acd3c37-f162-4e85-8ef3-45c6fbcf2014 | None | 10.196.0.0/16 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 6f7c483d-d685-47c6-9009-67ac473179b2 | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 9817c27d-4fa2-4b51-8602-b6615c0e2ca7 | None | 172.30.0.0/15 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| d44f899b-74ac-44ec-bf5f-d77d82c0b4fd | tcp | 10.128.121.209/32 | 1:65535 | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
# Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable):
$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated
$ openstack security group rule list | grep -e ID -e 9fda470d-48ce-4d81-af3a-8c70ad219e88
| ID | IP Protocol | IP Range | Port Range | Remote Security Group | Security Group |
| 0abaf9c2-9f9e-48cc-a1cc-cc43e3a9d48e | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 2acd3c37-f162-4e85-8ef3-45c6fbcf2014 | None | 10.196.0.0/16 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 6f7c483d-d685-47c6-9009-67ac473179b2 | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 9817c27d-4fa2-4b51-8602-b6615c0e2ca7 | None | 172.30.0.0/15 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| d44f899b-74ac-44ec-bf5f-d77d82c0b4fd | tcp | 10.128.121.209/32 | 1:65535 | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
Behaviour is the expected one. The test test_ipblock_network_policy_sg_rules passed successfully on: https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp13-ocp4.7/1//artifact/tempest-results/tempest-results-kuryr.1.html
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633 |