Bug 1910221

| Field | Value |
|---|---|
| Summary | kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails |
| Product | OpenShift Container Platform |
| Reporter | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component | Networking |
| Networking sub component | kuryr |
| Assignee | Michał Dulko <mdulko> |
| QA Contact | GenadiC <gcheresh> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| CC | ltomasbo, rlobillo |
| Version | 4.5 |
| Target Release | 4.4.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Last Closed | 2021-02-03 10:11:43 UTC |
| Bug Depends On | 1901495 |

Doc Text:

Cause: kuryr-controller was comparing the security group rules related to network policies incorrectly.
Consequence: All the security group rules related to a network policy were recreated on every minor update of that network policy.
Fix: The rules are now compared correctly.
Result: On a network policy update, already existing rules are preserved and only additions or deletions are performed if needed.

Attachments:

- attachment 1746299: NP test results
- attachment 1746300: tempest results with the fix
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.4.33 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0281
Verified on OCP4.4.0-0.nightly-2021-01-10-060925 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).

```
# Setting up the scenario:
$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo-1-plqwq --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:
$ oc get all
NAME                               READY   STATUS      RESTARTS   AGE
pod/demo-1-deploy                  0/1     Completed   0          7m9s
pod/demo-1-plqwq                   1/1     Running     0          6m46s
pod/demo-allowed-caller-1-deploy   0/1     Completed   0          6m57s
pod/demo-allowed-caller-1-l4mxd    1/1     Running     0          6m29s
pod/demo-caller-1-deploy           0/1     Completed   0          6m50s
pod/demo-caller-1-pn2t2            1/1     Running     0          6m44s

NAME                                          DESIRED   CURRENT   READY   AGE
replicationcontroller/demo-1                  1         1         1       7m10s
replicationcontroller/demo-allowed-caller-1   1         1         1       6m57s
replicationcontroller/demo-caller-1           1         1         1       6m50s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo-1-plqwq   ClusterIP   172.30.201.54   <none>        80/TCP    5m39s

NAME                                                     REVISION   DESIRED   CURRENT   TRIGGERED BY
deploymentconfig.apps.openshift.io/demo                  1          1         1         config
deploymentconfig.apps.openshift.io/demo-allowed-caller   1          1         1         config
deploymentconfig.apps.openshift.io/demo-caller           1          1         1         config

$ oc rsh pod/demo-allowed-caller-1-l4mxd curl 172.30.201.54
demo-1-plqwq: HELLO! I AM ALIVE!!!

$ oc rsh pod/demo-caller-1-pn2t2 curl 172.30.201.54
^Ccommand terminated with exit code 130

$ oc get knp
NAME    SG-ID                                  AGE
np-np   50b0755e-5e8f-43e0-a4ee-8ff619c39d6c   109s

(shiftstack) [stack@undercloud-0 ~]$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range | Remote Security Group | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535    | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |

# Test - Adding an annotation is not provoking the recreation of the security group rule (the ID remains unchanged):
$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated
$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range | Remote Security Group | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535    | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
```

Furthermore, all tempest and NP tests passed. Logs attached.
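The behaviour the Doc Text fix and the verification above describe, as an added example that is not kuryr's own code: existing security group rules are matched to the desired set by their network fields rather than by Neutron rule ID, so an annotation-only update keeps every rule ID and a real spec change adds or deletes only the difference. The rule dictionaries and the second pod IP 10.128.114.48 are constructed sample data modelled on the listing in the verification comment.

```python
"""Reconcile security group rules for a NetworkPolicy by comparing rule content.
Added example (not kuryr's own code): rules match on their network fields, never on
the Neutron 'id', so an annotation-only update keeps existing rule IDs intact."""

# Fields that define what a rule permits; 'id' and timestamps are deliberately ignored.
RULE_KEYS = ("direction", "ethertype", "protocol", "port_range_min",
             "port_range_max", "remote_ip_prefix", "remote_group_id")

# Constructed sample modelled on the three rules in the verification listing.
EXISTING_RULES = [
    {"id": "rule-a", "direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "rule-b", "direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "10.196.0.0/16", "remote_group_id": None},
    {"id": "rule-c", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 1, "port_range_max": 65535,
     "remote_ip_prefix": "10.128.114.47/32", "remote_group_id": None},
]

def rule_key(rule):
    """Hashable identity of a rule built from its network fields only."""
    return tuple(rule.get(k) for k in RULE_KEYS)

def reconcile_rules(existing, desired):
    """Return (to_delete, to_create, kept) so only the difference is applied to Neutron."""
    existing_by_key = {rule_key(r): r for r in existing}
    desired_keys = {rule_key(r) for r in desired}
    to_delete = [r for k, r in existing_by_key.items() if k not in desired_keys]
    kept = [r for k, r in existing_by_key.items() if k in desired_keys]
    to_create = [r for r in desired if rule_key(r) not in existing_by_key]
    return to_delete, to_create, kept

def desired_from_policy(allowed_pod_ips):
    """Desired rules: the two baseline rules plus one tcp rule per allowed pod IP."""
    baseline = [{k: v for k, v in r.items() if k != "id"} for r in EXISTING_RULES[:2]]
    return baseline + [
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 1, "port_range_max": 65535,
         "remote_ip_prefix": f"{ip}/32", "remote_group_id": None}
        for ip in allowed_pod_ips]

def apply_update(allowed_pod_ips):
    """Simulate a policy update; returns (deleted count, created count, kept rule IDs)."""
    dele, crea, kept = reconcile_rules(EXISTING_RULES, desired_from_policy(allowed_pod_ips))
    return len(dele), len(crea), sorted(r["id"] for r in kept)
```

Calling `apply_update(["10.128.114.47"])` models the annotation-only update from the verification: nothing is deleted or created and all three rule IDs survive, whereas the buggy comparison would have reported every rule as changed.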