Bug 2040338
| Summary: | Can not delete egressnetworkpolicy in Foreground propagation | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Chen <cchen> | |
| Component: | Networking | Assignee: | ffernand <ffernand> | |
| Networking sub component: | openshift-sdn | QA Contact: | huirwang | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | medium | |||
| Priority: | medium | CC: | bpickard | |
| Version: | 4.9 | Keywords: | Triaged | |
| Target Milestone: | --- | |||
| Target Release: | 4.9.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2042169 (view as bug list) | Environment: | ||
| Last Closed: | 2022-02-10 06:33:21 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2042169 | |||
| Bug Blocks: | ||||
yes, I can reproduce this issue on 4.10 version also. below is with loglevel=8
$ oc delete --cascade=foreground egressnetworkpolicy deny-by-default --loglevel=8
I0114 10:14:25.132918 9584 loader.go:372] Config loaded from file: /home/zzhao/kubeconfig
I0114 10:14:25.143425 9584 request.go:1181] Request Body: {"propagationPolicy":"Foreground"}
I0114 10:14:25.143508 9584 round_trippers.go:432] DELETE https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies/deny-by-default
I0114 10:14:25.143522 9584 round_trippers.go:438] Request Headers:
I0114 10:14:25.143531 9584 round_trippers.go:442] Content-Type: application/json
I0114 10:14:25.143539 9584 round_trippers.go:442] User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:25.143550 9584 round_trippers.go:442] Accept: application/json
I0114 10:14:25.921836 9584 round_trippers.go:457] Response Status: 200 OK in 778 milliseconds
I0114 10:14:25.921871 9584 round_trippers.go:460] Response Headers:
I0114 10:14:25.921892 9584 round_trippers.go:463] Audit-Id: 43b10172-e748-4910-b435-a0d4380e1dff
I0114 10:14:25.921901 9584 round_trippers.go:463] Cache-Control: no-cache, private
I0114 10:14:25.921910 9584 round_trippers.go:463] Content-Type: application/json
I0114 10:14:25.921920 9584 round_trippers.go:463] X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:25.921929 9584 round_trippers.go:463] X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4
I0114 10:14:25.921939 9584 round_trippers.go:463] Content-Length: 648
I0114 10:14:25.921946 9584 round_trippers.go:463] Date: Fri, 14 Jan 2022 02:14:25 GMT
I0114 10:14:25.921983 9584 request.go:1181] Response Body: {"apiVersion":"network.openshift.io/v1","kind":"EgressNetworkPolicy","metadata":{"creationTimestamp":"2022-01-14T02:14:03Z","deletionGracePeriodSeconds":0,"deletionTimestamp":"2022-01-14T02:14:25Z","finalizers":["foregroundDeletion"],"generation":2,"managedFields":[{"apiVersion":"network.openshift.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{".":{},"f:egress":{}}},"manager":"kubectl-create","operation":"Update","time":"2022-01-14T02:14:03Z"}],"name":"deny-by-default","namespace":"test-ping","resourceVersion":"355923","uid":"141c5c67-9fd9-45ed-adce-49a10d89c40a"},"spec":{"egress":[{"to":{"cidrSelector":"0.0.0.0/0"},"type":"Deny"}]}}
egressnetworkpolicy.network.openshift.io "deny-by-default" deleted
I0114 10:14:25.922258 9584 round_trippers.go:432] GET https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies?fieldSelector=metadata.name%3Ddeny-by-default
I0114 10:14:25.922272 9584 round_trippers.go:438] Request Headers:
I0114 10:14:25.922293 9584 round_trippers.go:442] Accept: application/json
I0114 10:14:25.922302 9584 round_trippers.go:442] User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:26.173413 9584 round_trippers.go:457] Response Status: 200 OK in 251 milliseconds
I0114 10:14:26.173435 9584 round_trippers.go:460] Response Headers:
I0114 10:14:26.173443 9584 round_trippers.go:463] Audit-Id: 3fcde551-b2b8-411a-ae2c-6362d1886079
I0114 10:14:26.173450 9584 round_trippers.go:463] Cache-Control: no-cache, private
I0114 10:14:26.173455 9584 round_trippers.go:463] Content-Type: application/json
I0114 10:14:26.173461 9584 round_trippers.go:463] X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:26.173485 9584 round_trippers.go:463] X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4
I0114 10:14:26.173508 9584 round_trippers.go:463] Content-Length: 786
I0114 10:14:26.173518 9584 round_trippers.go:463] Date: Fri, 14 Jan 2022 02:14:26 GMT
I0114 10:14:26.173571 9584 request.go:1181] Response Body: {"apiVersion":"network.openshift.io/v1","items":[{"apiVersion":"network.openshift.io/v1","kind":"EgressNetworkPolicy","metadata":{"creationTimestamp":"2022-01-14T02:14:03Z","deletionGracePeriodSeconds":0,"deletionTimestamp":"2022-01-14T02:14:25Z","finalizers":["foregroundDeletion"],"generation":2,"managedFields":[{"apiVersion":"network.openshift.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{".":{},"f:egress":{}}},"manager":"kubectl-create","operation":"Update","time":"2022-01-14T02:14:03Z"}],"name":"deny-by-default","namespace":"test-ping","resourceVersion":"355923","uid":"141c5c67-9fd9-45ed-adce-49a10d89c40a"},"spec":{"egress":[{"to":{"cidrSelector":"0.0.0.0/0"},"type":"Deny"}]}}],"kind":"EgressNetworkPolicyList","metadata":{"continue":"","resourceVersion":"355926"}}
I0114 10:14:26.173955 9584 round_trippers.go:432] GET https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies?fieldSelector=metadata.name%3Ddeny-by-default&resourceVersion=355926&watch=true
I0114 10:14:26.173981 9584 round_trippers.go:438] Request Headers:
I0114 10:14:26.173995 9584 round_trippers.go:442] Accept: application/json
I0114 10:14:26.174007 9584 round_trippers.go:442] User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:26.436456 9584 round_trippers.go:457] Response Status: 200 OK in 262 milliseconds
I0114 10:14:26.436478 9584 round_trippers.go:460] Response Headers:
I0114 10:14:26.436499 9584 round_trippers.go:463] Date: Fri, 14 Jan 2022 02:14:26 GMT
I0114 10:14:26.436513 9584 round_trippers.go:463] Audit-Id: d438d0ad-e43c-4c38-b85a-bacc0629d496
I0114 10:14:26.436527 9584 round_trippers.go:463] Cache-Control: no-cache, private
I0114 10:14:26.436540 9584 round_trippers.go:463] Content-Type: application/json
I0114 10:14:26.436554 9584 round_trippers.go:463] X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:26.436569 9584 round_trippers.go:463] X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.9.19 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0340 |
Description of problem: Can not delete egressnetworkpolicy in Foreground propagation Version-Release number of selected component (if applicable): OpenShift 4.8.18 How reproducible: 100% Steps to Reproduce: 1. $ oc new-project test-ping 2. $ cat networkpolicy.yaml apiVersion: network.openshift.io/v1 kind: EgressNetworkPolicy metadata: name: deny-by-default namespace: test-ping spec: egress: - to: cidrSelector: 0.0.0.0/0 type: Deny 3. $ oc apply -f networkpolicy.yaml 4. $ oc delete --cascade=foreground egressnetworkpolicy deny-by-default Actual results: The deny-by-default EgressNetworkPolicy will exist forever Expected results: The dependents of the EgressNetworkPolicy CR should be deleted and EgressNetworkPolicy should disappear. Additional info: In GitOps by default it uses Foreground propagation policy so this is causing problems in OpenShift GitOps.