Bug 2104578

Summary: Installer creates unnecessary master_ingress_cluster_policy_controller security group rule
Product: OpenShift Container Platform
Reporter: Martin André <m.andre>
Component: Installer
Assignee: Martin André <maandre>
Installer sub component: OpenShift on OpenStack
QA Contact: rlobillo
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: pprinett
Version: 4.11
Keywords: Triaged
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2023-01-17 19:51:47 UTC
Type: Bug
Bug Blocks: 2104825

Description Martin André 2022-07-06 16:10:43 UTC
The installer on the OpenStack platform creates a security group rule that it does not need.

The master_ingress_cluster_policy_controller security group rule was initially introduced with 2636aef [1] but later reverted with a7040d4 [2]. It was then re-introduced by mistake with 40febcf [3].

We should remove the unneeded rule.

[1] https://github.com/openshift/installer/commit/2636aef6cdf0f897f98446e29c969d61b6b009a7
[2] https://github.com/openshift/installer/commit/a7040d40041941cd4a649e7c5caf98c26cfbbb90
[3] https://github.com/openshift/installer/commit/40febcfdace6795ab661a17d59fe5882d1a12890

Comment 3 rlobillo 2022-07-29 14:00:44 UTC
Verified on ocp4.12.0-0.nightly-2022-07-27-133042 on top of RHOS-16.2-RHEL-8-20220610.n.1

(shiftstack) [stack@undercloud-0 ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-07-27-133042   True        False         43s     Cluster version is 4.12.0-0.nightly-2022-07-27-133042
(shiftstack) [stack@undercloud-0 ~]$ openstack security group show ostest-5w6hf-master -c rules -f json | jq '.rules[] | select(.port_range_min==10357)'
(shiftstack) [stack@undercloud-0 ~]$

Comment 6 errata-xmlrpc 2023-01-17 19:51:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399