1516228 – Normal user can delete networkpolicy in cli but cannot in web console

Bug 1516228 - Normal user can delete networkpolicy in cli but cannot in web console

Summary: Normal user can delete networkpolicy in cli but cannot in web console

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.7.z
Assignee:	Jacob Tanenbaum
QA Contact:	Meng Bo
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-22 10:16 UTC by shahan
Modified:	2018-04-05 09:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-05 09:32:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0636	0	None	None	None	2018-04-05 09:32:45 UTC

Description shahan 2017-11-22 10:16:40 UTC

Description of problem:
 Normal user can delete networkpolicy in cli but cannot in web console

Version-Release number of selected component (if applicable):
v3.7.9

How reproducible:
Always

Steps to Reproduce:
1. $ cat allow-all.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-all
spec:
  podSelector:
  ingress:
  - {}
oc create -f allow-all.yaml
2. Login in web console, goto 'Other resources' page, select NetworkPolicy in dropdown list and try delete it.
3. oc get NetworkPolicy
4. oc delete NetworkPolicy allow-all
5, oc get NetworkPolicy

Actual results:
3. After very long time, the allow-all networkpolicy still exists 
5. CLI could be deleted successfully.
Expected results:
Should delete it immediately.

Additional info:
CLi and web should be consistent with delete network policy

Comment 1 Jessica Forrester 2017-11-22 12:20:32 UTC

This appears to be an issue with the garbage collector and NetworkPolicy because the console does foreground deletion of resources by default and the CLI defaults to no garbage collection policy. I can see the resource getting marked with the deletionTimestamp and the finalizer:


apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: '2017-11-22T12:15:02Z'
  deletionGracePeriodSeconds: 0
  deletionTimestamp: '2017-11-22T12:15:19Z'
  finalizers:
    - foregroundDeletion
  generation: 2
  name: allow-all
  namespace: jwforres
  resourceVersion: '65432501'
  selfLink: /apis/extensions/v1beta1/namespaces/jwforres/networkpolicies/allow-all
  uid: c465ede7-cf7e-11e7-89cc-02306c0cdc4b
spec:
  ingress:
    - {}
  podSelector: {}

Comment 3 David Eads 2017-11-22 16:02:10 UTC

See https://github.com/openshift/origin/pull/17426

Comment 4 Jacob Tanenbaum 2017-12-14 19:54:55 UTC

Is this still an issue? I can't reproduce I think the above PR fixed the issue

Comment 5 shahan 2017-12-15 02:32:58 UTC

This bug has been fixed by that PR, could you help change to ON_QA?

Comment 6 shahan 2017-12-18 02:47:38 UTC

Check this issue with the OCP v3.7.14, this bug has been fixed. Could delete networkpolicy on web console.

Comment 10 errata-xmlrpc 2018-04-05 09:32:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0636

Note You need to log in before you can comment on or make changes to this bug.