Namespace isolation for services is not working for normal tenants.

The kuryr namespace isolation functionality relies on modifying the default security group rules created by Octavia so that, instead of allowing traffic from everywhere to the specified port, they allow only traffic from the specific namespaces (the service's own namespace and the default one). The problem is that this security group does not belong to the tenant but to admin, and unless the tenant has access to modify it, the following error shows up in the kuryr-controller log, leaving the security group rules unmodified and therefore keeping the specified port reachable from everywhere:

2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 [-] Failed when creating security group rule for listener test/demo:TCP:80.: NotFound: Security group 397abbf5-1106-4311-93a3-472f9bbcb9e9 does not exist
Neutron server returns request_ids: ['req-301617bf-51e3-4eed-b3d2-4788fb977fb3']
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Traceback (most recent call last):
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 165, in _extend_lb_security_group_rules
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     'description': listener.name,
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 989, in create_security_group_rule
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     return self.post(self.security_group_rules_path, body=body)
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 359, in post
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     headers=headers, params=params)
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 294, in do_request
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     self._handle_fault_response(status_code, replybody, resp)
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 269, in _handle_fault_response
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     exception_handler_v20(status_code, error_body)
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2   File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 93, in exception_handler_v20
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2     request_ids=request_ids)
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 NotFound: Security group 397abbf5-1106-4311-93a3-472f9bbcb9e9 does not exist
2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Neutron server returns request_ids: ['req-301617bf-51e3-4eed-b3d2-4788fb977fb3']

How reproducible:
100%

Steps to Reproduce:
1. Deploy with namespace isolation enabled
2. Create 2 projects and 1 deployment on each one
3. Create a service for the deployment on project 1
4. Curl the service on project 1 from a pod on project 2

Actual results:
Curl succeeds

Expected results:
Curl hangs, as a pod from one namespace/project is not supposed to be able to reach a service from another namespace/project
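The failure above is silent from the tenant's point of view: the service simply keeps working, reachable from every namespace. Two checks an operator can run to catch it are shown below as an added example; this is not code from the bug report, from kuryr-kubernetes or from Octavia. The first scans kuryr-controller log lines for the "Failed when creating security group rule" error and extracts the listener and the security group it could not modify; the second takes the rules of the Octavia-created security group (dicts in the shape the Neutron API returns) and reports any ingress rule that still admits traffic to the listener port from outside the namespace subnets kuryr was expected to restrict it to. The log lines, rules and namespace CIDRs are constructed sample data modeled on the report.

```python
"""Added example: detect the unmodified-security-group failure described in the
report. Not part of kuryr-kubernetes; the sample data below is constructed."""
import ipaddress
import re

# Shape of the error line the report shows: timestamp, pid, level, logger,
# "[-] Failed when creating security group rule for listener ns/svc:PROTO:PORT.:"
# followed by the Neutron NotFound message with the security group id.
_FAIL_RE = re.compile(
    r"ERROR kuryr_kubernetes\.controller\.drivers\.lbaasv2 \[-\] "
    r"Failed when creating security group rule for listener "
    r"(?P<listener>\S+?)\.: NotFound: Security group "
    r"(?P<sg>[0-9a-f-]{36}) does not exist"
)


def detect_sg_rule_failures(log_lines):
    """Return [(listener, security_group_id), ...] for each failed rule update."""
    hits = []
    for line in log_lines:
        m = _FAIL_RE.search(line)
        if m:
            hits.append((m.group("listener"), m.group("sg")))
    return hits


def _covers_port(rule, port):
    """True if a Neutron rule's port range (None means 'all ports') includes port."""
    lo = rule.get("port_range_min")
    hi = rule.get("port_range_max")
    if lo is None and hi is None:
        return True
    return (lo or 0) <= port <= (hi or 65535)


def exposed_listener_rules(rules, listener_port, allowed_cidrs):
    """Return the ingress rules that admit traffic to listener_port from sources
    outside allowed_cidrs (the namespace subnets kuryr should have restricted to)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    exposed = []
    for rule in rules:
        if rule.get("direction") != "ingress" or not _covers_port(rule, listener_port):
            continue
        prefix = rule.get("remote_ip_prefix")
        if prefix is None:
            # No remote prefix and no remote security group: any source matches.
            if rule.get("remote_group_id") is None:
                exposed.append(rule)
            continue
        net = ipaddress.ip_network(prefix)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            exposed.append(rule)
    return exposed


# Constructed kuryr-controller log lines, modeled on the report's traceback.
SAMPLE_LOG = [
    "2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 [-] "
    "Failed when creating security group rule for listener test/demo:TCP:80.: NotFound: "
    "Security group 397abbf5-1106-4311-93a3-472f9bbcb9e9 does not exist",
    "2018-08-30 09:58:51.484 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 "
    "Traceback (most recent call last):",
    "2018-08-30 09:59:02.101 1 INFO kuryr_kubernetes.controller.drivers.lbaasv2 [-] "
    "Created listener test/demo:TCP:80",
]

# Constructed rules in the shape Neutron returns. The first list is the default
# Octavia creates (listener port open to everywhere); the second is what kuryr
# rewrites it to on success. The namespace CIDRs are assumed values.
OCTAVIA_DEFAULT_RULES = [
    {"direction": "ingress", "protocol": "tcp", "ethertype": "IPv4",
     "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "protocol": None, "ethertype": "IPv4",
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
]
NAMESPACE_RESTRICTED_RULES = [
    {"direction": "ingress", "protocol": "tcp", "ethertype": "IPv4",
     "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "10.0.1.0/24"},
    {"direction": "ingress", "protocol": "tcp", "ethertype": "IPv4",
     "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "10.0.0.0/24"},
]
ALLOWED_NS_CIDRS = ["10.0.1.0/24", "10.0.0.0/24"]  # service's namespace + default

if __name__ == "__main__":
    for listener, sg in detect_sg_rule_failures(SAMPLE_LOG):
        print("rule update failed for %s on security group %s" % (listener, sg))
    for label, rules in (("octavia default", OCTAVIA_DEFAULT_RULES),
                         ("namespace restricted", NAMESPACE_RESTRICTED_RULES)):
        bad = exposed_listener_rules(rules, 80, ALLOWED_NS_CIDRS)
        print("%s: %d rule(s) expose port 80 beyond the namespaces" % (label, len(bad)))
```

In a real deployment the rules would come from the Neutron API (for instance `openstack security group rule list <sg-id> -f json`) for the security group attached to the load balancer's VIP port, and the allowed CIDRs from the namespace subnets kuryr created; the functions are written to consume those directly.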
Not sure about the reasons behind creating the loadbalancer security group on the admin project instead of on the tenant that created the loadbalancer, but I see 2 possible options here:
1. make Octavia create the security group within the tenant project instead of the admin one, or
2. extend Octavia to permit specifying (restricting) the security group rules to be applied, for instance from where it should be accessible, not just on what port.
*** This bug has been marked as a duplicate of bug 1626377 ***