Bug 1643303 - Provisioning two APB services temporarily broke networking in the namespace
Summary: Provisioning two APB services temporarily broke networking in the namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Jesus M. Rodriguez
QA Contact: Zhang Cheng
URL:
Whiteboard:
Depends On: 1613280
Blocks: 1643300 1643301
Reported: 2018-10-25 21:09 UTC by Jesus M. Rodriguez
Modified: 2019-11-13 09:51 UTC
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Automation Broker always created a network policy to give the transient namespace access to the target namespace.

Consequence: Adding a network policy to a namespace that does not have any other network policies in place causes the namespace to be locked down to the newly created policy. Before the network policy, everything was open and namespaces could communicate with each other.

Fix: The Automation Broker looks to see if there are any network policies in place for the target namespace. If there are none, the broker will not create a new network policy. The broker will assume that things are open enough to allow the transient namespace we create to communicate with the target namespace. The broker will still create a network policy giving the transient namespace access to the target namespace, if there are other network policies in place for the target namespace.

Result: The fix allows the broker to perform the APB actions without affecting existing services running on the target namespace.
Clone Of: 1613280
Environment:
Last Closed: 2019-10-16 06:27:40 UTC
Target Upstream Version:
Embargoed:
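
Added example (not the broker's or bundle-lib's code): a self-contained Go model of the behaviour in the Doc Text, showing why a first policy isolates an open namespace and how the fixed grant/revoke logic avoids that. The `Policy` and `Cluster` types, the namespace names and the policy naming are assumptions made for illustration; the real broker talks to the Kubernetes API.

```go
package main

import "fmt"

// Policy is a simplified NetworkPolicy: it selects every pod in its namespace
// and admits ingress from a single source namespace.
type Policy struct{ Name, AllowFrom string }

// Cluster maps namespace -> policies (in-memory model, not the client-go API).
type Cluster map[string][]Policy

// Allowed models isolation: with no policies a namespace accepts everything;
// once any policy exists, only sources that some policy admits get in.
func (c Cluster) Allowed(from, to string) bool {
	ok := len(c[to]) == 0
	for _, p := range c[to] {
		ok = ok || p.AllowFrom == from
	}
	return ok
}

// GrantSandbox is the fixed behaviour: add a policy for the transient
// namespace only when the target already has policies. Returns true if created.
func (c Cluster) GrantSandbox(target, sandbox string) bool {
	if len(c[target]) == 0 {
		return false // namespace is open; a first policy would isolate it
	}
	// Assumption: the policy is named after the sandbox namespace.
	c[target] = append(c[target], Policy{sandbox, sandbox})
	return true
}

// RevokeSandbox removes the sandbox policy; a missing policy is a no-op, not
// an error, so teardown stays quiet when GrantSandbox created nothing.
func (c Cluster) RevokeSandbox(target, sandbox string) bool {
	for i, p := range c[target] {
		if p.Name == sandbox {
			c[target] = append(c[target][:i], c[target][i+1:]...)
			return true
		}
	}
	return false
}

func main() {
	c := Cluster{"locked": {{"allow-frontend", "frontend"}}} // constructed data
	fmt.Println(c.GrantSandbox("open", "sb1"), c.Allowed("other", "open"))
	fmt.Println(c.GrantSandbox("locked", "sb1"), c.Allowed("other", "locked"))
}
```

Appending a policy to the "open" namespace unconditionally, as the broker did before the fix, makes `Allowed("other", "open")` return false, which is the breakage this bug reports.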


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:2922 | 0 | None | None | None | 2019-10-16 06:27:56 UTC

Comment 2 Zihan Tang 2018-12-04 09:15:47 UTC
Verified with asb 1.4.2:
when provisioning and deprovisioning, it does not create a new networkpolicy, and the network connection between pods still works.
But when the provision and deprovision succeed, it tries to delete a networkpolicy which was not created, and reports an error:

time="2018-12-04T09:11:43Z" level=error msg="unable to delete the network policy object - networkpolicies.networking.k8s.io \"bundle-e4c1e666-dcce-434c-9331-825f4d88f7d2\" not found"

It's confusing for users; it would be better to check existence before deleting or to downgrade the log level. I am moving this back to ASSIGNED.

Comment 3 Jesus M. Rodriguez 2019-02-01 20:30:40 UTC
Fixed by PR https://github.com/openshift/ansible-service-broker/pull/1177 for OpenShift 3.9 (Broker 1.1.19+)

Comment 4 Jesus M. Rodriguez 2019-02-12 16:45:48 UTC
* OpenShift 4.0 (Broker 1.4.x)

Fixed by broker PR https://github.com/openshift/ansible-service-broker/pull/1180 and by bundle-lib PR https://github.com/automationbroker/bundle-lib/pull/178

* OpenShift 3.11 (Broker 1.3.x)

Fixed by broker PR https://github.com/openshift/ansible-service-broker/pull/1181 and by bundle-lib PR https://github.com/automationbroker/bundle-lib/pull/178

* OpenShift 3.10 (Broker 1.2.x)

Fixed by broker PR https://github.com/openshift/ansible-service-broker/pull/1185 and by bundle-lib PR https://github.com/automationbroker/bundle-lib/pull/180

Comment 5 Zihan Tang 2019-03-04 10:06:12 UTC
PR is merged in v1.4.5.
The latest image in downstream is still 1.4.4. Moving to Modified.

docker run --entrypoint=asbd reg-aws..../ose-ansible-service-broker:v4.0 --version
1.4.4

Comment 12 Zihan Tang 2019-04-12 02:35:59 UTC
According to comment #10, moving back to Modified.

Comment 18 Zihan Tang 2019-06-25 08:48:47 UTC
The target release is 4.2, but there is no ose-ansible-service-broker v4.2 image in the brew registry.

When using: oc image info ..../openshift/ose-ansible-service-broker:v4.1 --insecure=true,
there is no commit info for asb.

Are we still using `asbd --version` to trace code changes in the asb image?

Code changes in the asb operator image can be traced by `oc image info`, like:
$ oc image info .../openshift/ose-ansible-service-broker-operator:v4.1 --insecure=true | grep commit
               io.openshift.build.commit.id=156c29309ae3951ed11d60e13616de49537ee5b8
               io.openshift.build.commit.url=https://github.com/openshift/ansible-service-broker/commit/156c29309ae3951ed11d60e13616de49537ee5b8

Comment 19 Shawn Hurley 2019-06-25 12:46:09 UTC
I believe this is the build that you are looking for: 

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=917197

Comment 20 Zihan Tang 2019-06-27 02:51:44 UTC
Verified: 
ose-ansible-service-broker:v4.2.0-201906240232 
asb version:1.4.5

When provisioning and deprovisioning, no new networkpolicy is created, and there are no errors when there is no networkpolicy to delete.

Comment 23 errata-xmlrpc 2019-10-16 06:27:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

