1660885 – Octavia lb SG rules are modified when namespace isolation is not used

Bug 1660885 - Octavia lb SG rules are modified when namespace isolation is not used

Summary: Octavia lb SG rules are modified when namespace isolation is not used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-kuryr-kubernetes
Sub Component:
Version:	14.0 (Rocky)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	z1
Target Release:	14.0 (Rocky)
Assignee:	Luis Tomas Bolivar
QA Contact:	Itzik Brown
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-19 14:11 UTC by Luis Tomas Bolivar
Modified:	2019-03-18 13:04 UTC (History)
CC List:	1 user (show)
Fixed In Version:	openstack-kuryr-kubernetes-0.5.3-0.20190121111334
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-18 13:04:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1809119	None	None	None	2018-12-19 14:11:06 UTC
OpenStack gerrit	626174	None	None	None	2018-12-19 14:11:51 UTC
OpenStack gerrit	626363	None	None	None	2018-12-20 06:57:15 UTC
Red Hat Product Errata	RHBA-2019:0591	None	None	None	2019-03-18 13:04:16 UTC

Description Luis Tomas Bolivar 2018-12-19 14:11:06 UTC

When using the kuryr namespace isolation there is a need for modifying the rules created by Octavia at the LoadBalancer SG. However, in the case namespace isolation is not enabled there is no need to try to change them. And by default, a normal tenant is not able to modify them (for the amphora driver), leading to the next error:

2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 [-] Failed when creating security group rule to enable routes for listener test/demo:TCP:80.: NotFound: Security group 8a6d6559-ada4-4df0-abb0-b6780161378b does not exist
Neutron server returns request_ids: ['req-09e62506-87f8-4f8d-9328-c9ef8d39a773']
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Traceback (most recent call last):
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 228, in _extend_lb_security_group_rules
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 'description': listener.name,
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 989, in create_security_group_rule
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 return self.post(self.security_group_rules_path, body=body)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 359, in post
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 headers=headers, params=params)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 294, in do_request
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 self._handle_fault_response(status_code, replybody, resp)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 269, in _handle_fault_response
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 exception_handler_v20(status_code, error_body)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 93, in exception_handler_v20
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 request_ids=request_ids)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 NotFound: Security group 8a6d6559-ada4-4df0-abb0-b6780161378b does not exist
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Neutron server returns request_ids: ['req-09e62506-87f8-4f8d-9328-c9ef8d39a773']
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2

Comment 6 Itzik Brown 2019-03-04 11:45:32 UTC

Will verify when we have the proper image (https://bugzilla.redhat.com/show_bug.cgi?id=1673799)

Comment 9 Itzik Brown 2019-03-07 00:43:35 UTC

Checked with:
openstack-kuryr-kubernetes-controller-0.5.3-0.20190121111334.a895113.el7ost.noarch

Comment 11 errata-xmlrpc 2019-03-18 13:04:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0591

Note You need to log in before you can comment on or make changes to this bug.