Bug 1677556 - NP: services sg rules not updated when scaling deployments
Summary: NP: services sg rules not updated when scaling deployments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-kuryr-kubernetes
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: Upstream M3
: 15.0 (Stein)
Assignee: Maysa Macedo
QA Contact: GenadiC
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-15 08:47 UTC by Luis Tomas Bolivar
Modified: 2019-09-26 10:48 UTC (History)
2 users (show)

Fixed In Version: openstack-kuryr-kubernetes-0.6.2-0.20190305141049.a019712.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-21 11:20:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1816015 0 None None None 2019-02-15 08:46:59 UTC
OpenStack gerrit 637186 0 None None None 2019-02-26 13:25:42 UTC
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:20:38 UTC

Description Luis Tomas Bolivar 2019-02-15 08:47:00 UTC
When NP policies are being used with podSelectors, for instance:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo

If a service points to pods where the above defined policy applies, its sg rules should be updated when pods with label 'run: demo' are created/deleted so that their associated IPs are either accepted or rejected.

Right now, if there is a pod (demo-1) with label 'run: demo' belonging to a deployment (demo), and that pod is killed, a new pod gets created by the deployment (demo-2), however, the svc sg rules keep accepting demo-1 IP instead of demo-2. Similarly for scaling actions.

In addition, if this is used together with pools, it may lead to a security breach as other pod without the right label could get the IP belonging to demo-1 pod, and access the svc while it should not be able to do so.

Comment 5 Maysa Macedo 2019-09-09 11:52:55 UTC
Previously, when a Network Policy was enforced on pods pointed by a Service and a pod matching the Network Policy rules specification got created,
only the Pods security groups got updated, when the Load Balancer security groups should also be updated. Now, whenever a pod event is triggered
and the pod matches the Network Policy rule, both the set of pods pointed by the Network Policy and the Load Balancer get the security groups updated.
Furthermore, it's also ensured that regardless of the order of Kubernetes resource creation the Load Balancer security group is updated accordingly.

Comment 7 errata-xmlrpc 2019-09-21 11:20:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811


Note You need to log in before you can comment on or make changes to this bug.