+++ This bug was initially created as a clone of Bug #1786299 +++ If a Network Policy is enforced, while a load balancer is finalizing the creation, the endpoints could be not yet annotated with the load balancer state and the update of the lb security group is ignored causing a security breach.
Hi, Please add information about how to verify.
Hi Itzik, The fix can be validated by verifying that the Upstream Network Policy test "should support a 'default-deny' policy [Feature:NetworkPolicy-01]" is green.
Cleaning up needinfo as Maysa already pointed out how to verify it
Verified in 4.3.0-0.nightly-2020-01-06-185654 build on top of OSP 13 2019-12-06.2 puddle. The OCP installer finishes successfully: $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.3.0-0.nightly-2020-01-06-185654 True False 175m Cluster version is 4.3.0-0.nightly-2020-01-06-185654 And "should support a 'default-deny' policy [Feature:NetworkPolicy-01]" test case from upstream K8s NP tests passed two times: •{"msg":"PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should support a 'default-deny' policy [Feature:NetworkPolicy-01]","total":1,"completed":1,"skipped":2331,"failed":0} 10:49:32.171: INFO: Running AfterSuite actions on all nodes Jan 7 10:49:32.171: INFO: Running AfterSuite actions on node 1 {"msg":"Test Suite completed","total":1,"completed":1,"skipped":4839,"failed":0} Ran 1 of 4840 Specs in 224.777 seconds SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 4839 Skipped PASS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062