Bug 1787343 - Deletion of Network Policies enforced on same pod cause controller restart
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.3.z
Assignee: Maysa Macedo
QA Contact: GenadiC
URL:
Whiteboard:
Depends On: 1787341
Blocks:
Reported: 2020-01-02 13:29 UTC by Maysa Macedo
Modified: 2020-02-19 05:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1787341
Environment:
Last Closed: 2020-02-19 05:39:53 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift kuryr-kubernetes pull 129 | 0 | None | closed | [release-4.3] Bug 1787343: Protect from sg Not Found on multiple np enforcement | 2020-02-13 20:56:58 UTC
Red Hat Product Errata | RHBA-2020:0492 | 0 | None | None | None | 2020-02-19 05:40:03 UTC

Description Maysa Macedo 2020-01-02 13:29:56 UTC
+++ This bug was initially created as a clone of Bug #1787341 +++

Description of problem:

When multiple Network Policy deletions affecting the
same pod happen at the same time, a Not Found exception
can be raised, causing a Kuryr Controller restart.

2019-12-17 01:47:47.588 1 DEBUG kuryr_kubernetes.handlers.asynchronous [-] Asynchronous handler stopped processing group 05e19cdf-206e-11ea-9993-fa163e044615 _done /usr/local/lib/python3.6/site-packages/kuryr_kubernetes/handlers/asynchronous.py:102
2019-12-17 01:47:47.749 1 DEBUG kuryr_kubernetes.controller.drivers.network_policy [-] Deleting KuryrNetPolicy CRD np-allow-pod-a-to-pod-b-using-pod-selector _del_kuryrnetpolicy_crd /usr/local/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/network_policy.py:740
2019-12-17 01:47:47.749 1 DEBUG kuryr_kubernetes.k8s_client [-] Delete /apis/openstack.org/v1/namespaces/network-policy-9919/kuryrnetpolicies/np-allow-pod-a-to-pod-b-using-pod-selector delete /usr/local/lib/python3.6/site-packages/kuryr_kubernetes/k8s_client.py:185
2019-12-17 01:47:47.878 1 DEBUG kuryr_kubernetes.handlers.asynchronous [-] Asynchronous handler started processing f5f9040f-206e-11ea-9993-fa163e044615 _run /usr/local/lib/python3.6/site-packages/kuryr_kubernetes/handlers/asynchronous.py:64
2019-12-17 01:47:47.906 1 DEBUG neutronclient.v2_0.client [-] Error message: {"NeutronError": {"message": "Security group 669aff8c-852b-4260-b04c-95ccbfb1a998 does not exist", "type": "SecurityGroupNotFound", "detail": ""}} _handle_fault_response /usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py:259
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry [-] Report handler unhealthy NetworkPolicyHandler: neutronclient.common.exceptions.NotFound: Security group 669aff8c-852b-4260-b04c-95ccbfb1a998 does not exist
Neutron server returns request_ids: ['req-b90ea3f9-3ee3-46a8-b526-3fccce6494f8']
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry Traceback (most recent call last):
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/handlers/retry.py", line 78, in __call__
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self._handler(event)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/handlers/k8s_base.py", line 77, in __call__
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self.on_deleted(obj)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/policy.py", line 119, in on_deleted
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 1131, in update_vif_sgs
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self._vif_drvs[pod_vif_type].update_vif_sgs(pod, sgs)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 173, in update_vif_sgs
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self._drv_vif.update_vif_sgs(pod, sgs)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/neutron_vif.py", line 112, in update_vif_sgs
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry security_groups)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 808, in update_port
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry revision_number=revision_number)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 2399, in _update_resource
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry return self.put(path, **kwargs)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 363, in put
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry headers=headers, params=params)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 331, in retry_request
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry headers=headers, params=params)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 294, in do_request
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry self._handle_fault_response(status_code, replybody, resp)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 269, in _handle_fault_response
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry exception_handler_v20(status_code, error_body)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry File "/usr/local/lib/python3.6/site-packages/neutronclient/v2_0/client.py", line 93, in exception_handler_v20
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry request_ids=request_ids)
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry neutronclient.common.exceptions.NotFound: Security group 669aff8c-852b-4260-b04c-95ccbfb1a998 does not exist
2019-12-17 01:47:47.908 1 ERROR kuryr_kubernetes.handlers.retry Neutron server returns request_ids: ['req-b90ea3f9-3ee3-46a8-b526-3fccce6494f8']

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Run the following Kubernetes Network Policy test: "should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector"

Actual results:

Kuryr Controller restarted

Expected results:

Both Network Policies and respective security groups are deleted with no controller restart.
 
Additional info:
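
The interleaving behind the traceback above, replayed deterministically as an added example (not part of the original report and not kuryr-kubernetes code). `FakeNeutron`, the `sg-*` names and the tolerant variant's fallback to a default group are assumptions; the page does not show the actual fix.

```python
class NotFound(Exception):
    """Stand-in for neutronclient.common.exceptions.NotFound."""

class FakeNeutron:
    """Hypothetical in-memory Neutron: security groups and port bindings."""
    def __init__(self, sgs):
        self.sgs = set(sgs)
        self.ports = {}

    def update_port(self, port_id, security_groups):
        for sg in security_groups:
            if sg not in self.sgs:
                raise NotFound("Security group %s does not exist" % sg)
        self.ports[port_id] = list(security_groups)

    def delete_security_group(self, sg):
        self.sgs.discard(sg)

def update_vif_sgs_strict(neutron, port_id, sgs):
    # Behaviour seen in the traceback: NotFound propagates to the retry
    # handler, which reports NetworkPolicyHandler unhealthy.
    neutron.update_port(port_id, sgs)

def update_vif_sgs_tolerant(neutron, port_id, sgs, default_sg="sg-default"):
    # Assumed mitigation: drop groups that vanished between the lookup and
    # the port update, retry, and never leave the port without a group.
    wanted = list(sgs)
    while True:
        try:
            neutron.update_port(port_id, wanted or [default_sg])
            return wanted or [default_sg]
        except NotFound:
            # A real driver would re-query Neutron here instead of this set.
            still_there = [sg for sg in wanted if sg in neutron.sgs]
            if still_there == wanted:
                raise  # nothing left to drop: the default group is missing
            wanted = still_there

def race(update):
    """np-a handler reads the pod's groups, np-b's group is deleted, np-a writes."""
    neutron = FakeNeutron({"sg-default", "sg-np-a", "sg-np-b"})
    neutron.ports["pod-port"] = ["sg-np-a", "sg-np-b"]
    pod_sgs = ["sg-np-b"]                      # groups left once np-a is gone
    neutron.delete_security_group("sg-np-b")   # np-b handler wins the race
    try:
        update(neutron, "pod-port", pod_sgs)
    except NotFound as exc:
        return "unhealthy: %s" % exc
    return neutron.ports["pod-port"]
```

The lookup of remaining groups and the port update are separate Neutron calls, so any caller that computes the list first has to treat a 404 on the update as a stale read rather than a fatal error.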

Comment 2 Itzik Brown 2020-02-06 16:07:23 UTC
OCP 4.3.0-0.nightly-2020-02-06-035100
OSP RHOS_TRUNK-16.0-RHEL-8-20200131.n.0

The K8s Network Policy test "should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy-23]" has passed
two times and Kuryr controller has not been restarted

Comment 4 errata-xmlrpc 2020-02-19 05:39:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0492

