Bug 1795631 - Failure updating security group rules from network policy
Summary: Failure updating security group rules from network policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.4.0
Assignee: Maysa Macedo
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On:
Blocks: 1799401
TreeView+ depends on / blocked
 
Reported: 2020-01-28 14:01 UTC by Jon Uriarte
Modified: 2020-05-04 11:27 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1799401 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:27:25 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 158 None closed Bug 1795631: Ensure no sg rule is repeated on the Network Policy CRD 2020-03-30 09:37:37 UTC
OpenStack gerrit 705243 None MERGED Ensure no sg rule is repeated on the Network Policy CRD 2020-03-30 09:37:36 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:27:50 UTC

Description Jon Uriarte 2020-01-28 14:01:52 UTC
Description of problem:

When running K8s NP tests in parallel (in different terminal), the Kuryr controller restarts due to the next error:

(
kubetest --provider=local  --check-version-skew=false --test --test_args="--ginkgo.focus=\[Feature:NetworkPolicy-0 --host=https://api.ostest.shiftstack.com:6443"
kubetest --provider=local  --check-version-skew=false --test --test_args="--ginkgo.focus=\[Feature:NetworkPolicy-1 --host=https://api.ostest.shiftstack.com:6443"
)

ERROR kuryr_kubernetes.handlers.logging [-] Failed to handle event {'type': 'ADDED', 'object': {'kind': 'NetworkPolicy', 'apiVersion': 'networking.k8s.io/v1', 'metadata': {'name': 'allow-from-client-b-pod-selector', 'namespace': 'network-policy-9108', 'selfLink': '/apis/networking.k8s.io/v1/namespaces/network-policy-9108/networkpolicies/allow-from-client-b-pod-selector', 'uid': '3f9a4598-4c48-44ed-8ff8-fb8ac56622b5', 'resourceVersion': '656984', 'generation': 1, 'creationTimestamp': '2020-01-28T10:54:23Z', 'annotations': {'kuryrnetpolicy_selfLink': '/apis/openstack.org/v1/namespaces/network-policy-9108/kuryrnetpolicies/np-allow-from-client-b-pod-selector'}}, 'spec': {'podSelector': {'matchLabels': {'pod-name': 'server'}}, 'ingress': [{'from': [{'podSelector': {'matchLabels': {'pod-name': 'client-b'}}}]}], 'policyTypes': ['Ingress']}}}: kuryr_kubernetes.exceptions.K8sClientException: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"KuryrNetPolicy.openstack.org \"np-allow-from-client-b-pod-selector\" is invalid: spec.ingressSgRules.security_group_rule.id: Required value","reason":"Invalid","details":{"name":"np-allow-from-client-b-pod-selector","group":"openstack.org","kind":"KuryrNetPolicy","causes":[{"reason":"FieldValueRequired","message":"Required value","field":"spec.ingressSgRules.security_group_rule.id"}]},"code":422}
ERROR kuryr_kubernetes.handlers.logging Traceback (most recent call last):
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/logging.py", line 37, in __call__
ERROR kuryr_kubernetes.handlers.logging     self._handler(event)
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/retry.py", line 78, in __call__
ERROR kuryr_kubernetes.handlers.logging     self._handler(event)
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/k8s_base.py", line 75, in __call__
ERROR kuryr_kubernetes.handlers.logging     self.on_present(obj)
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/policy.py", line 70, in on_present
ERROR kuryr_kubernetes.handlers.logging     project_id)
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/network_policy.py", line 59, in ensure_network_policy
ERROR kuryr_kubernetes.handlers.logging     self.update_security_group_rules_from_network_policy(policy))
ERROR kuryr_kubernetes.handlers.logging   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/network_policy.py", line 123, in update_security_group_rules_from_network_policy
     np_spec=policy['spec'])
   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/utils.py", line 245, in patch_kuryrnetworkpolicy_crd
     'networkpolicy_spec': np_spec})
   File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/k8s_client.py", line 137, in patch_crd
     raise exc.K8sClientException(response.text)
 kuryr_kubernetes.exceptions.K8sClientException: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"KuryrNetPolicy.openstack.org \"np-allow-from-client-b-pod-selector\" is invalid: spec.ingressSgRules.security_group_rule.id: Required value","reason":"Invalid","details":{"name":"np-allow-from-client-b-pod-selector","group":"openstack.org","kind":"KuryrNetPolicy","causes":[{"reason":"FieldValueRequired","message":"Required value","field":"spec.ingressSgRules.security_group_rule.id"}]},"code":422}


Version-Release number of selected component (if applicable):

OCP: 4.4.0-0.nightly-2020-01-24-141203
OSP: RHOS_TRUNK-16.0-RHEL-8-20191224.n.0

Using Octavia amphora driver.

$ openstack loadbalancer provider list
+---------+-------------------------------------------------+
| name    | description                                     |
+---------+-------------------------------------------------+
| amphora | The Octavia Amphora driver.                     |
| octavia | Deprecated alias of the Octavia Amphora driver. |
+---------+-------------------------------------------------+

Comment 2 Jon Uriarte 2020-02-13 15:56:29 UTC
Verified in 4.4.0-0.nightly-2020-02-10-234204 on top of OSP 13 2020-01-15.3 puddle.

After running K8s NP tests in parallel (in different terminal), the Kuryr controller doesn't show the next error:

ERROR kuryr_kubernetes.handlers.logging [-] Failed to handle event {'type': 'ADDED', 'object': {'kind': 'NetworkPolicy', 'apiVersion': 'networking.k8s.io/v1', 'metadata': {'name': 'allow-from-client-b-pod-selector', 'namespace': 'network-policy-9108', 'selfLink': '/apis/networking.k8s.io/v1/namespaces/network-policy-9108/networkpolicies/allow-from-client-b-pod-selector', 'uid': '3f9a4598-4c48-44ed-8ff8-fb8ac56622b5', 'resourceVersion': '656984', 'generation': 1, 'creationTimestamp': '2020-01-28T10:54:23Z', 'annotations': {'kuryrnetpolicy_selfLink': '/apis/openstack.org/v1/namespaces/network-policy-9108/kuryrnetpolicies/np-allow-from-client-b-pod-selector'}}, 'spec': {'podSelector': {'matchLabels': {'pod-name': 'server'}}, 'ingress': [{'from': [{'podSelector': {'matchLabels': {'pod-name': 'client-b'}}}]}], 'policyTypes': ['Ingress']}}}: kuryr_kubernetes.exceptions.K8sClientException: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"KuryrNetPolicy.openstack.org \"np-allow-from-client-b-pod-selector\" is invalid: spec.ingressSgRules.security_group_rule.id: Required value","reason":"Invalid","details":{"name":"np-allow-from-client-b-pod-selector","group":"openstack.org","kind":"KuryrNetPolicy","causes":[{"reason":"FieldValueRequired","message":"Required value","field":"spec.ingressSgRules.security_group_rule.id"}]},"code":422}

Comment 4 errata-xmlrpc 2020-05-04 11:27:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.