Bug 1818061 - Wrong attempt to delete sg rules owned by Octavia tenant
Summary: Wrong attempt to delete sg rules owned by Octavia tenant
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.5.0
Assignee: Maysa Macedo
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On:
Blocks: 1818066 1824052
TreeView+ depends on / blocked
 
Reported: 2020-03-27 15:02 UTC by Jon Uriarte
Modified: 2020-08-04 18:07 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1818066 1818067 (view as bug list)
Environment:
Last Closed: 2020-08-04 18:07:26 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 200 0 None closed Bug 1818061: Ensure no attempt to deleted sg rules owned by Octavia happens 2020-06-19 11:04:46 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-08-04 18:07:32 UTC

Description Jon Uriarte 2020-03-27 15:02:56 UTC
Description of problem:

When updating the LB security group with only the rules applied
on a Network Policy we are also considering the sg rules owned by
octavia, this result on failure when trying to delete the rules
as this operation is not allowed.

startCount': 0, 'image': 'docker.io/library/busybox:1.29-glibc', 'imageID': '', 'started': False}], 'qosClass': 'BestEffort'}}}: openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/sec
urity-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:delete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging Traceback (most recent call last):
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/logging.py", line 37, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/retry.py", line 79, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/k8s_base.py", line 72, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self.on_present(obj)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 155, in on_present
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging services, crd_pod_selectors, project_id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 253, in _update_services
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._drv_lbaas.update_lbaas_sg(service, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 1092, in update_lbaas_sg
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging sg_rule_name, listener_id, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 339, in _apply_members_security_groups
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging os_net.delete_security_group_rule(rule.id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/network/v2/_proxy.py", line 3126, in delete_security_group_rule
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging security_group_rule, ignore_missing=ignore_missing)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 46, in check
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging return method(self, expected, actual, *args, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 362, in _delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging rv = res.delete(self)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1522, in delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._translate_response(response, has_body=False, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1107, in _translate_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging exceptions.raise_from_response(response, error_message=error_message)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/exceptions.py", line 229, in raise_from_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging http_status=http_status, request_id=request_id
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/security-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:de
lete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging
2020-03-25 16:26:46.662 1 WARNING kuryr_kubernetes.k8s_client [-] 60s without data received from watching /api/v1/namespaces. Retrying the connection with resourceVersion=219366.: ssl.SSLError: ('timed out',)
2020-03-25 16:26:54.246 1 INFO werkzeug [-] 10.196.0.14 - - [25/Mar/2020 16:26:54] "GET /alive HTTP/1.1" 500 -


Steps to Reproduce:
1. Deploy OSP
2. Deploy OCP
3. Run K8s NP tests

Actual results: NP tests fail

Expected results: NP tests pass

Comment 3 Jon Uriarte 2020-04-08 17:01:57 UTC
Verified in 4.5.0-0.nightly-2020-04-08-045556 on OSP 13 2020-04-01.3 puddle.

Could not find the error described in this BZ after running K8s Network Policy tests.

All the tests passed except the "should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy-06]" one,
but another BZ will be raised for that if needed as it's being analysed at this moment.

Comment 5 errata-xmlrpc 2020-08-04 18:07:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.