Bug 1818061 - Wrong attempt to delete sg rules owned by Octavia tenant
Summary: Wrong attempt to delete sg rules owned by Octavia tenant
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.5.0
Assignee: Maysa Macedo
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On:
Blocks: 1818066 1824052
Reported: 2020-03-27 15:02 UTC by Jon Uriarte
Modified: 2020-08-04 18:07 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1818066 1818067
Environment:
Last Closed: 2020-08-04 18:07:26 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 200 0 None closed Bug 1818061: Ensure no attempt to deleted sg rules owned by Octavia happens 2020-06-19 11:04:46 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-08-04 18:07:32 UTC

Description Jon Uriarte 2020-03-27 15:02:56 UTC
Description of problem:

When updating the LB security group with only the rules applied
on a Network Policy we are also considering the sg rules owned by
Octavia. This results in failure when trying to delete the rules,
as this operation is not allowed.

startCount': 0, 'image': 'docker.io/library/busybox:1.29-glibc', 'imageID': '', 'started': False}], 'qosClass': 'BestEffort'}}}: openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/security-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:delete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging Traceback (most recent call last):
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/logging.py", line 37, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/retry.py", line 79, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._handler(event)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/handlers/k8s_base.py", line 72, in __call__
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self.on_present(obj)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 155, in on_present
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging services, crd_pod_selectors, project_id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/handlers/vif.py", line 253, in _update_services
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._drv_lbaas.update_lbaas_sg(service, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 1092, in update_lbaas_sg
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging sg_rule_name, listener_id, sgs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 339, in _apply_members_security_groups
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging os_net.delete_security_group_rule(rule.id)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/network/v2/_proxy.py", line 3126, in delete_security_group_rule
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging security_group_rule, ignore_missing=ignore_missing)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 46, in check
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging return method(self, expected, actual, *args, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/proxy.py", line 362, in _delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging rv = res.delete(self)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1522, in delete
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging self._translate_response(response, has_body=False, **kwargs)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/resource.py", line 1107, in _translate_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging exceptions.raise_from_response(response, error_message=error_message)
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging File "/usr/lib/python3.6/site-packages/openstack/exceptions.py", line 229, in raise_from_response
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging http_status=http_status, request_id=request_id
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging openstack.exceptions.HttpException: HttpException: 403: Client Error for url: http://10.0.0.102:9696/v2.0/security-group-rules/bcf9a113-1014-4ba8-b337-e76cec8ec2df, rule:delete_security_group_rule is disallowed by policy
2020-03-25 16:26:44.780 1 ERROR kuryr_kubernetes.handlers.logging
2020-03-25 16:26:46.662 1 WARNING kuryr_kubernetes.k8s_client [-] 60s without data received from watching /api/v1/namespaces. Retrying the connection with resourceVersion=219366.: ssl.SSLError: ('timed out',)
2020-03-25 16:26:54.246 1 INFO werkzeug [-] 10.196.0.14 - - [25/Mar/2020 16:26:54] "GET /alive HTTP/1.1" 500 -


Steps to Reproduce:
1. Deploy OSP
2. Deploy OCP
3. Run K8s NP tests

Actual results: NP tests fail

Expected results: NP tests pass
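
The failure mode described above, as an added illustration that is not code from kuryr-kubernetes or from the linked pull request: a reconcile loop that prunes every unwanted rule in a security group hits a policy denial on a rule owned by another tenant, while one that skips rules it does not own completes. `FakeNetwork`, `Rule`, `reconcile` and the project names are constructed stand-ins, and matching rules by port alone is a simplification.

```python
from dataclasses import dataclass

class PolicyDenied(Exception):
    """Stand-in for the 403 'disallowed by policy' error in the traceback."""

@dataclass(frozen=True)
class Rule:
    id: str
    project_id: str
    port: int

class FakeNetwork:
    """Constructed stand-in for the network API: only the owner may delete."""
    def __init__(self, caller_project, rules):
        self.caller_project = caller_project
        self.rules = {r.id: r for r in rules}
    def security_group_rules(self):
        return list(self.rules.values())
    def delete_security_group_rule(self, rule_id):
        if self.rules[rule_id].project_id != self.caller_project:
            raise PolicyDenied(f"delete of {rule_id} is disallowed by policy")
        del self.rules[rule_id]

def reconcile(net, wanted_ports, own_only):
    """Delete rules whose port is not wanted; return the deleted rule ids."""
    deleted = []
    for rule in net.security_group_rules():
        if own_only and rule.project_id != net.caller_project:
            continue  # owned by another tenant: not ours to manage
        if rule.port not in wanted_ports:
            net.delete_security_group_rule(rule.id)
            deleted.append(rule.id)
    return deleted

def sample_network():
    # Constructed sample: two rules owned by the caller, one by another tenant.
    return FakeNetwork("kuryr-project", [
        Rule("r1", "kuryr-project", 80),
        Rule("r2", "kuryr-project", 8080),
        Rule("r3", "octavia-project", 9443),
    ])

def demo():
    unguarded = "ok"
    try:
        reconcile(sample_network(), {80}, own_only=False)
    except PolicyDenied as exc:
        unguarded = str(exc)  # the loop aborts on the foreign-owned rule
    net = sample_network()
    return unguarded, reconcile(net, {80}, own_only=True), sorted(net.rules)
```
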

Comment 3 Jon Uriarte 2020-04-08 17:01:57 UTC
Verified in 4.5.0-0.nightly-2020-04-08-045556 on OSP 13 2020-04-01.3 puddle.

Could not find the error described in this BZ after running K8s Network Policy tests.

All the tests passed except the "should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy-06]" one,
but another BZ will be raised for that if needed as it's being analysed at this moment.

Comment 5 errata-xmlrpc 2020-08-04 18:07:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
