Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1824258

Summary: OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in listeners starting in disabled state
Product: OpenShift Container Platform Reporter: milti leonard <mleonard>
Component: Networking Assignee: Maysa Macedo <mdemaced>
Networking sub component: kuryr QA Contact: Jon Uriarte <juriarte>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: bbennett, juriarte, palonsor, rlobillo
Version: 4.3.z Keywords: AutomationBackLog
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: To enforce a Network Policy that blocks any traffic, the load balancer of the service matched by that policy must also block the traffic. Octavia provides this through ACLs and by turning off the admin state on the load balancer listeners.
Consequence: A mismatch between the security groups in the kuryr annotation for the OpenShift endpoints and the security groups actually set on the pods caused some load balancers to be considered for a network policy update, so their traffic was blocked with the admin state disabled.
Fix: The security groups field in the kuryr annotation for the endpoints now matches the existing security groups of the selected pods.
Result: All load balancer listeners have the admin state enabled if no network policy blocks it.
Story Points: ---
Clone Of:
: 1826820 1829840 Environment:
Last Closed: 2020-07-13 17:27:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1826820, 1839835    

Description milti leonard 2020-04-15 16:23:59 UTC
Description of problem:

customer installation of openshift on openstack, using kuryr to deploy octavia, results in octavia listeners being started in disabled state

Version-Release number of selected component (if applicable):
OSPv16.1, OCPv4.3.10

How reproducible:


Steps to Reproduce:
1. no OSP access, cannot reproduce

Actual results:


Expected results:


Additional info:
upstream bug created: https://bugs.launchpad.net/kuryr-kubernetes/+bug/1872962

Comment 6 Luis Tomas Bolivar 2020-04-20 08:09:32 UTC
This seems to be the culprit of the problem:

https://review.opendev.org/#/c/720817/

Comment 12 Jon Uriarte 2020-04-30 10:41:32 UTC
Verified in 4.5.0-0.nightly-2020-04-29-144201 on top of RHOS_TRUNK-16.0-RHEL-8-20200427.n.0 OSP 16 compose.
OSP 16 deployment with OVS neutron backend.

Successful OCP 4.5 installation.

time="2020-04-29T17:40:25Z" level=info msg="Install complete!"
...
time="2020-04-29T17:40:25Z" level=debug msg="Time elapsed per stage:"
time="2020-04-29T17:40:25Z" level=debug msg="    Infrastructure: 1m42s"
time="2020-04-29T17:40:25Z" level=debug msg="Bootstrap Complete: 18m20s"
time="2020-04-29T17:40:25Z" level=debug msg="               API: 4m37s"
time="2020-04-29T17:40:25Z" level=debug msg=" Bootstrap Destroy: 42s"
time="2020-04-29T17:40:25Z" level=debug msg=" Cluster Operators: 19m32s"
time="2020-04-29T17:40:25Z" level=info msg="Time elapsed: 47m35s"


$ openstack loadbalancer provider list
+---------+-------------------------------------------------+
| name    | description                                     |
+---------+-------------------------------------------------+
| amphora | The Octavia Amphora driver.                     |
| octavia | Deprecated alias of the Octavia Amphora driver. |
+---------+-------------------------------------------------+

$ oc get pods -n openshift-kuryr
NAME                                READY   STATUS    RESTARTS   AGE
kuryr-cni-9v7ps                     1/1     Running   1          16h
kuryr-cni-dc848                     1/1     Running   0          16h
kuryr-cni-g2d9b                     1/1     Running   0          16h
kuryr-cni-j24m9                     1/1     Running   0          16h
kuryr-cni-jn5mx                     1/1     Running   0          16h
kuryr-cni-sstkh                     1/1     Running   0          16h
kuryr-controller-74867c8fdd-m6z28   1/1     Running   1          16h

There are no disabled LBs.

$ openstack loadbalancer listener list --disable -f value | wc -l
0

$ openstack loadbalancer listener list --enable -f value | wc -l
59
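
Added example (not part of the bug report or of kuryr's code): the verification above only counts disabled listeners, while the Doc Text says a disabled admin state is legitimate only where a network policy blocks traffic. The sketch below separates the two cases from `openstack loadbalancer listener list -f json` output. The listener naming scheme `<namespace>/<service>:<PROTOCOL>:<port>`, the sample records and the `policy_namespaces` input are assumptions.

```python
import json

# Constructed sample, shaped like `openstack loadbalancer listener list -f json`.
SAMPLE_LISTENERS = json.loads("""
[
  {"id": "l-1", "name": "default/kubernetes:HTTPS:443", "admin_state_up": true},
  {"id": "l-2", "name": "openshift-dns/dns-default:TCP:53", "admin_state_up": false},
  {"id": "l-3", "name": "team-a/web:TCP:80", "admin_state_up": false},
  {"id": "l-4", "name": "team-a/api:TCP:8080", "admin_state_up": "True"},
  {"id": "l-5", "name": "manual-listener", "admin_state_up": "False"}
]
""")


def is_enabled(value):
    """Accept JSON booleans and the 'True'/'False' strings of `-f value` output."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def namespace_of(listener_name):
    """Assumed naming scheme: '<namespace>/<service>:<PROTOCOL>:<port>'."""
    namespace, sep, _ = (listener_name or "").partition("/")
    return namespace if sep and namespace else None


def audit_listeners(listeners, policy_namespaces):
    """Count enabled listeners and split disabled ones by policy presence."""
    report = {"enabled": 0, "disabled_with_policy": [], "disabled_without_policy": []}
    for listener in listeners:
        if is_enabled(listener.get("admin_state_up")):
            report["enabled"] += 1
            continue
        namespace = namespace_of(listener.get("name"))
        bucket = ("disabled_with_policy" if namespace in policy_namespaces
                  else "disabled_without_policy")
        report[bucket].append((listener["id"], namespace))
    return report


if __name__ == "__main__":
    # Hypothetical input: namespaces that contain NetworkPolicy objects.
    result = audit_listeners(SAMPLE_LISTENERS, policy_namespaces={"team-a"})
    print("enabled:", result["enabled"])
    for listener_id, namespace in result["disabled_without_policy"]:
        print("disabled without a NetworkPolicy:", listener_id, namespace)
```

Listeners reported under `disabled_without_policy` match the symptom described in this bug; those under `disabled_with_policy` still need the policy itself checked before they are considered intended.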

Comment 17 errata-xmlrpc 2020-07-13 17:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

Comment 18 Red Hat Bugzilla 2023-09-14 05:55:31 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days