1824258 – OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in listeners starting in disabled state

Bug 1824258 - OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in listeners starting in disabled state

Summary: OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in list...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.3.z
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	4.5.0
Assignee:	Maysa Macedo
QA Contact:	Jon Uriarte
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1826820 1839835
TreeView+	depends on / blocked

Reported:	2020-04-15 16:23 UTC by milti leonard
Modified:	2023-10-06 19:40 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: In order to enforce a Network Policy that blocks any traffic, the service matched by that policy should have the corresponding load balancer blocking the traffic, and the way Octavia provides this is by using ACLs and setting off the admin state on the load balancer listeners. Consequence: The mismatch of the security groups on the kuryr annotation for the openshift endpoints and the actual security group set for the pods made some load balancers to be considered for a network policy update, and so having the traffic blocked with the admin state disabled. Fix: The security groups field on the kuryr annotation for the endpoints matches the existent security groups of the selected pods. Result: All load balancer listeners have the admin state enabled if no network policy blocks it.
Clone Of:
Clones:	1826820 1829840 (view as bug list)
Environment:
Last Closed:	2020-07-13 17:27:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift kuryr-kubernetes pull 215	None	closed	Bug 1824258: Ensure LB state annotation sg matches the SG on the LB	2020-11-09 06:20:09 UTC
Github	openstack/kuryr-kubernetes/commit/0e581caa2dfd8d2a8d88b0e480e5e5289f0d5454	None	None	None	2020-09-23 08:40:48 UTC
Launchpad	1872962	None	None	None	2020-04-15 16:23:59 UTC
OpenStack gerrit	720817	None	MERGED	Ensure LB state annotation sg matches the SG on the LB	2020-11-09 06:20:08 UTC
Red Hat Knowledge Base (Solution)	5038951	None	None	None	2020-04-30 15:24:14 UTC
Red Hat Product Errata	RHBA-2020:2409	None	None	None	2020-07-13 17:28:28 UTC

Description milti leonard 2020-04-15 16:23:59 UTC

Description of problem:

customer installation of openshift on openstack, using kuryr to deploy octavia, results in octavia listeners being started in disabled state

Version-Release number of selected component (if applicable):
OSPv16.1, OCPv4.3.10

How reproducible:


Steps to Reproduce:
1. no OSP access, cannot reproduce
2.
3.

Actual results:


Expected results:


Additional info:
upstream bug created: https://bugs.launchpad.net/kuryr-kubernetes/+bug/1872962

Comment 6 Luis Tomas Bolivar 2020-04-20 08:09:32 UTC

This seems to be the culprit of the problem:

https://review.opendev.org/#/c/720817/

Comment 12 Jon Uriarte 2020-04-30 10:41:32 UTC

Verified in 4.5.0-0.nightly-2020-04-29-144201 on top of RHOS_TRUNK-16.0-RHEL-8-20200427.n.0 OSP 16 compose.
OSP 16 deployment with OVS neutron backend.

Successfull OCP 4.5 installation.

time="2020-04-29T17:40:25Z" level=info msg="Install complete!"
...
time="2020-04-29T17:40:25Z" level=debug msg="Time elapsed per stage:"
time="2020-04-29T17:40:25Z" level=debug msg="    Infrastructure: 1m42s"
time="2020-04-29T17:40:25Z" level=debug msg="Bootstrap Complete: 18m20s"
time="2020-04-29T17:40:25Z" level=debug msg="               API: 4m37s"
time="2020-04-29T17:40:25Z" level=debug msg=" Bootstrap Destroy: 42s"
time="2020-04-29T17:40:25Z" level=debug msg=" Cluster Operators: 19m32s"
time="2020-04-29T17:40:25Z" level=info msg="Time elapsed: 47m35s"


$ openstack loadbalancer provider list
+---------+-------------------------------------------------+
| name    | description                                     |
+---------+-------------------------------------------------+
| amphora | The Octavia Amphora driver.                     |
| octavia | Deprecated alias of the Octavia Amphora driver. |
+---------+-------------------------------------------------+

$ oc get pods -n openshift-kuryr
NAME                                READY   STATUS    RESTARTS   AGE
kuryr-cni-9v7ps                     1/1     Running   1          16h
kuryr-cni-dc848                     1/1     Running   0          16h
kuryr-cni-g2d9b                     1/1     Running   0          16h
kuryr-cni-j24m9                     1/1     Running   0          16h
kuryr-cni-jn5mx                     1/1     Running   0          16h
kuryr-cni-sstkh                     1/1     Running   0          16h
kuryr-controller-74867c8fdd-m6z28   1/1     Running   1          16h

There are no disbaled LBs.

$ openstack loadbalancer listener list --disable -f value | wc -l
0

$ openstack loadbalancer listener list --enable -f value | wc -l
59

Comment 17 errata-xmlrpc 2020-07-13 17:27:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

Comment 18 Red Hat Bugzilla 2023-09-14 05:55:31 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.