Bug 1824258 - OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in listeners starting in disabled state [NEEDINFO]
Summary: OCP/OSP install (v16.1/v4.3.10) using kuryr to deploy octavia results in list...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Maysa Macedo
QA Contact: Jon Uriarte
Depends On:
Blocks: 1826820 1839835
TreeView+ depends on / blocked
Reported: 2020-04-15 16:23 UTC by milti leonard
Modified: 2020-07-13 17:28 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In order to enforce a Network Policy that blocks any traffic, the service matched by that policy should have the corresponding load balancer blocking the traffic, and the way Octavia provides this is by using ACLs and setting off the admin state on the load balancer listeners. Consequence: The mismatch of the security groups on the kuryr annotation for the openshift endpoints and the actual security group set for the pods made some load balancers to be considered for a network policy update, and so having the traffic blocked with the admin state disabled. Fix: The security groups field on the kuryr annotation for the endpoints matches the existent security groups of the selected pods. Result: All load balancer listeners have the admin state enabled if no network policy blocks it.
Clone Of:
: 1826820 1829840 (view as bug list)
Last Closed: 2020-07-13 17:27:56 UTC
Target Upstream Version:
ltomasbo: needinfo? (mleonard)

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 215 None closed Bug 1824258: Ensure LB state annotation sg matches the SG on the LB 2020-08-10 09:45:54 UTC
Github openstack/kuryr-kubernetes/commit/0e581caa2dfd8d2a8d88b0e480e5e5289f0d5454 None None None 2020-08-10 09:45:54 UTC
Launchpad 1872962 None None None 2020-04-15 16:23:59 UTC
OpenStack gerrit 720817 None MERGED Ensure LB state annotation sg matches the SG on the LB 2020-08-10 09:45:54 UTC
Red Hat Knowledge Base (Solution) 5038951 None None None 2020-04-30 15:24:14 UTC
Red Hat Product Errata RHBA-2020:2409 None None None 2020-07-13 17:28:28 UTC

Description milti leonard 2020-04-15 16:23:59 UTC
Description of problem:

customer installation of openshift on openstack, using kuryr to deploy octavia, results in octavia listeners being started in disabled state

Version-Release number of selected component (if applicable):
OSPv16.1, OCPv4.3.10

How reproducible:

Steps to Reproduce:
1. no OSP access, cannot reproduce

Actual results:

Expected results:

Additional info:
upstream bug created: https://bugs.launchpad.net/kuryr-kubernetes/+bug/1872962

Comment 6 Luis Tomas Bolivar 2020-04-20 08:09:32 UTC
This seems to be the culprit of the problem:


Comment 12 Jon Uriarte 2020-04-30 10:41:32 UTC
Verified in 4.5.0-0.nightly-2020-04-29-144201 on top of RHOS_TRUNK-16.0-RHEL-8-20200427.n.0 OSP 16 compose.
OSP 16 deployment with OVS neutron backend.

Successfull OCP 4.5 installation.

time="2020-04-29T17:40:25Z" level=info msg="Install complete!"
time="2020-04-29T17:40:25Z" level=debug msg="Time elapsed per stage:"
time="2020-04-29T17:40:25Z" level=debug msg="    Infrastructure: 1m42s"
time="2020-04-29T17:40:25Z" level=debug msg="Bootstrap Complete: 18m20s"
time="2020-04-29T17:40:25Z" level=debug msg="               API: 4m37s"
time="2020-04-29T17:40:25Z" level=debug msg=" Bootstrap Destroy: 42s"
time="2020-04-29T17:40:25Z" level=debug msg=" Cluster Operators: 19m32s"
time="2020-04-29T17:40:25Z" level=info msg="Time elapsed: 47m35s"

$ openstack loadbalancer provider list
| name    | description                                     |
| amphora | The Octavia Amphora driver.                     |
| octavia | Deprecated alias of the Octavia Amphora driver. |

$ oc get pods -n openshift-kuryr
NAME                                READY   STATUS    RESTARTS   AGE
kuryr-cni-9v7ps                     1/1     Running   1          16h
kuryr-cni-dc848                     1/1     Running   0          16h
kuryr-cni-g2d9b                     1/1     Running   0          16h
kuryr-cni-j24m9                     1/1     Running   0          16h
kuryr-cni-jn5mx                     1/1     Running   0          16h
kuryr-cni-sstkh                     1/1     Running   0          16h
kuryr-controller-74867c8fdd-m6z28   1/1     Running   1          16h

There are no disbaled LBs.

$ openstack loadbalancer listener list --disable -f value | wc -l

$ openstack loadbalancer listener list --enable -f value | wc -l

Comment 17 errata-xmlrpc 2020-07-13 17:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.