Bug 1839180 - [Kuryr] LB sgs are left behind upon LB deletion
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.5.0
Assignee: Maysa Macedo
QA Contact: GenadiC
URL:
Whiteboard:
Depends On:
Blocks: 1841493
Reported: 2020-05-22 16:20 UTC by Maysa Macedo
Modified: 2020-07-13 17:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1841493 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:41:26 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift kuryr-kubernetes pull 249 | 0 | None | closed | Bug 1839180: Remove lb sg creation when octavia provider is ovn-octavia | 2020-07-05 09:38:58 UTC
OpenStack gerrit | 730372 | 0 | None | MERGED | Remove lb sg creation when octavia provider is ovn-octavia | 2020-07-05 09:38:56 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:41:39 UTC

Description Maysa Macedo 2020-05-22 16:20:08 UTC
Description of problem:

When an OpenShift service is deleted, all the load balancer resources that were created for that service must also be deleted. Right now, in case the load balancer was created with the ovn-octavia provider, the load balancer security group is not being deleted.


Comment 3 rlobillo 2020-06-02 08:48:57 UTC
Verified on 4.5.0-0.nightly-2020-06-01-043833 on top of OSP16 RHOS_TRUNK-16.0-RHEL-8-20200513.n.1 with OVN-Octavia.

SG is not associated to VIP port when OVN-Octavia is used.

1. Create project pods and svc:

oc new-project test
oc run --image kuryr/demo demo-caller
oc run --image kuryr/demo demo
oc expose pod/demo --port 80 --target-port 8080

(overcloud) [stack@undercloud-0 ~]$ oc get pods,svc -o wide --show-labels
NAME                      READY   STATUS    RESTARTS   AGE   IP               NODE                        NOMINATED NODE   READINESS GATES   LABELS
pod/demo                  1/1     Running   0          63m   10.128.115.234   ostest-k7pdd-worker-8cf4l   <none>           <none>            run=demo
pod/demo-allowed-caller   1/1     Running   0          63m   10.128.114.205   ostest-k7pdd-worker-8cf4l   <none>           <none>            run=demo-allowed-caller
pod/demo-caller           1/1     Running   0          63m   10.128.115.247   ostest-k7pdd-worker-jpsbt   <none>           <none>            run=demo-caller

NAME           TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE     SELECTOR   LABELS
service/demo   ClusterIP   172.30.6.14   <none>        80/TCP    2m27s   run=demo   run=demo

2. Check OpenStack resources created. No security_group_ids linked to VIP port:

(overcloud) [stack@undercloud-0 ~]$ openstack port list | grep 172.30.6.14
| 79b451c2-f4b9-4761-a987-a751b0bb3cd7 | ovn-lb-vip-6e2effc9-1600-4dba-8d50-158ac002b732              | fa:16:3e:37:9a:29 | ip_address='172.30.6.14', subnet_id='27dec9e5-623f-499d-a62d-512759da16cd'    | DOWN   |

(overcloud) [stack@undercloud-0 ~]$ openstack port show 79b451c2-f4b9-4761-a987-a751b0bb3cd7
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                            |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                                                               |
| allowed_address_pairs   |                                                                                                                                                  |
| binding_host_id         |                                                                                                                                                  |
| binding_profile         |                                                                                                                                                  |
| binding_vif_details     |                                                                                                                                                  |
| binding_vif_type        | unbound                                                                                                                                          |
| binding_vnic_type       | normal                                                                                                                                           |
| created_at              | 2020-06-01T15:26:34Z                                                                                                                             |
| data_plane_status       | None                                                                                                                                             |
| description             |                                                                                                                                                  |
| device_id               |                                                                                                                                                  |
| device_owner            |                                                                                                                                                  |
| dns_assignment          | fqdn='host-172-30-6-14.shiftstack.com.', hostname='host-172-30-6-14', ip_address='172.30.6.14'                                                   |
| dns_domain              |                                                                                                                                                  |
| dns_name                |                                                                                                                                                  |
| extra_dhcp_opts         |                                                                                                                                                  |
| fixed_ips               | ip_address='172.30.6.14', subnet_id='27dec9e5-623f-499d-a62d-512759da16cd'                                                                       |
| id                      | 79b451c2-f4b9-4761-a987-a751b0bb3cd7                                                                                                             |
| location                | cloud='', project.domain_id=, project.domain_name=, project.id='758d38e2352449eaa9d6ae554d0650e9', project.name=, region_name='regionOne', zone= |
| mac_address             | fa:16:3e:37:9a:29                                                                                                                                |
| name                    | ovn-lb-vip-6e2effc9-1600-4dba-8d50-158ac002b732                                                                                                  |
| network_id              | 0adf99a6-4b4e-4909-9537-680d4031de65                                                                                                             |
| port_security_enabled   | True                                                                                                                                             |
| project_id              | 758d38e2352449eaa9d6ae554d0650e9                                                                                                                 |
| propagate_uplink_status | None                                                                                                                                             |
| qos_policy_id           | None                                                                                                                                             |
| resource_request        | None                                                                                                                                             |
| revision_number         | 2                                                                                                                                                |
| security_group_ids      |                                                                                                                                                  |
| status                  | DOWN                                                                                                                                             |
| tags                    |                                                                                                                                                  |
| trunk_details           | None                                                                                                                                             |
| updated_at              | 2020-06-01T15:26:49Z                                                                                                                             |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer show 6e2effc9-1600-4dba-8d50-158ac002b732
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| created_at          | 2020-06-01T15:26:34                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | 6e2effc9-1600-4dba-8d50-158ac002b732 |
| listeners           | 4814733f-9cfe-40e3-94a3-2d54f70f8517 |
| name                | test/demo                            |
| operating_status    | ONLINE                               |
| pools               | f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3 |
| project_id          | 758d38e2352449eaa9d6ae554d0650e9     |
| provider            | ovn                                  |
| provisioning_status | ACTIVE                               |
| updated_at          | 2020-06-01T15:26:51                  |
| vip_address         | 172.30.6.14                          |
| vip_network_id      | 0adf99a6-4b4e-4909-9537-680d4031de65 |
| vip_port_id         | 79b451c2-f4b9-4761-a987-a751b0bb3cd7 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 27dec9e5-623f-499d-a62d-512759da16cd |
+---------------------+--------------------------------------+

3. Delete svc:

(overcloud) [stack@undercloud-0 ~]$ oc delete svc demo -n test
service "demo" deleted

4. Confirm that resources are destroyed:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer show 6e2effc9-1600-4dba-8d50-158ac002b732
Unable to locate 6e2effc9-1600-4dba-8d50-158ac002b732 in loadbalancers
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 4814733f-9cfe-40e3-94a3-2d54f70f8517                                                                                 
Unable to locate 4814733f-9cfe-40e3-94a3-2d54f70f8517 in listeners
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer pool show f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3
Unable to locate f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3 in pools

5. Run NP: Results: passed 13, failed 10. Failures are related to known issue: https://bugzilla.redhat.com/show_bug.cgi?id=1841846

PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy-18]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy-23]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow egress access on one named port [Feature:NetworkPolicy-14]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from updated namespace [Feature:NetworkPolicy-16]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce updated policy [Feature:NetworkPolicy-15]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should support a 'default-deny' policy [Feature:NetworkPolicy-01]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy based on Ports [Feature:NetworkPolicy-09]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy-06]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access on one named port [Feature:NetworkPolicy-12]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce multiple, stacked policies with overlapping podSelectors [Feature:NetworkPolicy-10]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from namespace on one named port [Feature:NetworkPolicy-13]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from updated pod [Feature:NetworkPolicy-17]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy-03]
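
A leftover-security-group check that complements the verification steps in the comment above, added here as an example (it is not part of the original comment or of Kuryr's code). It assumes the load balancer security group carries the same `<namespace>/<service>` name as the load balancer (such as `test/demo`) and that the inputs are shaped like `openstack ... -f json` output; the key names and all IDs in the sample data are constructed.

```python
import json

# Constructed sample data shaped like `openstack ... -f json` output.
# Key names are assumptions of this example; all IDs are placeholders.
SECURITY_GROUPS = json.loads("""[
  {"ID": "sg-0001", "Name": "default"},
  {"ID": "sg-0002", "Name": "test/demo"},
  {"ID": "sg-0003", "Name": "test/web"},
  {"ID": "sg-0004", "Name": "test/api"},
  {"ID": "sg-0005", "Name": "unrelated-sg"}
]""")
LOAD_BALANCERS = json.loads("""[
  {"id": "lb-0001", "name": "test/web", "provider": "amphora"}
]""")
PORTS = json.loads("""[
  {"ID": "port-0001", "Security Groups": ["sg-0001", "sg-0003"]},
  {"ID": "port-0002", "Security Groups": []},
  {"ID": "port-0003", "Security Groups": ["sg-0004"]}
]""")


def looks_like_lb_sg(name):
    """Assumed convention: the SG is named '<namespace>/<service>'."""
    parts = name.split("/")
    return len(parts) == 2 and all(parts)


def find_leftover_lb_sgs(security_groups, load_balancers, ports):
    """Return (sg_id, sg_name, still_attached) for every LB-style security
    group whose load balancer no longer exists."""
    live_lb_names = {lb["name"] for lb in load_balancers}
    attached = {sg for p in ports for sg in (p.get("Security Groups") or [])}
    leftovers = []
    for sg in security_groups:
        if looks_like_lb_sg(sg["Name"]) and sg["Name"] not in live_lb_names:
            leftovers.append((sg["ID"], sg["Name"], sg["ID"] in attached))
    return leftovers


if __name__ == "__main__":
    for sg_id, name, still_attached in find_leftover_lb_sgs(
            SECURITY_GROUPS, LOAD_BALANCERS, PORTS):
        action = "still attached to a port" if still_attached else "unattached"
        print(f"{sg_id}  {name}: leftover, {action}")
```

A group reported as still attached should be reviewed rather than deleted, since a port continues to rely on its rules.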

Comment 4 errata-xmlrpc 2020-07-13 17:41:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

