Description of problem:
When an OpenShift service is deleted, all the load balancer resources that were created for that service must also be deleted. Right now, in case the load balancer was created with the ovn-octavia provider, the load balancer security group is not being deleted.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Verified on 4.5.0-0.nightly-2020-06-01-043833 on top of OSP16 RHOS_TRUNK-16.0-RHEL-8-20200513.n.1 with OVN-Octavia.

SG is not associated to VIP port when OVN-Octavia is used.

1. Create project pods and svc:

oc new-project test
oc run --image kuryr/demo demo-caller
oc run --image kuryr/demo demo
oc expose pod/demo --port 80 --target-port 8080

(overcloud) [stack@undercloud-0 ~]$ oc get pods,svc -o wide --show-labels
NAME                      READY   STATUS    RESTARTS   AGE   IP               NODE                        NOMINATED NODE   READINESS GATES   LABELS
pod/demo                  1/1     Running   0          63m   10.128.115.234   ostest-k7pdd-worker-8cf4l   <none>           <none>            run=demo
pod/demo-allowed-caller   1/1     Running   0          63m   10.128.114.205   ostest-k7pdd-worker-8cf4l   <none>           <none>            run=demo-allowed-caller
pod/demo-caller           1/1     Running   0          63m   10.128.115.247   ostest-k7pdd-worker-jpsbt   <none>           <none>            run=demo-caller

NAME           TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE     SELECTOR   LABELS
service/demo   ClusterIP   172.30.6.14   <none>        80/TCP    2m27s   run=demo   run=demo

2. Check Openstack resources created. No security_group_ids linked to VIP port:

(overcloud) [stack@undercloud-0 ~]$ openstack port list | grep 172.30.6.14
| 79b451c2-f4b9-4761-a987-a751b0bb3cd7 | ovn-lb-vip-6e2effc9-1600-4dba-8d50-158ac002b732 | fa:16:3e:37:9a:29 | ip_address='172.30.6.14', subnet_id='27dec9e5-623f-499d-a62d-512759da16cd' | DOWN |

(overcloud) [stack@undercloud-0 ~]$ openstack port show 79b451c2-f4b9-4761-a987-a751b0bb3cd7
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP |
| allowed_address_pairs   | |
| binding_host_id         | |
| binding_profile         | |
| binding_vif_details     | |
| binding_vif_type        | unbound |
| binding_vnic_type       | normal |
| created_at              | 2020-06-01T15:26:34Z |
| data_plane_status       | None |
| description             | |
| device_id               | |
| device_owner            | |
| dns_assignment          | fqdn='host-172-30-6-14.shiftstack.com.', hostname='host-172-30-6-14', ip_address='172.30.6.14' |
| dns_domain              | |
| dns_name                | |
| extra_dhcp_opts         | |
| fixed_ips               | ip_address='172.30.6.14', subnet_id='27dec9e5-623f-499d-a62d-512759da16cd' |
| id                      | 79b451c2-f4b9-4761-a987-a751b0bb3cd7 |
| location                | cloud='', project.domain_id=, project.domain_name=, project.id='758d38e2352449eaa9d6ae554d0650e9', project.name=, region_name='regionOne', zone= |
| mac_address             | fa:16:3e:37:9a:29 |
| name                    | ovn-lb-vip-6e2effc9-1600-4dba-8d50-158ac002b732 |
| network_id              | 0adf99a6-4b4e-4909-9537-680d4031de65 |
| port_security_enabled   | True |
| project_id              | 758d38e2352449eaa9d6ae554d0650e9 |
| propagate_uplink_status | None |
| qos_policy_id           | None |
| resource_request        | None |
| revision_number         | 2 |
| security_group_ids      | |
| status                  | DOWN |
| tags                    | |
| trunk_details           | None |
| updated_at              | 2020-06-01T15:26:49Z |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer show 6e2effc9-1600-4dba-8d50-158ac002b732
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| created_at          | 2020-06-01T15:26:34                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | 6e2effc9-1600-4dba-8d50-158ac002b732 |
| listeners           | 4814733f-9cfe-40e3-94a3-2d54f70f8517 |
| name                | test/demo                            |
| operating_status    | ONLINE                               |
| pools               | f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3 |
| project_id          | 758d38e2352449eaa9d6ae554d0650e9     |
| provider            | ovn                                  |
| provisioning_status | ACTIVE                               |
| updated_at          | 2020-06-01T15:26:51                  |
| vip_address         | 172.30.6.14                          |
| vip_network_id      | 0adf99a6-4b4e-4909-9537-680d4031de65 |
| vip_port_id         | 79b451c2-f4b9-4761-a987-a751b0bb3cd7 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 27dec9e5-623f-499d-a62d-512759da16cd |
+---------------------+--------------------------------------+

3. Delete svc:

(overcloud) [stack@undercloud-0 ~]$ oc delete svc demo -n test
service "demo" deleted

4. Confirm that resources are destroyed:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer show 6e2effc9-1600-4dba-8d50-158ac002b732
Unable to locate 6e2effc9-1600-4dba-8d50-158ac002b732 in loadbalancers
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 4814733f-9cfe-40e3-94a3-2d54f70f8517
Unable to locate 4814733f-9cfe-40e3-94a3-2d54f70f8517 in listeners
(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer pool show f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3
Unable to locate f1aaae01-1774-4cb3-8ba3-aa7a1c03bea3 in pools

5. Run NP:

Results: passed 13, failed 10. Failures are related to known issue: https://bugzilla.redhat.com/show_bug.cgi?id=1841846

PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy-18]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy-23]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow egress access on one named port [Feature:NetworkPolicy-14]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from updated namespace [Feature:NetworkPolicy-16]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce updated policy [Feature:NetworkPolicy-15]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should support a 'default-deny' policy [Feature:NetworkPolicy-01]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy based on Ports [Feature:NetworkPolicy-09]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy-06]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access on one named port [Feature:NetworkPolicy-12]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce multiple, stacked policies with overlapping podSelectors [Feature:NetworkPolicy-10]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from namespace on one named port [Feature:NetworkPolicy-13]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should allow ingress access from updated pod [Feature:NetworkPolicy-17]
PASSED [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy-03]
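
Added example, not part of the bug report or of any project's code: a small audit that flags security groups left behind after load balancer deletion and OVN VIP ports that still carry security groups. The inventory is constructed; only the field names (security_group_ids, vip_port_id, provider) follow the command output above, and the function names are hypothetical.

```python
# Constructed inventory. Field names follow the `openstack port show` and
# `openstack loadbalancer show` output in this report; all IDs are made up.
LOADBALANCERS = [
    {"id": "lb-1", "provider": "amphora", "vip_port_id": "port-1"},
    {"id": "lb-2", "provider": "ovn", "vip_port_id": "port-2"},
    {"id": "lb-3", "provider": "ovn", "vip_port_id": "port-3"},
]
PORTS = [
    {"id": "port-1", "security_group_ids": ["sg-lb-1"]},
    {"id": "port-2", "security_group_ids": []},           # as verified for OVN
    {"id": "port-3", "security_group_ids": ["sg-lb-3"]},  # unexpected for OVN
    {"id": "port-9", "security_group_ids": ["sg-pods"]},
]
SECURITY_GROUPS = [
    {"id": "sg-default", "name": "default"},
    {"id": "sg-pods", "name": "pods"},
    {"id": "sg-lb-1", "name": "lb-1-sg"},
    {"id": "sg-lb-3", "name": "lb-3-sg"},
    {"id": "sg-lb-7", "name": "lb-7-sg"},  # its load balancer was deleted
]


def unattached_security_groups(security_groups, ports):
    """Return groups no port references: candidates for leaked LB groups."""
    in_use = {sg for port in ports for sg in port["security_group_ids"]}
    return [
        sg for sg in security_groups
        # Neutron creates a "default" group per project; skip it.
        if sg["id"] not in in_use and sg["name"] != "default"
    ]


def ovn_vips_with_security_groups(loadbalancers, ports):
    """Return (lb_id, port_id, sg_ids) for OVN VIP ports that carry groups."""
    by_id = {port["id"]: port for port in ports}
    findings = []
    for lb in loadbalancers:
        port = by_id.get(lb["vip_port_id"])
        if lb["provider"] == "ovn" and port and port["security_group_ids"]:
            findings.append((lb["id"], port["id"], port["security_group_ids"]))
    return findings


if __name__ == "__main__":
    for sg in unattached_security_groups(SECURITY_GROUPS, PORTS):
        print("unattached security group:", sg["id"], sg["name"])
    for lb_id, port_id, sgs in ovn_vips_with_security_groups(LOADBALANCERS, PORTS):
        print("OVN VIP port with security groups:", lb_id, port_id, sgs)
```

An unattached group is only a candidate: confirm it belonged to a deleted load balancer before removing it.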
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409