Bug 1843813 - Octavia Listeners are not updated to account for allow_cidrs restrictions on Network Policies.
Summary: Octavia Listeners are not updated to account for allow_cidrs restrictions on ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.6.0
Assignee: Maysa Macedo
QA Contact: GenadiC
URL:
Whiteboard:
Depends On:
Blocks: 1843839
Reported: 2020-06-04 08:32 UTC by Luis Tomas Bolivar
Modified: 2020-10-27 16:05 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:04:47 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 261 0 None closed Bug 1843813: Ensure allowed_cidrs field is present on older openstacksdk versions 2020-08-03 10:50:07 UTC
Launchpad 1881914 0 None None None 2020-06-04 08:32:11 UTC
OpenStack gerrit 733148 0 None MERGED Ensure allowed_cidrs field is present on older openstacksdk versions 2020-08-03 10:50:07 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:05:14 UTC

Description Luis Tomas Bolivar 2020-06-04 08:32:11 UTC
As openstacksdk 0.36.0 is needed on lower-constraints and it does not support the allowed_cidrs field on the listener, we must ensure that field is present in order for the listeners' ACLs to be properly updated and allow the traffic.

This problem was not hit before since there was a workaround to support tags until the openstacksdk version was recent enough, and it got dropped: https://github.com/openshift/kuryr-kubernetes/commit/b2146180ef93e60c665b2b890b063d19158a016b

Comment 3 rlobillo 2020-08-07 11:26:03 UTC
Verified on OCP4.6.0-0.nightly-2020-07-25-065959 over OSP16 (RHOS_TRUNK-16.0-RHEL-8-20200804.n.0) with OVS.

All 23 NP tests PASSED.

Manual test:

$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml

$ oc get all
NAME                      READY   STATUS    RESTARTS   AGE
pod/demo                  1/1     Running   0          112m
pod/demo-allowed-caller   1/1     Running   0          112m
pod/demo-caller           1/1     Running   0          111m

NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.74.20   <none>        80/TCP    111m


(overcloud) [stack@undercloud-0 np_results]$ oc rsh pod/demo-allowed-caller curl 172.30.74.20
demo: HELLO! I AM ALIVE!!!
(overcloud) [stack@undercloud-0 np_results]$ oc rsh pod/demo-caller curl 172.30.74.20
^Ccommand terminated with exit code 130

Allowed_cidr is successfully updated when the network policy is applied:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer show test/demo
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| created_at          | 2020-08-07T09:08:28                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | 9fd1e5f4-6527-497e-bab8-acdd570cf5d3 |
| listeners           | e5e2c6c9-efa7-41cf-873a-73176c07e8b4 |
| name                | test/demo                            |
| operating_status    | ONLINE                               |
| pools               | 05e329f0-f4e6-43aa-9690-444dcf139bec |
| project_id          | b1cd8a4ae3d240a9a0be3120cbe10917     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2020-08-07T11:07:31                  |
| vip_address         | 172.30.74.20                         |
| vip_network_id      | efb2317f-f550-4fa2-b427-63c85dbbdc69 |
| vip_port_id         | 9b50a053-3ddb-4cf8-9d99-eebf504d43ed |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | ff8cb1e4-b21d-464f-b553-10923c059328 |
+---------------------+--------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener show e5e2c6c9-efa7-41cf-873a-73176c07e8b4
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2020-08-07T09:09:54                  |
| default_pool_id             | 05e329f0-f4e6-43aa-9690-444dcf139bec |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | e5e2c6c9-efa7-41cf-873a-73176c07e8b4 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 9fd1e5f4-6527-497e-bab8-acdd570cf5d3 |
| name                        | test/demo:TCP:80                     |
| operating_status            | ONLINE                               |
| project_id                  | b1cd8a4ae3d240a9a0be3120cbe10917     |
| protocol                    | TCP                                  |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2020-08-07T11:05:32                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 10.128.113.123/32                    |
+-----------------------------+--------------------------------------+

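An added audit check (example code written for this report, not kuryr-kubernetes or openstacksdk code) that automates the manual verification above and catches the symptom the description warns about: it reads the JSON form of `openstack loadbalancer listener show` and confirms the listener's allowed_cidrs holds exactly the /32 of each pod the NetworkPolicy admits, flagging an empty ACL (listener open to every source) and any CIDR wider than a pod address. The sample listener JSON is constructed from the table above; fetch_listener_json assumes an authenticated openstack CLI on the PATH.

```python
import ipaddress
import json
import subprocess

# Constructed sample of `openstack loadbalancer listener show -f json <id>`,
# with values copied from the verification table in this bug report.
LISTENER_JSON = json.dumps({
    "id": "e5e2c6c9-efa7-41cf-873a-73176c07e8b4",
    "name": "test/demo:TCP:80",
    "protocol": "TCP",
    "protocol_port": 80,
    "allowed_cidrs": ["10.128.113.123/32"],
})


def fetch_listener_json(listener_id):
    """Fetch a live listener through the openstack CLI (assumes a sourced RC file)."""
    out = subprocess.run(
        ["openstack", "loadbalancer", "listener", "show", "-f", "json", listener_id],
        check=True, capture_output=True, text=True)
    return out.stdout


def audit_listener(listener_json, allowed_pod_ips):
    """Check that a listener ACL admits exactly the pods a NetworkPolicy allows.

    allowed_pod_ips: IPs of the pods matched by the policy's ingress podSelector
    (in the manual test above, the single demo-allowed-caller pod).
    Returns (ok, findings).
    """
    lst = json.loads(listener_json)
    name = lst.get("name") or lst.get("id")
    findings = []
    cidrs = lst.get("allowed_cidrs") or []
    # The symptom of this bug: allowed_cidrs never reaches Octavia, so the ACL
    # stays empty and the listener accepts traffic from any source.
    if not cidrs:
        findings.append(f"{name}: allowed_cidrs is empty, listener is open to all sources")
        return False, findings
    expected = {ipaddress.ip_network(f"{ip}/32") for ip in allowed_pod_ips}
    actual = {ipaddress.ip_network(c, strict=False) for c in cidrs}
    # Any entry beyond the expected /32 hosts widens the policy (e.g. a whole pod subnet).
    for net in sorted(actual - expected, key=str):
        findings.append(f"{name}: unexpected CIDR {net} in allowed_cidrs")
    # An allowed caller covered by no entry means the ACL blocks a pod the policy admits.
    for net in sorted(expected - actual, key=str):
        if not any(net.subnet_of(a) for a in actual):
            findings.append(f"{name}: allowed caller {net} missing from allowed_cidrs")
    return not findings, findings
```

Run it against each listener of a kuryr-managed load balancer after applying a NetworkPolicy; a non-empty findings list is the condition this bug produced.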
Comment 5 errata-xmlrpc 2020-10-27 16:04:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

