+++ This bug was initially created as a clone of Bug #1843813 +++

As openstacksdk 0.36.0 is needed on lower-constraints and it does not support the allowed_cidrs field on the listener, we must ensure that field is present in order for the listeners ACLs to be properly updated and allow the traffic. This problem was not hit before since there was a workaround to support tags until the openstacksdk version was recent enough and got dropped: https://github.com/openshift/kuryr-kubernetes/commit/b2146180ef93e60c665b2b890b063d19158a016b
Verified on OCP4.5.0-0.nightly-2020-06-09-223121 over OSP16 (RHOS_TRUNK-16.0-RHEL-8-20200513.n.1) with OVS. All 23 NP tests PASSED.

Manual test:

$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
$ oc rsh pod/demo-allowed-caller curl 172.30.221.48
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.221.48
^Ccommand terminated with exit code 130

Allowed_cidr is successfully updated when network policy is applied:

$ openstack loadbalancer show test/demo
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| created_at          | 2020-06-10T15:12:34                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | e3b6e303-8634-46af-bd21-fc7d1609c009 |
| listeners           | 8d77e525-ac20-4e8f-874c-f28bae359819 |
| name                | test/demo                            |
| operating_status    | ONLINE                               |
| pools               | 5743b330-eb9e-49d4-a76f-464113ca9ba8 |
| project_id          | 1a5303153c4743d1b09d91bb3c14813f     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2020-06-10T15:16:51                  |
| vip_address         | 172.30.221.48                        |
| vip_network_id      | ec582226-9f35-4b4f-9da4-07ea8a9cfea8 |
| vip_port_id         | 5f3908b3-2afc-4742-80ce-5fd411ba2d8c |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | a95ae91c-2f53-4784-bc53-8548e4d787be |
+---------------------+--------------------------------------+

$ openstack loadbalancer listener show 8d77e525-ac20-4e8f-874c-f28bae359819
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2020-06-10T15:14:03                  |
| default_pool_id             | 5743b330-eb9e-49d4-a76f-464113ca9ba8 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 8d77e525-ac20-4e8f-874c-f28bae359819 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | e3b6e303-8634-46af-bd21-fc7d1609c009 |
| name                        | test/demo:TCP:80                     |
| operating_status            | ONLINE                               |
| project_id                  | 1a5303153c4743d1b09d91bb3c14813f     |
| protocol                    | TCP                                  |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2020-06-10T15:16:51                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 10.128.114.57/32                     |
+-----------------------------+--------------------------------------+

when:

$ oc get all -o wide
NAME                      READY   STATUS    RESTARTS   AGE   IP               NODE                        NOMINATED NODE   READINESS GATES
pod/demo                  1/1     Running   0          14m   10.128.114.199   ostest-9d4zj-worker-vf5ck   <none>           <none>
pod/demo-allowed-caller   1/1     Running   0          14m   10.128.114.57    ostest-9d4zj-worker-vf5ck   <none>           <none>
pod/demo-caller           1/1     Running   0          14m   10.128.115.151   ostest-9d4zj-worker-xm9kh   <none>           <none>

NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/demo   ClusterIP   172.30.221.48   <none>        80/TCP    14m   run=demo
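A check that encodes the verification above in code, added here and not taken from the bug or from kuryr-kubernetes: it derives the /32 CIDRs the NetworkPolicy's ingress podSelector admits from a constructed pod list, parses allowed_cidrs out of a constructed excerpt of the listener show output, and compares the two; a listener with no allowed_cidrs row at all (the old-SDK situation the bug describes) reports None instead of a set. Only podSelector peers are handled; namespaceSelector and ipBlock peers are out of scope.

```python
import re

# Constructed sample: the three pods from the `oc get all -o wide` output above.
PODS = [
    {"name": "demo", "labels": {"run": "demo"}, "ip": "10.128.114.199"},
    {"name": "demo-allowed-caller", "labels": {"run": "demo-allowed-caller"}, "ip": "10.128.114.57"},
    {"name": "demo-caller", "labels": {"run": "demo-caller"}, "ip": "10.128.115.151"},
]

# np_resource.yaml from the manual test, as a plain dict (no YAML parser needed).
NETWORK_POLICY = {"spec": {
    "podSelector": {"matchLabels": {"run": "demo"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "demo-allowed-caller"}}}]}],
}}

# Constructed excerpt of `openstack loadbalancer listener show <id>` output.
LISTENER_SHOW = """\
| protocol_port               | 80                                   |
| allowed_cidrs               | 10.128.114.57/32                     |
"""

def matches(labels, selector):
    """True when every matchLabels pair is on the pod (an empty selector matches all)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def expected_allowed_cidrs(policy, pods):
    """/32 CIDRs of every pod selected by an ingress 'from' podSelector."""
    cidrs = set()
    for rule in policy["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            sel = peer.get("podSelector")
            if sel is None:  # namespaceSelector / ipBlock peers are not handled here
                continue
            for pod in pods:
                if matches(pod["labels"], sel):
                    cidrs.add(pod["ip"] + "/32")
    return cidrs

def parse_allowed_cidrs(show_output):
    """Set of CIDRs in the allowed_cidrs row, or None when the row is absent."""
    m = re.search(r"^\|\s*allowed_cidrs\s*\|\s*([^|]*)\|", show_output, re.M)
    if m is None:
        return None  # field not exposed by the SDK: the ACL was never updated
    return {c.strip() for c in m.group(1).split(",") if c.strip()}

def listener_acl_matches(policy, pods, show_output):
    # Returns (ok, expected, actual) so a mismatch is easy to report.
    expected = expected_allowed_cidrs(policy, pods)
    actual = parse_allowed_cidrs(show_output)
    return (actual == expected, expected, actual)
```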
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409