Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1843839

Summary:	Octavia Listeners are not updated to account for allow_cidrs restrictions on Network Policies.
Product:	OpenShift Container Platform	Reporter:	OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component:	Networking	Assignee:	Maysa Macedo <mdemaced>
Networking sub component:	kuryr	QA Contact:	GenadiC <gcheresh>
Status:	CLOSED ERRATA	Docs Contact:
Severity:	urgent
Priority:	urgent	CC:	rlobillo
Version:	4.5
Target Milestone:	---
Target Release:	4.5.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-07-13 17:43:10 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1843813
Bug Blocks:

Description OpenShift BugZilla Robot 2020-06-04 09:33:48 UTC

+++ This bug was initially created as a clone of Bug #1843813 +++

As openstacksdk 0.36.0 is needed on lower-constraints and it does not support allowed_cidrs field on the listener, we must ensure that field is present in order for the listeners ACLs to be properly updated and allow the traffic.

This problem was not hit it before since there was a workaround to support tags until the openstacksdk version was recent enough and got dropped: https://github.com/openshift/kuryr-kubernetes/commit/b2146180ef93e60c665b2b890b063d19158a016b

Comment 3 rlobillo 2020-06-10 15:25:55 UTC

Verified on OCP4.5.0-0.nightly-2020-06-09-223121 over OSP16 (RHOS_TRUNK-16.0-RHEL-8-20200513.n.1) with OVS.

All 23 NP tests PASSED.

Manual test:

$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
$ oc rsh pod/demo-allowed-caller curl 172.30.221.48
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.221.48
^Ccommand terminated with exit code 130

Allowed_cidr is successfully updated when network policy is applied:

$ openstack loadbalancer show test/demo
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| created_at          | 2020-06-10T15:12:34                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | e3b6e303-8634-46af-bd21-fc7d1609c009 |
| listeners           | 8d77e525-ac20-4e8f-874c-f28bae359819 |
| name                | test/demo                            |
| operating_status    | ONLINE                               |
| pools               | 5743b330-eb9e-49d4-a76f-464113ca9ba8 |
| project_id          | 1a5303153c4743d1b09d91bb3c14813f     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2020-06-10T15:16:51                  |
| vip_address         | 172.30.221.48                        |
| vip_network_id      | ec582226-9f35-4b4f-9da4-07ea8a9cfea8 |
| vip_port_id         | 5f3908b3-2afc-4742-80ce-5fd411ba2d8c |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | a95ae91c-2f53-4784-bc53-8548e4d787be |
+---------------------+--------------------------------------+
$ openstack loadbalancer listener show 8d77e525-ac20-4e8f-874c-f28bae359819
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2020-06-10T15:14:03                  |
| default_pool_id             | 5743b330-eb9e-49d4-a76f-464113ca9ba8 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 8d77e525-ac20-4e8f-874c-f28bae359819 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | e3b6e303-8634-46af-bd21-fc7d1609c009 |
| name                        | test/demo:TCP:80                     |
| operating_status            | ONLINE                               |
| project_id                  | 1a5303153c4743d1b09d91bb3c14813f     |
| protocol                    | TCP                                  |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2020-06-10T15:16:51                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 10.128.114.57/32                     |
+-----------------------------+--------------------------------------+

Comment 4 rlobillo 2020-06-10 15:27:13 UTC

when:

$ oc get all -o wide
NAME                      READY   STATUS    RESTARTS   AGE   IP               NODE                        NOMINATED NODE   READINESS GATES
pod/demo                  1/1     Running   0          14m   10.128.114.199   ostest-9d4zj-worker-vf5ck   <none>           <none>
pod/demo-allowed-caller   1/1     Running   0          14m   10.128.114.57    ostest-9d4zj-worker-vf5ck   <none>           <none>
pod/demo-caller           1/1     Running   0          14m   10.128.115.151   ostest-9d4zj-worker-xm9kh   <none>           <none>

NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/demo   ClusterIP   172.30.221.48   <none>        80/TCP    14m   run=demo

Comment 5 errata-xmlrpc 2020-07-13 17:43:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409