Bug 1895332 - NP CRD unable to be patched because of missing sg rule ID
Summary: NP CRD unable to be patched because of missing sg rule ID
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.z
Assignee: Maysa Macedo
QA Contact: GenadiC
Depends On: 1893996
TreeView+ depends on / blocked
Reported: 2020-11-06 11:23 UTC by OpenShift BugZilla Robot
Modified: 2021-02-03 10:12 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-02-03 10:11:43 UTC
Target Upstream Version:

Attachments (Terms of Use)
NP test results with the fix (30.31 KB, application/zip)
2021-01-11 13:33 UTC, rlobillo
no flags Details
tempest results with the fix (4.85 KB, application/zip)
2021-01-11 13:34 UTC, rlobillo
no flags Details

System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 396 0 None closed [release-4.4] Bug 1895332: Fix duplicated sg rules on NP crd 2021-02-01 18:29:27 UTC
Red Hat Product Errata RHSA-2021:0281 0 None None None 2021-02-03 10:12:28 UTC

Comment 1 Maysa Macedo 2020-11-20 09:06:49 UTC
Only bug with severity high/urgent are being merged on 4.4. If this bug turn out be have that severity we can re-open it.

Comment 2 Michał Dulko 2020-12-21 15:01:11 UTC
This was a complicated set of coincidences found when debugging NP tests failures that QE were seeing. We need this patch to fix that in 4.4, so I'm raising the severity of this one. This is because this can potentially cause kuryr-controller to restart constantly when a specific NP is existing on the system, effectively preventing it from doing anything and causing a periodic denial of service during crashloops. The only workaround would be to remove that network policy. IMO this does fulfill the "blocking functionality from succeeding" bar that "high" severity has.

Comment 4 rlobillo 2021-01-11 13:33:43 UTC
Verified on OCP4.4.0-0.nightly-2021-01-09-151918 on OSP16.1 with OVN-Octavia (RHOS-16.1-RHEL-8-20201214.n.3) with UPI installation.

CI job passed successfully: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/osasinfra/view/shiftstack_ci/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp16.1-ocp4.4-upi/11/

All NP passed without restarts:

# Kuryr pods before running NP tests - ANSIBLE MANAGED BLOCK
NAME                               READY   STATUS    RESTARTS   AGE
kuryr-cni-47td5                    1/1     Running   0          80m
kuryr-cni-4vvz9                    1/1     Running   0          78m
kuryr-cni-7vcwg                    1/1     Running   0          79m
kuryr-cni-kmbgs                    1/1     Running   0          77m
kuryr-cni-pzmkw                    1/1     Running   0          79m
kuryr-cni-t9kh2                    1/1     Running   0          81m
kuryr-controller-5d46cb9b5-zlc8j   1/1     Running   0          43m
# Kuryr pods after running NP tests - ANSIBLE MANAGED BLOCK
NAME                               READY   STATUS    RESTARTS   AGE
kuryr-cni-47td5                    1/1     Running   0          3h
kuryr-cni-4vvz9                    1/1     Running   0          178m
kuryr-cni-7vcwg                    1/1     Running   0          179m
kuryr-cni-kmbgs                    1/1     Running   0          177m
kuryr-cni-pzmkw                    1/1     Running   0          179m
kuryr-cni-t9kh2                    1/1     Running   0          3h1m
kuryr-controller-5d46cb9b5-zlc8j   1/1     Running   0          144m

All tempest tests passed. Attaching test results.

Comment 5 rlobillo 2021-01-11 13:33:45 UTC
Created attachment 1746260 [details]
NP test results with the fix

Comment 6 rlobillo 2021-01-11 13:34:07 UTC
Created attachment 1746261 [details]
tempest results with the fix

Comment 9 errata-xmlrpc 2021-02-03 10:11:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.4.33 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.