Bug 1901495 - kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Summary: kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.5.z
Assignee: Michał Dulko
QA Contact: Itzik Brown
URL:
Whiteboard:
Duplicates: 1901945 (view as bug list)
Depends On: 1904129
Blocks: 1910221
Reported: 2020-11-25 12:27 UTC by Itzik Brown
Modified: 2021-01-20 05:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: kuryr-controller was comparing the security groups related to network policies incorrectly. Consequence: All the security rules related to a network policy were recreated on every minor update of that network policy. Fix: The rules are now compared correctly. Result: On network policy update already existing rules are preserved and only additions or deletions are performed if needed.
Clone Of:
: 1904129 (view as bug list)
Environment:
Last Closed: 2021-01-20 05:49:27 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 429 0 None closed Bug 1901495: Correctly compare SG rules in NP code 2021-02-01 18:55:53 UTC
Red Hat Product Errata RHBA-2021:0033 0 None None None 2021-01-20 05:49:51 UTC

Description Itzik Brown 2020-11-25 12:27:40 UTC
Description of problem:
The following test fails
kuryr_tempest_plugin.tests.scenario.test_network_policy.OldNetworkPolicyScenario.test_ipblock_network_policy_sg_rules

Traceback (most recent call last):
  File "/home/stack/plugins/kuryr/kuryr_tempest_plugin/tests/scenario/base_network_policy.py", line 144, in test_ipblock_network_policy_sg_rules
    self.assertTrue(ingress_block_found)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.6/site-packages/unittest2/case.py", line 702, in assertTrue
    raise self.failureException(msg)
AssertionError: False is not true

It seems that it takes the security group rules to get created

Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-11-22-160319
RHOS-16.1-RHEL-8-20201110.n.1

How reproducible:
~1/3 of times


Comment 3 rdobosz 2020-12-18 08:02:34 UTC
*** Bug 1901945 has been marked as a duplicate of this bug. ***

Comment 6 rlobillo 2021-01-04 14:00:29 UTC
Verified on OCP4.5.0-0.nightly-2021-01-03-162026 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).

# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080

$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller

$ oc apply -f np_resource.yaml 
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                      READY   STATUS    RESTARTS   AGE
pod/demo                  1/1     Running   0          3m6s
pod/demo-allowed-caller   1/1     Running   0          3m2s
pod/demo-caller           1/1     Running   0          2m57s

NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.64.131   <none>        80/TCP    2m52s

$ oc rsh pod/demo-allowed-caller curl 172.30.64.131
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.64.131                                                
^Ccommand terminated with exit code 130
$  oc get networkpolicy 
NAME   POD-SELECTOR   AGE
np     run=demo       34s
$ oc get knp
NAME    SG-ID                                  AGE
np-np   0ca4f656-f095-466e-bb71-024319bfed41   36s

$ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
| ID                                   | IP Protocol | Ethertype | IP Range        | Port Range  | Remote Security Group                | Security Group                       |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None        | IPv4      | 10.196.0.0/16   |             | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp         | IPv4      | 10.128.114.2/32 | 1:65535     | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None        | IPv4      | 0.0.0.0/0       |             | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |

# Test - Adding an annotation does not provoke the recreation of the security group rules (the IDs remain unchanged):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated


$ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
| ID                                   | IP Protocol | Ethertype | IP Range        | Port Range  | Remote Security Group                | Security Group                       |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None        | IPv4      | 10.196.0.0/16   |             | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp         | IPv4      | 10.128.114.2/32 | 1:65535     | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None        | IPv4      | 0.0.0.0/0       |             | None                                 | 0ca4f656-f095-466e-bb71-024319bfed41 |
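The rule comparison that the Doc Text describes (compare by what a rule does, not by Neutron-assigned identity, so an update only creates or deletes what changed) and that comment 6 verifies (unchanged rule IDs after a metadata-only update), as an added example that is not kuryr-kubernetes code: the key fields follow the Neutron security group rule API, the existing rules are modelled on the table above, and the helper names, the `direction` values and the extra `10.128.114.3/32` rule are constructed for this example.

```python
# Added example, not kuryr-kubernetes code: diff Neutron SG rules by their
# semantic fields so that a network policy update preserves existing rules.
from typing import Iterable

# Fields that define what a rule *does*; 'id' and timestamps are omitted so
# that a rule already present in Neutron matches a freshly computed one.
_KEY_FIELDS = ("direction", "ethertype", "protocol", "port_range_min",
               "port_range_max", "remote_ip_prefix", "remote_group_id",
               "security_group_id")

def rule_key(rule: dict) -> tuple:
    """Normalize a rule into a hashable key; absent fields count as None."""
    return tuple(rule.get(f) for f in _KEY_FIELDS)

def diff_rules(existing: Iterable[dict], desired: Iterable[dict]):
    """Return (to_create, to_delete, preserved) as lists of rule dicts."""
    existing_by_key = {rule_key(r): r for r in existing}
    desired_keys = {rule_key(r) for r in desired}
    preserved = [r for k, r in existing_by_key.items() if k in desired_keys]
    to_delete = [r for k, r in existing_by_key.items() if k not in desired_keys]
    to_create = [r for r in desired if rule_key(r) not in existing_by_key]
    return to_create, to_delete, preserved

SG = "0ca4f656-f095-466e-bb71-024319bfed41"  # SG-ID from comment 6
# Existing rules, modelled on the 'openstack security group rule list' output
# above (direction is constructed; the listing does not show it).
EXISTING = [
    {"id": "1f727eca-eedc-4b14-ae39-645da6e8366e", "direction": "ingress",
     "ethertype": "IPv4", "remote_ip_prefix": "10.196.0.0/16", "security_group_id": SG},
    {"id": "336bb42b-fc79-440c-a4f1-bc3cded57723", "direction": "ingress",
     "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 1,
     "port_range_max": 65535, "remote_ip_prefix": "10.128.114.2/32",
     "security_group_id": SG},
    {"id": "a19a5865-7404-4438-ba46-941f6dd5c282", "direction": "ingress",
     "ethertype": "IPv4", "remote_ip_prefix": "0.0.0.0/0", "security_group_id": SG},
]

def annotation_only_update():
    """A metadata-only NP update yields the same desired rules (no ids yet)."""
    desired = [{k: v for k, v in r.items() if k != "id"} for r in EXISTING]
    return diff_rules(EXISTING, desired)

def add_one_pod_update():
    """One more allowed pod (constructed IP): one creation, nothing recreated."""
    desired = [{k: v for k, v in r.items() if k != "id"} for r in EXISTING]
    desired.append({"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
                    "port_range_min": 1, "port_range_max": 65535,
                    "remote_ip_prefix": "10.128.114.3/32", "security_group_id": SG})
    return diff_rules(EXISTING, desired)
```

Comparing on the `id` field instead would make every existing rule look stale on each update, which is the recreate-everything behaviour the Doc Text describes as the cause.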

Comment 9 errata-xmlrpc 2021-01-20 05:49:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.27 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0033

