Description of problem:

The following test fails:

    kuryr_tempest_plugin.tests.scenario.test_network_policy.OldNetworkPolicyScenario.test_ipblock_network_policy_sg_rules

    Traceback (most recent call last):
      File "/home/stack/plugins/kuryr/kuryr_tempest_plugin/tests/scenario/base_network_policy.py", line 144, in test_ipblock_network_policy_sg_rules
        self.assertTrue(ingress_block_found)
      File "/home/stack/.virtualenvs/.tempest/lib64/python3.6/site-packages/unittest2/case.py", line 702, in assertTrue
        raise self.failureException(msg)
    AssertionError: False is not true

It seems that it takes the security group rules to get created

Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-11-22-160319
RHOS-16.1-RHEL-8-20201110.n.1

How reproducible:
~1/3 of times

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
*** Bug 1901945 has been marked as a duplicate of this bug. ***
Verified on OCP4.5.0-0.nightly-2021-01-03-162026 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).

# Setting up the scenario:

    $ oc new-project test2
    $ oc run --image kuryr/demo demo
    $ oc run --image kuryr/demo demo-allowed-caller
    $ oc run --image kuryr/demo demo-caller
    $ oc expose pod/demo --port 80 --target-port 8080
    $ cat np_resource.yaml
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: np
    spec:
      podSelector:
        matchLabels:
          run: demo
      ingress:
      - from:
        - podSelector:
            matchLabels:
              run: demo-allowed-caller
    $ oc apply -f np_resource.yaml
    networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

    $ oc get all
    NAME                      READY   STATUS    RESTARTS   AGE
    pod/demo                  1/1     Running   0          3m6s
    pod/demo-allowed-caller   1/1     Running   0          3m2s
    pod/demo-caller           1/1     Running   0          2m57s

    NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    service/demo   ClusterIP   172.30.64.131   <none>        80/TCP    2m52s

    $ oc rsh pod/demo-allowed-caller curl 172.30.64.131
    demo: HELLO! I AM ALIVE!!!
    $ oc rsh pod/demo-caller curl 172.30.64.131
    ^Ccommand terminated with exit code 130

    $ oc get networkpolicy
    NAME   POD-SELECTOR   AGE
    np     run=demo       34s
    $ oc get knp
    NAME    SG-ID                                  AGE
    np-np   0ca4f656-f095-466e-bb71-024319bfed41   36s

    $ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
    | ID                                   | IP Protocol | Ethertype | IP Range        | Port Range | Remote Security Group | Security Group                       |
    | 1f727eca-eedc-4b14-ae39-645da6e8366e | None        | IPv4      | 10.196.0.0/16   |            | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |
    | 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp         | IPv4      | 10.128.114.2/32 | 1:65535    | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |
    | a19a5865-7404-4438-ba46-941f6dd5c282 | None        | IPv4      | 0.0.0.0/0       |            | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |

# Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable):

    $ oc annotate networkpolicy np bar=baz
    networkpolicy.networking.k8s.io/np annotated

    $ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
    | ID                                   | IP Protocol | Ethertype | IP Range        | Port Range | Remote Security Group | Security Group                       |
    | 1f727eca-eedc-4b14-ae39-645da6e8366e | None        | IPv4      | 10.196.0.0/16   |            | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |
    | 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp         | IPv4      | 10.128.114.2/32 | 1:65535    | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |
    | a19a5865-7404-4438-ba46-941f6dd5c282 | None        | IPv4      | 0.0.0.0/0       |            | None                  | 0ca4f656-f095-466e-bb71-024319bfed41 |
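
The check made in the verification comment above (rule IDs of the policy's security group stay the same after an annotation), as an added example that is not part of the bug report or of kuryr-kubernetes: it parses two captures of the `openstack security group rule list` table and reports rules that were deleted and recreated under a new ID. The function names and the all-zero replacement ID are assumptions made for the illustration.

```python
SG = "0ca4f656-f095-466e-bb71-024319bfed41"  # SG-ID reported by `oc get knp` above

# Rows copied from the verification output above (capture before the annotation).
BEFORE = """\
| ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None | IPv4 | 10.196.0.0/16 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp | IPv4 | 10.128.114.2/32 | 1:65535 | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None | IPv4 | 0.0.0.0/0 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
"""
# Constructed capture: the same rule definition reappears under a new (made-up) ID,
# which is what a delete-and-recreate of the rule would look like.
RECREATED = BEFORE.replace("336bb42b-fc79-440c-a4f1-bc3cded57723",
                           "00000000-0000-0000-0000-000000000001")


def parse_rules(table, sg_id):
    """Return {rule_id: (proto, ethertype, ip_range, ports, remote_sg)} for sg_id."""
    rules = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip borders, the header row and rules of other security groups.
        if len(cells) != 7 or cells[0] == "ID" or cells[6] != sg_id:
            continue
        rules[cells[0]] = tuple(cells[1:6])
    return rules


def diff_rules(before, after):
    """Classify changes; a definition that survives under a new ID is 'recreated'."""
    gone = {i: d for i, d in before.items() if i not in after}
    new = {i: d for i, d in after.items() if i not in before}
    recreated = sorted((o, n) for o, d in gone.items()
                       for n, e in new.items() if d == e)
    old_ids = {o for o, _ in recreated}
    new_ids = {n for _, n in recreated}
    return {
        "recreated": recreated,
        "removed": sorted(set(gone) - old_ids),
        "added": sorted(set(new) - new_ids),
    }


if __name__ == "__main__":
    base = parse_rules(BEFORE, SG)
    print("after annotation:", diff_rules(base, parse_rules(BEFORE, SG)))
    print("constructed churn:", diff_rules(base, parse_rules(RECREATED, SG)))
```
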
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5.27 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0033