Bug 1901495
| Summary: | kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Itzik Brown <itbrown> | |
| Component: | Networking | Assignee: | Michał Dulko <mdulko> | |
| Networking sub component: | kuryr | QA Contact: | Itzik Brown <itbrown> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | high | |||
| Priority: | medium | CC: | ltomasbo, rlobillo | |
| Version: | 4.5 | |||
| Target Milestone: | --- | |||
| Target Release: | 4.5.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: kuryr-controller was comparing the security groups related to network policies incorrectly.
Consequence: All the security rules related to a network policy were recreated on every minor update of that network policy.
Fix: The rules are now compared correctly.
Result: On network policy update already existing rules are preserved and only additions or deletions are performed if needed.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1904129 (view as bug list) | Environment: | ||
| Last Closed: | 2021-01-20 05:49:27 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1904129 | |||
| Bug Blocks: | 1910221 | |||
*** Bug 1901945 has been marked as a duplicate of this bug. ***
Verified on OCP4.5.0-0.nightly-2021-01-03-162026 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).
# Setting up the scenario:
$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
networkpolicy.networking.k8s.io/np created
# Checking the setup before running the test:
$ oc get all
NAME READY STATUS RESTARTS AGE
pod/demo 1/1 Running 0 3m6s
pod/demo-allowed-caller 1/1 Running 0 3m2s
pod/demo-caller 1/1 Running 0 2m57s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/demo ClusterIP 172.30.64.131 <none> 80/TCP 2m52s
$ oc rsh pod/demo-allowed-caller curl 172.30.64.131
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.64.131
^Ccommand terminated with exit code 130
$ oc get networkpolicy
NAME POD-SELECTOR AGE
np run=demo 34s
$ oc get knp
NAME SG-ID AGE
np-np 0ca4f656-f095-466e-bb71-024319bfed41 36s
$ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
| ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None | IPv4 | 10.196.0.0/16 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp | IPv4 | 10.128.114.2/32 | 1:65535 | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None | IPv4 | 0.0.0.0/0 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
# Test - Adding an annotation does not provoke the recreation of the security group rule (the ID remains unchanged):
$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated
$ openstack security group rule list | grep -e ID -e 0ca4f656-f095-466e-bb71-024319bfed41
| ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None | IPv4 | 10.196.0.0/16 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp | IPv4 | 10.128.114.2/32 | 1:65535 | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None | IPv4 | 0.0.0.0/0 | | None | 0ca4f656-f095-466e-bb71-024319bfed41 |
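The verification above compares rule IDs by eye. The same check as a script, added here as an example and not part of the bug report or of kuryr: it keys each rule on every column except its ID, so a rule whose content is unchanged but whose ID differs is reported as recreated. The function names and the `RECREATED` capture are constructed for illustration; `BEFORE` reuses the rows shown in this report.

```python
SG = "0ca4f656-f095-466e-bb71-024319bfed41"
# Capture taken from this report (rule list before the annotation).
BEFORE = f"""\
| ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group |
| 1f727eca-eedc-4b14-ae39-645da6e8366e | None | IPv4 | 10.196.0.0/16 | | None | {SG} |
| 336bb42b-fc79-440c-a4f1-bc3cded57723 | tcp | IPv4 | 10.128.114.2/32 | 1:65535 | None | {SG} |
| a19a5865-7404-4438-ba46-941f6dd5c282 | None | IPv4 | 0.0.0.0/0 | | None | {SG} |
"""
# Constructed capture: identical rule content under new IDs (what recreation looks like).
RECREATED = (BEFORE.replace("1f727eca", "00000001")
             .replace("336bb42b", "00000002").replace("a19a5865", "00000003"))

def parse_rules(table_text, sg_id):
    """Map each rule's content (all columns except ID) to its rule ID."""
    rules = {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")[1:-1]]
        # Skip borders, the header row and rules of other security groups.
        if len(cells) != 7 or cells[0] == "ID" or cells[6] != sg_id:
            continue
        rules[tuple(cells[1:])] = cells[0]
    return rules

def rule_churn(before_text, after_text, sg_id):
    """Classify rule IDs of one security group across two captures."""
    before = parse_rules(before_text, sg_id)
    after = parse_rules(after_text, sg_id)
    report = {"preserved": [], "recreated": [], "added": [], "removed": []}
    for content, rule_id in after.items():
        if content not in before:
            report["added"].append(rule_id)          # new rule content
        elif before[content] == rule_id:
            report["preserved"].append(rule_id)      # same content, same ID
        else:
            report["recreated"].append(rule_id)      # same content, new ID
    report["removed"] = [i for c, i in before.items() if c not in after]
    return report

if __name__ == "__main__":
    print("unchanged capture:", rule_churn(BEFORE, BEFORE, SG))
    print("recreated capture:", rule_churn(BEFORE, RECREATED, SG))
```

A non-empty `recreated` list after a metadata-only change such as `oc annotate` is the behaviour this bug describes.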
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5.27 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0033
Description of problem:
The following test fails
kuryr_tempest_plugin.tests.scenario.test_network_policy.OldNetworkPolicyScenario.test_ipblock_network_policy_sg_rules

Traceback (most recent call last):
  File "/home/stack/plugins/kuryr/kuryr_tempest_plugin/tests/scenario/base_network_policy.py", line 144, in test_ipblock_network_policy_sg_rules
    self.assertTrue(ingress_block_found)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.6/site-packages/unittest2/case.py", line 702, in assertTrue
    raise self.failureException(msg)
AssertionError: False is not true

It seems that it takes the security group rules to get created

Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-11-22-160319
RHOS-16.1-RHEL-8-20201110.n.1

How reproducible:
~1/3 of times

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: