Bug 1904129

Summary: kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Product: OpenShift Container Platform
Reporter: Michał Dulko <mdulko>
Component: Networking
Networking sub component: kuryr
Assignee: Michał Dulko <mdulko>
QA Contact: GenadiC <gcheresh>
Status: CLOSED ERRATA
Severity: high
Priority: medium
CC: gcheresh, itbrown, ltomasbo, rlobillo
Version: 4.6
Keywords: UpcomingSprint
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Clone Of: 1901495
Clones: 1904131
Last Closed: 2020-12-14 13:51:28 UTC
Bug Depends On: 1904131
Bug Blocks: 1901495

Comment 2 Michał Dulko 2020-12-03 16:12:15 UTC
Verifying this can be done as follows:

1. Create a NP that will force creation of some SG rules.
2. List the SG rules for that NP and note their IDs.
3. Add some annotation to the NP.
4. List the SG rules for that NP and check whether their IDs are the same as in step 2.

Comment 3 rlobillo 2020-12-04 09:41:34 UTC
Verified on OCP4.6.0-0.nightly-2020-12-02-035622 on OSP16.1 with OVN-Octavia provider (RHOS-16.1-RHEL-8-20201124.n.0)

# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080

$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller

$ oc apply -f np_resource.yaml 
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                      READY   STATUS    RESTARTS   AGE
pod/demo                  1/1     Running   0          6m59s
pod/demo-allowed-caller   1/1     Running   0          6m59s
pod/demo-caller           1/1     Running   0          6m58s

NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.76.59   <none>        80/TCP    6m58s

$ oc rsh pod/demo-allowed-caller curl 172.30.76.59
demo: HELLO! I AM ALIVE!!!

$ oc rsh pod/demo-caller curl 172.30.76.59
^Ccommand terminated with exit code 130

$ oc get networkpolicy 
NAME   POD-SELECTOR   AGE
np     run=demo       113s
$ oc get knp
NAME   SG-ID                                  AGE
np     fcd1cd03-8519-4019-9fd4-94838db808a5   64s

$ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range  | Remote Security Group                | Security Group                       |
| 17461b55-945c-412d-85dc-2c95251a2a37 | tcp         | IPv4      | 10.128.121.147/32 | 1:65535     | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None        | IPv4      | 0.0.0.0/0         |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None        | IPv4      | 10.196.0.0/16     |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None        | IPv6      | ::/0              |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |

# Test - Adding an annotation does not provoke recreation of the security group rules (the IDs remain unchanged):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated

$ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range  | Remote Security Group                | Security Group                       |
| 17461b55-945c-412d-85dc-2c95251a2a37 | tcp         | IPv4      | 10.128.121.147/32 | 1:65535     | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None        | IPv4      | 0.0.0.0/0         |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None        | IPv4      | 10.196.0.0/16     |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None        | IPv6      | ::/0              |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |

The behaviour is the expected one. The test test_ipblock_network_policy_sg_rules passed successfully on the CI execution: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp16.1-ocp4.6/3//artifact/tempest-results/tempest-results-kuryr.1.html
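
The four-step check from Comment 2, scripted with the same `oc` and `openstack` commands rlobillo ran in Comment 3, as an added example that is not part of the bug report, of the kuryr tempest plugin, or of Kuryr itself. It compares rule IDs rather than rule contents because a delete-and-recreate produces rules with identical contents but new IDs, which is exactly the symptom step 4 looks for. The script assumes a logged-in `oc`, OpenStack credentials for the `openstack` CLI, that the NetworkPolicy is named `np` unless `NP_NAME` says otherwise, and a reconciliation wait (`RECONCILE_WAIT`, default 10 s) that is a guess rather than anything the page states; the annotation key `verify-bz1904129` and the sample table are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report, Kuryr or its tempest plugin:
# automates the four-step check from Comment 2 with the commands of Comment 3.
# Requires a logged-in `oc` and OpenStack credentials for `openstack`.
# NP_NAME, RECONCILE_WAIT and the annotation key are assumptions.

# Constructed sample in the layout of `openstack security group rule list`
# (two rows copied from Comment 3) so the parser can be exercised offline.
SAMPLE_RULE_TABLE='| ID                                   | IP Protocol | Ethertype |
| 17461b55-945c-412d-85dc-2c95251a2a37 | tcp         | IPv4      |
| 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None        | IPv4      |'

# Read table output on stdin, keep the ID column (second "|" field), drop the
# header row and whitespace, and sort so two listings compare reliably.
extract_rule_ids() {
    awk -F'|' '/^[|]/ { id = $2; gsub(/[ \t]/, "", id); if (id != "ID") print id }' | sort
}

# Return 0 when the two newline-separated ID lists are identical.
rule_ids_unchanged() {
    [ "$1" = "$2" ]
}

# Offline demonstration of the parser on the constructed sample; returns the
# parsed IDs so the logic can be checked without a cluster.
parse_sample() {
    printf '%s\n' "$SAMPLE_RULE_TABLE" | extract_rule_ids
}

# Security group Kuryr created for the NetworkPolicy: the SG-ID column of
# `oc get knp`, as shown in Comment 3.
knp_sg_id() {
    oc get knp "$1" --no-headers | awk '{ print $2 }'
}

# Steps 2-4 of Comment 2: list rule IDs, annotate the NP, wait for
# kuryr-controller to reconcile, list again and compare. Return 0 when the
# rules were left in place, 1 when they were deleted and recreated (the bug).
verify_np_sg_rules_stable() {
    np="$1"
    sg=$(knp_sg_id "$np")
    if [ -z "$sg" ]; then
        echo "no KuryrNetworkPolicy/security group found for $np" >&2
        return 2
    fi
    before=$(openstack security group rule list "$sg" | extract_rule_ids)
    oc annotate networkpolicy "$np" "verify-bz1904129=$(date +%s)" --overwrite
    sleep "${RECONCILE_WAIT:-10}"   # reconciliation is asynchronous; assumed wait
    after=$(openstack security group rule list "$sg" | extract_rule_ids)
    if rule_ids_unchanged "$before" "$after"; then
        echo "OK: SG $sg rule IDs unchanged after annotating $np"
    else
        echo "FAIL: SG $sg rules were recreated after annotating $np" >&2
        printf 'before:\n%s\nafter:\n%s\n' "$before" "$after" >&2
        return 1
    fi
}

# Only talk to the cluster when explicitly asked, so the file can be sourced
# and its parser checked offline:  RUN_VERIFY=1 NP_NAME=np sh verify_np_sg.sh
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_np_sg_rules_stable "${NP_NAME:-np}"
fi
```

Run it after the setup from Comment 3 (project, pods, service and `np_resource.yaml` applied) with `RUN_VERIFY=1`. A fixed wait is the weak spot: if `RECONCILE_WAIT` is shorter than the controller's reconciliation, a real recreation can be missed, so lengthen it or re-run the check when the controller is busy.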

Comment 6 errata-xmlrpc 2020-12-14 13:51:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6.8 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5259