Bug 1904129 - kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Summary: kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.6.z
Assignee: Michał Dulko
QA Contact: GenadiC
URL:
Whiteboard:
Depends On: 1904131
Blocks: 1901495
TreeView+ depends on / blocked
 
Reported: 2020-12-03 15:59 UTC by Michał Dulko
Modified: 2020-12-14 13:51 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1901495
: 1904131 (view as bug list)
Environment:
Last Closed: 2020-12-14 13:51:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5259 0 None None None 2020-12-14 13:51:41 UTC

Comment 2 Michał Dulko 2020-12-03 16:12:15 UTC 
Verifying this can be done as follows:

1. Create NP that will force creation of some SG rules.
2. List SG rules for that NP, note IDs of them.
3. Add some annotation to NP.
4. List SG rules for that NP, check if the IDs of them are the same as in 2.
Comment 3 rlobillo 2020-12-04 09:41:34 UTC 
Verified on OCP4.6.0-0.nightly-2020-12-02-035622 on OSP16.1 with OVN-Octavia provider (RHOS-16.1-RHEL-8-20201124.n.0)

# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080

$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller

$ oc apply -f np_resource.yaml 
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                      READY   STATUS    RESTARTS   AGE
pod/demo                  1/1     Running   0          6m59s
pod/demo-allowed-caller   1/1     Running   0          6m59s
pod/demo-caller           1/1     Running   0          6m58s

NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.76.59   <none>        80/TCP    6m58s

$ oc rsh pod/demo-allowed-caller curl 172.30.76.59
demo: HELLO! I AM ALIVE!!!

$ oc rsh pod/demo-caller curl 172.30.76.59
^Ccommand terminated with exit code 130

$ oc get networkpolicy 
NAME   POD-SELECTOR   AGE
np     run=demo       113s
$ oc get knp
NAME   SG-ID                                  AGE
np     fcd1cd03-8519-4019-9fd4-94838db808a5   64s

$ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range  | Remote Security Group                | Security Group                       |
| 17461b55-945c-412d-85dc-2c95251a2a37 | tcp         | IPv4      | 10.128.121.147/32 | 1:65535     | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None        | IPv4      | 0.0.0.0/0         |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None        | IPv4      | 10.196.0.0/16     |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None        | IPv6      | ::/0              |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |

# Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated

$ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5
| ID                                   | IP Protocol | Ethertype | IP Range          | Port Range  | Remote Security Group                | Security Group                       |
| 17461b55-945c-412d-85dc-2c95251a2a37 | tcp         | IPv4      | 10.128.121.147/32 | 1:65535     | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None        | IPv4      | 0.0.0.0/0         |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None        | IPv4      | 10.196.0.0/16     |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |
| 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None        | IPv6      | ::/0              |             | None                                 | fcd1cd03-8519-4019-9fd4-94838db808a5 |

Behaviour is the expected one. The test test_ipblock_network_policy_sg_rules passed successfully on CI execution: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp16.1-ocp4.6/3//artifact/tempest-results/tempest-results-kuryr.1.html
Comment 6 errata-xmlrpc 2020-12-14 13:51:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6.8 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5259
Note You need to log in before you can comment on or make changes to this bug.