Verifying this can be done as follows: 1. Create NP that will force creation of some SG rules. 2. List SG rules for that NP, note IDs of them. 3. Add some annotation to NP. 4. List SG rules for that NP, check if the IDs of them are the same as in 2.
Verified on OCP4.6.0-0.nightly-2020-12-02-035622 on OSP16.1 with OVN-Octavia provider (RHOS-16.1-RHEL-8-20201124.n.0) # Setting up the scenario: $ oc new-project test2 $ oc run --image kuryr/demo demo $ oc run --image kuryr/demo demo-allowed-caller $ oc run --image kuryr/demo demo-caller $ oc expose pod/demo --port 80 --target-port 8080 $ cat np_resource.yaml kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: np spec: podSelector: matchLabels: run: demo ingress: - from: - podSelector: matchLabels: run: demo-allowed-caller $ oc apply -f np_resource.yaml networkpolicy.networking.k8s.io/np created # Checking the setup before running the test: $ oc get all NAME READY STATUS RESTARTS AGE pod/demo 1/1 Running 0 6m59s pod/demo-allowed-caller 1/1 Running 0 6m59s pod/demo-caller 1/1 Running 0 6m58s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/demo ClusterIP 172.30.76.59 <none> 80/TCP 6m58s $ oc rsh pod/demo-allowed-caller curl 172.30.76.59 demo: HELLO! I AM ALIVE!!! $ oc rsh pod/demo-caller curl 172.30.76.59 ^Ccommand terminated with exit code 130 $ oc get networkpolicy NAME POD-SELECTOR AGE np run=demo 113s $ oc get knp NAME SG-ID AGE np fcd1cd03-8519-4019-9fd4-94838db808a5 64s $ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5 | ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group | | 17461b55-945c-412d-85dc-2c95251a2a37 | tcp | IPv4 | 10.128.121.147/32 | 1:65535 | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None | IPv4 | 0.0.0.0/0 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None | IPv4 | 10.196.0.0/16 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None | IPv6 | ::/0 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | # Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable): $ oc annotate networkpolicy np bar=baz networkpolicy.networking.k8s.io/np annotated $ openstack security group rule list | grep -e ID -e fcd1cd03-8519-4019-9fd4-94838db808a5 | ID | IP Protocol | Ethertype | IP Range | Port Range | Remote Security Group | Security Group | | 17461b55-945c-412d-85dc-2c95251a2a37 | tcp | IPv4 | 10.128.121.147/32 | 1:65535 | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 56da1cf6-cee5-4aa9-b65c-31fb6d4623d1 | None | IPv4 | 0.0.0.0/0 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 9a841b90-bc89-4f82-b927-1a11c1c90fc8 | None | IPv4 | 10.196.0.0/16 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | | 9c9c1dc2-d7f1-45fa-a8ad-99fd7331e866 | None | IPv6 | ::/0 | | None | fcd1cd03-8519-4019-9fd4-94838db808a5 | Behaviour is the expected one. The test test_ipblock_network_policy_sg_rules passed successfully on CI execution: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp16.1-ocp4.6/3//artifact/tempest-results/tempest-results-kuryr.1.html
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.6.8 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5259