Verifying this can be done as follows:
1. Create NP that will force creation of some SG rules.
2. List SG rules for that NP, note IDs of them.
3. Add some annotation to NP.
4. List SG rules for that NP, check if the IDs of them are the same as in 2.
Verified on OCP4.7.0-0.nightly-2020-12-04-013308 on OSP13 with Amphora provider (2020-11-13.1)

# Setting up the scenario:
$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:
$ oc get all
NAME                      READY   STATUS    RESTARTS   AGE
pod/demo                  1/1     Running   0          6m23s
pod/demo-allowed-caller   1/1     Running   0          6m22s
pod/demo-caller           1/1     Running   0          6m22s

NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.4.107   <none>        80/TCP    6m13s
$ oc rsh pod/demo-allowed-caller curl 172.30.4.107
demo: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller curl 172.30.4.107
^Ccommand terminated with exit code 130
$ oc get networkpolicy
NAME   POD-SELECTOR   AGE
np     run=demo       113s
$ oc get knp
NAME   SG-ID                                  AGE
np     9fda470d-48ce-4d81-af3a-8c70ad219e88   6m55s
$ openstack security group rule list | grep -e ID -e 9fda470d-48ce-4d81-af3a-8c70ad219e88
| ID                                   | IP Protocol | IP Range          | Port Range | Remote Security Group | Security Group                       |
| 0abaf9c2-9f9e-48cc-a1cc-cc43e3a9d48e | None        | None              |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 2acd3c37-f162-4e85-8ef3-45c6fbcf2014 | None        | 10.196.0.0/16     |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 6f7c483d-d685-47c6-9009-67ac473179b2 | None        | None              |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 9817c27d-4fa2-4b51-8602-b6615c0e2ca7 | None        | 172.30.0.0/15     |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| d44f899b-74ac-44ec-bf5f-d77d82c0b4fd | tcp         | 10.128.121.209/32 | 1:65535    | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |

# Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable):
$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated
$ openstack security group rule list | grep -e ID -e 9fda470d-48ce-4d81-af3a-8c70ad219e88
| ID                                   | IP Protocol | IP Range          | Port Range | Remote Security Group | Security Group                       |
| 0abaf9c2-9f9e-48cc-a1cc-cc43e3a9d48e | None        | None              |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 2acd3c37-f162-4e85-8ef3-45c6fbcf2014 | None        | 10.196.0.0/16     |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 6f7c483d-d685-47c6-9009-67ac473179b2 | None        | None              |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 9817c27d-4fa2-4b51-8602-b6615c0e2ca7 | None        | 172.30.0.0/15     |            | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| d44f899b-74ac-44ec-bf5f-d77d82c0b4fd | tcp         | 10.128.121.209/32 | 1:65535    | None                  | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |

Behaviour is the expected one.
The test test_ipblock_network_policy_sg_rules passed successfully on: https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/job/DFG-osasinfra-shiftstack_ci-ocp_verification-osp13-ocp4.7/1//artifact/tempest-results/tempest-results-kuryr.1.html
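Step 4 of the verification procedure above (comparing SG rule IDs before and after the annotation), applied to the `openstack security group rule list | grep ...` output shown in the verification log, as an added example that is not part of the bug report or of Kuryr: it parses both listings and reports any rule ID that vanished or appeared. The sample tables are the ones from the log; the second "after" listing is a constructed regression case using a placeholder ID.

```python
# Added example (not from the bug report or Kuryr): detect recreated SG rules by
# diffing rule IDs from two captured `openstack security group rule list` outputs.
# Sample data is copied from the verification log; the recreated-rule ID is a
# constructed placeholder.
from typing import Dict, List, Set, Tuple

SG_ID = "9fda470d-48ce-4d81-af3a-8c70ad219e88"  # SG-ID from `oc get knp`

BEFORE = """\
| ID | IP Protocol | IP Range | Port Range | Remote Security Group | Security Group |
| 0abaf9c2-9f9e-48cc-a1cc-cc43e3a9d48e | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 2acd3c37-f162-4e85-8ef3-45c6fbcf2014 | None | 10.196.0.0/16 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 6f7c483d-d685-47c6-9009-67ac473179b2 | None | None | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| 9817c27d-4fa2-4b51-8602-b6615c0e2ca7 | None | 172.30.0.0/15 | | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
| d44f899b-74ac-44ec-bf5f-d77d82c0b4fd | tcp | 10.128.121.209/32 | 1:65535 | None | 9fda470d-48ce-4d81-af3a-8c70ad219e88 |
"""
# Annotating the NP must not touch the rules, so the expected "after" listing is identical.
AFTER_OK = BEFORE
# Constructed regression case: the tcp rule was deleted and re-created under a new ID.
AFTER_RECREATED = BEFORE.replace("d44f899b-74ac-44ec-bf5f-d77d82c0b4fd",
                                 "00000000-0000-4000-8000-000000000001")

def parse_rule_table(text: str) -> List[Dict[str, str]]:
    """Parse the '|'-delimited table (header row first) into one dict per row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip '+----+' borders or any non-table line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def rule_ids(text: str, sg_id: str) -> Set[str]:
    """IDs of the rules belonging to the NetworkPolicy's security group."""
    return {r["ID"] for r in parse_rule_table(text) if r["Security Group"] == sg_id}

def diff_rule_ids(before: str, after: str, sg_id: str) -> Tuple[Set[str], Set[str]]:
    """Return (vanished, new) rule IDs; both empty means nothing was recreated."""
    old, new = rule_ids(before, sg_id), rule_ids(after, sg_id)
    return old - new, new - old

if __name__ == "__main__":
    for label, after in (("unchanged", AFTER_OK), ("recreated", AFTER_RECREATED)):
        gone, added = diff_rule_ids(BEFORE, after, SG_ID)
        verdict = "PASS" if not gone and not added else "FAIL"
        print(f"{label}: {len(gone)} vanished, {len(added)} new -> {verdict}")
```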
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633