Bug 1910221 - kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Summary: kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.4.z
Assignee: Michał Dulko
QA Contact: GenadiC
URL:
Whiteboard:
Depends On: 1901495
Blocks:
Reported: 2020-12-23 07:55 UTC by OpenShift BugZilla Robot
Modified: 2021-02-03 10:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: kuryr-controller was comparing the security groups related to network policies incorrectly.
Consequence: All the security rules related to a network policy were recreated on every minor update of that network policy.
Fix: The rules are now compared correctly.
Result: On network policy update, already existing rules are preserved and only additions or deletions are performed if needed.
Clone Of:
Environment:
Last Closed: 2021-02-03 10:11:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
NP test results (30.31 KB, application/zip)
2021-01-11 15:15 UTC, rlobillo
tempest results with the fix (4.85 KB, application/zip)
2021-01-11 15:16 UTC, rlobillo


Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 430 0 None closed [release-4.4] Bug 1910221: Correctly compare SG rules in NP code 2021-02-01 18:29:35 UTC
Red Hat Product Errata RHSA-2021:0281 0 None None None 2021-02-03 10:12:10 UTC

Comment 2 rlobillo 2021-01-11 15:13:06 UTC
Verified on OCP4.4.0-0.nightly-2021-01-10-060925 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).


# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo-1-plqwq --port 80 --target-port 8080

$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller

$ oc apply -f np_resource.yaml 
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                               READY   STATUS      RESTARTS   AGE
pod/demo-1-deploy                  0/1     Completed   0          7m9s
pod/demo-1-plqwq                   1/1     Running     0          6m46s
pod/demo-allowed-caller-1-deploy   0/1     Completed   0          6m57s
pod/demo-allowed-caller-1-l4mxd    1/1     Running     0          6m29s
pod/demo-caller-1-deploy           0/1     Completed   0          6m50s
pod/demo-caller-1-pn2t2            1/1     Running     0          6m44s

NAME                                          DESIRED   CURRENT   READY   AGE
replicationcontroller/demo-1                  1         1         1       7m10s
replicationcontroller/demo-allowed-caller-1   1         1         1       6m57s
replicationcontroller/demo-caller-1           1         1         1       6m50s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo-1-plqwq   ClusterIP   172.30.201.54   <none>        80/TCP    5m39s

NAME                                                     REVISION   DESIRED   CURRENT   TRIGGERED BY
deploymentconfig.apps.openshift.io/demo                  1          1         1         config
deploymentconfig.apps.openshift.io/demo-allowed-caller   1          1         1         config
deploymentconfig.apps.openshift.io/demo-caller           1          1         1         config


$ oc rsh pod/demo-allowed-caller-1-l4mxd curl 172.30.201.54
demo-1-plqwq: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller-1-pn2t2 curl 172.30.201.54
^Ccommand terminated with exit code 130

$ oc get knp
NAME    SG-ID                                  AGE
np-np   50b0755e-5e8f-43e0-a4ee-8ff619c39d6c   109s
(shiftstack) [stack@undercloud-0 ~]$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range  | Remote Security Group                | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535     | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |


# Test - Adding an annotation does not provoke the recreation of the security group rule (the ID remains unchanged):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated

$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range  | Remote Security Group                | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535     | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |


Furthermore, all tempest and NP tests passed. Logs attached.
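As an added illustration (not kuryr-kubernetes' own code) of what the Doc Text describes and what this comment verifies: existing Neutron security group rules are compared with the desired set on their semantic fields only, so an annotation-only update yields nothing to create or delete, while a real spec change yields exactly one addition. The rule ids and IP ranges in the sample mirror the listing above; the "ingress" direction is assumed (the CLI output does not show it), and the naive variant is a constructed approximation of the reported symptom, not the actual pre-fix code.

```python
# Constructed example: semantic comparison of Neutron SG rules versus a naive
# whole-dict comparison that recreates every rule on any NetworkPolicy update.

SEMANTIC_FIELDS = ("direction", "ethertype", "protocol", "port_range_min",
                   "port_range_max", "remote_ip_prefix", "remote_group_id")

def rule_key(rule):
    """Hashable view of a rule without server-assigned fields (id, sg id)."""
    return tuple(rule.get(f) for f in SEMANTIC_FIELDS)

def naive_diff_sg_rules(existing, desired):
    """Whole-dict comparison: desired rules carry no 'id', so nothing ever
    matches and every rule is deleted and recreated (the reported symptom)."""
    to_create = [r for r in desired if r not in existing]
    to_delete = [r["id"] for r in existing if r not in desired]
    return to_create, to_delete

def diff_sg_rules(existing, desired):
    """Fixed comparison: returns (rules_to_create, rule_ids_to_delete)."""
    existing_by_key = {rule_key(r): r for r in existing}
    desired_keys = {rule_key(r) for r in desired}
    to_create = [r for r in desired if rule_key(r) not in existing_by_key]
    to_delete = [r["id"] for k, r in existing_by_key.items()
                 if k not in desired_keys]
    return to_create, to_delete

def _rule(rid, proto, prefix, pmin=None, pmax=None):
    return {"id": rid, "security_group_id": "50b0755e-5e8f-43e0-a4ee-8ff619c39d6c",
            "direction": "ingress", "ethertype": "IPv4", "protocol": proto,
            "port_range_min": pmin, "port_range_max": pmax,
            "remote_ip_prefix": prefix, "remote_group_id": None}

# Constructed sample modelled on the three rules in the listing above
# (direction assumed ingress; the CLI output does not show it).
EXISTING = [
    _rule("2b38565c-58bd-4d6e-8c8a-050b10cd2930", None, "0.0.0.0/0"),
    _rule("941a8786-5e8b-42cf-8666-af382a9f3b29", None, "10.196.0.0/16"),
    _rule("ab3cfc0c-068b-4910-b2a5-361ef07db6aa", "tcp", "10.128.114.47/32", 1, 65535),
]

def desired_after_annotation():
    """Annotating the NP does not change its spec: same rules, no ids yet."""
    return [{f: r[f] for f in SEMANTIC_FIELDS} for r in EXISTING]

def desired_after_new_caller(pod_ip):
    """A real spec change (one more allowed pod IP) adds exactly one rule."""
    extra = {f: v for f, v in _rule(None, "tcp", pod_ip + "/32", 1, 65535).items()
             if f in SEMANTIC_FIELDS}
    return desired_after_annotation() + [extra]
```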

Comment 3 rlobillo 2021-01-11 15:15:45 UTC
Created attachment 1746299
NP test results

Comment 4 rlobillo 2021-01-11 15:16:05 UTC
Created attachment 1746300
tempest results with the fix

Comment 7 errata-xmlrpc 2021-02-03 10:11:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.4.33 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0281

