1910221 – kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails

Bug 1910221 - kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails

Summary: kuryr tempest plugin test test_ipblock_network_policy_sg_rules fails

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	4.4.z
Assignee:	Michał Dulko
QA Contact:	GenadiC
Docs Contact:
URL:
Whiteboard:
Depends On:	1901495
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-23 07:55 UTC by OpenShift BugZilla Robot
Modified:	2021-02-03 10:12 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: kuryr-controller was comparing the security groups related to network policies incorrectly. Consequence: All the security rules related to a network policy were recreated on every minor update of that network policy. Fix: The rules are now compared correctly. Result: On network policy update already existing rules are preserved and only additions or deletions are performed if needed.
Clone Of:
Environment:
Last Closed:	2021-02-03 10:11:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
NP test results (30.31 KB, application/zip) 2021-01-11 15:15 UTC, rlobillo	no flags	Details
tempest results with the fix (4.85 KB, application/zip) 2021-01-11 15:16 UTC, rlobillo	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift kuryr-kubernetes pull 430	0	None	closed	[release-4.4] Bug 1910221: Correctly compare SG rules in NP code	2021-02-01 18:29:35 UTC
Red Hat Product Errata	RHSA-2021:0281	0	None	None	None	2021-02-03 10:12:10 UTC

Comment 2 rlobillo 2021-01-11 15:13:06 UTC

Verified on OCP4.4.0-0.nightly-2021-01-10-060925 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).


# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo-1-plqwq --port 80 --target-port 8080

$ cat np_resource.yaml 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller

$ oc apply -f np_resource.yaml 
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                               READY   STATUS      RESTARTS   AGE
pod/demo-1-deploy                  0/1     Completed   0          7m9s
pod/demo-1-plqwq                   1/1     Running     0          6m46s
pod/demo-allowed-caller-1-deploy   0/1     Completed   0          6m57s
pod/demo-allowed-caller-1-l4mxd    1/1     Running     0          6m29s
pod/demo-caller-1-deploy           0/1     Completed   0          6m50s
pod/demo-caller-1-pn2t2            1/1     Running     0          6m44s

NAME                                          DESIRED   CURRENT   READY   AGE
replicationcontroller/demo-1                  1         1         1       7m10s
replicationcontroller/demo-allowed-caller-1   1         1         1       6m57s
replicationcontroller/demo-caller-1           1         1         1       6m50s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo-1-plqwq   ClusterIP   172.30.201.54   <none>        80/TCP    5m39s

NAME                                                     REVISION   DESIRED   CURRENT   TRIGGERED BY
deploymentconfig.apps.openshift.io/demo                  1          1         1         config
deploymentconfig.apps.openshift.io/demo-allowed-caller   1          1         1         config
deploymentconfig.apps.openshift.io/demo-caller           1          1         1         config


$ oc rsh pod/demo-allowed-caller-1-l4mxd curl 172.30.201.54
demo-1-plqwq: HELLO! I AM ALIVE!!!
$ oc rsh pod/demo-caller-1-pn2t2 curl 172.30.201.54
^Ccommand terminated with exit code 130

$ oc get knp
NAME    SG-ID                                  AGE
np-np   50b0755e-5e8f-43e0-a4ee-8ff619c39d6c   109s
(shiftstack) [stack@undercloud-0 ~]$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range  | Remote Security Group                | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535     | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |


# Test - Adding an annotation is not provoking the recreation of the security group rule (The ID remains unchangeable):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated

$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range  | Remote Security Group                | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |             | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535     | None                                 | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |


Furthermore, all tempest and NP tests passed. Logs attached.

Comment 3 rlobillo 2021-01-11 15:15:45 UTC

Created attachment 1746299 [details]
NP test results

Comment 4 rlobillo 2021-01-11 15:16:05 UTC

Created attachment 1746300 [details]
tempest results with the fix

Comment 7 errata-xmlrpc 2021-02-03 10:11:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.4.33 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0281

Note You need to log in before you can comment on or make changes to this bug.