Verified on OCP4.4.0-0.nightly-2021-01-10-060925 over OSP16.1 (RHOS-16.1-RHEL-8-20201124.n.0).

# Setting up the scenario:

$ oc new-project test2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo demo-allowed-caller
$ oc run --image kuryr/demo demo-caller
$ oc expose pod/demo-1-plqwq --port 80 --target-port 8080
$ cat np_resource.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np
spec:
  podSelector:
    matchLabels:
      run: demo
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo-allowed-caller
$ oc apply -f np_resource.yaml
networkpolicy.networking.k8s.io/np created

# Checking the setup before running the test:

$ oc get all
NAME                                  READY   STATUS      RESTARTS   AGE
pod/demo-1-deploy                     0/1     Completed   0          7m9s
pod/demo-1-plqwq                      1/1     Running     0          6m46s
pod/demo-allowed-caller-1-deploy      0/1     Completed   0          6m57s
pod/demo-allowed-caller-1-l4mxd       1/1     Running     0          6m29s
pod/demo-caller-1-deploy              0/1     Completed   0          6m50s
pod/demo-caller-1-pn2t2               1/1     Running     0          6m44s

NAME                                           DESIRED   CURRENT   READY   AGE
replicationcontroller/demo-1                   1         1         1       7m10s
replicationcontroller/demo-allowed-caller-1    1         1         1       6m57s
replicationcontroller/demo-caller-1            1         1         1       6m50s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo-1-plqwq   ClusterIP   172.30.201.54   <none>        80/TCP    5m39s

NAME                                                      REVISION   DESIRED   CURRENT   TRIGGERED BY
deploymentconfig.apps.openshift.io/demo                   1          1         1         config
deploymentconfig.apps.openshift.io/demo-allowed-caller    1          1         1         config
deploymentconfig.apps.openshift.io/demo-caller            1          1         1         config

$ oc rsh pod/demo-allowed-caller-1-l4mxd curl 172.30.201.54
demo-1-plqwq: HELLO! I AM ALIVE!!!

$ oc rsh pod/demo-caller-1-pn2t2 curl 172.30.201.54
^Ccommand terminated with exit code 130

$ oc get knp
NAME    SG-ID                                  AGE
np-np   50b0755e-5e8f-43e0-a4ee-8ff619c39d6c   109s

(shiftstack) [stack@undercloud-0 ~]$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range | Remote Security Group | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535    | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |

# Test - Adding an annotation is not provoking the recreation of the security group rule (the ID remains unchanged):

$ oc annotate networkpolicy np bar=baz
networkpolicy.networking.k8s.io/np annotated

$ openstack security group rule list | grep -e ID -e 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c
| ID                                   | IP Protocol | Ethertype | IP Range         | Port Range | Remote Security Group | Security Group                       |
| 2b38565c-58bd-4d6e-8c8a-050b10cd2930 | None        | IPv4      | 0.0.0.0/0        |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| 941a8786-5e8b-42cf-8666-af382a9f3b29 | None        | IPv4      | 10.196.0.0/16    |            | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |
| ab3cfc0c-068b-4910-b2a5-361ef07db6aa | tcp         | IPv4      | 10.128.114.47/32 | 1:65535    | None                  | 50b0755e-5e8f-43e0-a4ee-8ff619c39d6c |

Furthermore, all tempest and NP tests passed. Logs attached.
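The verification above compares the security group rule IDs by eye before and after annotating the NetworkPolicy. The script below is an added example (not part of the bug report, of Kuryr or of the OpenStack client) that automates that comparison: it takes two snapshots of `openstack security group rule list -f json`, narrows them to one security group the way the `grep` in the comment does, and classifies each rule as unchanged, recreated (same content, new ID), removed or added. A recreated rule is the regression this bug is about, because Neutron deleting and re-adding a rule briefly drops the traffic it allows. The JSON keys are assumed to match the table headings shown in the comment; the snapshots are constructed from the rules listed there, with placeholder IDs for the unrelated group and for the "recreated" rule.

```python
"""Detect delete-and-recreate churn in a Kuryr-managed security group.

Added example, not part of the bug report or of Kuryr. Compares two
`openstack security group rule list -f json` snapshots taken before and after
an operation on the NetworkPolicy (here: annotating it).
"""
import json
from typing import Dict, List, Set, Tuple

# Security group kuryr created for NetworkPolicy "np" (ID from the comment).
SG_ID = "50b0755e-5e8f-43e0-a4ee-8ff619c39d6c"

# Everything except the ID describes what a rule does; the ID is only Neutron's handle.
# Key names are assumed to match the CLI table headings.
CONTENT_FIELDS = ("IP Protocol", "Ethertype", "IP Range", "Port Range",
                  "Remote Security Group", "Security Group")

# Constructed snapshot modelled on the rule list in the comment, plus one rule
# of an unrelated security group (placeholder IDs) to exercise the filtering.
BEFORE_JSON = """[
  {"ID": "2b38565c-58bd-4d6e-8c8a-050b10cd2930", "IP Protocol": null, "Ethertype": "IPv4",
   "IP Range": "0.0.0.0/0", "Port Range": "", "Remote Security Group": null,
   "Security Group": "50b0755e-5e8f-43e0-a4ee-8ff619c39d6c"},
  {"ID": "941a8786-5e8b-42cf-8666-af382a9f3b29", "IP Protocol": null, "Ethertype": "IPv4",
   "IP Range": "10.196.0.0/16", "Port Range": "", "Remote Security Group": null,
   "Security Group": "50b0755e-5e8f-43e0-a4ee-8ff619c39d6c"},
  {"ID": "ab3cfc0c-068b-4910-b2a5-361ef07db6aa", "IP Protocol": "tcp", "Ethertype": "IPv4",
   "IP Range": "10.128.114.47/32", "Port Range": "1:65535", "Remote Security Group": null,
   "Security Group": "50b0755e-5e8f-43e0-a4ee-8ff619c39d6c"},
  {"ID": "00000000-0000-4000-8000-00000000aaaa", "IP Protocol": null, "Ethertype": "IPv4",
   "IP Range": "0.0.0.0/0", "Port Range": "", "Remote Security Group": null,
   "Security Group": "00000000-0000-4000-8000-0000000000ee"}
]"""

# Constructed "bad" snapshot: the pod-to-pod TCP rule came back under a new (placeholder) ID.
AFTER_CHURN_JSON = BEFORE_JSON.replace(
    "ab3cfc0c-068b-4910-b2a5-361ef07db6aa", "ffffffff-0000-4000-8000-000000000001")


def load_rules(json_text: str, sg_id: str) -> List[dict]:
    """Parse the CLI's JSON output and keep only the rules of one security group."""
    return [r for r in json.loads(json_text) if r.get("Security Group") == sg_id]


def rule_content(rule: dict) -> Tuple:
    """The part of a rule that matters for traffic: everything except its ID."""
    return tuple(rule.get(f) for f in CONTENT_FIELDS)


def group_by_content(rules: List[dict]) -> Dict[Tuple, Set[str]]:
    """Map rule content -> set of IDs carrying it (identical duplicates are possible)."""
    groups: Dict[Tuple, Set[str]] = {}
    for rule in rules:
        groups.setdefault(rule_content(rule), set()).add(rule["ID"])
    return groups


def diff_rule_snapshots(before: List[dict], after: List[dict]) -> Dict[str, list]:
    """Classify every rule as unchanged, recreated (same content, new ID), removed or added."""
    old, new = group_by_content(before), group_by_content(after)
    result: Dict[str, list] = {"unchanged": [], "recreated": [], "removed": [], "added": []}
    for key in sorted(old.keys() | new.keys(), key=str):
        old_ids, new_ids = old.get(key, set()), new.get(key, set())
        result["unchanged"].extend(sorted(old_ids & new_ids))
        gone, fresh = sorted(old_ids - new_ids), sorted(new_ids - old_ids)
        # Same content on both sides but different IDs: Neutron deleted and re-created it.
        result["recreated"].extend(zip(gone, fresh))
        result["removed"].extend(gone[len(fresh):])
        result["added"].extend(fresh[len(gone):])
    return result


def check_no_churn(before_json: str, after_json: str, sg_id: str) -> bool:
    """True when the group's rule set is identical ID for ID, as the fixed build shows."""
    diff = diff_rule_snapshots(load_rules(before_json, sg_id), load_rules(after_json, sg_id))
    return not (diff["recreated"] or diff["removed"] or diff["added"])


if __name__ == "__main__":
    for label, after in (("annotate on fixed build", BEFORE_JSON),
                         ("annotate with rule recreated", AFTER_CHURN_JSON)):
        diff = diff_rule_snapshots(load_rules(BEFORE_JSON, SG_ID), load_rules(after, SG_ID))
        print(f"{label}: unchanged={len(diff['unchanged'])} recreated={diff['recreated']}")
```

In practice the two snapshots come from running `openstack security group rule list -f json` before and after the `oc annotate` step and feeding both files to `check_no_churn` with the SG-ID from `oc get knp`; a result of `False` means some rule was dropped, added or re-created and the fix did not hold on that build.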
Created attachment 1746299: NP test results
Created attachment 1746300: tempest results with the fix
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.4.33 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0281