Description of problem:
knp object has a duplicated entry for the service network:

    "egressSgRules": [
      {
        "sgRule": {
          "description": "Kuryr-Kubernetes NetPolicy SG rule",
          "direction": "egress",
          "ethertype": "IPv4",
          "remote_ip_prefix": "10.128.0.0/14"
        }
      },
      {
        "sgRule": {
          "description": "Kuryr-Kubernetes NetPolicy SG rule",
          "direction": "egress",
          "ethertype": "IPv4",
          "remote_ip_prefix": "172.30.0.0/15"
        }
      },
      {
        "sgRule": {
          "description": "Kuryr-Kubernetes NetPolicy SG rule",
          "direction": "egress",
          "ethertype": "IPv4",
          "remote_ip_prefix": "172.30.0.0/15"
        }
      }

The security group has one rule instead for the service network:

    | description='Kuryr-Kubernetes NetPolicy SG rule', direction='egress', ethertype='IPv4', id='51b6190a-e15b-44ff-8309-684b390ecd28', remote_ip_prefix='172.30.0.0/15', updated_at='2021-06-02T12:38:20Z' |
    | description='Kuryr-Kubernetes NetPolicy SG rule', direction='egress', ethertype='IPv4', id='d739b543-14d5-43b2-9413-f3b8eaafe132', remote_ip_prefix='10.128.0.0/14', updated_at='2021-06-02T12:38:20Z' |

Version-Release number of selected component (if applicable):
OCP 4.6.0-0.nightly-2021-05-31-074224
OSP:
· 13.0.15 (2021-03-24.1) with amphora provider
· 16.1.5 (RHOS-16.1-RHEL-8-20210323.n.0) with ovn octavia provider

How reproducible:
always

Steps to Reproduce:
1. Create test and test2 projects, both with a kuryr/demo pod exposed by a service on port 80:

    $ oc new-project test
    $ oc run --image quay.io/kuryr/demo demo
    $ oc expose pod/demo --port 80 --target-port 8080
    $ oc new-project test2
    $ oc run --image quay.io/kuryr/demo demo2
    $ oc expose pod/demo2 --port 80 --target-port 8080

    $ oc -n test get all -o wide
    NAME           READY   STATUS    RESTARTS   AGE   IP               NODE                          NOMINATED NODE   READINESS GATES
    pod/demo       1/1     Running   0          39s   10.128.117.184   ostest-q5lcm-worker-0-qnktl   <none>           <none>

    NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE   SELECTOR
    service/demo   ClusterIP   172.30.224.192   <none>        80/TCP    5s    run=demo

    $ oc -n test2 get all -o wide
    NAME            READY   STATUS    RESTARTS   AGE   IP               NODE                          NOMINATED NODE   READINESS GATES
    pod/demo2       1/1     Running   0          43s   10.128.119.134   ostest-q5lcm-worker-0-26xt2   <none>           <none>

    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
    service/demo2   ClusterIP   172.30.70.197   <none>        80/TCP    5s    run=demo2

2. Apply the following NP:

    $ cat np-bz.yaml
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: np-bz
    spec:
      podSelector:
        matchLabels:
          run: demo
      policyTypes:
      - Egress
      - Ingress
      ingress:
      - from:
        - podSelector: {}
      egress:
      - to:
        - namespaceSelector: {}

    $ oc project test
    $ oc apply -f np.yaml

3. Check the knp resource:

    $ oc get knp/np-bz -o json | jq .spec

Actual results (in OSP 13):

    {
      "egressSgRules": [
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.128.0.0/14"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.0.0/15"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.0.0/15"
          }
        }
      ],
      "ingressSgRules": [
        {
          "namespace": "test",
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.128.116.0/23"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.0.0/15"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.196.0.0/16"
          }
        }
      ],
      "podSelector": {
        "matchLabels": {
          "run": "demo"
        }
      },
      "policyTypes": [
        "Egress",
        "Ingress"
      ]
    }

Actual results (in OSP 16.1):

    {
      "egressSgRules": [
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.128.0.0/14"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.0.0/15"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "egress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.0.0/15"
          }
        }
      ],
      "ingressSgRules": [
        {
          "namespace": "test",
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.128.116.0/23"
          }
        },
        {
          "sgRule": {
            "description": "Kuryr-Kubernetes NetPolicy SG rule",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "10.196.0.0/16"
          }
        },
        {
          "sgRule": {
            "description": "Allow traffic from local namespace service demo",
            "direction": "ingress",
            "ethertype": "IPv4",
            "remote_ip_prefix": "172.30.232.18"
          }
        }
      ],
      "podSelector": {
        "matchLabels": {
          "run": "demo"
        }
      },
      "policyTypes": [
        "Egress",
        "Ingress"
      ]
    }

There is a duplicated egress rule for "172.30.0.0/15".

Expected results:
no duplicated entries

Additional info:
Pod's security group rules (in OSP 16.1):

    Field           | Value
    ----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    created_at      | 2021-06-02T12:38:18Z
    description     | Kuryr-Kubernetes Network Policy test/np-bz1958103 SG
    id              | 3e682ad5-b8d3-4200-af16-6424acca3c1c
    location        | cloud='', project.domain_id=, project.domain_name='Default', project.id='61014a8af2ed4a7e86269fe991821a55', project.name='shiftstack', region_name='regionOne', zone=
    name            | sg-test-np-bz1958103
    project_id      | 61014a8af2ed4a7e86269fe991821a55
    revision_number | 9
    rules           | created_at='2021-06-02T12:38:19Z', description='Kuryr-Kubernetes NetPolicy SG rule', direction='ingress', ethertype='IPv4', id='48b581db-1138-448c-973a-e234410d5c0c', remote_ip_prefix='10.128.116.0/23', updated_at='2021-06-02T12:38:19Z'
                    | created_at='2021-06-02T12:38:20Z', description='Kuryr-Kubernetes NetPolicy SG rule', direction='egress', ethertype='IPv4', id='51b6190a-e15b-44ff-8309-684b390ecd28', remote_ip_prefix='172.30.0.0/15', updated_at='2021-06-02T12:38:20Z'
                    | created_at='2021-06-02T12:38:19Z', description='Allow traffic from local namespace service demo', direction='ingress', ethertype='IPv4', id='5e10934a-1f52-40c7-9463-9f802a091c2a', remote_ip_prefix='172.30.232.18/32', updated_at='2021-06-02T12:38:19Z'
                    | created_at='2021-06-02T12:38:20Z', description='Kuryr-Kubernetes NetPolicy SG rule', direction='egress', ethertype='IPv4', id='d739b543-14d5-43b2-9413-f3b8eaafe132', remote_ip_prefix='10.128.0.0/14', updated_at='2021-06-02T12:38:20Z'
                    | created_at='2021-06-02T12:38:19Z', description='Kuryr-Kubernetes NetPolicy SG rule', direction='ingress', ethertype='IPv4', id='e60452c2-1921-49a6-aef8-2a50ccb0c4db', remote_ip_prefix='10.196.0.0/16', updated_at='2021-06-02T12:38:19Z'
    tags            | ['openshiftClusterID=ostest-slbx7']
    updated_at      | 2021-06-02T12:38:20Z
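The following script is an added example for checking a knp spec like the ones above; it is not part of this bug report or of kuryr-kubernetes. It finds rule entries that appear more than once in egressSgRules / ingressSgRules, collapses them while keeping the original order, and compares the spec with the rules that actually exist on the Neutron security group. The sample spec is constructed from the OSP 16.1 output quoted in the report, the SG rule list is reduced to the three fields needed for matching, and the function names (find_duplicates, dedupe, compare_with_sg) are this example's own. Prefixes are normalised with the ipaddress module so that the knp's "172.30.232.18" and Neutron's "172.30.232.18/32" compare equal.

```python
"""Check a knp (KuryrNetworkPolicy) spec for duplicated SG rule entries and
compare it with the rules present on the Neutron security group.

Added example; not code from the bug report or from kuryr-kubernetes.
"""
import ipaddress
import json
from collections import Counter

RULE_LISTS = ("egressSgRules", "ingressSgRules")


def _np_rule(direction, prefix, description="Kuryr-Kubernetes NetPolicy SG rule"):
    """Build one knp rule entry in the shape shown in the report."""
    return {"sgRule": {"description": description, "direction": direction,
                       "ethertype": "IPv4", "remote_ip_prefix": prefix}}


# Sample knp spec, constructed from the OSP 16.1 output in the report.
KNP_SPEC = {
    "egressSgRules": [
        _np_rule("egress", "10.128.0.0/14"),
        _np_rule("egress", "172.30.0.0/15"),
        _np_rule("egress", "172.30.0.0/15"),   # the duplicated entry
    ],
    "ingressSgRules": [
        dict(_np_rule("ingress", "10.128.116.0/23"), namespace="test"),
        _np_rule("ingress", "10.196.0.0/16"),
        _np_rule("ingress", "172.30.232.18",
                 "Allow traffic from local namespace service demo"),
    ],
    "podSelector": {"matchLabels": {"run": "demo"}},
    "policyTypes": ["Egress", "Ingress"],
}

# Neutron SG rules, constructed from the `openstack security group show`
# output in the report (only the fields used for matching are kept).
SG_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "10.128.116.0/23"},
    {"direction": "egress", "ethertype": "IPv4", "remote_ip_prefix": "172.30.0.0/15"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "172.30.232.18/32"},
    {"direction": "egress", "ethertype": "IPv4", "remote_ip_prefix": "10.128.0.0/14"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "10.196.0.0/16"},
]


def rule_key(entry):
    """Hashable identity of one knp entry: every sgRule field plus the
    optional namespace annotation."""
    fields = tuple(sorted(entry.get("sgRule", {}).items()))
    return (entry.get("namespace"), fields)


def find_duplicates(spec):
    """Return {list_name: [(remote_ip_prefix, direction, count), ...]} for
    each entry that occurs more than once in the list."""
    report = {}
    for name in RULE_LISTS:
        counts = Counter(rule_key(e) for e in spec.get(name, []))
        dups = []
        for (_ns, fields), n in counts.items():
            if n > 1:
                sg = dict(fields)
                dups.append((sg.get("remote_ip_prefix"), sg.get("direction"), n))
        report[name] = sorted(dups)
    return report


def dedupe(spec):
    """Copy of spec with duplicates collapsed; the first occurrence is kept
    so the original ordering survives."""
    out = dict(spec)
    for name in RULE_LISTS:
        seen, kept = set(), []
        for entry in spec.get(name, []):
            k = rule_key(entry)
            if k not in seen:
                seen.add(k)
                kept.append(entry)
        out[name] = kept
    return out


def _triple(sg):
    """(direction, ethertype, normalised prefix); a bare address becomes /32."""
    net = ipaddress.ip_network(sg["remote_ip_prefix"], strict=False)
    return (sg["direction"], sg["ethertype"], str(net))


def compare_with_sg(spec, sg_rules):
    """Return (only_in_knp, only_in_sg) as sorted lists of triples."""
    wanted = {_triple(e["sgRule"]) for n in RULE_LISTS for e in spec.get(n, [])}
    actual = {_triple(r) for r in sg_rules}
    return sorted(wanted - actual), sorted(actual - wanted)


if __name__ == "__main__":
    print(json.dumps(find_duplicates(KNP_SPEC), indent=2))
    print("egress entries after dedupe:", len(dedupe(KNP_SPEC)["egressSgRules"]))
    print("knp vs SG (only_in_knp, only_in_sg):", compare_with_sg(KNP_SPEC, SG_RULES))
```

To run it against a live cluster, replace KNP_SPEC with the output of `oc get knp/<name> -o json | jq .spec` and SG_RULES with the rules of the pod's security group; an empty result from compare_with_sg on the deduped spec is what the report describes, since Neutron ends up with a single rule for the service network even though the knp lists it twice.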
Message from the Patch Manager: "4.6 is only open for bugs of >= high severity."