Description of problem:
This issue is already fixed in 4.7; it was first fixed upstream in https://github.com/openshift/kuryr-kubernetes/commit/cae194972a8f82a3c9029db71b2ec428992f848c via https://bugs.launchpad.net/kuryr-kubernetes/+bug/1888407. Since the code in 4.7 is way too different to backport to 4.6, we chose a different approach to fix this in 4.6. This BZ is for QE to verify that this bug indeed no longer exists in 4.7, so we can fix it in 4.6.

Version-Release number of selected component (if applicable):
4.7.z

How reproducible:
To be consistent across these two BZs, please follow the exact same steps from https://bugzilla.redhat.com/show_bug.cgi?id=1967540

Expected results:
There should be no duplicated SG Egress rules in the knp object.

Additional info:
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue: https://bugzilla.redhat.com/show_bug.cgi?id=1995785. All the fixes that were part of it will now be included in 4.8.7 on 8/30.
OpenShift engineering has decided to NOT ship 4.7.25 on 8/24 due to the following issue: https://bugzilla.redhat.com/show_bug.cgi?id=1995785. All the fixes that were part of it will now be included in 4.7.26 on 8/31.
Verified successfully on the platform: OpenShift on OpenStack with Kuryr.
Using the following versions:
OSP: RHOS-16.1-RHEL-8-20210804.n.0
OCP: 4.7.0-0.nightly-2021-08-16-204701

Verification description:

1. Created two projects, both with a kuryr/demo pod exposed by a service on port 80:

>(shiftstack) [stack@undercloud-0 ~]$ oc new-project test
>(shiftstack) [stack@undercloud-0 ~]$ oc run --image quay.io/kuryr/demo demo
>(shiftstack) [stack@undercloud-0 ~]$ oc new-project test2
>(shiftstack) [stack@undercloud-0 ~]$ oc run --image quay.io/kuryr/demo demo2
>(shiftstack) [stack@undercloud-0 ~]$ oc expose pod/demo2 --port 80 --target-port 8080
>(shiftstack) [stack@undercloud-0 ~]$ oc project test
>(shiftstack) [stack@undercloud-0 ~]$ oc expose pod/demo --port 80 --target-port 8080
>(shiftstack) [stack@undercloud-0 ~]$ oc -n test get all -o wide
>NAME       READY   STATUS    RESTARTS   AGE    IP             NODE                          NOMINATED NODE   READINESS GATES
>pod/demo   1/1     Running   0          5m4s   10.128.127.5   ostest-rqbxq-worker-0-h6mvf   <none>           <none>
>
>NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
>service/demo   ClusterIP   172.30.83.147   <none>        80/TCP    13s   run=demo
>(shiftstack) [stack@undercloud-0 ~]$ oc -n test2 get all -o wide
>NAME        READY   STATUS    RESTARTS   AGE     IP               NODE                          NOMINATED NODE   READINESS GATES
>pod/demo2   1/1     Running   0          3m27s   10.128.128.124   ostest-rqbxq-worker-0-h6mvf   <none>           <none>
>
>NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE     SELECTOR
>service/demo2   ClusterIP   172.30.72.68   <none>        80/TCP    2m45s   run=demo2

2. Applied NetworkPolicy:

>(shiftstack) [stack@undercloud-0 ~]$ cat np.yaml
>kind: NetworkPolicy
>apiVersion: networking.k8s.io/v1
>metadata:
>  name: np-bz
>spec:
>  podSelector:
>    matchLabels:
>      run: demo
>  policyTypes:
>  - Egress
>  - Ingress
>  ingress:
>  - from:
>    - podSelector: {}
>  egress:
>  - to:
>    - namespaceSelector: {}
>(shiftstack) [stack@undercloud-0 ~]$ oc apply -f np.yaml
>networkpolicy.networking.k8s.io/np-bz created

3. There are no duplicated egress rules:

>(shiftstack) [stack@undercloud-0 ~]$ oc get knp/np-bz -o json | jq .spec
>{
>  "egressSgRules": [
>    {
>      "sgRule": {
>        "description": "Kuryr-Kubernetes NetPolicy SG rule",
>        "direction": "egress",
>        "ethertype": "IPv4",
>        "remote_ip_prefix": "10.128.0.0/14"
>      }
>    },
>    {
>      "sgRule": {
>        "description": "Kuryr-Kubernetes NetPolicy SG rule",
>        "direction": "egress",
>        "ethertype": "IPv4",
>        "remote_ip_prefix": "172.30.0.0/15"
>      }
>    }
>  ],
>  "ingressSgRules": [
>    {
>      "namespace": "test",
>      "sgRule": {
>        "description": "Kuryr-Kubernetes NetPolicy SG rule",
>        "direction": "ingress",
>        "ethertype": "IPv4",
>        "remote_ip_prefix": "10.128.126.0/23"
>      }
>    },
>    {
>      "sgRule": {
>        "description": "Kuryr-Kubernetes NetPolicy SG rule",
>        "direction": "ingress",
>        "ethertype": "IPv4",
>        "remote_ip_prefix": "10.196.0.0/16"
>      }
>    },
>    {
>      "sgRule": {
>        "description": "Allow traffic from local namespace service demo",
>        "direction": "ingress",
>        "ethertype": "IPv4",
>        "remote_ip_prefix": "172.30.83.147"
>      }
>    }
>  ],
>  "podSelector": {
>    "matchLabels": {
>      "run": "demo"
>    }
>  },
>  "policyTypes": [
>    "Egress",
>    "Ingress"
>  ]
>}
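Eyeballing the `jq .spec` output works for two egress rules, but a policy with many namespace or port selectors produces dozens of sgRule entries. The following script is an added example for this verification, not Kuryr project code: it reads a knp object from `oc get knp/<name> -o json` and flags any egress or ingress sgRule entries that are identical in the fields Neutron uses to match a security-group rule (direction, ethertype, protocol, port range, remote prefix or group). Treating "duplicate" as "identical match fields, ignoring description" is this example's assumption; the script name `check_knp_dupes.py` and the sample specs embedded below are constructed for illustration, the clean one being the egress/ingress rules from the verified 4.7 output above.

```python
"""Detect duplicated security-group rules in a Kuryr KuryrNetworkPolicy (knp).

Added example (not Kuryr project code). Reads the `.spec` of a knp object as
printed by `oc get knp/<name> -o json` and reports sgRule entries that repeat
in every field Neutron uses to match a security-group rule. Usage:

    oc get knp/np-bz -o json | python3 check_knp_dupes.py

The script name and the sample specs below are constructed for this example.
"""
import json
import sys
from collections import Counter

# Fields that together identify a Neutron security-group rule. 'description'
# is deliberately excluded: two rules that differ only in description are
# still duplicates from Neutron's point of view (assumption of this example).
MATCH_FIELDS = (
    "direction", "ethertype", "protocol",
    "port_range_min", "port_range_max",
    "remote_ip_prefix", "remote_group_id",
)


def rule_key(sg_rule):
    """Tuple of the fields that make a rule unique; missing fields are None."""
    return tuple(sg_rule.get(f) for f in MATCH_FIELDS)


def find_duplicate_sg_rules(spec):
    """Return {list_name: [(key, count), ...]} for rules seen more than once.

    `spec` is the knp `.spec` dict; `egressSgRules` / `ingressSgRules` are
    lists of {"sgRule": {...}, optional "namespace": ...} entries.
    """
    dupes = {}
    for field in ("egressSgRules", "ingressSgRules"):
        counts = Counter(rule_key(e["sgRule"]) for e in spec.get(field, []))
        repeated = [(k, n) for k, n in counts.items() if n > 1]
        if repeated:
            dupes[field] = repeated
    return dupes


def check_knp(obj):
    """Check a full knp object (or a bare spec). Returns (ok, report_lines)."""
    spec = obj.get("spec", obj)
    dupes = find_duplicate_sg_rules(spec)
    lines = []
    for field, repeated in dupes.items():
        for key, n in repeated:
            desc = ", ".join(f"{f}={v}" for f, v in zip(MATCH_FIELDS, key)
                             if v is not None)
            lines.append(f"{field}: rule seen {n} times ({desc})")
    return (not dupes), lines


# Constructed sample: the egress rules from the verified 4.7 knp (no
# duplicates), then the same spec with the service-subnet egress rule
# repeated, which is the shape this bug is about.
CLEAN_SPEC = {
    "egressSgRules": [
        {"sgRule": {"description": "Kuryr-Kubernetes NetPolicy SG rule",
                    "direction": "egress", "ethertype": "IPv4",
                    "remote_ip_prefix": "10.128.0.0/14"}},
        {"sgRule": {"description": "Kuryr-Kubernetes NetPolicy SG rule",
                    "direction": "egress", "ethertype": "IPv4",
                    "remote_ip_prefix": "172.30.0.0/15"}},
    ],
    "ingressSgRules": [
        {"namespace": "test",
         "sgRule": {"description": "Kuryr-Kubernetes NetPolicy SG rule",
                    "direction": "ingress", "ethertype": "IPv4",
                    "remote_ip_prefix": "10.128.126.0/23"}},
    ],
}

BUGGY_SPEC = json.loads(json.dumps(CLEAN_SPEC))  # deep copy
BUGGY_SPEC["egressSgRules"].append(
    {"sgRule": {"description": "Kuryr-Kubernetes NetPolicy SG rule",
                "direction": "egress", "ethertype": "IPv4",
                "remote_ip_prefix": "172.30.0.0/15"}})


if __name__ == "__main__":
    # Read a real knp from stdin when piped; otherwise demo on the buggy sample.
    knp = json.load(sys.stdin) if not sys.stdin.isatty() else {"spec": BUGGY_SPEC}
    ok, report = check_knp(knp)
    print("\n".join(report) if report else "no duplicated SG rules")
    sys.exit(0 if ok else 1)
```

Because the exit status is non-zero when a duplicate is found, the same one-liner can be dropped into a CI job that re-runs the reproduction steps against a nightly. Note the check is per list: a rule appearing once under `egressSgRules` and once under `ingressSgRules` is not a duplicate, since direction is part of the key.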
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.7.28 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3262