Bug 2011861 - MTC - Exclusion of networkpolicy doesn't work
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Migration Toolkit for Containers
Classification: Red Hat
Component: Operator
Version: 1.4.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Jason Montleon
QA Contact: Xin jiang
Avital Pinnick
Reported: 2021-10-07 14:38 UTC by Danila Kiselev
Modified: 2021-10-29 15:45 UTC (History)

Last Closed: 2021-10-29 15:45:23 UTC

Description Danila Kiselev 2021-10-07 14:38:41 UTC
Description of problem:
Exclusion of networkpolicy doesn't work.

Version-Release number of selected component (if applicable):
OCP 3.11 to OCP 4.6

How reproducible:
Very.

Steps to Reproduce:
Edit config to exclude networkpolicy:

~~~
spec:
  azure_resource_group: ""
  cluster_name: host
  excludedResources:
  - networkpolicies
...
~~~

Actual results:

Migration controller is checking the network policies in destination:

~~~
host/namespaces/openshift-migration/pods/migration-controller-54c5d5fd67-8cptk/mtc/mtc/logs/current.log:2021-09-30T14:37:08.333165477Z 
2021-09-30T14:37:08.333165477Z {"level":"info","ts":1633012628333,"logger":"migration|fz87j","msg":"Rollback: Searching destination cluster namespace for resources with migrated-by label.","migMigration":"d173ae10-21fb-11ec-b6f0-a9f7b0ef8f58","phase":"DeleteMigrated","namespace":"test-mtc-pv-small","gvk":"networking.k8s.io/v1/networkpolicies","label":"migration.openshift.io/migrated-by-migplan:2f842f08-1782-446a-bd50-7302cdf24b3d"}
2021-09-30T14:38:00.633300295Z {"level":"info","ts":1633012680633,"logger":"migration|w4qtd","msg":"Rollback: Checking for leftover resources in destination cluster","migMigration":"d173ae10-21fb-11ec-b6f0-a9f7b0ef8f58","gvk":"networking.k8s.io/v1/networkpolicies","namespace":"test-mtc-pv-small"}
~~~

Migration controller pod does not seem to be updated correctly; it is still pointing to the default excluded resources and not including networkpolicies:

~~~
spec:
  containers:
  - command:
    - /manager
    env:
    - name: EXCLUDED_RESOURCES
      value: imagetags,templateinstances,clusterserviceversions,packagemanifests,subscriptions,servicebrokers,servicebindings,serviceclasses,serviceinstances,serviceplans,operatorgroups,events
~~~

Expected results:
Network policy successfully excluded.

Comment 8 Jason Montleon 2021-10-29 15:40:44 UTC
This is an override so you probably want:

~~~
  excluded_resources:
  - networkpolicies
  - imagetags
  - templateinstances
  - clusterserviceversions
  - packagemanifests
  - subscriptions
  - servicebrokers
  - servicebindings
  - serviceclasses
  - serviceinstances
  - serviceplans
  - operatorgroups
  - events
  - events.events.k8s.io
  - rolebindings.authorization.openshift.io
~~~

~~~
    - name: EXCLUDED_RESOURCES
      value: networkpolicies,imagetags,templateinstances,clusterserviceversions,packagemanifests,subscriptions,servicebrokers,servicebindings,serviceclasses,serviceinstances,serviceplans,operatorgroups,events,events.events.k8s.io,rolebindings.authorization.openshift.io
~~~

That aside, I can't reproduce this. With:

~~~
  excludedResources:
  - networkpolicies
~~~

I have:

~~~
$ oc get po -o yaml migration-controller-65c77c495d-2lkhg | grep EXCLUDED_RESOURCES -A1
    - name: EXCLUDED_RESOURCES
      value: networkpolicies
~~~

I didn't see any container logs from must-gather. Do you see any errors in the operator log? It's possible a task is failing before it's reaching the controller configuration.
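
Added example (not part of any comment in this bug, and not MTC's own code): a shell check for the two conditions discussed above, namely a configured exclusion that never reached the controller pod's EXCLUDED_RESOURCES, and default exclusions lost because the configured list overrides rather than extends them. The function names are hypothetical, and DEFAULTS is assumed to be the value shown in the reporter's 1.4.3 pod; the list in comment 8 carries two more entries, so adjust it for your version.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
# DEFAULTS is the EXCLUDED_RESOURCES value shown in the reporter's 1.4.3 pod
# (assumption: treat it as the default list; newer versions may differ).
DEFAULTS="imagetags,templateinstances,clusterserviceversions,packagemanifests,subscriptions,servicebrokers,servicebindings,serviceclasses,serviceinstances,serviceplans,operatorgroups,events"

# set_minus A B: print the items of comma-separated list A that are not in B,
# comma-joined and in their original order.
set_minus() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        nb = split(b, B, ",")
        for (i = 1; i <= nb; i++) seen[B[i]] = 1
        na = split(a, A, ",")
        out = ""; sep = ""
        for (i = 1; i <= na; i++)
            if (A[i] != "" && !(A[i] in seen)) { out = out sep A[i]; sep = "," }
        print out
    }'
}

# check_exclusions WANTED POD_ENV
#   WANTED:  comma-separated list configured on the MigrationController
#   POD_ENV: EXCLUDED_RESOURCES value read from the migration-controller pod,
#            e.g. via: oc get po -o yaml <pod> | grep EXCLUDED_RESOURCES -A1
# Prints one finding per line; returns 1 if anything needs attention.
check_exclusions() {
    rc=0
    not_applied=$(set_minus "$1" "$2")     # configured, but absent from the pod
    dropped=$(set_minus "$DEFAULTS" "$1")  # defaults lost to the override
    [ -z "$not_applied" ] || { echo "NOT_APPLIED: $not_applied"; rc=1; }
    [ -z "$dropped" ]     || { echo "DEFAULTS_DROPPED: $dropped"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK"
    return "$rc"
}

# Constructed demo inputs built from values quoted on this page.
echo "reporter's cluster (pod still shows the defaults):"
check_exclusions "networkpolicies" "$DEFAULTS" || true
echo "comment 8, short list applied:"
check_exclusions "networkpolicies" "networkpolicies" || true
echo "override that repeats the defaults:"
check_exclusions "networkpolicies,$DEFAULTS" "networkpolicies,$DEFAULTS" || true
```
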

Comment 9 Erik Nelson 2021-10-29 15:45:23 UTC
Closing as not reproducible on 1.6. If the issue persists and is observed on the most recent version of MTC, please reopen this BZ.