Bug 2040338 - Can not delete egressnetworkpolicy in Foreground propagation
Summary: Can not delete egressnetworkpolicy in Foreground propagation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.9.z
Assignee: ffernand
QA Contact: huirwang
URL:
Whiteboard:
Depends On: 2042169
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-13 13:54 UTC by Chen
Modified: 2022-03-16 01:49 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2042169 (view as bug list)
Environment:
Last Closed: 2022-02-10 06:33:21 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift kubernetes pull 1125 0 None open Bug 2040338: remove egressnetworkpolicies from gc ignored resources 2022-01-19 21:27:41 UTC
Red Hat Product Errata RHBA-2022:0340 0 None None None 2022-02-10 06:33:38 UTC

Description Chen 2022-01-13 13:54:18 UTC
Description of problem:

Can not delete egressnetworkpolicy in Foreground propagation

Version-Release number of selected component (if applicable):

OpenShift 4.8.18

How reproducible:

100%

Steps to Reproduce:
1. $ oc new-project test-ping
2. $ cat networkpolicy.yaml
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: deny-by-default
  namespace: test-ping
spec:
  egress:
    - to:
        cidrSelector: 0.0.0.0/0
      type: Deny

3. $ oc apply -f networkpolicy.yaml

4. $ oc delete --cascade=foreground egressnetworkpolicy deny-by-default

Actual results:

The deny-by-default EgressNetworkPolicy will exist forever

Expected results:

The dependents of the EgressNetworkPolicy CR should be deleted and EgressNetworkPolicy should disappear.

Additional info:

In GitOps by default it uses Foreground propagation policy so this is causing problems in OpenShift GitOps.

Comment 1 zhaozhanqi 2022-01-14 02:45:10 UTC
yes, I can reproduce this issue on 4.10 version also.  below is with loglevel=8


$ oc delete --cascade=foreground egressnetworkpolicy deny-by-default --loglevel=8
I0114 10:14:25.132918    9584 loader.go:372] Config loaded from file:  /home/zzhao/kubeconfig
I0114 10:14:25.143425    9584 request.go:1181] Request Body: {"propagationPolicy":"Foreground"}
I0114 10:14:25.143508    9584 round_trippers.go:432] DELETE https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies/deny-by-default
I0114 10:14:25.143522    9584 round_trippers.go:438] Request Headers:
I0114 10:14:25.143531    9584 round_trippers.go:442]     Content-Type: application/json
I0114 10:14:25.143539    9584 round_trippers.go:442]     User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:25.143550    9584 round_trippers.go:442]     Accept: application/json
I0114 10:14:25.921836    9584 round_trippers.go:457] Response Status: 200 OK in 778 milliseconds
I0114 10:14:25.921871    9584 round_trippers.go:460] Response Headers:
I0114 10:14:25.921892    9584 round_trippers.go:463]     Audit-Id: 43b10172-e748-4910-b435-a0d4380e1dff
I0114 10:14:25.921901    9584 round_trippers.go:463]     Cache-Control: no-cache, private
I0114 10:14:25.921910    9584 round_trippers.go:463]     Content-Type: application/json
I0114 10:14:25.921920    9584 round_trippers.go:463]     X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:25.921929    9584 round_trippers.go:463]     X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4
I0114 10:14:25.921939    9584 round_trippers.go:463]     Content-Length: 648
I0114 10:14:25.921946    9584 round_trippers.go:463]     Date: Fri, 14 Jan 2022 02:14:25 GMT
I0114 10:14:25.921983    9584 request.go:1181] Response Body: {"apiVersion":"network.openshift.io/v1","kind":"EgressNetworkPolicy","metadata":{"creationTimestamp":"2022-01-14T02:14:03Z","deletionGracePeriodSeconds":0,"deletionTimestamp":"2022-01-14T02:14:25Z","finalizers":["foregroundDeletion"],"generation":2,"managedFields":[{"apiVersion":"network.openshift.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{".":{},"f:egress":{}}},"manager":"kubectl-create","operation":"Update","time":"2022-01-14T02:14:03Z"}],"name":"deny-by-default","namespace":"test-ping","resourceVersion":"355923","uid":"141c5c67-9fd9-45ed-adce-49a10d89c40a"},"spec":{"egress":[{"to":{"cidrSelector":"0.0.0.0/0"},"type":"Deny"}]}}
egressnetworkpolicy.network.openshift.io "deny-by-default" deleted
I0114 10:14:25.922258    9584 round_trippers.go:432] GET https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies?fieldSelector=metadata.name%3Ddeny-by-default
I0114 10:14:25.922272    9584 round_trippers.go:438] Request Headers:
I0114 10:14:25.922293    9584 round_trippers.go:442]     Accept: application/json
I0114 10:14:25.922302    9584 round_trippers.go:442]     User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:26.173413    9584 round_trippers.go:457] Response Status: 200 OK in 251 milliseconds
I0114 10:14:26.173435    9584 round_trippers.go:460] Response Headers:
I0114 10:14:26.173443    9584 round_trippers.go:463]     Audit-Id: 3fcde551-b2b8-411a-ae2c-6362d1886079
I0114 10:14:26.173450    9584 round_trippers.go:463]     Cache-Control: no-cache, private
I0114 10:14:26.173455    9584 round_trippers.go:463]     Content-Type: application/json
I0114 10:14:26.173461    9584 round_trippers.go:463]     X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:26.173485    9584 round_trippers.go:463]     X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4
I0114 10:14:26.173508    9584 round_trippers.go:463]     Content-Length: 786
I0114 10:14:26.173518    9584 round_trippers.go:463]     Date: Fri, 14 Jan 2022 02:14:26 GMT
I0114 10:14:26.173571    9584 request.go:1181] Response Body: {"apiVersion":"network.openshift.io/v1","items":[{"apiVersion":"network.openshift.io/v1","kind":"EgressNetworkPolicy","metadata":{"creationTimestamp":"2022-01-14T02:14:03Z","deletionGracePeriodSeconds":0,"deletionTimestamp":"2022-01-14T02:14:25Z","finalizers":["foregroundDeletion"],"generation":2,"managedFields":[{"apiVersion":"network.openshift.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{".":{},"f:egress":{}}},"manager":"kubectl-create","operation":"Update","time":"2022-01-14T02:14:03Z"}],"name":"deny-by-default","namespace":"test-ping","resourceVersion":"355923","uid":"141c5c67-9fd9-45ed-adce-49a10d89c40a"},"spec":{"egress":[{"to":{"cidrSelector":"0.0.0.0/0"},"type":"Deny"}]}}],"kind":"EgressNetworkPolicyList","metadata":{"continue":"","resourceVersion":"355926"}}
I0114 10:14:26.173955    9584 round_trippers.go:432] GET https://api.zzhaom112.qe.devcluster.openshift.com:6443/apis/network.openshift.io/v1/namespaces/test-ping/egressnetworkpolicies?fieldSelector=metadata.name%3Ddeny-by-default&resourceVersion=355926&watch=true
I0114 10:14:26.173981    9584 round_trippers.go:438] Request Headers:
I0114 10:14:26.173995    9584 round_trippers.go:442]     Accept: application/json
I0114 10:14:26.174007    9584 round_trippers.go:442]     User-Agent: oc/4.9.0 (linux/amd64) kubernetes/c456714
I0114 10:14:26.436456    9584 round_trippers.go:457] Response Status: 200 OK in 262 milliseconds
I0114 10:14:26.436478    9584 round_trippers.go:460] Response Headers:
I0114 10:14:26.436499    9584 round_trippers.go:463]     Date: Fri, 14 Jan 2022 02:14:26 GMT
I0114 10:14:26.436513    9584 round_trippers.go:463]     Audit-Id: d438d0ad-e43c-4c38-b85a-bacc0629d496
I0114 10:14:26.436527    9584 round_trippers.go:463]     Cache-Control: no-cache, private
I0114 10:14:26.436540    9584 round_trippers.go:463]     Content-Type: application/json
I0114 10:14:26.436554    9584 round_trippers.go:463]     X-Kubernetes-Pf-Flowschema-Uid: ee106863-987a-4e4a-b750-8afb91a7f1ef
I0114 10:14:26.436569    9584 round_trippers.go:463]     X-Kubernetes-Pf-Prioritylevel-Uid: 2697f45c-769c-4c1e-89e1-733b4722acf4

Comment 13 errata-xmlrpc 2022-02-10 06:33:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.19 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0340


Note You need to log in before you can comment on or make changes to this bug.