Bug 2104825 - Installer creates unnecessary master_ingress_cluster_policy_controller security group rule
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.11.z
Assignee: Martin André
QA Contact: Itay Matza
Depends On: 2104578
Reported: 2022-07-07 08:47 UTC by OpenShift BugZilla Robot
Modified: 2022-09-20 16:35 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2022-09-20 16:34:44 UTC
Target Upstream Version:


| System                  | ID                            | Private | Priority | Status | Summary                                                  | Last Updated            |
| Github                  | openshift installer pull 6092 | 0       | None     | open   | [release-4.11] Bug 2104825: Remove unnecessary SG rule   | 2022-07-07 08:48:02 UTC |
| Red Hat Product Errata  | RHSA-2022:6536                | 0       | None     | None   | None                                                     | 2022-09-20 16:35:00 UTC |

Description OpenShift BugZilla Robot 2022-07-07 08:47:23 UTC
+++ This bug was initially created as a clone of Bug #2104578 +++

The installer on openstack platform creates a security group rule that it does not need.

The master_ingress_cluster_policy_controller security group rule was initially introduced with 2636aef [1] but later reverted with a7040d4 [2]. It was then re-introduced by mistake with 40febcf [3].

We should remove the unneeded rule.

[1] https://github.com/openshift/installer/commit/2636aef6cdf0f897f98446e29c969d61b6b009a7
[2] https://github.com/openshift/installer/commit/a7040d40041941cd4a649e7c5caf98c26cfbbb90
[3] https://github.com/openshift/installer/commit/40febcfdace6795ab661a17d59fe5882d1a12890

Comment 1 ShiftStack Bugwatcher 2022-07-08 07:14:48 UTC
Removing the Triaged keyword because:
* the QE automation assessment (flag qe_test_coverage) is missing

Comment 4 Itay Matza 2022-09-12 11:28:12 UTC
Verified on 4.11.0-0.nightly-2022-09-10-020349 on top of RHOS-16.2-RHEL-8-20220804.n.1

(shiftstack) [stack@undercloud-0 ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-09-10-020349   True        False         43m     Cluster version is 4.11.0-0.nightly-2022-09-10-020349

(shiftstack) [stack@undercloud-0 ~]$ openstack security group list
| ID                                   | Name                | Description                    | Project                          | Tags                                |
| cc6d1357-53d2-42bf-8012-3a347422988d | ostest-x7mj2-master | Created By OpenShift Installer | 40c2d3e4846c483896ac824f7d437e7d | ['openshiftClusterID=ostest-x7mj2'] |
| ebc0ece1-4779-4a33-b315-601b7f37246c | default             | Default security group         | 40c2d3e4846c483896ac824f7d437e7d | []                                  |
| fe2a3b75-ba7e-46c0-9039-ddded3fa9553 | ostest-x7mj2-worker | Created By OpenShift Installer | 40c2d3e4846c483896ac824f7d437e7d | ['openshiftClusterID=ostest-x7mj2'] |

The security group rule does not exist:
(shiftstack) [stack@undercloud-0 ~]$ openstack security group show ostest-x7mj2-master -c rules -f json | jq '.rules[] | select(.port_range_min==10357)'
(shiftstack) [stack@undercloud-0 ~]$
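
An added example, not part of the original comment or of the installer project: the jq filter above matches only rules whose `port_range_min` is exactly 10357, so this sketch generalizes the check to any ingress rule whose range covers the port. The sample rules, their ids and the helper names are constructed for illustration; the field names follow the ones the jq filter reads.

```python
import json

# Constructed sample in the shape the jq filter above reads from
# `openstack security group show <group> -c rules -f json`; not real cluster output.
SAMPLE = json.loads("""
{"rules": [
 {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_range_min": 6443, "port_range_max": 6443, "remote_ip_prefix": "0.0.0.0/0"},
 {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_range_min": 10357, "port_range_max": 10357, "remote_ip_prefix": "10.0.0.0/16"},
 {"id": "r3", "direction": "ingress", "protocol": "tcp", "port_range_min": 10250, "port_range_max": 10400, "remote_ip_prefix": "10.0.0.0/16"},
 {"id": "r4", "direction": "ingress", "protocol": "icmp", "port_range_min": null, "port_range_max": null, "remote_ip_prefix": "0.0.0.0/0"},
 {"id": "r5", "direction": "egress", "protocol": null, "port_range_min": null, "port_range_max": null, "remote_ip_prefix": null},
 {"id": "r6", "direction": "ingress", "protocol": "udp", "port_range_min": null, "port_range_max": null, "remote_ip_prefix": "10.0.0.0/16"}
]}
""")


def rules_covering_port(rules, port, protocol="tcp", direction="ingress"):
    """Return rules that admit `port`, including wider ranges and unrestricted rules."""
    hits = []
    for rule in rules:
        if rule.get("direction") != direction:
            continue
        proto = rule.get("protocol")
        # A null protocol means any protocol; otherwise it must match by name.
        if proto is not None and proto != protocol:
            continue
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        # Assumption: a missing bound is treated as open-ended (conservative).
        lo = 1 if lo is None else lo
        hi = 65535 if hi is None else hi
        if lo <= port <= hi:
            hits.append(rule)
    return hits


def rule_ids(rules, port, **kwargs):
    """Hypothetical helper: ids of the matching rules, for reporting."""
    return [r["id"] for r in rules_covering_port(rules, port, **kwargs)]


if __name__ == "__main__":
    for r in rules_covering_port(SAMPLE["rules"], 10357):
        print(r["id"], r["port_range_min"], r["port_range_max"], r["remote_ip_prefix"])
```

On the constructed sample, the exact-match filter would report only `r2`, while the range check also reports `r3`, which still admits TCP 10357 after the dedicated rule is removed.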

Comment 7 errata-xmlrpc 2022-09-20 16:34:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.11.5 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.