SG rules not correctly updated on service's targetPort update

Bug #1814920 reported by Maysa de Macedo Souza
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kuryr-kubernetes
Fix Released
Undecided
Maysa de Macedo Souza

Bug Description

It's expected that one SG rule is created for each port declared in the SVC spec. And, if a policy is applied, the SG rules must be removed when the 'targetPort' is not allowed by the policy, or created with a 'remote_ip_prefix' in case it is allowed. However, when a service is created, followed by a policy creation, and the service's targetPort is updated with a value allowed by the policy, the SG rule is not created with a 'remote_ip_prefix'. Also, if the service is once more updated with a port that is not allowed, the SG rule is not being removed, due to the previous wrong behavior.

Steps to reproduce:

1. Apply the following SVC spec:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8081
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8080
  selector:
    app: demo
  type: ClusterIP

2. Apply the following NP spec:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy2
spec:
  podSelector:
    matchLabels:
      app: demo
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: demo2
    ports:
    - protocol: TCP
      port: 8080

3. Update the SVC spec to match the following:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8080
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8080
  selector:
    app: demo
  type: ClusterIP

Result:

openstack security group show <lb_sg_id>
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2019-02-06T14:56:48Z |
| description | |
| id | 0b898c37-277f-4c4e-a432-82d2573c1663 |
| location | None |
| name | lb-cc3b5023-997d-4f2b-a845-4aa05c10d70a |
| project_id | 3586d72867ec487cb2e972c1d11673e2 |
| revision_number | 11 |
| rules | created_at='2019-02-06T14:57:49Z', description='default/demo-test7:TCP:443', direction='ingress', ethertype='IPv4', id='2d95f664-976d-4a74-babd-5437754d29b6', port_range_max='443', port_range_min='443', protocol='tcp', remote_ip_prefix='10.0.1.57/32', updated_at='2019-02-06T14:57:49Z' |
| | created_at='2019-02-06T14:56:48Z', direction='egress', ethertype='IPv6', id='407f88e3-2b3d-44b5-960f-34370b3eb7a9', updated_at='2019-02-06T14:56:48Z' |
| | created_at='2019-02-06T14:58:25Z', description='default/demo-test7:TCP:80', direction='ingress', ethertype='IPv4', id='5cb4760f-b5a1-49bf-bfa2-74e1b1f7bf83', port_range_max='80', port_range_min='80', protocol='tcp', updated_at='2019-02-06T14:58:25Z' |
| | created_at='2019-02-06T14:56:48Z', direction='egress', ethertype='IPv4', id='e5cc1098-653d-4585-bddf-c4e149c73fa1', updated_at='2019-02-06T14:56:48Z' |
| tags | [] |
| updated_at | 2019-02-06T14:58:25Z |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Expected Result:

openstack security group show <lb_sg_id>
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2019-02-06T14:48:05Z |
| description | |
| id | ffd22fe0-4fa8-48db-b6cf-52b9ca43df9a |
| location | None |
| name | lb-06fe632c-68ee-4b83-a32e-8fb5eee4536a |
| project_id | 3586d72867ec487cb2e972c1d11673e2 |
| revision_number | 13 |
| rules | created_at='2019-02-06T14:48:05Z', direction='egress', ethertype='IPv4', id='7c8b3cf5-0195-4ca7-8ccd-ab82086c1daf', updated_at='2019-02-06T14:48:05Z' |
| | created_at='2019-02-06T14:49:55Z', description='default/demo-test7:TCP:443', direction='ingress', ethertype='IPv4', id='8886c504-8185-46e1-976c-c6e51106d3fd', port_range_max='443', port_range_min='443', protocol='tcp', remote_ip_prefix='10.0.1.57/32', updated_at='2019-02-06T14:49:55Z' |
| | created_at='2019-02-06T14:51:54Z', description='default/demo-test7:TCP:80', direction='ingress', ethertype='IPv4', id='9d46c661-eff6-4e74-b75b-bca9be1d2355', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='10.0.1.57/32', updated_at='2019-02-06T14:51:54Z' |
| | created_at='2019-02-06T14:48:05Z', direction='egress', ethertype='IPv6', id='dfe8c411-699e-4af8-9096-e96d0367f33e', updated_at='2019-02-06T14:48:05Z' |
| tags | [] |
| updated_at | 2019-02-06T14:51:54Z |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

4. Apply the following SVC spec:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8080
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8081
  selector:
    app: demo
  type: ClusterIP

Result (No rules deleted):

openstack security group show <lb_sg_id>
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2019-02-06T15:28:21Z |
| description | |
| id | 8453fffe-32b3-42a9-8409-7f9d292bf2b7 |
| location | None |
| name | lb-f5928527-75a3-4978-bc39-61de8f52a0ff |
| project_id | 3586d72867ec487cb2e972c1d11673e2 |
| revision_number | 13 |
| rules | created_at='2019-02-06T15:28:21Z', direction='egress', ethertype='IPv6', id='1ead8df6-b31b-4f7e-807f-84052fafe8b4', updated_at='2019-02-06T15:28:21Z' |
| | created_at='2019-02-06T15:29:36Z', description='default/demo-test7:TCP:80', direction='ingress', ethertype='IPv4', id='30d4681a-432d-4d86-99ab-d154d583a740', port_range_max='80', port_range_min='80', protocol='tcp', updated_at='2019-02-06T15:29:36Z' |
| | created_at='2019-02-06T15:30:04Z', description='default/demo-test7:TCP:443', direction='ingress', ethertype='IPv4', id='777bac39-06ec-4714-8877-69ef108ad79e', port_range_max='443', port_range_min='443', protocol='tcp', updated_at='2019-02-06T15:30:04Z' |
| | created_at='2019-02-06T15:28:21Z', direction='egress', ethertype='IPv4', id='78849796-752f-48bf-bbd7-4dd823138eed', updated_at='2019-02-06T15:28:21Z' |
| tags | [] |
| updated_at | 2019-02-06T15:30:04Z |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
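The expected behaviour described in the report (one ingress SG rule per Service port; with a NetworkPolicy in place, a rule carrying the allowed pods' 'remote_ip_prefix' only when the port's targetPort is allowed, and no rule otherwise) can be replayed as a small reconciliation model. The following is an added example written for this page, not kuryr-kubernetes' own code: it uses constructed PortSpec/PolicyAllow/SGRule types in place of the real versioned objects and Neutron rules, assumes the policy's 'from' pod selector has already been resolved to the /32 prefix shown in the report (10.0.1.57/32), and models ingress rules only (the egress rules in the output are untouched by the bug). port_spec_changed() also shows why the fix adds 'targetPort' to the port spec comparison: without it, steps 3 and 4 of the report look like no-ops.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PortSpec:
    """One entry of a Service's spec.ports (constructed stand-in for the
    LBaaSPortSpec versioned object, with the target_port field the fix adds)."""
    name: str
    port: int
    protocol: str
    target_port: int


@dataclass(frozen=True)
class PolicyAllow:
    """One (protocol, port) pair allowed by a NetworkPolicy ingress rule plus the
    /32 prefixes of the pods its 'from' clause selects (assumed already resolved)."""
    protocol: str
    port: int
    remote_ip_prefixes: Tuple[str, ...]


@dataclass(frozen=True)
class SGRule:
    """The subset of a Neutron SG rule the report's output shows: description,
    protocol, a single-port range and an optional remote_ip_prefix."""
    description: str
    protocol: str
    port: int
    remote_ip_prefix: Optional[str] = None


def port_spec_changed(old: PortSpec, new: PortSpec, track_target_port: bool) -> bool:
    """Whether a Service port update should trigger SG reconciliation.
    With track_target_port=False (only name/port/protocol compared, as before the
    fix) a targetPort-only change is invisible and nothing is reconciled."""
    if track_target_port:
        return old != new
    return (old.name, old.port, old.protocol) != (new.name, new.port, new.protocol)


def desired_sg_rules(namespace: str, svc_name: str, ports: Iterable[PortSpec],
                     policy_allows: Optional[Iterable[PolicyAllow]]) -> FrozenSet[SGRule]:
    """Ingress rules the LB SG should hold: one open rule per port when no policy
    applies; with a policy, one rule per allowed remote prefix when the port's
    targetPort is allowed, and no rule at all when it is not."""
    rules = set()
    for p in ports:
        desc = f"{namespace}/{svc_name}:{p.protocol}:{p.port}"
        if policy_allows is None:
            rules.add(SGRule(desc, p.protocol.lower(), p.port))
            continue
        for allow in policy_allows:
            if allow.protocol == p.protocol and allow.port == p.target_port:
                for prefix in allow.remote_ip_prefixes:
                    rules.add(SGRule(desc, p.protocol.lower(), p.port, prefix))
    return frozenset(rules)


def reconcile(existing: FrozenSet[SGRule],
              desired: FrozenSet[SGRule]) -> Dict[str, FrozenSet[SGRule]]:
    """Set difference yields the create/delete calls the handler must issue."""
    return {"create": desired - existing, "delete": existing - desired}


def run_scenario() -> Dict[str, dict]:
    """Replays steps 1-4 of the report with constructed inputs and records, per
    step, the desired rule set and the actions needed to reach it."""
    allowed = (PolicyAllow("TCP", 8080, ("10.0.1.57/32",)),)
    ports_v1 = (PortSpec("port-80", 80, "TCP", 8081), PortSpec("port-443", 443, "TCP", 8080))
    ports_v2 = (PortSpec("port-80", 80, "TCP", 8080), PortSpec("port-443", 443, "TCP", 8080))
    ports_v3 = (PortSpec("port-80", 80, "TCP", 8080), PortSpec("port-443", 443, "TCP", 8081))
    steps = [
        ("1-service-created", ports_v1, None),
        ("2-policy-applied", ports_v1, allowed),
        ("3-port-80-target-8080", ports_v2, allowed),
        ("4-port-443-target-8081", ports_v3, allowed),
    ]
    existing: FrozenSet[SGRule] = frozenset()
    history = {}
    for label, ports, policy in steps:
        desired = desired_sg_rules("default", "demo-test7", ports, policy)
        history[label] = {"rules": desired, "actions": reconcile(existing, desired)}
        existing = desired
    return history


if __name__ == "__main__":
    for label, state in run_scenario().items():
        print(label)
        for r in sorted(state["rules"], key=lambda r: r.port):
            print("  ", r.description, r.remote_ip_prefix)
```

After step 3 the model holds both the TCP:80 and TCP:443 rules with remote_ip_prefix='10.0.1.57/32', matching the "Expected Result" table; after step 4 only the TCP:80 rule remains and the TCP:443 rule appears in the delete set, which is exactly the deletion the "No rules deleted" output shows missing.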

Changed in kuryr-kubernetes:
assignee: nobody → Maysa de Macedo Souza (maysa)
Changed in kuryr-kubernetes:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/635039
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=9c2fcbc3e3e72954b0e095e3fc5af46a6f678901
Submitter: Zuul
Branch: master

commit 9c2fcbc3e3e72954b0e095e3fc5af46a6f678901
Author: Maysa Macedo <email address hidden>
Date: Tue Feb 5 20:49:08 2019 +0000

    Fix SG rules on targetPort update

    After applying a Network Policy and updating an existing Service so that
    all 'targetPorts' are allowed by the policy, the SG rules are not being
    created with the required 'remote_ip_prefix'. Also, when the service is
    again updated with a 'targetPort' that is not allowed by the policy, the
    respective SG rule is not deleted.
    This commit fixes the issue by associating the 'targetPort' field with the
    'LBaaSPortSpec' versioned object, which allows Kuryr to account for
    changes not only in the 'name', 'port' and 'protocol' fields of Kubernetes
    services, but also in 'targetPorts'. In addition, the LBaaS SG from the
    LBaaS state annotation is updated to match the SG stated in the
    LBaaS spec annotation, which has the updated SG to be applied.

    Closes-Bug: #1814920
    Change-Id: Ifcdd1889a813c1eb078064facfb2ede83a179887

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 1.0.0

This issue was fixed in the openstack/kuryr-kubernetes 1.0.0 release.
