SG rules not correctly updated on service's targetPort update

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kuryr-kubernetes | Fix Released | Undecided | Maysa de Macedo Souza | |
Bug Description
One SG rule is expected to be created for each port declared in the SVC spec. If a network policy is applied, each SG rule must be removed when the policy does not allow its 'targetPort', or created with a 'remote_ip_prefix' when it does. However, when a service is created, a policy is then applied, and the service's targetPort is updated to a value the policy allows, the SG rule is not created with a 'remote_ip_prefix'. Also, if the service is updated once more with a port that is not allowed, the SG rule is not removed, because of the previous wrong behavior.
Steps to reproduce:
1. Apply the following SVC spec:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8081
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8080
  selector:
    app: demo
  type: ClusterIP
2. Apply the following NP spec:

apiVersion: networking.
kind: NetworkPolicy
metadata:
  name: test-network-
spec:
  podSelector:
    matchLabels:
      app: demo
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        app: demo2
    ports:
    - protocol: TCP
      port: 8080
3. Update the SVC spec to match the following:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8080
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8080
  selector:
    app: demo
  type: ClusterIP
Result:
openstack security group show <lb_sg_id>
+------
| Field | Value |
+------
| created_at | 2019-02-
| description | |
| id | 0b898c37-
| location | None |
| name | lb-cc3b5023-
| project_id | 3586d72867ec487
| revision_number | 11 |
| rules | created_
| | created_
| | created_
| | created_
| tags | [] |
| updated_at | 2019-02-
+------
Expected Result:
openstack security group show <lb_sg_id>
+------
| Field | Value |
+------
| created_at | 2019-02-
| description | |
| id | ffd22fe0-
| location | None |
| name | lb-06fe632c-
| project_id | 3586d72867ec487
| revision_number | 13 |
| rules | created_
| | created_
| | created_
| | created_
| tags | [] |
| updated_at | 2019-02-
+------
4. Apply the following SVC spec:

apiVersion: v1
kind: Service
metadata:
  name: demo-test7
spec:
  ports:
  - port: 80
    name: port-80
    protocol: TCP
    targetPort: 8080
  - port: 443
    name: port-443
    protocol: TCP
    targetPort: 8081
  selector:
    app: demo
  type: ClusterIP
Result (No rules deleted):
openstack security group show <lb_sg_id>
+------
| Field | Value |
+------
| created_at | 2019-02-
| description | |
| id | 8453fffe-
| location | None |
| name | lb-f5928527-
| project_id | 3586d72867ec487
| revision_number | 13 |
| rules | created_
| | created_
| | created_
| | created_
| tags | [] |
| updated_at | 2019-02-
+------
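The reconciliation the report expects, as an added example that is not kuryr-kubernetes code: each Service port yields one LB SG rule, a policy either restricts that rule with a 'remote_ip_prefix' or removes it, and change detection must include 'targetPort', since steps 3 and 4 change nothing else. The `PortSpec`/`SGRule` names, the `(protocol, targetPort)` allow-set and the `10.0.0.0/24` prefix are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PortSpec:                 # one entry of a Service's spec.ports
    name: str
    port: int
    protocol: str
    target_port: int
@dataclass(frozen=True)
class SGRule:                   # simplified LB SG ingress rule
    protocol: str
    port: int
    remote_ip_prefix: Optional[str]   # None: open to any source

def ports_changed(old, new, track_target_port=True):
    # track_target_port=False mimics the pre-fix comparison, which missed step 3
    def key(p):
        base = (p.name, p.port, p.protocol)
        return base + (p.target_port,) if track_target_port else base
    return {key(p) for p in old} != {key(p) for p in new}
def desired_rules(ports, allowed, cidr):
    """One rule per service port. allowed = {(protocol, targetPort)} the policy
    permits, or None when no policy applies; cidr = remote_ip_prefix to use."""
    rules = set()
    for p in ports:
        if allowed is None:
            rules.add(SGRule(p.protocol, p.port, None))
        elif (p.protocol, p.target_port) in allowed:
            rules.add(SGRule(p.protocol, p.port, cidr))
    return rules

def reconcile(current, ports, allowed, cidr):
    wanted = desired_rules(ports, allowed, cidr)
    return wanted - current, current - wanted   # (to create, to delete)

def run_report_scenario(cidr="10.0.0.0/24"):   # cidr is a constructed placeholder
    """Walks the report's four steps; returns the SG rule set after each step."""
    allowed = {("TCP", 8080)}   # the NetworkPolicy permits only TCP/8080
    def svc(t80, t443):
        return [PortSpec("port-80", 80, "TCP", t80), PortSpec("port-443", 443, "TCP", t443)]
    steps = [(svc(8081, 8080), None), (svc(8081, 8080), allowed),
             (svc(8080, 8080), allowed), (svc(8080, 8081), allowed)]
    current, history = set(), []
    for ports, policy in steps:
        create, delete = reconcile(current, ports, policy, cidr)
        current = (current | create) - delete
        history.append(frozenset(current))
    return history
```

After step 3 both rules carry the prefix and after step 4 the port-443 rule is gone, which is the expected result the report contrasts with the unchanged rule list it observed.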
Changed in kuryr-kubernetes:
  assignee: nobody → Maysa de Macedo Souza (maysa)
Changed in kuryr-kubernetes:
  status: New → In Progress
Reviewed: https://review.openstack.org/635039
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=9c2fcbc3e3e72954b0e095e3fc5af46a6f678901
Submitter: Zuul
Branch: master
commit 9c2fcbc3e3e72954b0e095e3fc5af46a6f678901
Author: Maysa Macedo <email address hidden>
Date: Tue Feb 5 20:49:08 2019 +0000
Fix SG rules on targetPort update
After applying a Network Policy and updating an existing Service so that
all 'targetPorts' are allowed by the policy, the SG rules are not being
created with the required 'remote_ip_prefix'. Also, when the service is
again updated with a 'targetPort' that is not allowed by the policy, the
respective SG rule is not deleted.
This commit fixes the issue by associating the 'targetPort' field with the
'LBaaSPortSpec' versioned object, which allows Kuryr to account for
changes not only in the 'name', 'port' and 'protocol' fields of Kubernetes
services, but also in 'targetPorts'. In addition, the LBaaS SG from the
LBaaS state annotation is updated to match the SG stated in the
LBaaS spec annotation, which has the updated SG to be applied.
Closes-Bug: #1814920
Change-Id: Ifcdd1889a813c1eb078064facfb2ede83a179887