NP: services sg rules not updated when scaling deployments

Bug #1816015 reported by Luis Tomas Bolivar
Affects: kuryr-kubernetes
Status: Fix Released
Importance: Undecided
Assigned to: Maysa de Macedo Souza

Bug Description

When NP policies are being used with podSelectors, for instance:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: demo

If a service points to pods where the above defined policy applies, its sg rules should be updated when pods with label 'run: demo' are created/deleted so that their associated IPs are either accepted or rejected.

Right now, if there is a pod (demo-1) with label 'run: demo' belonging to a deployment (demo), and that pod is killed, a new pod gets created by the deployment (demo-2); however, the svc sg rules keep accepting the demo-1 IP instead of demo-2. In addition, if this is used together with pools, it may lead to a security breach, as another pod without the right label could get the IP belonging to the demo-1 pod and access the svc while it should not be able to do so.

Changed in kuryr-kubernetes:
assignee: nobody → Maysa de Macedo Souza (maysa)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (master)

Fix proposed to branch: master
Review: https://review.openstack.org/637186

Changed in kuryr-kubernetes:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/637186
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=ba89bd027f465cd69e9114b800e6fd077cd09b47
Submitter: Zuul
Branch: master

commit ba89bd027f465cd69e9114b800e6fd077cd09b47
Author: Maysa Macedo <email address hidden>
Date: Fri Feb 15 13:41:33 2019 +0000

    Fix LBaaS sg rules update on deployment scale

    When a service is created with a Network Policy applied and
    deployments are scaled up or down, the LBaaS SG rules should be
    updated accordingly. Right now, the LBaaS/Service does not react to
    deployment scaling.
    This commit fixes the issue by ensuring that the LBaaS SG is updated
    on pod events.

    Also, when Pods, Network Policies and SVCs are created together it might
    happen that the LBaaS SG remains with default SG rules, even though
    the policy is being enforced. This commit ensures the right SG rules
    are applied on a LBaaS regardless of the order of k8s resource creation.
    This happens by setting the LBaaS Spec annotation whenever a request
    to update the SG rules has been made and retrieving the Spec again
    whenever a LBaaS member is created.

    Change-Id: I1c54d17a5fcff5387ffae2b132f5036ee9bf07ca
    Closes-Bug: 1816015
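The failure mode in the bug description and the recompute-on-pod-events approach the commit message describes, replayed as an added Python model. This is not kuryr-kubernetes code and assumes nothing about its internals: Pod, IngressPolicy, IpPool and ServiceSG are stand-ins for the real objects, the pod names, labels and 10.0.0.x addresses are constructed, and the resource-ordering part of the fix (the LBaaS Spec annotation) is not modelled.

```python
"""Model of why a Service's security-group (SG) rules must be recomputed on
pod events when a NetworkPolicy podSelector is in play. Added illustration,
not kuryr-kubernetes code; pod names, labels, IPs and the pool are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Pod:
    name: str
    ip: str
    labels: Dict[str, str]


@dataclass
class IngressPolicy:
    """One `ingress.from.podSelector.matchLabels` clause of a NetworkPolicy."""
    match_labels: Dict[str, str]


def selector_matches(match_labels: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector key/value must be on the pod."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def allowed_source_ips(policy: IngressPolicy, pods: List[Pod]) -> Set[str]:
    """Source IPs the Service SG should accept for the *current* pod set."""
    return {p.ip for p in pods if selector_matches(policy.match_labels, p.labels)}


class IpPool:
    """Toy port pool (stand-in for pooled Neutron ports): a released IP goes
    back on the free list and is handed to whichever pod asks next,
    regardless of that pod's labels."""

    def __init__(self, ips: List[str]) -> None:
        self._free = list(ips)

    def allocate(self) -> str:
        return self._free.pop(0)

    def release(self, ip: str) -> None:
        self._free.append(ip)


@dataclass
class ServiceSG:
    allowed: Set[str] = field(default_factory=set)

    def accepts(self, ip: str) -> bool:
        return ip in self.allowed


def simulate(recompute_on_pod_events: bool) -> Dict[str, bool]:
    """Replay the bug-report scenario. With recompute_on_pod_events=False the
    SG is only computed when the Service is created (reported behaviour);
    with True it is rebuilt on every pod create/delete (the fix)."""
    policy = IngressPolicy({"run": "demo"})
    pool = IpPool(["10.0.0.5", "10.0.0.6"])  # constructed addresses
    pods: List[Pod] = []
    sg = ServiceSG()

    def on_pod_event() -> None:
        if recompute_on_pod_events:
            sg.allowed = allowed_source_ips(policy, pods)

    # 1. Deployment "demo" starts demo-1; the Service is created and its SG
    #    rules are derived from the pods matching the selector at that time.
    demo1 = Pod("demo-1", pool.allocate(), {"run": "demo"})
    pods.append(demo1)
    sg.allowed = allowed_source_ips(policy, pods)

    # 2. demo-1 is killed, its IP returns to the pool, and the deployment
    #    replaces it with demo-2, which gets a different IP.
    pods.remove(demo1)
    pool.release(demo1.ip)
    on_pod_event()
    demo2 = Pod("demo-2", pool.allocate(), {"run": "demo"})
    pods.append(demo2)
    on_pod_event()

    # 3. An unrelated pod without the label is scheduled and is handed the
    #    recycled IP that demo-1 used to have.
    other = Pod("other-1", pool.allocate(), {"run": "other"})
    pods.append(other)
    on_pod_event()

    return {
        "demo2_reachable": sg.accepts(demo2.ip),  # must be True
        "other_reachable": sg.accepts(other.ip),  # must be False
        "other_has_old_ip": other.ip == demo1.ip,
    }


if __name__ == "__main__":
    print("stale rules:", simulate(recompute_on_pod_events=False))
    print("fixed rules:", simulate(recompute_on_pod_events=True))
```

The check a practitioner wants after any pod replacement is the one `simulate` makes at the end: diff the SG's allowed sources against the live set of IPs of pods matching the selector. Any entry that is in the SG but not in that set is an allow rule for whichever pod next receives the recycled port, which is exactly the pooled-port breach the report describes.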

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 1.0.0

This issue was fixed in the openstack/kuryr-kubernetes 1.0.0 release.
