NP: services sg rules not updated when scaling deployments
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kuryr-kubernetes | Fix Released | Undecided | Maysa de Macedo Souza | |
Bug Description
When NP policies are being used with podSelectors, for instance:
```yaml
ingress:
- from:
  - podSelector:
      matchLabels:
        run: demo
```
If a service points to pods where the above defined policy applies, its sg rules should be updated when pods with label 'run: demo' are created/deleted so that their associated IPs are either accepted or rejected.
Right now, if there is a pod (demo-1) with label 'run: demo' belonging to a deployment (demo), and that pod is killed, a new pod gets created by the deployment (demo-2); however, the svc sg rules keep accepting demo-1's IP instead of demo-2's. In addition, if this is used together with pools, it may lead to a security breach, as another pod without the right label could get the IP that belonged to the demo-1 pod and access the svc when it should not be able to do so.
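The scenario above, replayed as an added example that is not kuryr-kubernetes code: a toy model in which the service's ingress SG rules are a set of allowed remote IPs derived from the pods matching the policy's podSelector. Pod names, labels and the 10.0.0.x addresses are constructed for the illustration. It contrasts the stale rule set (never recomputed after the pod churn) with a rule set reconciled from the current pods, which is the behaviour the report asks for.

```python
"""Toy model of NetworkPolicy-driven service security-group reconciliation.

Added illustration, not kuryr-kubernetes code. A Service's ingress SG rules are
modelled as the set of remote IPs allowed in; the correct set is whatever the
current pods matching the policy's podSelector are using right now.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    ip: str
    labels: dict


def selector_matches(match_labels, pod):
    """True when every key/value in the podSelector's matchLabels is on the pod."""
    return all(pod.labels.get(k) == v for k, v in match_labels.items())


def allowed_source_ips(match_labels, pods):
    """Recompute the remote IPs the service's ingress SG rules should allow.

    This is the reconciliation step the bug report says is missing on pod
    create/delete events: derive the rules from the *current* matching pods.
    """
    return {pod.ip for pod in pods if selector_matches(match_labels, pod)}


def sg_allows(sg_rules, source_ip):
    """Stand-in for the SG check: a rule is just an allowed remote IP."""
    return source_ip in sg_rules


def replay_bug_scenario():
    """Replay the report: demo-1 dies, demo-2 replaces it, demo-1's pooled IP is reused."""
    match_labels = {"run": "demo"}  # the policy's podSelector (constructed)
    demo1 = Pod("demo-1", "10.0.0.11", {"run": "demo"})

    # Initial state: rules derived from the pods matching the selector.
    sg_rules = allowed_source_ips(match_labels, [demo1])

    # demo-1 is killed; the deployment creates demo-2 on a fresh IP, and
    # demo-1's pooled IP is handed to an unrelated pod without the label.
    demo2 = Pod("demo-2", "10.0.0.12", {"run": "demo"})
    unrelated = Pod("other", "10.0.0.11", {"run": "other"})
    current_pods = [demo2, unrelated]

    # Buggy behaviour: the rule set is never recomputed.
    stale_rules = sg_rules
    # Expected behaviour: rules recomputed on pod create/delete events.
    reconciled_rules = allowed_source_ips(match_labels, current_pods)

    return {
        "stale_allows_unrelated": sg_allows(stale_rules, unrelated.ip),
        "stale_allows_demo2": sg_allows(stale_rules, demo2.ip),
        "reconciled_allows_unrelated": sg_allows(reconciled_rules, unrelated.ip),
        "reconciled_allows_demo2": sg_allows(reconciled_rules, demo2.ip),
    }


if __name__ == "__main__":
    for key, value in replay_bug_scenario().items():
        print(f"{key}: {value}")
```

The stale rule set both lets the unlabelled pod in through the recycled IP and locks out the legitimate replacement pod; recomputing the allowed set from the pods that currently match the selector fixes both. In a real controller the same recomputation has to be triggered by the pod create and delete events, not only when the policy or service object itself changes.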
Changed in kuryr-kubernetes:
assignee: nobody → Maysa de Macedo Souza (maysa)
Fix proposed to branch: master
Review: https://review.openstack.org/637186