Removing network policy from namespace causes inability to access pods through loadbalancer.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr-kubernetes | Fix Released | High | Roman Dobosz |
Bug Description
This issue only applies to Octavia with Amphora.
Creating a NetworkPolicy which has no selectors, which denies all the traffic on the specified namespace, and removing it afterwards will leave the loadbalancer listener in offline state.
Steps to reproduce:
1. kubectl create namespace foo
2. kubectl run --image kuryr/demo -n foo server
3. kubectl expose pod/server -n foo --port 80 --target-port 8080
4. kubectl run --image kuryr/demo -n foo client
5. kubectl exec -ti -n foo client -- curl <server-pod-ip>
(should display: server: HELLO! I AM ALIVE!!!)
6. cat > policy_
apiVersion: networking.
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: foo
spec:
  podSelector: {}
  policyTypes:
  - Ingress
NIL
kubectl apply -f policy_
7. kubectl exec -ti -n foo client -- curl <server-pod-ip>
(should display: curl: (7) Failed to connect to <server-pod-ip> port 80: Connection refused)
8. kubectl delete -n foo networkpolicies deny-all
9. kubectl exec -ti -n foo client -- curl <server-pod-ip>
(should display: server: HELLO! I AM ALIVE!!!, but it is not!)
Examining the Octavia listener for this loadbalancer reveals it is in OFFLINE state and admin_state_up is false:
$ openstack loadbalancer listener show 6ce5cdb5-
+------
| Field | Value |
+------
| admin_state_up | False |
| connection_limit | -1 |
| created_at | 2020-10-08T12:41:30 |
| default_pool_id | 737f2de9-
| default_
| description | |
| id | 6ce5cdb5-
| insert_headers | None |
| l7policies | |
| loadbalancers | ca14d544-
| name | foo/foosrvr:TCP:80 |
| operating_status | OFFLINE |
| project_id | 510c39a72a1d420
| protocol | TCP |
| protocol_port | 80 |
| provisioning_status | ACTIVE |
| sni_container_refs | [] |
| timeout_client_data | 50000 |
| timeout_
| timeout_member_data | 50000 |
| timeout_tcp_inspect | 0 |
| updated_at | 2020-10-09T10:02:59 |
| client_
| client_
| client_
| allowed_cidrs | None |
| tls_ciphers | None |
| tls_versions | None |
| alpn_protocols | None |
+------
while it should be up, and online.
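
An operator-side check for the symptom described in this report, as an added example (not part of the original report or of kuryr-kubernetes): it lists listeners that are still admin-down in namespaces that no longer contain any NetworkPolicy. The sample data is constructed, and the `<namespace>/<service>:<protocol>:<port>` name format is an assumption inferred from the single listener name shown above; results are candidates to inspect, since a listener can be disabled for other reasons.

```python
import json

# Constructed sample data (not from the bug report): listener records using the
# field names shown in the `openstack loadbalancer listener show` output above,
# and a document shaped like `kubectl get networkpolicies -A -o json`.
LISTENERS_JSON = """[
 {"name": "foo/server:TCP:80", "admin_state_up": false,
  "operating_status": "OFFLINE", "provisioning_status": "ACTIVE"},
 {"name": "bar/web:TCP:443", "admin_state_up": false,
  "operating_status": "OFFLINE", "provisioning_status": "ACTIVE"},
 {"name": "baz/api:TCP:8080", "admin_state_up": true,
  "operating_status": "ONLINE", "provisioning_status": "ACTIVE"},
 {"name": "unrelated-listener", "admin_state_up": false,
  "operating_status": "OFFLINE", "provisioning_status": "ACTIVE"}
]"""
POLICIES_JSON = """{"items": [
 {"metadata": {"name": "deny-all", "namespace": "bar"}}
]}"""


def parse_listener_name(name):
    """Split '<namespace>/<service>:<protocol>:<port>'; None if not that shape."""
    ns, sep, rest = name.partition("/")
    parts = rest.rsplit(":", 2)
    if not sep or not ns or len(parts) != 3 or not parts[2].isdigit():
        return None
    return {"namespace": ns, "service": parts[0],
            "protocol": parts[1], "port": int(parts[2])}


def stale_disabled_listeners(listeners, policies):
    """Listeners left admin-down in namespaces that no longer have any policy."""
    guarded = {p["metadata"]["namespace"] for p in policies.get("items", [])}
    stale = []
    for lsn in listeners:
        parsed = parse_listener_name(lsn.get("name") or "")
        if parsed is None:
            continue  # name does not follow the assumed format; skip it
        if lsn.get("admin_state_up") is False and parsed["namespace"] not in guarded:
            stale.append(lsn["name"])
    return stale


if __name__ == "__main__":
    for name in stale_disabled_listeners(json.loads(LISTENERS_JSON),
                                         json.loads(POLICIES_JSON)):
        print("stale admin-down listener:", name)
```

Namespaces that still have any NetworkPolicy are skipped on purpose, because a deny-all policy there would make the disabled listener expected.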
Changed in kuryr-kubernetes:
assignee: nobody → Roman Dobosz (roman-dobosz)
Changed in kuryr-kubernetes:
importance: Undecided → High
Fix proposed to branch: master
Review: https://review.opendev.org/757077