Bug
Resolution: Done
Normal
Steps to reproduce:
- Install the latest staging cert-manager 1.18.0 operator
- Enable the defaultNetworkPolicy through CertManager CR
- Configure multiple user-defined networkPolicies[]
- Delete any one of the user-defined networkpolicy objects
- Check if the deleted networkpolicy is created again
oc patch certmanager.operator cluster --type=merge -p='
spec:
  defaultNetworkPolicy: "true"
'

oc patch certmanager.operator cluster --type=merge -p='
spec:
  defaultNetworkPolicy: "true"
  networkPolicies:
  - componentName: CoreController
    egress:
    - ports:
      - port: 80
        protocol: TCP
      - port: 443
        protocol: TCP
    name: allow-egress-to-acme-server
  - componentName: CoreController
    egress:
    - ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
    name: allow-egress-to-dns-service
  - componentName: CoreController
    egress:
    - ports:
      - port: 3128
        protocol: TCP
    name: allow-egress-to-proxy
  - componentName: CoreController
    egress:
    - ports:
      - port: 8200
        protocol: TCP
    name: allow-egress-to-vault-server
'

$ oc delete netpol -n cert-manager cert-manager-user-allow-egress-to-acme-server

# wait and check
# first time
$ oc get netpol -n cert-manager
NAME                                             POD-SELECTOR                             AGE
cert-manager-allow-egress-to-api-server          app.kubernetes.io/instance=cert-manager  102m
cert-manager-allow-egress-to-dns                 app=cert-manager                         102m
cert-manager-allow-ingress-to-metrics            app.kubernetes.io/instance=cert-manager  102m
cert-manager-allow-ingress-to-webhook            app=webhook                              102m
cert-manager-deny-all                            app.kubernetes.io/instance=cert-manager  102m
cert-manager-user-allow-egress-to-dns-service    app=cert-manager                         100m
cert-manager-user-allow-egress-to-proxy          app=cert-manager                         100m
cert-manager-user-allow-egress-to-vault-server   app=cert-manager                         100m

# 'cert-manager-user-allow-egress-to-acme-server' occurs after ~8 mins
$ oc get netpol -n cert-manager
NAME                                             POD-SELECTOR                             AGE
cert-manager-allow-egress-to-api-server          app.kubernetes.io/instance=cert-manager  120m
cert-manager-allow-egress-to-dns                 app=cert-manager                         120m
cert-manager-allow-ingress-to-metrics            app.kubernetes.io/instance=cert-manager  120m
cert-manager-allow-ingress-to-webhook            app=webhook                              120m
cert-manager-deny-all                            app.kubernetes.io/instance=cert-manager  120m
cert-manager-user-allow-egress-to-acme-server    app=cert-manager                         11m
cert-manager-user-allow-egress-to-dns-service    app=cert-manager                         119m
cert-manager-user-allow-egress-to-proxy          app=cert-manager                         119m
cert-manager-user-allow-egress-to-vault-server   app=cert-manager                         119m
The "cert-manager-user-allow-egress-to-acme-server" was created after 8 mins, which is an unacceptably long interval.
Expected result: Deleted user-defined network policy object should be recreated successfully right after manual force deletion. For comparison, the NPs managed by the static resources controller would reconcile the deleted NP immediately.
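To make the reproduction repeatable, the check above can be scripted so that the recreation delay is measured rather than eyeballed. This is an added example, not part of the original report or the operator's own tooling; the function names, default timeout and poll interval are assumptions.

```shell
#!/bin/sh
# Added example: time how long it takes for a deleted user-defined
# NetworkPolicy to be recreated. Function names and defaults are assumptions.

# netpol_uid NAMESPACE NAME: print the policy's UID; non-zero exit if absent.
netpol_uid() {
    oc get netpol -n "$1" "$2" -o jsonpath='{.metadata.uid}' 2>/dev/null
}

# measure_recreate NAMESPACE NAME [TIMEOUT_S] [POLL_S]
# Deletes the policy, polls until an object with a *different* UID exists
# (so a not-yet-removed old object is never mistaken for the new one),
# and prints the elapsed seconds.
# Returns 0 when recreated, 1 on timeout, 2 if the policy was absent at start
# or the delete failed.
measure_recreate() {
    ns=$1; name=$2; timeout=${3:-900}; poll=${4:-5}
    old_uid=$(netpol_uid "$ns" "$name") || return 2
    [ -n "$old_uid" ] || return 2
    oc delete netpol -n "$ns" "$name" >/dev/null || return 2
    start=$(date +%s)
    while :; do
        new_uid=$(netpol_uid "$ns" "$name") || new_uid=
        elapsed=$(( $(date +%s) - start ))
        if [ -n "$new_uid" ] && [ "$new_uid" != "$old_uid" ]; then
            echo "$elapsed"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "$elapsed"
            return 1
        fi
        sleep "$poll"
    done
}

# recreate_within NAMESPACE NAME BUDGET_S [POLL_S]
# Pass/fail form for a regression check: succeeds only if the policy is
# back within BUDGET_S seconds of the delete.
recreate_within() {
    secs=$(measure_recreate "$1" "$2" "$3" "${4:-1}") || return 1
    [ "$secs" -le "$3" ]
}

# Usage against the policy from this report:
#   measure_recreate cert-manager cert-manager-user-allow-egress-to-acme-server
```

A run that prints a value near 480 matches the ~8 min delay reported here; the expected result corresponds to a value of a few seconds.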