Bug
Resolution: Unresolved
Logging 6.4.0
Incidents & Support
NEW
Bug Fix
Important
Description of problem:
When there are multiple outputs or inputs.receiver in the CLF, after enabling `RestrictIngressEgress` networkpolicy ruleSet, the CLO keeps updating the order of ingress/egress ports in the networkpolicy/collector-xxxx.
CLF:
```yaml
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  creationTimestamp: "2025-11-21T07:25:22Z"
  generation: 1
  name: forward-to-http-85490
  namespace: e2e-test-logging-np-5fdlb
  resourceVersion: "51665"
  uid: f6158938-8bc3-43cf-ac2f-1f4dc77b47e2
spec:
  collector:
    networkPolicy:
      ruleSet: RestrictIngressEgress
  managementState: Managed
  outputs:
  - http:
      headers:
        h1: v1
        h2: v2
      method: POST
      url: https://http-to-splunk-85465-httpserver1.e2e-test-logging-np-5fdlb.svc:8081
    name: httpout-app
    tls:
      ca:
        key: tls.crt
        secretName: http-to-splunk-85465-httpserver1
    type: http
  - http:
      headers:
        h1: v1
        h2: v2
      method: POST
      url: https://http-to-splunk-85465-httpserver2.e2e-test-logging-np-5fdlb.svc:8082
    name: httpout-infra
    tls:
      ca:
        key: tls.crt
        secretName: http-to-splunk-85465-httpserver2
    type: http
  - http:
      headers:
        h1: v1
        h2: v2
      method: POST
      url: https://http-to-splunk-85465-httpserver3.e2e-test-logging-np-5fdlb.svc:8083
    name: httpout-audit
    tls:
      ca:
        key: tls.crt
        secretName: http-to-splunk-85465-httpserver3
    type: http
  pipelines:
  - inputRefs:
    - application
    name: app-logs
    outputRefs:
    - httpout-app
  - inputRefs:
    - infrastructure
    name: infra-logs
    outputRefs:
    - httpout-infra
  - inputRefs:
    - audit
    name: audit-logs
    outputRefs:
    - httpout-audit
  serviceAccount:
    name: test-clf-6dyik7l2
```
Networkpolicy:
```
$ oc get networkpolicies.networking.k8s.io collector-forward-to-http-85490 -w
NAME                              POD-SELECTOR                                                                                                                                                                                                  AGE
collector-forward-to-http-85490   app.kubernetes.io/component=collector,app.kubernetes.io/instance=forward-to-http-85490,app.kubernetes.io/managed-by=cluster-logging-operator,app.kubernetes.io/name=vector,app.kubernetes.io/part-of=cluster-logging   38m
collector-forward-to-http-85490   app.kubernetes.io/component=collector,app.kubernetes.io/instance=forward-to-http-85490,app.kubernetes.io/managed-by=cluster-logging-operator,app.kubernetes.io/name=vector,app.kubernetes.io/part-of=cluster-logging   39m
collector-forward-to-http-85490   app.kubernetes.io/component=collector,app.kubernetes.io/instance=forward-to-http-85490,app.kubernetes.io/managed-by=cluster-logging-operator,app.kubernetes.io/name=vector,app.kubernetes.io/part-of=cluster-logging   39m
collector-forward-to-http-85490   app.kubernetes.io/component=collector,app.kubernetes.io/instance=forward-to-http-85490,app.kubernetes.io/managed-by=cluster-logging-operator,app.kubernetes.io/name=vector,app.kubernetes.io/part-of=cluster-logging   39m
collector-forward-to-http-85490   app.kubernetes.io/component=collector,app.kubernetes.io/instance=forward-to-http-85490,app.kubernetes.io/managed-by=cluster-logging-operator,app.kubernetes.io/name=vector,app.kubernetes.io/part-of=cluster-logging   39m
```

```
$ oc get networkpolicies.networking.k8s.io collector-forward-to-http-85490 -oyaml -w
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-11-21T07:25:27Z"
  generation: 167
  labels:
    app.kubernetes.io/component: collector
    app.kubernetes.io/instance: forward-to-http-85490
    app.kubernetes.io/managed-by: cluster-logging-operator
    app.kubernetes.io/name: vector
    app.kubernetes.io/part-of: cluster-logging
    app.kubernetes.io/version: 6.4.0
  name: collector-forward-to-http-85490
  namespace: e2e-test-logging-np-5fdlb
  ownerReferences:
  - apiVersion: observability.openshift.io/v1
    controller: true
    kind: ClusterLogForwarder
    name: forward-to-http-85490
    uid: f6158938-8bc3-43cf-ac2f-1f4dc77b47e2
  resourceVersion: "51859"
  uid: 5b876fcb-6e3b-4407-ba7c-764cad42fc90
spec:
  egress:
  - ports:
    - port: dns
      protocol: UDP
    - port: 6443
      protocol: TCP
    - port: 8081
      protocol: TCP
    - port: 8082
      protocol: TCP
    - port: 8083
      protocol: TCP
  ingress:
  - ports:
    - port: metrics
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/component: collector
      app.kubernetes.io/instance: forward-to-http-85490
      app.kubernetes.io/managed-by: cluster-logging-operator
      app.kubernetes.io/name: vector
      app.kubernetes.io/part-of: cluster-logging
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-11-21T07:25:27Z"
  generation: 168
  labels:
    app.kubernetes.io/component: collector
    app.kubernetes.io/instance: forward-to-http-85490
    app.kubernetes.io/managed-by: cluster-logging-operator
    app.kubernetes.io/name: vector
    app.kubernetes.io/part-of: cluster-logging
    app.kubernetes.io/version: 6.4.0
  name: collector-forward-to-http-85490
  namespace: e2e-test-logging-np-5fdlb
  ownerReferences:
  - apiVersion: observability.openshift.io/v1
    controller: true
    kind: ClusterLogForwarder
    name: forward-to-http-85490
    uid: f6158938-8bc3-43cf-ac2f-1f4dc77b47e2
  resourceVersion: "52163"
  uid: 5b876fcb-6e3b-4407-ba7c-764cad42fc90
spec:
  egress:
  - ports:
    - port: dns
      protocol: UDP
    - port: 6443
      protocol: TCP
    - port: 8083
      protocol: TCP
    - port: 8081
      protocol: TCP
    - port: 8082
      protocol: TCP
  ingress:
  - ports:
    - port: metrics
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/component: collector
      app.kubernetes.io/instance: forward-to-http-85490
      app.kubernetes.io/managed-by: cluster-logging-operator
      app.kubernetes.io/name: vector
      app.kubernetes.io/part-of: cluster-logging
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-11-21T07:25:27Z"
  generation: 169
  labels:
    app.kubernetes.io/component: collector
    app.kubernetes.io/instance: forward-to-http-85490
    app.kubernetes.io/managed-by: cluster-logging-operator
    app.kubernetes.io/name: vector
    app.kubernetes.io/part-of: cluster-logging
    app.kubernetes.io/version: 6.4.0
  name: collector-forward-to-http-85490
  namespace: e2e-test-logging-np-5fdlb
  ownerReferences:
  - apiVersion: observability.openshift.io/v1
    controller: true
    kind: ClusterLogForwarder
    name: forward-to-http-85490
    uid: f6158938-8bc3-43cf-ac2f-1f4dc77b47e2
  resourceVersion: "52176"
  uid: 5b876fcb-6e3b-4407-ba7c-764cad42fc90
spec:
  egress:
  - ports:
    - port: dns
      protocol: UDP
    - port: 6443
      protocol: TCP
    - port: 8081
      protocol: TCP
    - port: 8082
      protocol: TCP
    - port: 8083
      protocol: TCP
  ingress:
  - ports:
    - port: metrics
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/component: collector
      app.kubernetes.io/instance: forward-to-http-85490
      app.kubernetes.io/managed-by: cluster-logging-operator
      app.kubernetes.io/name: vector
      app.kubernetes.io/part-of: cluster-logging
  policyTypes:
  - Ingress
  - Egress
```
Version-Release number of selected component (if applicable):
cluster-logging.v6.4.0
How reproducible:
Always
Steps to Reproduce:
- Create CLF with multiple outputs or inputs.receiver, and enable `RestrictIngressEgress` networkpolicy
- Don't change anything in CLF, watch the networkpolicy
Actual results:
The CLO keeps updating the networkpolicy resource
Expected results:
CLO should update the networkpolicy only when there are some changes in CLF's inputs.receiver, outputs or ruleSet.
Additional info:
No issue when there is only 1 output and/or 1 inputs.receiver.
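
A triage aid for the churn shown above, added here as an example and not taken from the cluster-logging-operator: it compares the egress port lists from the three watched generations and separates reorder-only updates from updates that change which ports the policy allows. The `Port` type and the `key` and `Classify` helpers are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Port holds the two fields of a NetworkPolicy port entry shown in the report.
type Port struct{ Port, Protocol string }

// Egress port lists copied from generations 167, 168 and 169 in the report.
var (
	gen167 = []Port{{"dns", "UDP"}, {"6443", "TCP"}, {"8081", "TCP"}, {"8082", "TCP"}, {"8083", "TCP"}}
	gen168 = []Port{{"dns", "UDP"}, {"6443", "TCP"}, {"8083", "TCP"}, {"8081", "TCP"}, {"8082", "TCP"}}
	gen169 = []Port{{"dns", "UDP"}, {"6443", "TCP"}, {"8081", "TCP"}, {"8082", "TCP"}, {"8083", "TCP"}}
)

// key renders a port list as "PROTO/port,..."; with sorted=true the result
// no longer depends on the order of the list.
func key(ports []Port, sorted bool) string {
	items := make([]string, 0, len(ports))
	for _, p := range ports {
		items = append(items, p.Protocol+"/"+p.Port)
	}
	if sorted {
		sort.Strings(items)
	}
	return strings.Join(items, ",")
}

// Classify reports whether an update left the list identical, only reordered
// it, or changed the set of allowed ports.
func Classify(prev, next []Port) string {
	switch {
	case key(prev, false) == key(next, false):
		return "identical"
	case key(prev, true) == key(next, true):
		return "reorder-only"
	}
	return "changed"
}

func main() {
	fmt.Println("167 -> 168:", Classify(gen167, gen168))
	fmt.Println("168 -> 169:", Classify(gen168, gen169))
	fmt.Println("167 -> 169:", Classify(gen167, gen169))
}
```

A "reorder-only" result means the generation bump did not alter the enforced rule set, which is the distinction an auditor needs when a policy's generation counter climbs without any CLF change.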