Maistra / MAISTRA-2521

OVNKubernetes network OSSM Authorization Policy Failed in applying Allow GET HTTP methods


Details

    • Bug
    • Resolution: Done
    • Major
    • maistra-1.1.16.2
    • qa_ack

    Description

      When we test OSSM 1.1.16.2 in an OVNKubernetes network OCP environment, we see a random failure in the OSSM Authorization Policy HTTP traffic case. The Authorization Policy was not always applied properly.

      We tested the same test case and did not see any failure in an OpenShiftSDN network OCP environment.

      ovn-kubenode Pod ovn-kubenode Container log:

      2904 ovs.go:168] exec(27): stderr: "Error: ipv4: FIB table does not exist.\nDump terminated\n"


      ovs-node pod log:
      2021-07-21T15:44:11.368Z|00127|bridge|ERR|interface br-ex: ignoring mac in Interface record (use Bridge record to set local port's mac)
      2021-07-21T15:44:11.374Z|00128|bridge|ERR|interface br-ex: ignoring mac in Interface record (use Bridge record to set local port's mac)

      Build Info:
      OCP version:   4.6.39 
      network:           OVNKubernetes
      ovn rpm version:
      ovn2.13-20.12.0-24.el8fdp.x86_64
      ovn2.13-vtep-20.12.0-24.el8fdp.x86_64
      ovn2.13-host-20.12.0-24.el8fdp.x86_64
      ovn2.13-central-20.12.0-24.el8fdp.x86_64

      OSSM operator version:  2.0.6.2
      SMCP version: 1.1.16.2

      Test case :
      https://istio.io/v1.6/docs/tasks/security/authorization/authz-http/
      https://github.com/maistra/maistra-test-tool/blob/maistra-2.0/tests/task_security_authorization_http_test.go
      https://polarion.engineering.redhat.com/polarion/#/project/MaistraIstio/workitem?id=MAIST-456

      How to reproduce:
      1. Create an OCP cluster with OVNKubernetes network type in install-config.yaml
      2. Deploy OSSM 2.0.6.2 operator and create SMCP 1.1.16.2
      3. Follow the Test case steps above and check the sample application Bookinfo productpage after each Authorization Policy configuration.
      4. Check RBAC access denied response as expected after applying RBAC denied policy
      5. Check productpage response failed after applying Allow HTTP GET policy
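
An added example, not part of the original report or of maistra-test-tool: because the failure is described as random, a single request can miss it, so this script repeats the productpage request and reports whether the expected status code came back every time. `GATEWAY_URL`, `COUNT`, `EXPECTED` and the function names are assumptions; 200 is what the linked Istio task expects after the allow-GET policy and 403 after the deny policy.

```shell
#!/bin/sh
# Added example: repeat the productpage check so that intermittent policy
# enforcement shows up as a mix of status codes instead of one lucky result.

# probe_codes URL COUNT: print COUNT HTTP status codes, one per line.
# A request that gets no HTTP response at all is recorded as 000.
probe_codes() {
    pc_i=0
    while [ "$pc_i" -lt "$2" ]; do
        pc_code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1") || pc_code=000
        echo "$pc_code"
        pc_i=$((pc_i + 1))
        sleep 1
    done
}

# classify_codes EXPECTED: read status codes on stdin and report whether the
# expected code was seen on every request, on some of them, or on none.
classify_codes() {
    cc_total=0
    cc_match=0
    while read -r cc_code; do
        if [ -z "$cc_code" ]; then continue; fi
        cc_total=$((cc_total + 1))
        if [ "$cc_code" = "$1" ]; then cc_match=$((cc_match + 1)); fi
    done
    if [ "$cc_total" -eq 0 ]; then
        echo "no-data"
    elif [ "$cc_match" -eq "$cc_total" ]; then
        echo "consistent $cc_match/$cc_total"
    elif [ "$cc_match" -eq 0 ]; then
        echo "never 0/$cc_total"
    else
        echo "intermittent $cc_match/$cc_total"
    fi
}

# Live run only when GATEWAY_URL (assumed: ingress gateway host:port) is set.
# EXPECTED defaults to 200 (after the allow-GET policy); use EXPECTED=403
# after the deny policy.
if [ -n "${GATEWAY_URL:-}" ]; then
    probe_codes "http://$GATEWAY_URL/productpage" "${COUNT:-30}" |
        classify_codes "${EXPECTED:-200}"
fi
```

An `intermittent` result after a policy has had time to propagate corresponds to the behaviour reported here; `never` points to a policy that is not applied at all.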

            People

              yuaxu@redhat.com Yuanlin Xu