- Bug
- Resolution: Won't Do
- Normal
- None
- 4.10
- Moderate
- No
- SDN Sprint 240
- 1
- Rejected
- False
Description of problem:
OVN doesn't fix the issue by itself when a wrong EgressFirewall is created and afterwards it's deleted and re-created as a correct one.
Version-Release number of selected component (if applicable):
OCP 4.13 and older versions
How reproducible:
Every time
Steps to Reproduce:
$ oc project test
$ cat egress-firewall
kind: EgressFirewall
apiVersion: k8s.ovn.org/v1
metadata:
  name: default
spec:
  egress:
  - type: Deny
    to:
      cidrSelector: 8.8.8.8   <-------
$ oc create -f egress-firewall
egressfirewall.k8s.ovn.org/default created
$ oc get EgressFirewall
NAME      EGRESSFIREWALL STATUS
default
--> I have created an EgressFirewall in the "test" namespace to Deny traffic to IP address "8.8.8.8" and intentionally didn't specify the correct CIDR, which was "8.8.8.8/32". Due to this, the EgressFirewall wasn't applied, as shown above.
$ oc project ayush-nad
$ cat new-egressfirewall
kind: EgressFirewall
apiVersion: k8s.ovn.org/v1
metadata:
  name: default
spec:
  egress:
  - ports:
    - port: 8080
      protocol: TCP
    to:
      cidrSelector: 167.211.174.23/32
    type: Allow
  - ports:
    - port: 443
      protocol: TCP
    to:
      cidrSelector: 10.222.210.146/32
  ...
$ oc create -f new-egressfirewall
egressfirewall.k8s.ovn.org/default created
$ oc get EgressFirewall
NAME      EGRESSFIREWALL STATUS
default
$ oc get EgressFirewall -A
NAMESPACE   NAME      EGRESSFIREWALL STATUS
ayush-nad   default
test        default
--> Now, I tried to create the correct EgressFirewall, which was provided by you, in another namespace, and it also got stuck. I believe this is happening due to that earlier wrong EgressFirewall; maybe it's OVN behaviour not allowing a new EgressFirewall to be created if any wrong EgressFirewall is already stuck.
$ oc project ayush-nad
$ oc create -f new-egressfirewall
egressfirewall.k8s.ovn.org/default created
$ oc project test
$ oc delete -f egress-firewall
egressfirewall.k8s.ovn.org "default" deleted
$ oc get EgressFirewall -A
No resources found
$ oc create -f new-egressfirewall
egressfirewall.k8s.ovn.org/default created
$ oc get EgressFirewall
NAME      EGRESSFIREWALL STATUS
default
$ oc get EgressFirewall -A
NAMESPACE   NAME      EGRESSFIREWALL STATUS
test        default
--> Further on, I deleted both EgressFirewalls and created the correct EgressFirewall, but somehow it was stuck even when there was no pending EgressFirewall in the cluster.
I was able to resolve the issue after deleting the pods from "openshift-ovn-kubernetes" namespace.
$ oc get EgressFirewall -A
NAMESPACE   NAME      EGRESSFIREWALL STATUS
ayush-nad   default   EgressFirewall Rules not correctly added
test        default   EgressFirewall Rules applied
--> Just to verify once more, I tried the same use case again by creating the wrong EgressFirewall first and afterwards the correct one. What I observed was that this time the wrong one showed the correct message and was not applied, while the correct one got applied.
Actual results:
ACLs for EgressFirewall aren't there as expected.
Expected results:
ACLs for EgressFirewall should be re-created and deleted automatically by OVN without manual intervention.
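The first manifest in the report fails because cidrSelector: 8.8.8.8 omits the prefix length, and the object then sits with an empty status instead of being rejected up front. A pre-apply check catches that before the manifest reaches the cluster. The Python validator below is an added example, not part of this bug report or of ovn-kubernetes; it models the EgressFirewall fields used above (type, to.cidrSelector, to.dnsName, ports) as they appear in the k8s.ovn.org/v1 objects in the report, and the two sample manifests are constructed after the ones shown, with the elided second rule's type assumed to be Allow. The one non-obvious point is that ipaddress.ip_network("8.8.8.8") silently accepts a bare address as a /32, so the check must test for an explicit prefix before parsing.

```python
import ipaddress

# Constructed sample manifests modelled on the bug report: the first omits the
# prefix length on cidrSelector, the second is well-formed (second rule's
# "type: Allow" is assumed; the report elides it).
BAD_MANIFEST = {
    "kind": "EgressFirewall",
    "apiVersion": "k8s.ovn.org/v1",
    "metadata": {"name": "default"},
    "spec": {"egress": [{"type": "Deny", "to": {"cidrSelector": "8.8.8.8"}}]},
}

GOOD_MANIFEST = {
    "kind": "EgressFirewall",
    "apiVersion": "k8s.ovn.org/v1",
    "metadata": {"name": "default"},
    "spec": {"egress": [
        {"type": "Allow", "ports": [{"port": 8080, "protocol": "TCP"}],
         "to": {"cidrSelector": "167.211.174.23/32"}},
        {"type": "Allow", "ports": [{"port": 443, "protocol": "TCP"}],
         "to": {"cidrSelector": "10.222.210.146/32"}},
    ]},
}


def check_cidr_selector(value):
    """Return None if value is an explicit, canonical CIDR, else an error string.

    ipaddress.ip_network("8.8.8.8") returns 8.8.8.8/32 without complaint, so a
    bare address has to be rejected before the value is handed to the parser.
    strict=True additionally rejects networks with host bits set (10.0.0.1/24).
    """
    if not isinstance(value, str) or "/" not in value:
        return f"cidrSelector {value!r} has no prefix length"
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return f"cidrSelector {value!r} is not a valid network: {exc}"
    return None


def validate_egress_firewall(manifest):
    """Return a list of problems found in an EgressFirewall manifest (empty = OK).

    The checks cover only the fields shown in the report: kind, the required
    object name "default", rule type, the to.cidrSelector / to.dnsName target,
    and the optional ports list.
    """
    problems = []
    if manifest.get("kind") != "EgressFirewall":
        problems.append(f"kind must be EgressFirewall, got {manifest.get('kind')!r}")
    if manifest.get("metadata", {}).get("name") != "default":
        problems.append("EgressFirewall object must be named 'default'")

    rules = manifest.get("spec", {}).get("egress", [])
    if not rules:
        problems.append("spec.egress has no rules")
    for i, rule in enumerate(rules):
        where = f"spec.egress[{i}]"
        if rule.get("type") not in ("Allow", "Deny"):
            problems.append(f"{where}.type must be Allow or Deny, got {rule.get('type')!r}")
        to = rule.get("to", {})
        has_cidr, has_dns = "cidrSelector" in to, "dnsName" in to
        if has_cidr == has_dns:
            problems.append(f"{where}.to must set exactly one of cidrSelector or dnsName")
        if has_cidr:
            err = check_cidr_selector(to["cidrSelector"])
            if err:
                problems.append(f"{where}.to: {err}")
        for j, port in enumerate(rule.get("ports", [])):
            pwhere = f"{where}.ports[{j}]"
            if port.get("protocol") not in ("TCP", "UDP", "SCTP"):
                problems.append(f"{pwhere}.protocol must be TCP, UDP or SCTP")
            p = port.get("port")
            if not isinstance(p, int) or not 1 <= p <= 65535:
                problems.append(f"{pwhere}.port must be an integer in 1..65535")
    return problems


if __name__ == "__main__":
    for label, manifest in (("bad", BAD_MANIFEST), ("good", GOOD_MANIFEST)):
        found = validate_egress_firewall(manifest)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

Run against the report's first manifest it reports spec.egress[0].to: cidrSelector '8.8.8.8' has no prefix length and nothing for the corrected one; wiring it in as a pre-commit or CI step keeps the misconfigured object from ever being created, which sidesteps the stuck-status behaviour described above.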
- relates to: OCPBUGS-15719 [4.12] Cannot fix a misconfigured Egress Firewall (Closed)