- Bug
- Resolution: Done
- Minor
- None
- 4.12
- None
- Low
- No
- False
Description of problem:
When two IngressNodeFirewalls apply to a node (e.g. via matching node selector labels), if one of these labels is removed the corresponding IngressNodeFirewall is not removed from the node and all firewall rules remain applied to that node.
Version-Release number of selected component (if applicable):
4.12.0-202309181625
How reproducible:
Reliable
Steps to Reproduce:
1. Create "base" and "overlay" IngressNodeFirewall objects where each has a unique label in the node selector field.
2. Apply the label for the "base" IngressNodeFirewall to a target node. The "base" IngressNodeFirewall is applied to the target node as expected.
3. Apply the label for the "overlay" IngressNodeFirewall to a target node. The "overlay" IngressNodeFirewall is also applied to the target node in combination with the "base" firewall as expected.
4. Remove the label for the "base" IngressNodeFirewall from the target node.
Actual results:
The firewall applied to the target node is unchanged from the state at the end of step 3.
Expected results:
The "base" firewall rules are removed from the target node, leaving the "overlay" firewall rules only.
Additional info:
The IngressNodeFirewallState object shows it is owned by the "base" IngressNodeFirewall object. I suspect the order of the steps above is very important to reproducing the issue, i.e. repeating steps 1-3 and then removing the "overlay" label will likely produce the expected results.
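
An audit for the condition described in this report, as an added example that is not part of the original report or the operator's code: it compares the rules applied on a node with the union of rules from the firewalls whose node selector still matches. The label names, the reduced object shape and the rule tuples are constructed assumptions.

```python
# Added example (not from the bug report): audit a node for stale firewall rules.
# Assumption: objects are reduced to the fields used here; rule tuples are a
# simplified (sourceCIDR, protocol, port, action) form, not the CR schema.

def selects(firewall, node_labels):
    """True when every matchLabels pair in the firewall's nodeSelector is on the node.
    An empty matchLabels matches every node here (an assumption of this sketch)."""
    wanted = firewall["spec"]["nodeSelector"]["matchLabels"]
    return all(node_labels.get(k) == v for k, v in wanted.items())

def expected_rules(firewalls, node_labels):
    """Union of the rules of every firewall whose selector matches the node."""
    rules = set()
    for fw in firewalls:
        if selects(fw, node_labels):
            rules |= set(fw["rules"])
    return rules

def audit(firewalls, node_labels, applied_rules):
    """Return (stale, missing): rules applied but no longer selected, and the reverse."""
    expected = expected_rules(firewalls, node_labels)
    applied = set(applied_rules)
    return applied - expected, expected - applied

# Constructed sample data mirroring the "base"/"overlay" reproduction steps.
# SHARED appears in both firewalls, so it must survive removal of "base".
SHARED = ("10.0.0.0/8", "TCP", 22, "Allow")
BASE = {"name": "base",
        "spec": {"nodeSelector": {"matchLabels": {"fw-base": "true"}}},
        "rules": [SHARED, ("0.0.0.0/0", "TCP", 8080, "Deny")]}
OVERLAY = {"name": "overlay",
           "spec": {"nodeSelector": {"matchLabels": {"fw-overlay": "true"}}},
           "rules": [SHARED, ("0.0.0.0/0", "UDP", 53, "Deny")]}

def demo():
    firewalls = [BASE, OVERLAY]
    # State at the end of step 3: both labels present, both rule sets applied.
    applied = expected_rules(firewalls, {"fw-base": "true", "fw-overlay": "true"})
    # Step 4: the "base" label is removed, but the applied rules did not change.
    return audit(firewalls, {"fw-overlay": "true"}, applied)

if __name__ == "__main__":
    stale, missing = demo()
    print("stale:", sorted(stale), "missing:", sorted(missing))
```

A non-empty `stale` set after a label change is the symptom reported above; rules shared with a still-selected firewall are correctly not flagged.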