OpenShift Bugs / OCPBUGS-5835

OVN-Kubernetes fails to apply NetworkPolicy if duplicate entries are created


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Version: 4.10.z

      Description of problem:

      If a user creates two NetworkPolicies with egress rules to the same ipBlock and then restarts the leader ovnkube-master, OVN-Kubernetes can no longer process further NetworkPolicy changes in that namespace.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      In-house reproducer at Quicklab 

      Steps to Reproduce:

      1. Deploy the httpd-example application in namespace 'demo', with pod label 'name=httpd-example'
      2. Create two NetworkPolicy resources:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: np1
        namespace: demo
      spec:
        egress:
        - to:
          - ipBlock:
              cidr: 88.221.185.21/32
        ingress:
        - {}
        podSelector:
          matchLabels:
            name: httpd-example
        policyTypes:
        - Ingress
        - Egress
      ---
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: np2
        namespace: demo
      spec:
        egress:
        - to:
          - ipBlock:
              cidr: 88.221.185.21/32
        ingress:
        - {}
        podSelector:
          matchLabels:
            name: httpd-example
        policyTypes:
        - Ingress
        - Egress
      3. Check that the NetworkPolicies are applied correctly, so that only the specified host is reachable from the test pod.
      4. Restart the leader ovnkube-master pod
      5. Delete those NetworkPolicies from the namespace
      6. Check egress connectivity from the test pod
      

      Actual results:

      Changes to the NetworkPolicies are not applied. ovnkube-master logs errors like:
      
      I0113 17:06:36.652127       1 policy_retry.go:65] Network Policy Retry create failed for demo/np1, will try again later: failed to create Network Policy: demo/np1, error: failed to create ACL ops: unexpectedly found multiple equivalent ACLs: [{UUID:5ae67ade-988f-4d0d-86fc-765ee43e61b1 Action:allow-related Direction:from-lport ExternalIDs:map[Egress_num:0 ipblock_cidr:true l4Match:None namespace:demo policy:np1 policy_type:Egress] Label:0 Log:false Match:ip4.dst == 88.221.185.21/32 && inport == @a8572847446897012548 Meter:0xc00065c1b0 Name:0xc00065c1d0 Options:map[apply-after-lb:true] Priority:1001 Severity:0xc00065c200} {UUID:4d3e9615-ee22-4ad5-85a0-7426e510eba1 Action:allow-related Direction:from-lport ExternalIDs:map[Egress_num:0 ipblock_cidr:2 l4Match:None namespace:demo policy:np1 policy_type:Egress] Label:0 Log:false Match:ip4.dst == 88.221.185.21/32 && inport == @a8572847446897012548 Meter:0xc00065c6d0 Name:0xc00065c6f0 Options:map[apply-after-lb:true] Priority:1001 Severity:0xc00065c710}]
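      As an added check, not part of this bug report or of the ovn-kubernetes code base: a small script that groups the ACLs from an `ovn-nbctl --format=json list ACL` dump the way the error above describes, so an operator can spot duplicate equivalent ACLs in the NB DB after an upgrade or ovnkube-master restart. The grouping key (direction, priority, match, action) and the sample rows are assumptions built from the fields shown in the log line; the third sample row is constructed.

```python
"""Find duplicate (equivalent) ACLs in an OVN northbound DB listing.
Groups `ovn-nbctl --format=json list ACL` rows by (direction, priority, match,
action); a group with more than one row is the state behind the error above.
"""
import json
from collections import defaultdict

# Constructed sample in the `ovn-nbctl --format=json list ACL` shape: "headings"
# names the columns, each "data" row holds OVSDB-notation values. Rows 1-2 reuse
# the UUIDs/match from the bug's error; row 3 is an unrelated ACL (not flagged).
SAMPLE_NBCTL_JSON = json.dumps({
    "headings": ["_uuid", "action", "direction", "external_ids", "match", "priority"],
    "data": [
        [["uuid", "5ae67ade-988f-4d0d-86fc-765ee43e61b1"], "allow-related", "from-lport",
         ["map", [["ipblock_cidr", "true"], ["namespace", "demo"], ["policy", "np1"]]],
         "ip4.dst == 88.221.185.21/32 && inport == @a8572847446897012548", 1001],
        [["uuid", "4d3e9615-ee22-4ad5-85a0-7426e510eba1"], "allow-related", "from-lport",
         ["map", [["ipblock_cidr", "2"], ["namespace", "demo"], ["policy", "np1"]]],
         "ip4.dst == 88.221.185.21/32 && inport == @a8572847446897012548", 1001],
        [["uuid", "00000000-0000-4000-8000-000000000003"], "allow-related", "to-lport",
         ["map", [["namespace", "demo"], ["policy", "np1"]]],
         "outport == @a8572847446897012548 && ip", 1001],
    ],
})

def parse_nbctl_rows(text):
    """Turn ovn-nbctl JSON output into a list of {column: value} dicts."""
    doc = json.loads(text)
    rows = []
    for values in doc["data"]:
        row = {}
        for column, value in zip(doc["headings"], values):
            if isinstance(value, list) and value[0] == "uuid":
                value = value[1]        # ["uuid", "<id>"] -> "<id>"
            elif isinstance(value, list) and value[0] == "map":
                value = dict(value[1])  # ["map", [[k, v], ...]] -> {k: v}
            row[column] = value
        rows.append(row)
    return rows

def find_equivalent_acls(rows):
    """Return {(direction, priority, match, action): [uuids]} for groups larger than 1."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["direction"], row["priority"], row["match"], row["action"])].append(row["_uuid"])
    return {key: uuids for key, uuids in groups.items() if len(uuids) > 1}

if __name__ == "__main__":
    for (direction, prio, match, action), uuids in find_equivalent_acls(parse_nbctl_rows(SAMPLE_NBCTL_JSON)).items():
        print(f"{len(uuids)} equivalent ACLs [{direction} {prio} {action}] {match}: {', '.join(uuids)}")
```

      On a live cluster, feed the output of `ovn-nbctl --format=json list ACL` (run in the nbdb container of an ovnkube-master pod) to `parse_nbctl_rows` instead of the constructed sample.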

      Expected results:

      OVN-Kubernetes should correctly process added and removed NetworkPolicies even when several policies target the same destination CIDR.

      Additional info:

      Checked on a cluster deployed as 4.8 and then upgraded to 4.10.46. An in-house reproducer is available.

       

              npinaeva@redhat.com Nadia Pinaeva
              rhn-support-ltitov Leonid Titov
              Arti Sood