Leaks security list rules on Service deletion and node port update #150

Closed
2 tasks done
prydie opened this issue Mar 19, 2018 · 0 comments

prydie commented Mar 19, 2018

On master, deleting a Service type=LoadBalancer or changing its NodePort(s) results in the CCM leaking security list rules.

  • Load balancer deletion (fixed in 75a2db5)
  • Changing the node port of a service

NodePort

Changes to a Service's node port are converted into a BackendSetAction with an ActionType of "update". The BackendSetAction.BackendSet field is set to the new BackendSet and the Update() method on the security list manager is only provided the new (desired) state and has no logic for handling clearing up the old rules.

E2E tests

STEP: waiting for the TCP service to have a load balancer
Mar 19 16:37:22.245: INFO: Waiting up to 20m0s for service "basic-lb-test" to have a LoadBalancer
Mar 19 16:37:44.456: INFO: TCP node port: 31197
Mar 19 16:37:44.456: INFO: TCP load balancer: 129.213.12.8
STEP: hitting the TCP service's NodePort
Mar 19 16:37:44.456: INFO: Testing HTTP reachability of http://129.213.19.80:31197/echo?msg=hello
STEP: hitting the TCP service's LoadBalancer
Mar 19 16:37:44.997: INFO: Testing HTTP reachability of http://129.213.12.8:80/echo?msg=hello
STEP: changing the TCP service's NodePort
Mar 19 16:37:45.426: INFO: TCP node port: 31198

CCM logs

I0319 16:37:45.610134   73013 load_balancer.go:422] Applying "update" action on backend set "TCP-80" for lb "ocid1.loadbalancer.oc1.iad.aaaaaaaatojhja24set4khbn2na2vsha4vej53qkepot6hjj4psajrjnluya"  (listenerPort=0 backendPort=31198 healthCheckPort=10256)
I0319 16:37:45.727281   73013 load_balancer_security_lists.go:348] Keeping security list rule; does not match port 31198: { Destination=10.0.40.0/24 Protocol=6 IcmpOptions=<nil> IsStateless=false TcpOptions={ DestinationPortRange={ Max=31197 Min=31197 } SourcePortRange=<nil> } UdpOptions=<nil> }
I0319 16:37:45.727298   73013 load_balancer_security_lists.go:348] Keeping security list rule; does not match port 31198: { Destination=10.0.41.0/24 Protocol=6 IcmpOptions=<nil> IsStateless=false TcpOptions={ DestinationPortRange={ Max=31197 Min=31197 } SourcePortRange=<nil> } UdpOptions=<nil> }
I0319 16:37:45.727325   73013 load_balancer_security_lists.go:348] Keeping security list rule; does not match port 31198: { Destination=10.0.42.0/24 Protocol=6 IcmpOptions=<nil> IsStateless=false TcpOptions={ DestinationPortRange={ Max=31197 Min=31197 } SourcePortRange=
prydie added the bug label Mar 19, 2018
prydie self-assigned this Mar 20, 2018
prydie added this to the 0.3.0 milestone Mar 20, 2018
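
The NodePort section above describes an update that only sees the desired state. The following sketch is an added example, not part of the original issue and not the CCM's code: it reconciles rules from both the actual and the desired backend port, and passing `actual == 0` reproduces the leak. The `Rule` type, the `reconcile` function and the `10.0.0.0/16` rule are hypothetical; the subnets and ports are taken from the logs above.

```go
package main

import "fmt"

// Rule is a simplified egress rule (hypothetical type, not the OCI SDK's or the CCM's).
type Rule struct {
	Destination string // node subnet CIDR
	Port        int    // TCP destination port (Min == Max)
}

// reconcile removes rules for the old port on the managed subnets and ensures
// one rule per subnet for the new port; it returns the new rule set and the
// number of rules removed. actual == 0 models the behaviour in the issue, where
// only the desired state is known. Assumption: nothing else uses the old port.
func reconcile(rules []Rule, subnets []string, actual, desired int) (out []Rule, removed int) {
	managed, have := map[string]bool{}, map[string]bool{}
	for _, s := range subnets {
		managed[s] = true
	}
	for _, r := range rules {
		if managed[r.Destination] {
			stale := r.Port == actual && actual != desired
			if stale || (r.Port == desired && have[r.Destination]) {
				removed++
				continue
			}
			have[r.Destination] = have[r.Destination] || r.Port == desired
		}
		out = append(out, r)
	}
	for _, s := range subnets {
		if !have[s] {
			out = append(out, Rule{s, desired})
		}
	}
	return out, removed
}

// Constructed sample state before the NodePort change 31197 -> 31198 seen in the logs.
var subnets = []string{"10.0.40.0/24", "10.0.41.0/24", "10.0.42.0/24"}
var before = []Rule{{"10.0.40.0/24", 31197}, {"10.0.41.0/24", 31197}, {"10.0.42.0/24", 31197}, {"10.0.0.0/16", 443}}

func main() {
	leaky, _ := reconcile(before, subnets, 0, 31198)
	fixed, n := reconcile(before, subnets, 31197, 31198)
	fmt.Println("desired only:", len(leaky), "rules; actual+desired:", len(fixed), "rules,", n, "removed")
}
```

With only the desired port the rule set grows from 4 to 7 entries, because the three rules for port 31197 stay open; with both ports it stays at 4.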