Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1516228 - Normal user can delete networkpolicy in cli but cannot in web console
Summary: Normal user can delete networkpolicy in cli but cannot in web console
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.z
Assignee: jtanenba
QA Contact: Meng Bo
Depends On:
TreeView+ depends on / blocked
Reported: 2017-11-22 10:16 UTC by shahan
Modified: 2018-04-05 09:32 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-05 09:32:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0636 None None None 2018-04-05 09:32:45 UTC

Description shahan 2017-11-22 10:16:40 UTC
Description of problem:
 Normal user can delete networkpolicy in cli but cannot in web console

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. $ cat allow-all.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
  name: allow-all
  - {}
oc create -f allow-all.yaml
2. Login in web console, goto 'Other resources' page, select NetworkPolicy in dropdown list and try delete it.
3. oc get NetworkPolicy
4. oc delete NetworkPolicy allow-all
5, oc get NetworkPolicy

Actual results:
3. After very long time, the allow-all networkpolicy still exists 
5. CLI could be deleted successfully.
Expected results:
Should delete it immediately.

Additional info:
CLi and web should be consistent with delete network policy

Comment 1 Jessica Forrester 2017-11-22 12:20:32 UTC
This appears to be an issue with the garbage collector and NetworkPolicy because the console does foreground deletion of resources by default and the CLI defaults to no garbage collection policy. I can see the resource getting marked with the deletionTimestamp and the finalizer:

apiVersion: extensions/v1beta1
kind: NetworkPolicy
  creationTimestamp: '2017-11-22T12:15:02Z'
  deletionGracePeriodSeconds: 0
  deletionTimestamp: '2017-11-22T12:15:19Z'
    - foregroundDeletion
  generation: 2
  name: allow-all
  namespace: jwforres
  resourceVersion: '65432501'
  selfLink: /apis/extensions/v1beta1/namespaces/jwforres/networkpolicies/allow-all
  uid: c465ede7-cf7e-11e7-89cc-02306c0cdc4b
    - {}
  podSelector: {}

Comment 3 David Eads 2017-11-22 16:02:10 UTC

Comment 4 jtanenba 2017-12-14 19:54:55 UTC
Is this still an issue? I can't reproduce I think the above PR fixed the issue

Comment 5 shahan 2017-12-15 02:32:58 UTC
This bug has been fixed by that PR, could you help change to ON_QA?

Comment 6 shahan 2017-12-18 02:47:38 UTC
Check this issue with the OCP v3.7.14, this bug has been fixed. Could delete networkpolicy on web console.

Comment 10 errata-xmlrpc 2018-04-05 09:32:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.