Bug 1369750
Summary: | [networking_public_244] The egressnetworkpolicy can not block the endpoint which created before egressnetwork policy | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Yan Du <yadu> |
Component: | Networking | Assignee: | Dan Winship <danw> |
Status: | CLOSED ERRATA | QA Contact: | Meng Bo <bmeng> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.3.0 | CC: | aos-bugs, bbennett |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | No Doc Update | |
Last Closed: | 2016-09-27 09:45:48 UTC | Type: | Bug |
Description
Yan Du
2016-08-24 10:09:18 UTC
This is the same underlying problem as bug 1367364; the proxy endpoint filterer doesn't get immediately rerun when the firewall rules change. It does *eventually* get updated (within a few minutes). Although theoretically security-problem-ish, I felt like this wasn't a big deal, because it's not the sort of thing that's going to be a problem in real-world use cases. (You would expect admins to set up firewalls for projects before any pods/services are created in the project, rather than letting the project admin go crazy for a bit and then belatedly boxing them in.) But it could be fixed. (Which would fix 1367364 too.)

*** This bug has been marked as a duplicate of bug 1367364 ***

Hi Ben, I think the bug may not be the same as bug 1367364. In bug 1367364, we could get the expected behavior after a few minutes. It may be a delay issue. But in bug 1369750, even if I wait for more than half an hour, the egressnetworkpolicy still can not block the endpoint which was created before the egressnetworkpolicy; we still could not get the expected behavior. This may be a function issue.

Issue has been fixed on
oc v3.3.0.27
kubernetes v1.3.0+507d3a7

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933
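The failure mode discussed in this thread is that endpoints accepted before a policy existed are not rechecked when the rules change. The following is an added sketch of that behaviour, not OpenShift's code and not part of the original report; `Rule`, `Filter`, `Add`, `SetPolicy` and the addresses are constructed for illustration. It assumes ordered first-match rules with default allow.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed model, not OpenShift code: an ordered rule and an endpoint filter.
type Rule struct{ Allow bool; CIDR string }
type Filter struct{ rules []Rule; known, active []string }

// allowed: first matching rule decides, no match allows, bad input fails closed.
func allowed(rules []Rule, ip string) bool {
	addr := net.ParseIP(ip)
	for _, r := range rules {
		_, n, err := net.ParseCIDR(r.CIDR)
		if err != nil || n.Contains(addr) {
			return err == nil && r.Allow
		}
	}
	return addr != nil
}

// Add checks a new endpoint against the rules in force when it is created.
func (f *Filter) Add(ip string) {
	f.known = append(f.known, ip)
	if allowed(f.rules, ip) {
		f.active = append(f.active, ip)
	}
}

// SetPolicy swaps rules; rerun=false reproduces the stale state, true re-filters.
func (f *Filter) SetPolicy(rules []Rule, rerun bool) {
	f.rules = rules
	if rerun {
		old := f.known
		f.known, f.active = nil, nil
		for _, ip := range old {
			f.Add(ip)
		}
	}
}

func main() {
	f := &Filter{}
	f.Add("198.51.100.7") // constructed address, created before any policy
	f.SetPolicy([]Rule{{Allow: false, CIDR: "198.51.100.0/24"}}, false)
	fmt.Println("still served without rerun:", f.active)
}
```

A regression check for this class of bug creates the endpoint first, applies the deny rule second, and asserts that the endpoint is no longer served.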