Bug 1419393
Summary: | [networkpolicy] Pod in project which has the DefaultDeny policy cannot connect to the pod in other projects
---|---
Product: | OpenShift Container Platform
Component: | Networking
Version: | 3.5.0
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Reporter: | Meng Bo <bmeng>
Assignee: | Dan Winship <danw>
QA Contact: | Meng Bo <bmeng>
CC: | aos-bugs, bbennett, tdawson
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | No Doc Update
Type: | Bug
Last Closed: | 2017-04-12 19:11:33 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Verified on OCP build 3.5.0.18, works as expected.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
Created attachment 1247930: openflow_rules_after_annotation_added_to_project1

Description of problem:
When the DefaultDeny annotation is added to a project, pods in that project cannot access pods in other projects which do not have the annotation.

Version-Release number of selected component (if applicable):

    oc v3.5.0.16+a26133a
    kubernetes v1.5.2+43a9be4
    # ovs-vsctl --version
    ovs-vsctl (Open vSwitch) 2.5.0
    Compiled Nov 22 2016 12:40:36
    DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Set up a multinode env with the redhat/openshift-sdn-networkpolicy plugin
2. Create two projects and create pod/svc in each project called u1p1 and u2p1
3. Add the DefaultDeny networkpolicy to one of the projects

        # oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'

4. Try to access the pod/svc in u1p1 from the pod in u2p1
5. Try to access the pod/svc in u2p1 from the pod in u1p1

Actual results:
4. Cannot access successfully as expected.
5. Also cannot access.

Expected results:
5. Should be able to access from pod in u1p1 to u2p1

Additional info:
Openflow dump attached.
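The expected behaviour in this report, written out as a checker that a tester can compare against observed connectivity. This is an added example, not code from the bug report or from openshift-sdn; the function names are hypothetical, the sample data is constructed from the steps above, and it assumes no NetworkPolicy objects exist, so whether a flow is allowed depends only on the destination namespace's annotation.

```python
import json

ANNOTATION = "net.beta.kubernetes.io/network-policy"

def ingress_isolated(annotations):
    """True if the namespace annotations request DefaultDeny ingress isolation."""
    raw = annotations.get(ANNOTATION)
    if not raw:
        return False
    try:
        policy = json.loads(raw)
    except ValueError:
        raise ValueError("malformed %s annotation: %r" % (ANNOTATION, raw))
    if not isinstance(policy, dict):
        return False
    ingress = policy.get("ingress")
    return isinstance(ingress, dict) and ingress.get("isolation") == "DefaultDeny"

def expected_matrix(namespaces):
    """Map (src, dst) -> bool: should a pod in src reach a pod in dst?

    Isolation is ingress-only: it restricts traffic INTO an annotated
    namespace and must not restrict traffic leaving it.
    """
    isolated = {ns: ingress_isolated(a) for ns, a in namespaces.items()}
    return {(s, d): not isolated[d] for s in namespaces for d in namespaces}

def regressions(expected, observed):
    """Compare only the flows that were actually tested.

    Returns (wrongly_blocked, wrongly_open): flows that should work but
    failed (the defect in this report), and flows that should be denied
    but succeeded (isolation not enforced).
    """
    tested = [f for f in expected if f in observed]
    wrongly_blocked = sorted(f for f in tested if expected[f] and not observed[f])
    wrongly_open = sorted(f for f in tested if not expected[f] and observed[f])
    return wrongly_blocked, wrongly_open

# Constructed sample mirroring steps 3-5 and the "Actual results" above.
NAMESPACES = {
    "u1p1": {ANNOTATION: '{"ingress":{"isolation":"DefaultDeny"}}'},
    "u2p1": {},
}
OBSERVED = {("u2p1", "u1p1"): False, ("u1p1", "u2p1"): False}

if __name__ == "__main__":
    blocked, opened = regressions(expected_matrix(NAMESPACES), OBSERVED)
    print("wrongly blocked:", blocked)
    print("wrongly open:", opened)
```
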