Bug 1419469

Summary: [networkpolicy] The port specified in spec.ingress.ports cannot be accepted when accessing
Product: OpenShift Container Platform
Component: Networking
Version: 3.5.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Meng Bo <bmeng>
Assignee: Dan Winship <danw>
QA Contact: Meng Bo <bmeng>
CC: aos-bugs, bbennett, tdawson
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2017-04-12 19:11:37 UTC
Attachments: openflow_rules_with_port_policy (flags: none)

Description Meng Bo 2017-02-06 09:30:05 UTC
Created attachment 1247978: openflow_rules_with_port_policy

Description of problem:
When a specific port is allowed to be open in the project for all pods via network policy, the specific port cannot be accessed via other pods inside or outside the project.

Version-Release number of selected component (if applicable):
# oc version
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Set up a multinode env with the openshift-ovs-networkpolicy plugin
2. Create two projects, each with a pod
3. Add the annotation to project 1
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Apply the network policy to allow the specific port to be accessed
# oc create -f networkpolicy.yaml
cat networkpolicy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-8080
spec:
  podSelector:
  ingress:
  - ports:
    - protocol: tcp
      port: 8080

5. Try to access the pod on port 8080 from another pod in project u1p1
6. Try to access the pod on port 8080 from a pod in the other project

Actual results:
Both step 5 and 6 failed.

Expected results:
The pod in project u1p1 should be accessible via port 8080.

Additional info:
Openflow rule attached.
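
The expected results for steps 5 and 6, as an added example that is not part of the original report and is not the plugin's code: a small Python model of the intended ingress semantics (DefaultDeny isolation, an empty podSelector, and a rule with ports but no "from"). The second project name "u1p2" used when calling it is an assumption, protocol names are compared case-insensitively, and namespaceSelector peers are not modelled.

```python
# Added illustration: models the intended NetworkPolicy ingress semantics,
# not the openshift-ovs-networkpolicy plugin's OpenFlow implementation.

# Constructed from the report: namespace u1p1 annotated DefaultDeny, plus allow-8080.
ISOLATED_NAMESPACES = {"u1p1"}
POLICIES = {
    "u1p1": [{
        "name": "allow-8080",
        "podSelector": None,  # empty selector: applies to every pod in the namespace
        "ingress": [{"ports": [{"protocol": "tcp", "port": 8080}]}],  # no "from"
    }],
}

def selector_matches(selector, labels):
    """An empty selector matches all pods; otherwise every matchLabels pair must be present."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def port_matches(ports, protocol, port):
    """A rule with no ports list matches every port."""
    if not ports:
        return True
    return any(
        (p.get("protocol") or "TCP").upper() == protocol.upper()
        and p.get("port") in (None, port)
        for p in ports
    )

def peer_matches(peers, src_ns, src_labels, dst_ns):
    """A rule with no 'from' matches every source, in any namespace."""
    if not peers:
        return True
    return any(
        "podSelector" in peer and src_ns == dst_ns
        and selector_matches(peer["podSelector"], src_labels)
        for peer in peers
    )

def ingress_allowed(src_ns, src_labels, dst_ns, dst_labels, protocol, port):
    """Return True if the connection should be accepted by the destination pod."""
    if dst_ns not in ISOLATED_NAMESPACES:
        return True  # without the DefaultDeny annotation nothing is filtered
    for policy in POLICIES.get(dst_ns, []):
        if not selector_matches(policy.get("podSelector"), dst_labels):
            continue
        for rule in policy.get("ingress") or []:
            if port_matches(rule.get("ports"), protocol, port) and \
               peer_matches(rule.get("from"), src_ns, src_labels, dst_ns):
                return True
    return False
```

Calling ingress_allowed with a source in u1p1 (step 5) or in the other project (step 6) on TCP port 8080 returns True, while any other port into u1p1 returns False.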

Comment 1 Troy Dawson 2017-02-08 22:25:38 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 3 Meng Bo 2017-02-10 09:20:57 UTC
Tested on OCP build 3.5.0.18
Still have the same problem.

Comment 4 Meng Bo 2017-02-10 09:37:50 UTC
Sorry, I was using a wrong policy file, it should work well on 3.5.0.18.

Comment 6 errata-xmlrpc 2017-04-12 19:11:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884