Bug 1419469
| Summary: | [networkpolicy] The port specified in spec.ingress.ports cannot be accepted when accessing | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Meng Bo <bmeng> | ||||
| Component: | Networking | Assignee: | Dan Winship <danw> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Meng Bo <bmeng> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 3.5.0 | CC: | aos-bugs, bbennett, tdawson | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | No Doc Update | |||||
| Doc Text: |
undefined
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-04-12 19:11:37 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This has been merged into ocp and is in OCP v3.5.0.18 or newer. Tested on OCP build 3.5.0.18 Still have the same problem. Sorry, I was using a wrong policy file, it should work well on 3.5.0.18. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884 |
Created attachment 1247978 [details] openflow_rules_with_port_policy Description of problem: All the specific port to be open in the project for all pods via network policy, the specific port cannot be accessed via other pods inside or outside the project. Version-Release number of selected component (if applicable): # oc version oc v3.5.0.16+a26133a kubernetes v1.5.2+43a9be4 # ovs-vsctl --version ovs-vsctl (Open vSwitch) 2.5.0 Compiled Nov 22 2016 12:40:36 DB Schema 7.12.1 How reproducible: always Steps to Reproduce: 1. Setup multinode env with openshift-ovs-networkpolicy plugin 2. Create two projects with pod 3. Add the annotation to project 1 # oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}' 4. Apply the network policy to allow the specific port to be accessed # oc create -f networkpolicy.yaml cat networkpolicy.yaml kind: NetworkPolicy apiVersion: extensions/v1beta1 metadata: name: allow-8080 spec: podSelector: ingress: - ports: - protocol: tcp port: 8080 5. Try to access the pod with port 8080 via other pod in project u1p1 6. Try to access the pod with port 8080 via pod in other project Actual results: Both step 5 and 6 failed. Expected results: The pod in project u1p1 should be able to access via port 8080. Additional info: Openflow rule attached.