Bug 1421091
Summary: [networkpolicy] Adding both allow-to and allow-from policies to a single project makes the project work as a flat network

| Field | Value | Field | Value |
|---|---|---|---|
| Product | OpenShift Container Platform | Reporter | Meng Bo <bmeng> |
| Component | Networking | Assignee | Dan Winship <danw> |
| Status | CLOSED ERRATA | QA Contact | Meng Bo <bmeng> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 3.5.0 | CC | aos-bugs, bbennett, eparis, tdawson, xtian |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2017-04-12 19:12:23 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
This has been merged into ocp and is in OCP v3.5.0.34 or newer.

Tested on OCP v3.5.0.35, the issue is fixed and all the policies work as expected.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884
Created attachment 1249013: openflow_rule

Description of problem:
Applying both allow-to and allow-from policies to a single project makes the pods in the project accept all traffic.

Version-Release number of selected component (if applicable):
oc v3.5.0.18+9a5d1aa
kubernetes v1.5.2+43a9be4
ovs 2.5.0

How reproducible:
always

Steps to Reproduce:
1. Set up a multinode env with the openshift-ovs-networkpolicy plugin.
2. Create two projects with pods.
3. Add the annotation to project 1:

```
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
```

4. Apply the allow-to and allow-from policies to the project separately:

```
# oc get networkpolicy -n u1p1 -o yaml
```

```yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: NetworkPolicy
  metadata:
    creationTimestamp: 2017-02-10T10:08:06Z
    generation: 1
    name: allow-from-red
    namespace: u1p1
    resourceVersion: "22126"
    selfLink: /apis/extensions/v1beta1/namespaces/u1p1/networkpolicies/allow-from-red
    uid: d1602670-ef78-11e6-b7b7-525400dd3698
  spec:
    ingress:
    - from:
      - podSelector:
          matchLabels:
            type: red
    podSelector: {}
- apiVersion: extensions/v1beta1
  kind: NetworkPolicy
  metadata:
    creationTimestamp: 2017-02-10T10:08:01Z
    generation: 1
    name: allow-to-blue
    namespace: u1p1
    resourceVersion: "22123"
    selfLink: /apis/extensions/v1beta1/namespaces/u1p1/networkpolicies/allow-to-blue
    uid: ce14914f-ef78-11e6-b7b7-525400dd3698
  spec:
    ingress:
    - {}
    podSelector:
      matchLabels:
        type: blue
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""
```

5. Try to access any pod in the project from inside or outside the project.

Actual results:
5. All can access.

Expected results:
Only the pod with label type=red can be accessed via a pod inside the project, and the pod with label type=blue can be accessed globally.

Additional info:
Full openflow rules attached.
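The ingress behaviour these two policies should produce, as an added model that is not OpenShift or Kubernetes code: a small evaluator of the v1beta1 NetworkPolicy semantics (DefaultDeny namespace, `podSelector` peers match only pods in the policy's own namespace, an empty rule admits every source) run over constructed pods. The pod names, the second project `u1p2` and the `green` label are assumptions.

```python
"""Model of the expected reachability for the two policies in the report.
Added illustration, not project code; pods and the u1p2 project are constructed."""

# Constructed pods: name -> (namespace, labels). u1p1 is the DefaultDeny
# project from the report; u1p2 stands in for "outside the project".
PODS = {
    "u1p1/red":   ("u1p1", {"type": "red"}),
    "u1p1/blue":  ("u1p1", {"type": "blue"}),
    "u1p1/green": ("u1p1", {"type": "green"}),
    "u1p2/other": ("u1p2", {"type": "red"}),  # same label, other project
}

# Namespaces annotated with ingress isolation DefaultDeny.
DEFAULT_DENY = {"u1p1"}

# The report's policies reduced to the fields that matter. A rule whose
# `from` list is empty is the `- {}` rule and matches every source.
POLICIES = [
    {"namespace": "u1p1", "podSelector": {},               # allow-from-red
     "ingress": [{"from": [{"podSelector": {"type": "red"}}]}]},
    {"namespace": "u1p1", "podSelector": {"type": "blue"},  # allow-to-blue
     "ingress": [{"from": []}]},
]

def selects(selector, labels):
    """matchLabels semantics: every key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())

def rule_matches(rule, policy_ns, src_ns, src_labels):
    if not rule["from"]:  # `ingress: - {}` -> accept from anywhere
        return True
    # A bare podSelector peer only selects pods in the policy's namespace.
    return any("podSelector" in peer and src_ns == policy_ns
               and selects(peer["podSelector"], src_labels)
               for peer in rule["from"])

def ingress_allowed(src, dst):
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    if dst_ns not in DEFAULT_DENY:
        return True  # non-isolated namespace behaves as a flat network
    for pol in POLICIES:
        if pol["namespace"] != dst_ns or not selects(pol["podSelector"], dst_labels):
            continue
        if any(rule_matches(r, pol["namespace"], src_ns, src_labels) for r in pol["ingress"]):
            return True
    return False  # isolated, and no policy admits this source

def reachability():
    """Full src->dst matrix; the bug in the report made every entry True."""
    return {(s, d): ingress_allowed(s, d) for s in PODS for d in PODS if s != d}
```

A quick way to spot the symptom in the report is that `reachability()` should contain `False` entries; a flat network yields none.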