Bug 1451910

Summary: [doc] Service is not blocked by dns egress policy rule
Product: OpenShift Container Platform Reporter: Weibin Liang <weliang>
Component: NetworkingAssignee: Ravi Sankar <rpenta>
Status: CLOSED ERRATA QA Contact: Meng Bo <bmeng>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.6.0CC: aos-bugs, bbennett, rpenta, yadu
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Documentation PR was provided.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 21:55:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Weibin Liang 2017-05-17 20:17:56 UTC 
Description of problem:
Service is not blocked by dns egress policy rule

Version-Release number of selected component (if applicable):
oc v3.6.76
kubernetes v1.6.1+5115d708d7

How reproducible:
Every time.

Steps to Reproduce:
#oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/endpoint.json
#oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/service.json
#oc expose svc mysvc
#curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>
# curl 172.30.91.13:80
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>
#oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/dns-egresspolicy1.json
# oc describe egressnetworkpolicy 
Name:		policy-test
Namespace:	p1
Created:	21 minutes ago
Labels:		<none>
Annotations:	<none>
Rule:		Deny to www.test.com
Rule:		Allow to 0.0.0.0/0
#curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>
# oc get svc mysvc
NAME      CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
mysvc     172.30.91.13   <none>        80/TCP    37m
# curl 172.30.91.13:80
curl: (7) Failed connect to 172.30.91.13:80; Connection refused


Actual results:
#curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>
Expected results:
#curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
curl: (7) Failed connect to 172.30.91.13:80; Connection refused

Additional info:
Comment 1 Weibin Liang 2017-05-18 20:51:15 UTC 
In order to reproduce above issue, router need to be created first.
Comment 2 Ravi Sankar 2017-05-18 21:45:40 UTC 
We do egress network policy service endpoint filtering at node kubeproxy and when router is involved kubeproxy is bypassed and egress enforcement is not applied. This applied to both dnsName and cidrSelector fields in egress network policy.

May be we should also do egress service endpoint filtering at the router level.
Comment 3 Ben Bennett 2017-05-19 18:50:23 UTC 
Clayton and I are in agreement that we can document that if you want to protect against people with permission to make routes and services, you need to restrict their ability to make endpoints.  If we put that documentation in the egress firewall section, that is acceptable.
Comment 4 Ravi Sankar 2017-06-21 17:07:54 UTC 
Docs pr: https://github.com/openshift/openshift-docs/pull/4630
Comment 5 openshift-github-bot 2017-06-22 18:38:56 UTC 
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/9add5ecccd34bc9027325373a90d920b97865bd9
Merge pull request #4630 from pravisankar/egress-policy-limitation

Bug 1451910 - Caution about egress network policy limitation
Comment 6 Yan Du 2017-07-06 07:51:34 UTC 
The Caution part about the egressnetworkpolicy looks good and have been merged. Move the bug to verified.
Comment 10 errata-xmlrpc 2017-11-28 21:55:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188