Bug 1464251
| Summary: | Pod Selection criteria has no effect in a Network Policy within a namespace | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Veer Muchandi <veer> |
| Component: | Networking | Assignee: | Dan Winship <danw> |
| Status: | CLOSED NOTABUG | QA Contact: | Meng Bo <bmeng> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.5.0 | CC: | aloughla, aos-bugs, veer |
| Target Milestone: | --- | Keywords: | UpcomingRelease |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-23 16:11:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Veer Muchandi
2017-06-22 19:44:45 UTC
Can you please provide details of where you are running the tests from (i.e. what are the labels on the pod, and what namespace are they in) and how you are doing the test, whether a service is involved, and whether the rules allow too much, or too little. (In reply to Ben Bennett from comment #1) > Can you please provide details of where you are running the tests from (i.e. > what are the labels on the pod, and what namespace are they in) and how you > are doing the test, whether a service is involved, and whether the rules > allow too much, or too little. Ben, I recorded the entire thing in bluejeans the two videos here https://bluejeans.com/s/URf12 I posted the steps to create here https://bugzilla.redhat.com/show_bug.cgi?id=1464250 Per Veer on IRC: "Direct pod to pod in the same project. pod1 can always reach pod2 regardless of whether there is a from rule that matches." The NetworkPolicy is incorrect:
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
- ports:
- protocol: TCP
port: 3306
The mistake is slightly more obvious in JSON form:
"spec": {
"ingress": [
{
"from": [
{
"podSelector": {
"matchLabels": {
"app": "frontend"
}
}
}
]
},
{
"ports": [
{
"port": 3306,
"protocol": "TCP"
}
]
}
],
That is, this policy specifies two separate rules:
1. Traffic from pods with the label app=frontend is allowed (on all ports)
2. Traffic to TCP 3306 is allowed (from any source)
What you meant was:
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 3306
(with no "-" before "ports"), which translates to
"ingress": [
{
"from": [
{
"podSelector": {
"matchLabels": {
"app": "frontend"
}
}
}
],
"ports": [
{
"port": 3306,
"protocol": "TCP"
}
]
}
],
A single ingress rule saying traffic from pods with the label app=frontend is allowed to TCP 3306.
Unfortunately NetworkPolicy's syntax and semantics are full of gotchas like this. :-/
There's work upstream to improve "kubectl describe networkpolicy ...". Maybe we can pull that into 3.6. (https://github.com/kubernetes/kubernetes/issues/46951)
|