Bug 1661983

Summary: The scope of egressnetworkpolicy is 'Cluster' other than 'namespace'
Product: OpenShift Container Platform Reporter: zhaozhanqi <zzhao>
Component: NetworkingAssignee: Casey Callendrello <cdc>
Status: CLOSED ERRATA QA Contact: Meng Bo <bmeng>
Severity: high Docs Contact:
Priority: high    
Version: 4.1.0CC: aos-bugs, bbennett
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: All   
OS: All   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:41:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description zhaozhanqi 2018-12-25 06:40:42 UTC
Description of problem:
Check the egressnetworkpolicy crd the 'scope' is Cluster, that means the egressnetworkpolicy is for whole cluster. it caused we cannot create same 

In openshift 3 version. it is only namespaces level. see the 3.11 docs description: "EgressNetworkPolicy describes the current egress network policy for a Namespace"

Version-Release number of selected component (if applicable):
oc v4.0.0-alpha.0+62de992-802
kubernetes v1.11.0+62de992
features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

Steps to Reproduce:
1. Create one namespaces and create one egressnetworkpolicy
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test1

2. Create same one in namespaces test2
  oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test2

3. Check the egressnetworkpolicy crd 
   $ oc get crd egressnetworkpolicies.network.openshift.io -o yaml | grep scope
  scope: Cluster

Actual results:

step2. Cannot be created since step 1 had been created one already
step3. the scope is Cluster

$ oc get crd egressnetworkpolicies.network.openshift.io -o yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
  creationTimestamp: 2018-12-20T10:22:56Z
  generation: 1
  name: egressnetworkpolicies.network.openshift.io
  - apiVersion: networkoperator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: NetworkConfig
    name: default
    uid: 124d5cf2-0441-11e9-804c-0a4124e70182
  resourceVersion: "964"
  selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/egressnetworkpolicies.network.openshift.io
  uid: 37f41df0-0441-11e9-804c-0a4124e70182
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.

      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: network.openshift.io
    kind: EgressNetworkPolicy
    listKind: EgressNetworkPolicyList
    plural: egressnetworkpolicies
    singular: egressnetworkpolicy
  scope: Cluster
                    maxProperties: 1
                    minProperties: 1
                        pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([1-9]|[12][0-9]|3[0-2])$
                        type: string
                        pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$
                        type: string
                    type: object
                    pattern: ^Allow|Deny$
                    type: string
                type: object
              maxItems: 50
              type: array
          type: object
  version: v1
  - name: v1
    served: true
    storage: true
    kind: EgressNetworkPolicy
    listKind: EgressNetworkPolicyList
    plural: egressnetworkpolicies
    singular: egressnetworkpolicy
  - lastTransitionTime: 2018-12-20T10:22:56Z
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: null
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  - v1

Expected results:

the scope for egressnetworkpolicy should be namespaces level.

Additional info:

Comment 1 Casey Callendrello 2019-01-21 13:22:06 UTC
Fixed in https://github.com/openshift/cluster-network-operator/pull/67

Comment 2 zhaozhanqi 2019-01-28 10:14:34 UTC
check this bug on payload 4.0.0-0.nightly-2019-01-25-214846

the issue had been fixed.

Comment 5 zhaozhanqi 2019-03-27 02:21:03 UTC
Verified this bug according to comment 2

Comment 7 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.