Bug 1700431
Summary: | EgressIP doesn't work with NetworkPolicy unless traffic from default project is allowed | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Juan Luis de Sousa-Valadas <jdesousa> | |
Component: | Networking | Assignee: | Dan Winship <danw> | |
Status: | CLOSED ERRATA | QA Contact: | Weibin Liang <weliang> | |
Severity: | low | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 3.11.0 | CC: | aos-bugs, csekar, danw, piqin, travi, zzhao | |
Target Milestone: | --- | Keywords: | Reopened | |
Target Release: | 4.2.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause: Egress IPs did not work correctly in namespaces with restrictive NetworkPolicies.
Consequence: Pods that accepted traffic only from specific sources would not be able to send egress traffic via egress IPs, because the response from the external server would be mistakenly rejected by their NetworkPolicies.
Fix: Replies from egress traffic are now correctly recognized as replies rather than as new connections.
Result: Egress IPs and NetworkPolicy work together.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1741477 1741499 (view as bug list) | Environment: | ||
Last Closed: | 2019-10-16 06:28:06 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1741477, 1741499, 1766583 |
Description
Juan Luis de Sousa-Valadas
2019-04-16 14:36:59 UTC
Software versions: atomic-openshift-node-3.11.88-1.git.0.47f4e98.el7.x86_64 registry.redhat.io/openshift3/ose-node v3.11.16 074bf04571e2 6 months ago 1.15 GB Yeah, can confirm that this is happening... it's not supposed to; conntrack should be recognizing the return traffic as being a reply to the outbound connection, and so it should be accepted regardless of policies. But that's not working. I tried this on 4.2 version 4.2.0-0.nightly-2019-08-22-043819.it's working well, see below. so it's not an issue for 4.2. close this bug #oc get netnamespaces z1 NAME NETID EGRESS IPS z1 3625249 [139.178.76.100] #oc get hostsubnet control-plane-0 NAME HOST HOST IP SUBNET EGRESS CIDRS EGRESS IPS control-plane-0 control-plane-0 139.178.76.22 10.128.0.0/23 [139.178.76.100] $ oc get networkpolicy -n z1 -o yaml apiVersion: v1 items: - apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: creationTimestamp: "2019-08-23T02:08:49Z" generation: 1 name: deny-ingress-from-other-namespaces namespace: z1 resourceVersion: "241251" selfLink: /apis/extensions/v1beta1/namespaces/z1/networkpolicies/deny-ingress-from-other-namespaces uid: f25ab63b-c54a-11e9-951d-0050568b11fb spec: ingress: - from: - podSelector: {} podSelector: {} policyTypes: - Ingress kind: List metadata: resourceVersion: "" selfLink: "" $ oc get pod -n z1 NAME READY STATUS RESTARTS AGE test-rc-4j2hk 1/1 Running 0 14m test-rc-5rhqn 1/1 Running 0 14m $ oc rsh test-rc-4j2hk ~ $ ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=1.97 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=1.33 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=1.41 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=54 time=1.38 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=54 time=1.37 ms @zhaozhanqi FYI the new github bugzilla-checking automation is picky about bugzilla statuses and will only let me backport this if it's "CLOSED ERRATA" or "VERIFIED". Fixing that... Hm... but it won't let me go right from CLOSED to VERIFIED... Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922 |