Bug 1741477
| Summary: | [3.11] EgressIP doesn't work with NetworkPolicy unless traffic from default project is allowed | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | K Chandra Sekar <csekar> | |
| Component: | Networking | Assignee: | Casey Callendrello <cdc> | |
| Networking sub component: | openshift-sdn | QA Contact: | zhaozhanqi <zzhao> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | low | |||
| Priority: | unspecified | CC: | acai, aos-bugs, csekar, danw, huirwang, jdesousa, piqin, rvanderp, travi, zzhao | |
| Version: | 3.11.0 | Keywords: | NeedsTestCase | |
| Target Milestone: | --- | |||
| Target Release: | 3.11.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: Egress IPs did not work correctly in namespaces with restrictive NetworkPolicies.
Consequence: Pods that accepted traffic only from specific sources would not be able to send egress traffic via egress IPs, because the response from the external server would be mistakenly rejected by their NetworkPolicies.
Fix: Replies from egress traffic are now correctly recognized as replies rather than as new connections.
Result: Egress IPs and NetworkPolicy work together.
|
Story Points: | --- | |
| Clone Of: | 1700431 | |||
| : | 1766583 (view as bug list) | Environment: | ||
| Last Closed: | 2019-09-24 08:08:08 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1700431, 1741499 | |||
| Bug Blocks: | 1766583 | |||
|
Comment 1
Casey Callendrello
2019-08-26 11:26:21 UTC
Verified in version: v3.11.146 Steps: 1. Create a project p1 using egressIP 2. Add egressIP to node A 3. Create a pod in project p1 which is *not* running on node A. 4. Create a networkPolicy which only allows traffic from itself. Used the file in "Steps to Reproduce :step4" Go to the pod in project p1 and try to reach a resource outside OpenShift. / # ping www.google.com PING www.google.com (172.217.13.228) 56(84) bytes of data. 64 bytes from iad23s61-in-f4.1e100.net (172.217.13.228): icmp_seq=1 ttl=48 time=287 ms 64 bytes from iad23s61-in-f4.1e100.net (172.217.13.228): icmp_seq=2 ttl=48 time=286 ms 64 bytes from iad23s61-in-f4.1e100.net (172.217.13.228): icmp_seq=3 ttl=48 time=285 ms 64 bytes from iad23s61-in-f4.1e100.net (172.217.13.228): icmp_seq=4 ttl=48 time=286 ms Result: it works. 5. Create a rule that allows traffic from the default project. Used the file in "Steps to Reproduce :step6" Result: it works, traffic goes through. 6. Completely remove every networkPolicy. Traffic also works Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2816 |