Bug 1828387

Summary: NPs on svc not enforced when exposed port and target are different
Product: OpenShift Container Platform Reporter: Luis Tomas Bolivar <ltomasbo>
Component: NetworkingAssignee: Luis Tomas Bolivar <ltomasbo>
Networking sub component: kuryr QA Contact: Jon Uriarte <juriarte>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: juriarte, rlobillo
Version: 4.4Keywords: AutomationBackLog
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1828388 (view as bug list) Environment:
Last Closed: 2020-07-13 17:31:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1828388    

Description Luis Tomas Bolivar 2020-04-27 16:05:03 UTC
NP rules are not properly updated on LoadBalancer security groups when the exposed port and the target port does not match

Comment 3 Jon Uriarte 2020-05-07 13:49:17 UTC
Verified in 4.5.0-0.nightly-2020-05-06-003431 on top of OSP 16 compose RHOS_TRUNK-16.0-RHEL-8-20200427.n.0 (with OVS and amphora-driver).

After creating a service that exposes a different port than the one in the pod behind, if a network policy is created for blocking the ingress
traffic to the pod, the security rules are now applied in the load balancer and the service is not reachable.

Comment 4 errata-xmlrpc 2020-07-13 17:31:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.