Bug 1904957

| Field | Value |
|---|---|
| Summary | OVNKube: egress firewall: ports field does not work unless protocol is explicitly specified |
| Product | OpenShift Container Platform |
| Component | Networking |
| Networking sub component | ovn-kubernetes |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | 4.7 |
| Target Release | 4.7.0 |
| Hardware | ppc64le |
| OS | Linux |
| Reporter | sasinha <sasinha> |
| Assignee | Jacob Tanenbaum <jtanenba> |
| QA Contact | Anurag saxena <anusaxen> |
| CC | aconstan, cbaus, danili, dslavens, lmcfadde, mtarsel, tdale |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-12-18 18:04:26 UTC |
| Type | Bug |
| Bug Blocks | 1903544 |

Hi networking team, after initial triage by the multi-arch team, we thought this problem may (or may not) occur on x86_64 as well. Would it be possible for you to evaluate this bug and see if the issue occurs on x86? If not, we can work on this from the multi-arch side. Thank you.

Confirmed this issue also exists on OCP 4.6 s390x, so it seems to be across multiple platforms. If this is the way it is intended to work (protocol required if port specified), then a documentation change is needed. If the docs are currently correct, this appears to be a bug.

jtanenba any updates on this one?

The docs are the issue; this does appear on all architectures.

The doc changes are handled in https://github.com/openshift/openshift-docs/pull/28443 as per JIRA task https://issues.redhat.com/projects/MULTIARCH/issues/MULTIARCH-664

Description of problem:
While configuring an egress firewall and trying to create an egress firewall rule object, the ports field does not work unless protocol is explicitly specified, even though the documentation states it's optional.

Version-Release number of selected component (if applicable):
OCP 4.7

How reproducible:
Always

Steps to Reproduce:
1. Configure an egress firewall
2. Create an egress firewall rule object
3. Mention port, omit protocol field

Actual results:
The ports field does not work unless protocol is explicitly specified.

```
# oc create -f egress-firewall-power.yaml
The EgressFirewall "default" is invalid: spec.egress.ports.protocol: Required value

# cat egress-firewall-power.yaml
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
spec:
  egress:
  - type: Deny
    to:
      cidrSelector: 0.0.0.0
    ports:
    - port: 80
      #protocol: TCP

# cat egress-firewall-power.yaml
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
spec:
  egress:
  - type: Deny
    to:
      cidrSelector: 0.0.0.0
    ports:
    - port: 80
      protocol: TCP

# oc create -f egress-firewall-power.yaml
egressfirewall.k8s.ovn.org/default created

# oc get clusterversion
NAME      VERSION                                     AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-ppc64le-2020-11-13-081012   True        False         23d     Cluster version is 4.7.0-0.nightly-ppc64le-2020-11-13-081012
```

Expected results:
Optional: A network protocol. If specified, the value must be either TCP, UDP, or SCTP. If not specified, the rule matches all TCP, UDP, and SCTP traffic

Additional info:
Ref: https://docs.openshift.com/container-platform/4.6/networking/ovn_kubernetes_network_provider/configuring-egress-firewall-ovn.html
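
Because a rejected manifest means the intended Deny rule is never created, the behaviour reported above can be caught before `oc create`. The following is an added example, not code from the bug report or from ovn-kubernetes: it flags `ports` entries without `protocol` and writes each one out once per protocol. The function names are hypothetical, the manifest is assumed to be already loaded into a dict, and treating three explicit entries as equivalent to the documented "all TCP, UDP, and SCTP traffic" behaviour is an assumption.

```python
import copy
import json

# Protocol values named in the documentation text quoted in the report.
PROTOCOLS = ("TCP", "UDP", "SCTP")

def missing_protocols(manifest):
    """Return the paths of ports entries that have no protocol set."""
    paths = []
    for i, rule in enumerate(manifest.get("spec", {}).get("egress") or []):
        for j, entry in enumerate(rule.get("ports") or []):
            if not entry.get("protocol"):
                paths.append(f"spec.egress[{i}].ports[{j}].protocol")
    return paths

def expand_ports(manifest):
    """Return a copy in which each protocol-less entry is repeated per protocol."""
    fixed = copy.deepcopy(manifest)  # never mutate the caller's manifest
    for rule in fixed.get("spec", {}).get("egress") or []:
        if "ports" not in rule:
            continue
        expanded = []
        for entry in rule.get("ports") or []:
            if entry.get("protocol"):
                expanded.append(entry)
            else:
                expanded.extend({**entry, "protocol": p} for p in PROTOCOLS)
        rule["ports"] = expanded
    return fixed

# Constructed sample: the rejected manifest from the report, expressed as JSON.
SAMPLE = json.loads("""
{
  "apiVersion": "k8s.ovn.org/v1",
  "kind": "EgressFirewall",
  "metadata": {"name": "default"},
  "spec": {"egress": [
    {"type": "Deny",
     "to": {"cidrSelector": "0.0.0.0"},
     "ports": [{"port": 80}]}
  ]}
}
""")

if __name__ == "__main__":
    for path in missing_protocols(SAMPLE):
        print(f"{path}: Required value")
    print(json.dumps(expand_ports(SAMPLE), indent=2))
```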