Bug 1905196
Summary: | Inconsistent behavior of NetworkPolicies | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Roman Bobek <rbobek> |
Component: | Networking | Assignee: | Dan Winship <danw> |
Networking sub component: | openshift-sdn | QA Contact: | zhaozhanqi <zzhao> |
Status: | CLOSED NOTABUG | Docs Contact: | |
Severity: | unspecified | | |
Priority: | unspecified | CC: | aconstan, danw |
Version: | 3.11.0 | Keywords: | Reopened |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-01-05 21:38:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Roman Bobek
2020-12-07 17:29:55 UTC
> - When using the NetworkPolicy networking plugin, customer set a NetId for a namespace to the value of '0'.
You cannot do this. Users cannot manually edit openshift-sdn's internal objects and expect things to keep working.
They need to revert any changes they made to NetNamespaces (ensuring that the namespace `default` has NetId 0, and every other namespace has a unique NetId), and then reboot all of the masters and nodes. That should be enough to make things start working again.
(In reply to Dan Winship from comment #1)
> > - When using the NetworkPolicy networking plugin, customer set a NetId for a namespace to the value of '0'.
>
> You cannot do this. Users cannot manually edit openshift-sdn's internal objects and expect things to keep working.
>
> They need to revert any changes they made to NetNamespaces (ensuring that the namespace `default` has NetId 0, and every other namespace has a unique NetId), and then reboot all of the masters and nodes. That should be enough to make things start working again.

Hello Dan,

the customer is not changing internal objects. This is just a dump of the tables showing the network policy rules are not written into ovs, which causes OpenShift to reject the traffic to the particular namespace. What should be collected in such cases so we can have a better look into it?

-Roman

So it turns out that what the customer was doing was that they were trying to manually create NetNamespaces with pre-assigned EgressIPs. This doesn't work (though the documentation gives no hint of that fact); you have to create the Project/Namespace, then *wait for openshift-sdn to create the NetNamespace object itself*, and then you can assign the EgressIPs to the NetNamespace once it has been created.

I've filed bug 1928851 about making openshift-sdn at least not break if you get this wrong. It's possible we could actually make this work the way the customer expected it would. If not we'll at least document the restriction better. (For now, the workaround is that you have to let openshift-sdn create the NetNamespace and then modify it afterward, not create it yourself.)
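An added example, not part of the bug thread or of openshift-sdn: a check for the invariant stated in comment #1 (namespace `default` has NetId 0, every other namespace has a unique NetId), run over a constructed sample shaped like `oc get netnamespaces -o json` output. It assumes the NetworkPolicy plugin discussed in this bug; the namespace names, sample values and the function name `audit_netnamespaces` are hypothetical.

```python
import json
import sys
from collections import defaultdict

# Constructed sample (not from the bug), shaped like `oc get netnamespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "default"}, "netname": "default", "netid": 0},
  {"metadata": {"name": "app-a"}, "netname": "app-a", "netid": 1234567},
  {"metadata": {"name": "app-b"}, "netname": "app-b", "netid": 0,
   "egressIPs": ["192.0.2.10"]},
  {"metadata": {"name": "app-c"}, "netname": "app-c", "netid": 1234567}
]}
""")


def audit_netnamespaces(doc):
    """Return sorted (namespace, problem) findings for a NetNamespace list."""
    findings = []
    by_netid = defaultdict(list)
    for item in doc.get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        netid = item.get("netid")
        if netid is None:
            # Defensive: do not guess a value for a record without the field.
            findings.append((name, "no netid field in record"))
            continue
        by_netid[netid].append(name)
        if netid == 0 and name != "default":
            findings.append((name, "netid 0 outside 'default'"))
    if "default" not in by_netid.get(0, []):
        findings.append(("default", "missing, or its netid is not 0"))
    for netid, names in by_netid.items():
        if netid != 0 and len(names) > 1:
            for n in names:
                others = sorted(set(names) - {n})
                findings.append((n, f"netid {netid} shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: oc get netnamespaces -o json | python3 this_script.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, problem in audit_netnamespaces(doc):
        print(f"{ns}: {problem}")
```
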