Bug 1930017

Summary: [kuryr] Egress network policy with namespaceSelector in Kuryr behaves differently than in OVN-Kubernetes
Product: OpenShift Container Platform
Reporter: rdobosz
Component: Networking
Assignee: rdobosz
Networking sub component: kuryr
QA Contact: GenadiC <gcheresh>
Status: CLOSED DUPLICATE
Docs Contact:
Severity: medium
Priority: high
CC: bbennett, cmarches, gcheresh, ltomasbo, mdulko, rdobosz, rlobillo
Version: 4.7
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1921878
: 1941941
Environment:
Last Closed: 2021-03-23 08:46:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1921878
Bug Blocks:

Comment 3 rlobillo 2021-03-15 14:45:47 UTC
Failed on 4.7.0-0.nightly-2021-03-14-223051 over OSP16.1 (RHOS-16.1-RHEL-8-20201214.n.3) using OVN-Octavia.


$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc expose pod/demo --port 80 --target-port 8080
$ oc new-project test2
$ oc run --image kuryr/demo demo2
$ oc expose pod/demo2 --port 80 --target-port 8080

Loading the manifest below on the test project:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np-bz1921878
spec:
  podSelector:
    matchLabels:
      run: demo
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector: {}

The np shows as below:
$ oc get knp/np-bz1921878 -o json | jq .spec
{
  "egressSgRules": [
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "egress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "protocol": "tcp",
        "remote_ip_prefix": "10.128.0.0/14"
      }
    }
  ],
  "ingressSgRules": [
    {
      "namespace": "default",
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "protocol": "tcp",
        "remote_ip_prefix": "10.128.76.0/23"
      }
    },
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "remote_ip_prefix": "10.196.0.0/16"
      }
    }
  ],
  "podSelector": {
    "matchLabels": {
      "run": "demo"
    }
  },
  "policyTypes": [
    "Egress",
    "Ingress"
  ]
}

^ missing the svc network (172.30.0.0/15).

As a consequence, the pod on project test cannot reach the service on project test2:

$ oc get all -n test
NAME       READY   STATUS    RESTARTS   AGE
pod/demo   1/1     Running   0          53m
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.120.87   <none>        80/TCP    53m
$ oc get all -n test2 -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP              NODE                          NOMINATED NODE   READINESS GATES
pod/demo2   1/1     Running   0          52m   10.128.128.99   ostest-858gf-worker-0-w6psd   <none>           <none>
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/demo2   ClusterIP   172.30.120.252   <none>        80/TCP    52m   run=demo2
$ oc rsh -n test pod/demo
~ $ curl 10.128.128.99:8080
demo2: HELLO! I AM ALIVE!!!
~ $ curl 172.30.120.252
<NOT WORKING>
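
Added example (not part of the bug report or of Kuryr's own code): a small Python checker that evaluates the KuryrNetworkPolicy SG rules shown above the way Neutron would, so the failed reproduction can be confirmed from `oc get knp -o json` output instead of a curl from inside the pod. The sample spec is constructed from the JSON above (ingress trimmed to one rule); the pod IP, ClusterIP and the 172.30.0.0/15 service CIDR are the values quoted in the comment.

```python
"""Evaluate the OpenStack SG rules Kuryr generated for a NetworkPolicy."""
import ipaddress
import json

# Constructed sample: the egressSgRules from the `oc get knp/np-bz1921878`
# output above (ingress trimmed to one rule), keeping only the keys used here.
SAMPLE_KNP_SPEC = json.loads("""{
  "egressSgRules": [
    {"sgRule": {"direction": "egress", "ethertype": "IPv4", "protocol": "tcp",
                "port_range_min": 1, "port_range_max": 65535,
                "remote_ip_prefix": "10.128.0.0/14"}}],
  "ingressSgRules": [
    {"sgRule": {"direction": "ingress", "ethertype": "IPv4",
                "remote_ip_prefix": "10.196.0.0/16"}}]}""")

def rule_matches(rule, ip, proto, port):
    """True if one SG rule permits the flow. Neutron treats a missing
    protocol or port range as a wildcard for that field."""
    net = ipaddress.ip_network(rule.get("remote_ip_prefix", "0.0.0.0/0"))
    addr = ipaddress.ip_address(ip)
    if addr.version != net.version or addr not in net:
        return False
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    lo, hi = rule.get("port_range_min", 1), rule.get("port_range_max", 65535)
    return lo <= port <= hi

def allows(spec, direction, ip, proto="tcp", port=80):
    """True if any rule in that direction (egress/ingress) permits the flow."""
    key = "egressSgRules" if direction == "egress" else "ingressSgRules"
    return any(rule_matches(r["sgRule"], ip, proto, port)
               for r in spec.get(key, []))

def uncovered(spec, direction, cidrs):
    """Return the CIDRs not fully contained by any remote_ip_prefix in direction."""
    key = "egressSgRules" if direction == "egress" else "ingressSgRules"
    covered = [ipaddress.ip_network(r["sgRule"]["remote_ip_prefix"])
               for r in spec.get(key, []) if "remote_ip_prefix" in r["sgRule"]]
    return [c for c in cidrs if not any(
        ipaddress.ip_network(c).subnet_of(p) for p in covered
        if p.version == ipaddress.ip_network(c).version)]

if __name__ == "__main__":
    # Pod IP reachable, ClusterIP not: same result as the curl session above.
    print(allows(SAMPLE_KNP_SPEC, "egress", "10.128.128.99", port=8080))  # True
    print(allows(SAMPLE_KNP_SPEC, "egress", "172.30.120.252", port=80))   # False
    print(uncovered(SAMPLE_KNP_SPEC, "egress", ["10.128.0.0/14", "172.30.0.0/15"]))
```

The last call lists the CIDRs an empty `namespaceSelector` egress should cover but the generated rules do not, which is the service network in this reproduction.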

Comment 6 Michał Dulko 2021-03-23 08:46:25 UTC
I need to close this due to procedural reasons, see https://issues.redhat.com/browse/ART-2801.

*** This bug has been marked as a duplicate of bug 1941941 ***