Bug 1942555

Summary: Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork
Product: OpenShift Container Platform
Reporter: Aniket Bhat <anbhat>
Component: Networking
Assignee: Aniket Bhat <anbhat>
Networking sub component: ovn-kubernetes
QA Contact: Arti Sood <asood>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: aconstan, memodi, trozet, zzhao
Version: 4.7
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1942603
Environment:
Last Closed: 2021-07-27 22:55:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1942603

Description Aniket Bhat 2021-03-24 14:32:56 UTC
Description of problem:
Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork

Version-Release number of selected component (if applicable):
OCP with ovn-kubernetes (all versions of ovn-k).

How reproducible:
Always

Steps to Reproduce:
1. Create a cluster with default router's endpoint publishing strategy as HostNetwork
2. Create an application with a route in a test namespace
3. Try reaching the application using a route from outside.

Actual results:
Access will be denied with the default network policies in place.

Expected results:
External traffic should be allowed to reach the application if the publishing strategy is host network.

Additional info:

Comment 2 Alexander Constantinescu 2021-04-14 14:45:52 UTC
Hi Aniket

We know you have created and merged the dependent ovn-kube and CNO PRs. This bug is still in ASSIGNED; do we need an update here?

/Alex

Comment 8 Arti Sood 2021-04-19 19:30:13 UTC
Was unable to revive the cluster created with image registry.build01.ci.openshift.org/ci-ln-igjdgk2/release:latest.

Built another image registry.build01.ci.openshift.org/ci-ln-b0mrw5k/release:latest and installed a cluster. (https://mastern-jenkins-csb-openshift-qe.apps.ocp4.prod.psi.redhat.com/job/ocp-common/job/Flexy-install/14282/)

Was successfully able to access the service with network policy applied on the namespace.

1. Create a namespace arti-test
2. Deploy the service and expose it.
oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json
oc expose service <service name>
oc get route

3. Access the service
curl test-service-arti-test.apps.asood-dev-build.qe.devcluster.openshift.com
Hello OpenShift!

4. oc create -f ~/Documents/test-yaml/SDN-1340/AllFromRouterNew.yaml
networkpolicy.networking.k8s.io/deny-by-default created
networkpolicy.networking.k8s.io/allow-from-router created
networkpolicy.networking.k8s.io/allow-from-openshift-monitoring created
networkpolicy.networking.k8s.io/allow-same-namespace created

5. Access the service
curl test-service-arti-test.apps.asood-dev-build.qe.devcluster.openshift.com
Hello OpenShift!

Looks good.
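
The policy set used in step 4 above is not on this page, so the following is an added, constructed example (not the AllFromRouterNew.yaml from the comment) of a deny-by-default namespace that still admits traffic arriving via the default router. The namespace labels in the selectors are assumed to be the ones OpenShift documents for its ingress and host-network namespaces; the bug page itself does not name them.

```yaml
# Constructed example for namespace arti-test (the namespace used in the
# verification above). The two policy-group.network.openshift.io labels are an
# assumption taken from OpenShift's documented namespace labels.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default
  namespace: arti-test
spec:
  # Empty podSelector: applies to every pod in the namespace.
  # No ingress rules listed: all ingress is denied unless another policy allows it.
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: arti-test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Router pods running with a pod-network IP inside openshift-ingress
    # (endpoint publishing strategies other than HostNetwork).
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
    # With the HostNetwork publishing strategy the router pod uses the node's
    # IP, so the selector above alone does not match the connection; this
    # second selector (assumed label) is what admits host-network sources.
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/host-network: ""
```

Applying both policies with `oc create -f` and repeating the curl against the route is the same check performed in step 5 above; without the second selector (or the fix tracked by this bug) the curl is denied.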

Comment 14 errata-xmlrpc 2021-07-27 22:55:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Comment 15 Mehul Modi 2021-09-27 18:56:10 UTC
Arti Sood confirmed the test case was already added in Polarion and the test is automated.