Bug 1949105

Summary: NetworkPolicy ... should enforce ingress policy allowing any port traffic to a server on a specific protocol
Product: OpenShift Container Platform Reporter: Dan Winship <danw>
Component: NetworkingAssignee: Mohamed Mahmoud <mmahmoud>
Networking sub component: openshift-sdn QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: low CC: aconstan, astoycos, mmahmoud
Version: 4.8   
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 23:00:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Winship 2021-04-13 12:53:17 UTC 
New e2e test in 4.8:

[sig-network] Netpol [LinuxOnly] NetworkPolicy between server and client should enforce ingress policy allowing any port traffic to a server on a specific protocol [Feature:NetworkPolicy] [Feature:UDP] [Suite:openshift/conformance/parallel] [Suite:k8s]

This tests that

  kind: NetworkPolicy
  apiVersion: networking/v1
  metadata:
    name: allow-tcp
  spec:
    podSelector: {}
    ingress:
    - ports:
      - protocol: TCP

works. ie, "allow ingress on all TCP ports but not UDP"

This is a dumb feature and we never bothered to implement it in either openshift-sdn or ovn-kubernetes but there's a test for it now and it's easy to fix so it's better to implement it than to keep skipping the test.

(This needs to be fixed in both openshift-sdn and ovn-kubernetes, and then the e2e skip rules will need to updated in openshift/origin (for ovn-kubernetes) and openshift/kubernetes (for openshift-sdn).)
Comment 1 zhaozhanqi 2021-05-12 07:48:30 UTC 
Verified this bug from https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_kubernetes/741/pull-ci-openshift-kubernetes-master-k8s-e2e-gcp/1392208012696883200/artifacts/k8s-e2e-gcp/openshift-kubernetes-e2e-test/build-log.txt
Comment 4 errata-xmlrpc 2021-07-27 23:00:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438