Bug 1964319

Summary: Network policy "deny all" interpreted as "allow all" in description page
Product: OpenShift Container Platform
Component: Management Console
Version: 4.7
Target Release: 4.8.0
Reporter: Joel Takvorian <jtakvori>
Assignee: Joel Takvorian <jtakvori>
QA Contact: Yadan Pei <yapei>
CC: aos-bugs, jhadvig, jokerman, spadgett, yapei
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2021-07-27 23:10:05 UTC

Description Joel Takvorian 2021-05-25 08:15:32 UTC
Description of problem:

When a "deny all" policy is created (this is done by having empty ingress rules), in the policy details page it is interpreted as the opposite, alleging all is allowed.

The spec states explicitly: "If this field [ingress] is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)" ( https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicy-v1-networking-k8s-io )

Having tested the actual behaviour (with CNI OpenShiftSDN), I can confirm that traffic is blocked when this deny-all rule is set.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a network policy using sample n.2 "Deny all non-whitelisted traffic in the current namespace"
2. Check network policy details, under "Ingress rules" it states "All traffic is allowed to Pods in default".

Optionally, create a pod and a service to expose it under the same namespace to ensure connectivity is actually denied.

Actual results:

Text says traffic is allowed


Expected results:

Text should say traffic is denied

Additional info:

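The distinction the report turns on is subtle enough to get wrong in a UI: an empty (or absent) ingress list combined with `Ingress` in `policyTypes` means "isolate these pods, allow nothing", whereas a list containing one empty rule (`ingress: [{}]`) means "allow everything". The following TypeScript is an added example, not code from the openshift/console project; it classifies a NetworkPolicy spec according to the API semantics quoted above and renders a description for each direction. The type names (`NetworkPolicySpec`, `PolicyRule`), the `Verdict` labels and the two constructed sample policies are assumptions for the illustration; only the field names (`podSelector`, `policyTypes`, `ingress`, `egress`, `from`, `to`, `ports`) are the real Kubernetes ones.

```typescript
// Added example (not openshift/console code): classify a NetworkPolicy spec so
// that "empty rules" is read as deny-all, as the Kubernetes API defines it.

type Selector = Record<string, unknown>;
type Direction = 'Ingress' | 'Egress';

// Hypothetical minimal typing of the relevant NetworkPolicy fields.
interface PolicyRule {
  from?: Selector[];                                  // ingress peers
  to?: Selector[];                                    // egress peers
  ports?: { port?: number | string; protocol?: string }[];
}

interface NetworkPolicySpec {
  podSelector: Selector;
  policyTypes?: Direction[];
  ingress?: PolicyRule[];
  egress?: PolicyRule[];
}

type Verdict = 'not-restricted' | 'deny-all' | 'allow-all' | 'restricted';

// API defaulting: Ingress is always implied when policyTypes is omitted;
// Egress is implied only if an egress section is present (even an empty one).
function effectivePolicyTypes(spec: NetworkPolicySpec): Direction[] {
  if (spec.policyTypes && spec.policyTypes.length > 0) return spec.policyTypes;
  const types: Direction[] = ['Ingress'];
  if (spec.egress !== undefined) types.push('Egress');
  return types;
}

// A rule with no peers and no ports matches every peer on every port.
function ruleMatchesEverything(r: PolicyRule): boolean {
  return (r.from?.length ?? 0) === 0 && (r.to?.length ?? 0) === 0 && (r.ports?.length ?? 0) === 0;
}

function classify(rules: PolicyRule[] | undefined, applies: boolean): Verdict {
  if (!applies) return 'not-restricted';          // direction not governed by this policy
  if (!rules || rules.length === 0) return 'deny-all'; // empty list: isolate, permit nothing
  // Rules are ORed, so one all-matching rule opens the direction completely.
  return rules.some(ruleMatchesEverything) ? 'allow-all' : 'restricted';
}

export function classifyIngress(spec: NetworkPolicySpec): Verdict {
  return classify(spec.ingress, effectivePolicyTypes(spec).includes('Ingress'));
}

export function classifyEgress(spec: NetworkPolicySpec): Verdict {
  return classify(spec.egress, effectivePolicyTypes(spec).includes('Egress'));
}

// Renders the kind of sentence the details page shows for the ingress table.
export function describeIngress(spec: NetworkPolicySpec, namespace: string): string {
  switch (classifyIngress(spec)) {
    case 'deny-all':       return `All incoming traffic is denied to Pods in ${namespace}`;
    case 'allow-all':      return `All incoming traffic is allowed to Pods in ${namespace}`;
    case 'restricted':     return `Incoming traffic is limited to the listed peers and ports`;
    case 'not-restricted': return `Ingress is not restricted by this policy`;
  }
}

// Constructed sample specs (not from the bug report's cluster).
export const denyAllIngress: NetworkPolicySpec = { podSelector: {}, policyTypes: ['Ingress'] };
export const denyAllEgress: NetworkPolicySpec = { podSelector: {}, policyTypes: ['Egress'] };
export const allowAllIngress: NetworkPolicySpec = { podSelector: {}, ingress: [{}] };
export const restrictedIngress: NetworkPolicySpec = {
  podSelector: { matchLabels: { app: 'web' } },
  ingress: [{ from: [{ podSelector: { matchLabels: { role: 'frontend' } } }], ports: [{ port: 8080 }] }],
};

console.log(describeIngress(denyAllIngress, 'default'));   // deny-all: the case the console got wrong
console.log(describeIngress(allowAllIngress, 'default'));  // allow-all: the only spec that should say "allowed"
```

The useful takeaway for anyone auditing policies by hand is the same check the code performs: look at `policyTypes` first, then ask whether the rule list for that direction is empty (deny) or contains an empty rule (allow). Those two specs differ by two characters in YAML and mean the opposite thing.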
Comment 1 Joel Takvorian 2021-05-26 07:50:51 UTC
Bug is fixed via https://github.com/openshift/console/pull/9032 (for bug https://bugzilla.redhat.com/show_bug.cgi?id=1962569 )

Comment 2 Yadan Pei 2021-05-26 09:18:37 UTC
1. Create two NetworkPolicies, one denying all ingress and the other denying all egress.
deny all ingress
....
spec:
  policyTypes:
    - Ingress


deny all egress
....
spec:
  policyTypes:
    - Egress


2. Check NetworkPolicy details page -> Ingress rules table
For deny all ingress networkpolicy, it shows `All incoming traffic is denied to Pods in yapei`
For deny all egress networkpolicy, it shows `All outgoing traffic is denied from Pods in yapei`

The text shows the correct meaning.

Verified on 4.8.0-0.nightly-2021-05-26-021757

Comment 5 errata-xmlrpc 2021-07-27 23:10:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438