Bug 1985512
| Field | Value |
|---|---|
| Summary | allow-from-router feature doesn't work on v6 only single stack cluster |
| Product | OpenShift Container Platform |
| Reporter | Aniket Bhat <anbhat> |
| Component | Networking |
| Assignee | Aniket Bhat <anbhat> |
| Networking sub component | ovn-kubernetes |
| QA Contact | zhaozhanqi <zzhao> |
| Status | CLOSED ERRATA |
| Docs Contact | |
| Severity | high |
| Priority | high |
| CC | mifiedle, weliang, zzhao |
| Version | 4.8 |
| Keywords | FastFix |
| Target Milestone | --- |
| Target Release | 4.9.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1985514 |
| Environment | |
| Last Closed | 2021-10-18 17:40:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1985514 |
Description
Aniket Bhat
2021-07-23 19:02:35 UTC
@weliang or @zzhao Please verify FastFix bz

Tested and verified in 4.9.0-0.nightly-2021-07-26-071921
```text
[root@ocp-edge50 auth]# oc get networkpolicy
NAME                POD-SELECTOR   AGE
allow-from-router   <none>         44m
deny-by-default     <none>         45m
[root@ocp-edge50 auth]# oc describe networkpolicy deny-by-default
Name:         deny-by-default
Namespace:    test
Created on:   2021-07-26 20:38:15 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc describe networkpolicy allow-from-router
Name:         allow-from-router
Namespace:    test
Created on:   2021-07-26 20:38:39 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: policy-group.network.openshift.io/ingress=
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc get svc
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
default-svc            ClusterIP   fd02::12fe   <none>        8080/TCP   24m
singlestack-ipv6-svc   ClusterIP   fd02::9969   <none>        8080/TCP   24m
[root@ocp-edge50 auth]# oc get route
NAME                   HOST/PORT                                                              PATH   SERVICES               PORT   TERMINATION   WILDCARD
default-svc            default-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com                    default-svc            8080                 None
singlestack-ipv6-svc   singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com           singlestack-ipv6-svc   8080                 None
[root@ocp-edge50 auth]# nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Server:    127.0.0.1
Address:   127.0.0.1#53

Name:      singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Address:   fd2e:6f44:5dd8::a
[root@ocp-edge50 auth]# curl -gv nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
* Rebuilt URL to: nslookup/
* Could not resolve host: nslookup
* Closing connection 0
curl: (6) Could not resolve host: nslookup
* Rebuilt URL to: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com/
*   Trying fd2e:6f44:5dd8::a...
* TCP_NODELAY set
* Connected to singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com (fd2e:6f44:5dd8::a) port 80 (#1)
> GET / HTTP/1.1
> Host: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 26 Jul 2021 18:25:47 GMT
< content-length: 14
< content-type: text/plain; charset=utf-8
< set-cookie: 988aee3ad24dc23f66048dc9bc1ee617=9abde5a59a9399cf873ec25ec3ff79ec; path=/; HttpOnly
< cache-control: private
<
dualstack-pod
* Connection #1 to host singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com left intact
[root@ocp-edge50 auth]#
```
Tried two labels in the policies and both worked fine:

- `matchLabels: policy-group.network.openshift.io/ingress: ""`
- `matchLabels: network.openshift.io/policy-group: ingress`

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.
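For reference, the two NetworkPolicy objects that the verification transcript describes, written out as manifests. This is an added reconstruction from the `oc describe` output on this page, not a manifest attached to the bug or shipped by the project: the namespace `test`, the policy names and the selector label are taken from that output, and the pairing is the standard pattern of an ingress deny-all policy followed by an allow rule scoped to the namespace that carries the ingress-controller label. The alternative `network.openshift.io/policy-group: ingress` label the tester reports as also working is shown as a comment.

```yaml
# Added reconstruction of the two policies shown in `oc describe` above;
# not a manifest from the bug itself. Namespace and names come from that output.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default
  namespace: test
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: test
spec:
  podSelector: {}          # again every pod in the namespace
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # namespace label carried by the ingress controller (router) namespace
          policy-group.network.openshift.io/ingress: ""
          # alternative label reported as also working in this bug:
          # network.openshift.io/policy-group: ingress
    # no ports block: traffic is allowed to all ports, matching "To Port: <any>"
```

The check the transcript performs is the `200 OK` from `curl` against the route's AAAA address while `deny-by-default` is present in the namespace: if the allow rule is missing or its selector does not match the router namespace, traffic from the router is dropped and the route fails. On an IPv6-only cluster this is exactly the case the bug covers, so a verification should confirm that both policies exist (`oc get networkpolicy` in the namespace) and that the request succeeds because the router namespace matches the selector, not because the deny policy was never applied.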