Bug 1985512

Summary: allow-from-router feature doesn't work on v6 only single stack cluster
Product: OpenShift Container Platform
Reporter: Aniket Bhat <anbhat>
Component: Networking
Assignee: Aniket Bhat <anbhat>
Networking sub component: ovn-kubernetes
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: high
CC: mifiedle, weliang, zzhao
Version: 4.8
Keywords: FastFix
Target Milestone: ---
Flags: mifiedle: needinfo? (zzhao)
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1985514
Environment:
Last Closed: 2021-10-18 17:40:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1985514

Description Aniket Bhat 2021-07-23 19:02:35 UTC
Description of problem:

In a v6 only ovn-k cluster, the management interface IP is not added to the address set used for classifying host network traffic. This causes the allow-from-router network policy to not work correctly on platforms where the endpoint publishing strategy is "HostNetwork".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a single stack v6 cluster on vsphere or a platform where the endpoint publishing strategy is HostNetwork
2. Create allow from ingress network policy
3. Try external access to service in the cluster that is v6

Actual results:
service is not reliably accessible since the v6 management IP is not added to the address set for classifying host network traffic

Expected results:
External access to a service in a single stack v6 cluster works reliably. 

Additional info:

Comment 1 Mike Fiedler 2021-07-23 21:52:55 UTC
@weliang or @zzhao   Please verify FastFix bz

Comment 3 Weibin Liang 2021-07-26 18:29:44 UTC
Tested and verified in 4.9.0-0.nightly-2021-07-26-071921

[root@ocp-edge50 auth]# oc get networkpolicy
NAME                POD-SELECTOR   AGE
allow-from-router   <none>         44m
deny-by-default     <none>         45m
[root@ocp-edge50 auth]# oc describe networkpolicy deny-by-default 
Name:         deny-by-default
Namespace:    test
Created on:   2021-07-26 20:38:15 +0300 IDT
Labels:       <none>
Annotations:  <none>
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc describe networkpolicy allow-from-router
Name:         allow-from-router
Namespace:    test
Created on:   2021-07-26 20:38:39 +0300 IDT
Labels:       <none>
Annotations:  <none>
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
      NamespaceSelector: policy-group.network.openshift.io/ingress=
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc get svc
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
default-svc            ClusterIP   fd02::12fe   <none>        8080/TCP   24m
singlestack-ipv6-svc   ClusterIP   fd02::9969   <none>        8080/TCP   24m
[root@ocp-edge50 auth]# oc get route
NAME                   HOST/PORT                                                             PATH   SERVICES               PORT   TERMINATION   WILDCARD
default-svc            default-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com                   default-svc            8080                 None
singlestack-ipv6-svc   singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com          singlestack-ipv6-svc   8080                 None

[root@ocp-edge50 auth]# nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com 

Name:	singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Address: fd2e:6f44:5dd8::a

[root@ocp-edge50 auth]# curl -gv nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com 
* Rebuilt URL to: nslookup/
* Could not resolve host: nslookup
* Closing connection 0
curl: (6) Could not resolve host: nslookup
* Rebuilt URL to: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com/
*   Trying fd2e:6f44:5dd8::a...
* Connected to singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com (fd2e:6f44:5dd8::a) port 80 (#1)
> GET / HTTP/1.1
> Host: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
< HTTP/1.1 200 OK
< date: Mon, 26 Jul 2021 18:25:47 GMT
< content-length: 14
< content-type: text/plain; charset=utf-8
< set-cookie: 988aee3ad24dc23f66048dc9bc1ee617=9abde5a59a9399cf873ec25ec3ff79ec; path=/; HttpOnly
< cache-control: private
* Connection #1 to host singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com left intact
[root@ocp-edge50 auth]#

Comment 4 Weibin Liang 2021-07-26 20:09:53 UTC
Tried two labels in the policies and both worked fine:

          policy-group.network.openshift.io/ingress: ""

          network.openshift.io/policy-group: ingress
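
As an added illustration (not part of the bug report or of the verifier's comments), the following manifests are the two policies that appear in the `oc describe networkpolicy` output of Comment 3, written out in full: a deny-by-default policy that isolates every pod in the namespace for ingress, and an allow-from-router policy that re-admits traffic only from the namespace carrying the ingress label. The namespace `test` is taken from the output above; the label is the first of the two Comment 4 reports as working (the second, `network.openshift.io/policy-group: ingress`, can be substituted in the `matchLabels` block).

```yaml
# Added example, not code from the bug report.
# Policy 1: isolate all pods in namespace "test" for ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default
  namespace: test
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed -> all ingress is denied
---
# Policy 2: re-admit traffic that originates from the ingress (router) namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # label carried by the router's namespace; the alternative label
          # from Comment 4 is network.openshift.io/policy-group: ingress
          policy-group.network.openshift.io/ingress: ""
```

Why the management IP matters here: with the HostNetwork endpoint publishing strategy the router runs in the node's network namespace, so traffic it forwards into a pod is sourced from the node itself rather than from a pod IP, and ovn-kubernetes can only match it to the ingress namespace rule if the node's management interface address is in the address set it uses to classify host-network traffic. The check described in the bug is the one from Comment 3: after applying both policies, `oc describe networkpolicy allow-from-router` should list the `NamespaceSelector` under "Allowing ingress traffic", and a `curl -gv` against the route's AAAA address should return `200 OK` consistently rather than intermittently.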

Comment 7 errata-xmlrpc 2021-10-18 17:40:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.