Bug 2101366

Summary: [OVN] egress network policy to api server not properly taken into account by OVN
Product: OpenShift Container Platform
Reporter: Franck Grosjean <fgrosjea>
Component: Networking
Assignee: Surya Seetharaman <surya>
Networking sub component: ovn-kubernetes
QA Contact: Anurag saxena <anusaxen>
Status: CLOSED WORKSFORME
Docs Contact:
Severity: high
Priority: high
CC: akaris, jclaretm, sdodson, surya
Version: 4.10
Target Milestone: ---
Target Release: 4.10.z
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-07-29 12:48:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2101402
Bug Blocks:

Description Franck Grosjean 2022-06-27 10:06:08 UTC
Description of problem:

We have a setup where all ingress & egress traffic is denied by default in our OCP clusters.
We then add specific network policies to only allow expected traffic, including a default egress network policy to allow access to the API server by referencing the endpoints of the Kubernetes service in the default namespace.
Strangely, this rule seems to be taken into account very sporadically: in the same namespace, without touching this policy, sometimes access to the API is working and sometimes it is not, without any action on the network policies.
When traffic is blocked, the audit logs (ACL events) clearly show traffic to the Kubernetes API as dropped despite the existing network policy.

Version-Release number of selected component (if applicable):
4.10.13

How reproducible:
Always

Steps to Reproduce:
1. Set up ingress & egress traffic to be denied by default.
2. Add specific network policies to only allow expected traffic, including a default egress network policy to allow access to the API server by referencing the endpoints of the Kubernetes service in the default namespace.
3. The rule seems to be taken into account very sporadically.

Actual results:
The rule seems to be taken into account very sporadically.

OVN error
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x171a49d]

Expected results:
Network Policy would be added.

Additional info:
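
The following is an added illustration of the setup this report describes, not code from the report or from ovn-kubernetes: a default-deny policy, an egress allow built from the `kubernetes` Endpoints in `default` (a NetworkPolicy cannot name an Endpoints object, so each endpoint address becomes an `ipBlock`), and a small evaluator that states the verdict an OVN ACL should produce for a given destination. The Endpoints object, its IPs, the namespace name and the helper names are constructed assumptions; on a real cluster the input comes from `oc get endpoints kubernetes -n default -o json`.

```python
import ipaddress
import json

# Constructed sample in the shape of `oc get endpoints kubernetes -n default -o json`;
# the IPs are placeholders, not a real cluster's API server addresses.
SAMPLE_ENDPOINTS = json.loads('{"subsets": [{"addresses": [{"ip": "10.0.0.11"}, '
                              '{"ip": "10.0.0.12"}, {"ip": "10.0.0.13"}], '
                              '"ports": [{"name": "https", "port": 6443, "protocol": "TCP"}]}]}')


def default_deny_policy(namespace):
    """Baseline from the report: deny all ingress and egress for every pod in the namespace."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-all", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}


def api_egress_policy(endpoints, namespace):
    """Allow egress to the API server only: each endpoint address becomes a /32 (or /128)
    ipBlock peer and each endpoint port becomes an allowed port."""
    peers, ports = [], []
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []):
            ip = ipaddress.ip_address(addr["ip"])
            peers.append({"ipBlock": {"cidr": f"{ip}/{ip.max_prefixlen}"}})
        for p in subset.get("ports", []):
            ports.append({"protocol": p.get("protocol", "TCP"), "port": p["port"]})
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "allow-egress-apiserver", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                     "egress": [{"to": peers, "ports": ports}]}}


def egress_allowed(policies, dst_ip, dst_port, protocol="TCP"):
    """Expected verdict for one egress flow under the additive NetworkPolicy model (assumes every
    policy has an empty podSelector and only ipBlock peers): once any policy selects the pod for
    Egress, the flow passes only if some egress rule matches both destination and port."""
    egress = [p for p in policies if "Egress" in p["spec"]["policyTypes"]]
    if not egress:
        return True  # no egress policy selects the pod, so nothing is restricted
    ip = ipaddress.ip_address(dst_ip)
    for pol in egress:
        for rule in pol["spec"].get("egress", []):
            peer_ok = not rule.get("to") or any(
                ip in ipaddress.ip_network(peer["ipBlock"]["cidr"])
                for peer in rule["to"] if "ipBlock" in peer)
            port_ok = not rule.get("ports") or any(
                pp["port"] == dst_port and pp.get("protocol", "TCP") == protocol
                for pp in rule["ports"])
            if peer_ok and port_ok:
                return True
    return False
```

With both policies applied, a pod reaching an endpoint IP on 6443 is expected to pass while the same IP on another port, or any other IP, is expected to be dropped; an ACL audit log showing a drop for an allowed endpoint is the mismatch the report describes.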

Comment 8 Andreas Karis 2022-06-27 12:30:16 UTC

*** This bug has been marked as a duplicate of bug 2091238 ***

Comment 17 Red Hat Bugzilla 2023-09-15 01:56:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days