Bug 2212143

Summary: preserveDefaultVlan should be set to False to filter undesired VLAN tags
Product: Red Hat Enterprise Linux 9 Reporter: Yossi Segev <ysegev>
Component: containernetworking-pluginsAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Yuhui Jiang <yujiang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.2CC: ajia, awax, jnovy, mduarted, phoracek, tsweeney
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: containernetworking-plugins-1.3.0-4.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:30:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yossi Segev 2023-06-04 10:19:25 UTC 
Description of problem:
In addition to the fix for https://bugzilla.redhat.com/show_bug.cgi?id=2179333, the used should also explicitly set `preserveDefaultVlan`, which is default True, to False in the NetworkAttachmentDefinition.
This should be documented in https://github.com/containernetworking/cni.dev (in content/plugins/current/main/bridge.md).
Comment 6 Petr Horáček 2023-06-15 11:30:38 UTC 
I know this request comes in quite late, but is there any chance we could change the default of the CNI instead of just documenting it? Having preserveDefaultVlan True by default is IMO unsafe and counterintuitive.

My worry is that today, users of the bridge CNI are requesting a VLAN with the expectation that their Pods will be fully isolated to this VLAN. That is however not not the case since by default their Pods would be also exposed to VLAN 1 which may contain sensitive management traffic. While this new preserveDefaultVlan attribute allows them to fix that gap in isolation, it is suboptimal since they need to change their existing configuration.

While theoretically there may have been users who relied on the VLAN 1 to be exposed in addition to the requested VLAN ID, I would argue that they would be the exception (if they exist at all).
Comment 17 errata-xmlrpc 2023-11-07 08:30:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: containernetworking-plugins security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6402