Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1419393 - [networkpolicy] Pod in project which has the DefaultDeny policy cannot connect to the pod in other projects
Summary: [networkpolicy] Pod in project which has the DefaultDeny policy cannot connec...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Dan Winship
QA Contact: Meng Bo
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-06 02:54 UTC by Meng Bo
Modified: 2017-07-24 14:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2017-04-12 19:11:33 UTC
Target Upstream Version:

Attachments (Terms of Use)
openflow_rules_after_annotation_added_to_project1 (7.98 KB, text/plain)
2017-02-06 02:54 UTC, Meng Bo
no flags Details

System ID Private Priority Status Summary Last Updated
Origin (Github) 12837 0 None None None 2017-02-07 14:19:09 UTC
Red Hat Product Errata RHBA-2017:0884 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC

Description Meng Bo 2017-02-06 02:54:24 UTC
Created attachment 1247930 [details]

Description of problem:
When the annotation DefaultDeny added to the project, pod in that project cannot access pods in other projects which does not have the annotation.

Version-Release number of selected component (if applicable):
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:

Steps to Reproduce:
1. Setup multinode env with redhat/openshift-sdn-networkpolicy plugin
2. Create two projects and create pod/svc in each project 
called u1p1 and u2p1
3. Add the DefaultDeny networkpolicy to one of the projects
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Try to access the pod/svc in u1p1 from the pod in u2p1
5. Try to access the pod/svc in u2p1 from the pod in u1p1

Actual results:
4. Cannot access successfully as expected.
5. Also cannot access.

Expected results:
5. Should be able to access from pod in u1p1 to u2p1

Additional info:
Openflow dump attached.

Comment 1 Troy Dawson 2017-02-08 22:26:23 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 3 Meng Bo 2017-02-10 07:46:04 UTC
Verified on OCP build, works as expected.

Comment 5 errata-xmlrpc 2017-04-12 19:11:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.