Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1419393 - [networkpolicy] Pod in project which has the DefaultDeny policy cannot connect to the pod in other projects
[networkpolicy] Pod in project which has the DefaultDeny policy cannot connec...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking (Show other bugs)
3.5.0
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Dan Winship
Meng Bo
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-05 21:54 EST by Meng Bo
Modified: 2017-07-24 10 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-12 15:11:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
openflow_rules_after_annotation_added_to_project1 (7.98 KB, text/plain)
2017-02-05 21:54 EST, Meng Bo 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 12837 None None None 2017-02-07 09:19 EST
Red Hat Product Errata RHBA-2017:0884 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 18:50:07 EDT

  None (edit)
Description Meng Bo 2017-02-05 21:54:24 EST 
Created attachment 1247930 [details]
openflow_rules_after_annotation_added_to_project1

Description of problem:
When the annotation DefaultDeny added to the project, pod in that project cannot access pods in other projects which does not have the annotation.

Version-Release number of selected component (if applicable):
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Setup multinode env with redhat/openshift-sdn-networkpolicy plugin
2. Create two projects and create pod/svc in each project 
called u1p1 and u2p1
3. Add the DefaultDeny networkpolicy to one of the projects
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Try to access the pod/svc in u1p1 from the pod in u2p1
5. Try to access the pod/svc in u2p1 from the pod in u1p1

Actual results:
4. Cannot access successfully as expected.
5. Also cannot access.

Expected results:
5. Should be able to access from pod in u1p1 to u2p1

Additional info:
Openflow dump attached.
Comment 1 Troy Dawson 2017-02-08 17:26:23 EST 
This has been merged into ocp and is in OCP v3.5.0.18 or newer.
Comment 3 Meng Bo 2017-02-10 02:46:04 EST 
Verified on OCP build 3.5.0.18, works as expected.
Comment 5 errata-xmlrpc 2017-04-12 15:11:33 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.