Created attachment 1247930 [details] openflow_rules_after_annotation_added_to_project1

Description of problem:
When the DefaultDeny annotation is added to a project, pods in that project cannot access pods in other projects which do not have the annotation.

Version-Release number of selected component (if applicable):
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Set up a multinode env with the redhat/openshift-sdn-networkpolicy plugin
2. Create two projects and create a pod/svc in each project, called u1p1 and u2p1
3. Add the DefaultDeny networkpolicy to one of the projects
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Try to access the pod/svc in u1p1 from the pod in u2p1
5. Try to access the pod/svc in u2p1 from the pod in u1p1

Actual results:
4. Cannot access successfully, as expected.
5. Also cannot access.

Expected results:
5. Should be able to access from the pod in u1p1 to u2p1

Additional info:
Openflow dump attached.
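As an added illustration (not part of the bug report or of the openshift-sdn code), a small Python model of the expected semantics of the annotation used in step 3: DefaultDeny isolates ingress to the annotated namespace only, so step 4 must be denied while step 5 must be allowed. The namespace names come from the report; the fail-closed handling of a malformed annotation value is an assumption of this example.

```python
import json

# Annotation key and value shape from the bug report (Kubernetes v1beta network-policy annotation).
POLICY_ANNOTATION = "net.beta.kubernetes.io/network-policy"
DEFAULT_DENY_VALUE = '{"ingress":{"isolation":"DefaultDeny"}}'


def ingress_isolated(namespace_annotations):
    """True when the namespace carries ingress isolation "DefaultDeny".

    A missing annotation means the namespace is not isolated. A present but
    malformed value is treated as isolated (fail closed); that choice is an
    assumption of this example, not behaviour described in the report.
    """
    raw = namespace_annotations.get(POLICY_ANNOTATION)
    if raw is None:
        return False
    try:
        policy = json.loads(raw)
    except ValueError:
        return True
    if not isinstance(policy, dict):
        return True
    ingress = policy.get("ingress")
    return isinstance(ingress, dict) and ingress.get("isolation") == "DefaultDeny"


def expected_allowed(src_ns, dst_ns, namespaces):
    """Expected outcome of a connection from a pod in src_ns to a pod in dst_ns.

    With no NetworkPolicy objects present, the only input that matters is the
    *destination* namespace: isolation blocks all ingress into an isolated
    namespace (including from itself) and never restricts what its pods may
    reach. The source namespace's own annotation is deliberately ignored,
    which is exactly the point the buggy OpenFlow rules got wrong.
    """
    return not ingress_isolated(namespaces[dst_ns])


def reproduce_steps():
    """Evaluate steps 4 and 5 of the report against the expected semantics."""
    # Constructed namespace state matching the report: only u1p1 is annotated.
    namespaces = {
        "u1p1": {POLICY_ANNOTATION: DEFAULT_DENY_VALUE},
        "u2p1": {},
    }
    return {
        "step4_u2p1_to_u1p1": expected_allowed("u2p1", "u1p1", namespaces),  # False
        "step5_u1p1_to_u2p1": expected_allowed("u1p1", "u2p1", namespaces),  # True
    }
```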
This has been merged into ocp and is in OCP v3.5.0.18 or newer.
Verified on OCP build 3.5.0.18, works as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884