Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1419430 - [networkpolicy] The service which matches the network policy rule cannot be accessed
Summary: [networkpolicy] The service which matches the network policy rule cannot be a...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Dan Winship
QA Contact: Meng Bo
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-06 06:43 UTC by Meng Bo
Modified: 2017-08-16 19:51 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The (Tech Preview) NetworkPolicy plugin in OCP 3.5 did not implement all features of NetworkPolicy. Consequence: When using certain NetworkPolicy resources that used PodSelectors, pods would be accessible by pod IP, but not by service IP. Fix: The underlying issues preventing NetworkPolicy from working correctly have been addressed. Result: All connections that should be allowed by a NetworkPolicy are now allowed whether made directly (pod-to-pod) or indirectly via a service IP.
Clone Of:
Last Closed: 2017-08-10 05:17:28 UTC
Target Upstream Version:

Attachments (Terms of Use)
openflow_rule_with_network_policy_applied (7.29 KB, text/plain)
2017-02-06 06:43 UTC, Meng Bo
no flags Details

System ID Private Priority Status Summary Last Updated
Origin (Github) 14466 0 None None None 2017-06-22 21:32:52 UTC
Red Hat Product Errata RHEA-2017:1716 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.6 RPM Release Advisory 2017-08-10 09:02:50 UTC

Description Meng Bo 2017-02-06 06:43:41 UTC
Created attachment 1247955 [details]

Description of problem:
Apply the allow-local network policy to the project, and access the pod/svc from inside the project. The service cannot be accessed.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:

Steps to Reproduce:
1. Setup multi-node env with the network plugin redhat/openshift-ovs-networkpolicy

2. Create project and pod/svc
called u1p1

3. Add the annotation to the project u1p1
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'

4. Apply the 'allow-local' network policy to the project u1p1
# oc create -f networkpolicy.yaml -n u1p1
# cat networkpolicy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
  name: allow-local
  - from:
    - podSelector: 
      - {}

5. Try to access the pod in u1p1 from other pod in u1p1
6. Try to access the svc in u1p1 from pod in u1p1

Actual results:
5. The pod can access the pod in the same project
6. The pod cannot access the service in the same project

Expected results:
Both service and pod can be accessed.

Additional info:
Full openflow rule attached.

Comment 1 Ben Bennett 2017-02-08 17:13:50 UTC
Dan: Can you please comment on whether this is likely to make 3.5, and if it can't, what he implications will be.  Thanks

Comment 2 Dan Winship 2017-02-10 15:03:15 UTC
It depends on "unknown unknowns", so it's hard to say how likely it is. I guess the safe answer would be "not likely to make 3.5". It's also possible that it could miss 3.5.0 and be fixed in 3.5.1. (It's also possible that it won't be possible to fix without bumping our OVS requirement to 2.6 and completely reimplementing the service proxy.)

Implications for users who aren't trying out the tech-preview NetworkPolicy feature: absolutely none.

Implications for users who are trying out the tech-preview NetworkPolicy feature: only policies that don't make use of PodSelectors work fully. This means the NetworkPolicy plugin still has a superset of functionality of the multitenant plugin, but doesn't have all of the functionality that it's *supposed* to have.

Comment 4 Ben Bennett 2017-06-22 21:32:25 UTC
PR https://github.com/openshift/origin/pull/14466

Comment 6 Meng Bo 2017-07-05 06:58:30 UTC
The service part works well on OCP 3.6.133.

Verify the bug.

Comment 8 errata-xmlrpc 2017-08-10 05:17:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.