Bug 1419430 - [networkpolicy] The service which matches the network policy rule cannot be accessed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Dan Winship
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-06 06:43 UTC by Meng Bo
Modified: 2017-08-16 19:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The (Tech Preview) NetworkPolicy plugin in OCP 3.5 did not implement all features of NetworkPolicy.
Consequence: When using certain NetworkPolicy resources that used PodSelectors, pods would be accessible by pod IP, but not by service IP.
Fix: The underlying issues preventing NetworkPolicy from working correctly have been addressed.
Result: All connections that should be allowed by a NetworkPolicy are now allowed whether made directly (pod-to-pod) or indirectly via a service IP.
Clone Of:
Environment:
Last Closed: 2017-08-10 05:17:28 UTC
Target Upstream Version:
Embargoed:


Attachments
openflow_rule_with_network_policy_applied (7.29 KB, text/plain), 2017-02-06 06:43 UTC, Meng Bo


Links
Origin (Github) 14466, last updated 2017-06-22 21:32:52 UTC
Red Hat Product Errata RHEA-2017:1716 (priority normal, status SHIPPED_LIVE): Red Hat OpenShift Container Platform 3.6 RPM Release Advisory, last updated 2017-08-10 09:02:50 UTC

Description Meng Bo 2017-02-06 06:43:41 UTC
Created attachment 1247955: openflow_rule_with_network_policy_applied

Description of problem:
Apply the allow-local network policy to the project, and access the pod/svc from inside the project. The service cannot be accessed.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Setup multi-node env with the network plugin redhat/openshift-ovs-networkpolicy

2. Create a project called u1p1 and a pod/svc in it

3. Add the annotation to the project u1p1
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'

4. Apply the 'allow-local' network policy to the project u1p1
# oc create -f networkpolicy.yaml -n u1p1
# cat networkpolicy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-local
spec:
  ingress:
  - from:
    - podSelector: {}   # empty selector: allow ingress from every pod in this namespace
  podSelector: {}       # empty selector: the policy applies to every pod in this namespace

5. Try to access the pod in u1p1 from other pod in u1p1
6. Try to access the svc in u1p1 from pod in u1p1


Actual results:
5. The pod can access the pod in the same project
6. The pod cannot access the service in the same project

Expected results:
Both service and pod can be accessed.

Additional info:
Full openflow rule attached.
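
As an added illustration, not code from this bug report or from the openshift-sdn plugin: a small Python model of the NetworkPolicy semantics the fix restores. It evaluates the allow-local policy above for a same-project connection made directly to a pod IP and via a service IP, once after the service DNAT (the expected behaviour) and once on the pre-DNAT destination (an assumed simplification of the reported symptom). Pod names, IPs and labels are constructed.

```python
from dataclasses import dataclass, field
@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict = field(default_factory=dict)
# Constructed cluster state (IPs, names and labels invented): project u1p1 from the report
# plus one pod in another project, and one service in u1p1 backed by the server pod.
PODS = {
    "10.128.0.10": Pod("client", "u1p1", "10.128.0.10", {"app": "client"}),
    "10.128.0.11": Pod("server", "u1p1", "10.128.0.11", {"app": "server"}),
    "10.129.0.5": Pod("outsider", "u1p2", "10.129.0.5", {"app": "client"}),
}
SERVICES = {"172.30.1.1": ["10.128.0.11"]}  # service IP -> endpoint pod IPs (DNAT targets)

# The report's allow-local policy, reduced to the fields the model uses.
ALLOW_LOCAL = {
    "namespace": "u1p1",
    "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
}

def selector_matches(selector, labels):
    """matchLabels semantics: an empty or absent selector matches every pod."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def ingress_allowed(policy, src, dst):
    """Ingress check for a pod-to-pod flow under a policy that uses podSelector peers only."""
    if dst.namespace != policy["namespace"]:
        return True  # the policy never applies to pods outside its own namespace
    if not selector_matches(policy["spec"].get("podSelector"), dst.labels):
        return True  # the policy does not select this destination pod
    for rule in policy["spec"]["ingress"]:
        for peer in rule["from"]:
            # a plain podSelector peer only admits pods from the policy's own namespace
            if "podSelector" in peer and src.namespace == dst.namespace \
                    and selector_matches(peer["podSelector"], src.labels):
                return True
    return False  # selected pod with no matching allow rule: DefaultDeny drops it

def connection_allowed(policy, src_ip, dst_ip, evaluate_after_dnat=True):
    """dst_ip is a pod IP or a service IP. After kube-proxy's DNAT the policy is applied to the
    real endpoint pod, so a service flow passes exactly when the direct pod flow does. With
    evaluate_after_dnat=False the pre-DNAT service IP matches no pod and the flow is dropped."""
    src = PODS[src_ip]
    if evaluate_after_dnat and dst_ip in SERVICES:
        return all(ingress_allowed(policy, src, PODS[ep]) for ep in SERVICES[dst_ip])
    dst = PODS.get(dst_ip)
    return ingress_allowed(policy, src, dst) if dst else False
```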

Comment 1 Ben Bennett 2017-02-08 17:13:50 UTC
Dan: Can you please comment on whether this is likely to make 3.5, and if it can't, what the implications will be.  Thanks

Comment 2 Dan Winship 2017-02-10 15:03:15 UTC
It depends on "unknown unknowns", so it's hard to say how likely it is. I guess the safe answer would be "not likely to make 3.5". It's also possible that it could miss 3.5.0 and be fixed in 3.5.1. (It's also possible that it won't be possible to fix without bumping our OVS requirement to 2.6 and completely reimplementing the service proxy.)

Implications for users who aren't trying out the tech-preview NetworkPolicy feature: absolutely none.

Implications for users who are trying out the tech-preview NetworkPolicy feature: only policies that don't make use of PodSelectors work fully. This means the NetworkPolicy plugin still has a superset of functionality of the multitenant plugin, but doesn't have all of the functionality that it's *supposed* to have.

Comment 4 Ben Bennett 2017-06-22 21:32:25 UTC
PR https://github.com/openshift/origin/pull/14466

Comment 6 Meng Bo 2017-07-05 06:58:30 UTC
The service part works well on OCP 3.6.133.

Verify the bug.

Comment 8 errata-xmlrpc 2017-08-10 05:17:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

