Created attachment 1247955
openflow_rule_with_network_policy_applied

Description of problem:
Apply the allow-local network policy to the project, and access the pod/svc from inside the project. The service cannot be accessed.

Version-Release number of selected component (if applicable):
$ oc version
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Set up a multi-node env with the network plugin redhat/openshift-ovs-networkpolicy
2. Create a project and a pod/svc called u1p1
3. Add the annotation to the project u1p1
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Apply the 'allow-local' network policy to the project u1p1
# oc create -f networkpolicy.yaml -n u1p1
# cat networkpolicy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-local
spec:
  ingress:
  - from:
    - podSelector: {}
  podSelector:
5. Try to access the pod in u1p1 from another pod in u1p1
6. Try to access the svc in u1p1 from a pod in u1p1

Actual results:
5. The pod can access the pod in the same project
6. The pod cannot access the service in the same project

Expected results:
Both service and pod can be accessed.

Additional info:
Full openflow rule attached.
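The reproduction steps above, scripted end to end, as an added example that is not part of the bug report. It assumes an oc session already logged in to a cluster built with the redhat/openshift-ovs-networkpolicy plugin (step 1 is not scripted), and that the images openshift/hello-openshift (server, listens on 8080) and busybox (client, provides wget) are pullable; both image names are assumptions, since the report does not say which images it used. The policy and annotation are exactly those from the report. Run with `sh repro.sh run`; the final line states which of the two paths (pod IP, service cluster IP) is reachable from a pod in the same project.

```shell
#!/bin/sh
# Reproduction of the bug report steps. Added example, not from the report.
# Assumptions: oc is logged in; images openshift/hello-openshift and busybox
# are pullable (assumed names); the cluster uses the networkpolicy plugin.
set -u

NS=${NS:-u1p1}
POLICY_ANNOTATION='net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}'

# Step 2: project, a server pod, a service in front of it, and a client pod.
setup() {
  oc new-project "$NS" >/dev/null 2>&1 || oc project "$NS"
  oc run u1p1 --image=openshift/hello-openshift --restart=Never --port=8080 --labels=app=u1p1
  oc expose pod u1p1 --name=u1p1 --port=8080
  oc run client --image=busybox --restart=Never -- sleep 3600
  # Wait until both pods are Running, otherwise a probe failure means nothing.
  for p in u1p1 client; do
    until [ "$(oc get pod "$p" -o jsonpath='{.status.phase}')" = Running ]; do sleep 2; done
  done
}

# Step 3: isolate the namespace (DefaultDeny).
# Step 4: allow ingress from any pod in the same namespace (the report's policy).
apply_policy() {
  oc annotate namespace "$NS" --overwrite "$POLICY_ANNOTATION"
  oc create -n "$NS" -f - <<'EOF'
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-local
spec:
  ingress:
  - from:
    - podSelector: {}
  podSelector:
EOF
}

# Steps 5/6: fetch one URL from the client pod; returns wget's exit status
# (0 = reachable, non-zero = timed out or refused).
probe() {
  oc exec client -- wget -qO- -T 5 "http://$1:8080/" >/dev/null 2>&1
}

# Turn the two probe results into a verdict. Pure function (no cluster needed),
# so the decision logic can be checked on its own.
classify() {
  pod_rc=$1; svc_rc=$2
  if [ "$pod_rc" -eq 0 ] && [ "$svc_rc" -eq 0 ]; then
    echo "ok: pod and service reachable"
  elif [ "$pod_rc" -eq 0 ]; then
    echo "BUG: pod reachable, service blocked by policy"
  elif [ "$svc_rc" -eq 0 ]; then
    echo "unexpected: service reachable, pod blocked"
  else
    echo "both blocked: policy not applied or pods not ready"
  fi
}

main() {
  setup
  apply_policy
  pod_ip=$(oc get pod u1p1 -o jsonpath='{.status.podIP}')
  svc_ip=$(oc get svc u1p1 -o jsonpath='{.spec.clusterIP}')
  probe "$pod_ip"; pod_rc=$?
  probe "$svc_ip"; svc_rc=$?
  classify "$pod_rc" "$svc_rc"
}

# Only touch the cluster when explicitly asked: sh repro.sh run
case "${1:-}" in run) main ;; esac
```

The two probes are deliberately made from the same client pod against the pod IP and the service cluster IP in turn: on the affected version the first succeeds and the second fails, which is the exact split the report describes and distinguishes this bug from a policy that was simply never applied (both fail).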
Dan: Can you please comment on whether this is likely to make 3.5, and if it can't, what the implications will be. Thanks
It depends on "unknown unknowns", so it's hard to say how likely it is. I guess the safe answer would be "not likely to make 3.5". It's also possible that it could miss 3.5.0 and be fixed in 3.5.1. (It's also possible that it won't be possible to fix without bumping our OVS requirement to 2.6 and completely reimplementing the service proxy.) Implications for users who aren't trying out the tech-preview NetworkPolicy feature: absolutely none. Implications for users who are trying out the tech-preview NetworkPolicy feature: only policies that don't make use of PodSelectors work fully. This means the NetworkPolicy plugin still has a superset of functionality of the multitenant plugin, but doesn't have all of the functionality that it's *supposed* to have.
PR https://github.com/openshift/origin/pull/14466
The service part works well on OCP 3.6.133. Verify the bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1716