Bug 1419469 - [networkpolicy] The port specified in spec.ingress.ports cannot be accepted when accessing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Dan Winship
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-06 09:30 UTC by Meng Bo
Modified: 2017-07-24 14:11 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-12 19:11:37 UTC
Target Upstream Version:
Embargoed:


Attachments
openflow_rules_with_port_policy (8.09 KB, text/plain)
2017-02-06 09:30 UTC, Meng Bo


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Origin (Github) | 12837 | 0 | None | None | None | 2017-02-07 14:19:16 UTC
Red Hat Product Errata | RHBA-2017:0884 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.5 RPM Release Advisory | 2017-04-12 22:50:07 UTC

Description Meng Bo 2017-02-06 09:30:05 UTC
Created attachment 1247978
openflow_rules_with_port_policy

Description of problem:
Allow the specific port to be open in the project for all pods via network policy; the specific port cannot be accessed via other pods inside or outside the project.

Version-Release number of selected component (if applicable):
# oc version
oc v3.5.0.16+a26133a
kubernetes v1.5.2+43a9be4

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Nov 22 2016 12:40:36
DB Schema 7.12.1

How reproducible:
always

Steps to Reproduce:
1. Set up a multinode env with the openshift-ovs-networkpolicy plugin
2. Create two projects with pod
3. Add the annotation to project 1
# oc annotate namespace u1p1 net.beta.kubernetes.io/network-policy='{"ingress":{"isolation":"DefaultDeny"}}'
4. Apply the network policy to allow the specific port to be accessed
# oc create -f networkpolicy.yaml
# cat networkpolicy.yaml
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-8080
spec:
  podSelector:
  ingress:
  - ports:
    - protocol: tcp
      port: 8080

5. Try to access the pod with port 8080 via other pod in project u1p1
6. Try to access the pod with port 8080 via pod in other project

Actual results:
Both step 5 and 6 failed.

Expected results:
The pod in project u1p1 should be able to be accessed via port 8080.

Additional info:
Openflow rule attached.

Comment 1 Troy Dawson 2017-02-08 22:25:38 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 3 Meng Bo 2017-02-10 09:20:57 UTC
Tested on OCP build 3.5.0.18
Still have the same problem.

Comment 4 Meng Bo 2017-02-10 09:37:50 UTC
Sorry, I was using a wrong policy file; it should work well on 3.5.0.18.

Comment 6 errata-xmlrpc 2017-04-12 19:11:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

