Bug 1443765 - Unable to reach to internet from the pods when the cluster is deployed with network policy
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Severity: high
Assigned To: Dan Winship
QA Contact: Meng Bo
Duplicates: 1443766
Blocks: 1445500
Reported: 2017-04-19 19:11 EDT by Veer Muchandi
Modified: 2017-08-16 15 EDT
Doc Type: Bug Fix
Doc Text:
Cause: Cluster-external traffic was handled incorrectly when using the Tech Preview NetworkPolicy plugin.
Consequence: When using the Tech Preview NetworkPolicy plugin, pods could not connect to IP addresses outside the cluster.
Fix: The bug was fixed.
Result: External traffic now works correctly.
Last Closed: 2017-08-10 01:20:02 EDT
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Origin (Github) | 13877 | None | None | None | 2017-04-24 12:04 EDT
Red Hat Product Errata | RHEA-2017:1716 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.6 RPM Release Advisory | 2017-08-10 05:02:50 EDT

Description Veer Muchandi 2017-04-19 19:11:16 EDT
Description of problem:
Builds don't run as GitHub.com is unreachable when you deploy a cluster with ovs-networkpolicy

Version-Release number of selected component (if applicable):
3.5

How reproducible:
can be reproduced

Steps to Reproduce:
1. Set up a cluster with networkPluginName: redhat/openshift-ovs-networkpolicy
2. Start a new build.


Actual results:
Build doesn't run. It waits and fails
Cloning "https://github.com/VeerMuchandi/kitchensink-example" ...
WARNING: timed out waiting for git server, will wait 1m4s
WARNING: timed out waiting for git server, will wait 4m16s
error: build error: fatal: unable to access 'https://github.com/VeerMuchandi/kitchensink-example/': Failed connect to github.com:443; Operation now in progress


Expected results:
Builds are successful



Additional info:

Also tested by running a pod with RHEL Test Tools. Here are the results

sh-4.2$ cat /etc/resolv.conf
search first.svc.cluster.local svc.cluster.local cluster.local igyiwpfqdeaepnzehgzpbz3i4a.xx.internal.cloudapp.net
nameserver 10.0.0.10
nameserver 10.0.0.10
options ndots:5
sh-4.2$ dig www.github.com @10.0.0.10

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> www.github.com @10.0.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18195
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.github.com.                        IN      A

;; ANSWER SECTION:
www.github.com.         3600    IN      CNAME   github.com.
github.com.             29      IN      A       192.30.255.113
github.com.             29      IN      A       192.30.255.112

;; Query time: 83 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Wed Apr 19 23:09:17 UTC 2017
;; MSG SIZE  rcvd: 89

sh-4.2$ curl www.github.com
^C
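
The manual check above (the name resolves, the connection hangs), as an added example that is not part of the original report: a script to run inside a pod that separates a DNS failure from an egress connection that never completes. It assumes the pod image has bash, getent and coreutils timeout; the function names and verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example: triage pod egress when a NetworkPolicy-capable SDN plugin is in use.
# Verdicts (names invented here): reachable, dns-failure, egress-timeout, connect-error.

# resolve HOST -> prints the first IPv4 address; non-zero exit if nothing resolves.
resolve() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; found = 1 } END { exit !found }'
}

# tcp_connect IP PORT SECONDS -> 0 connected, 124 timed out (GNU timeout),
# anything else means the connection was refused or the network was unreachable.
tcp_connect() {
    timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# diagnose HOST PORT [SECONDS] -> prints one verdict line; returns 0 only if reachable.
diagnose() {
    host=$1
    port=$2
    secs=${3:-5}
    if ! ip=$(resolve "$host"); then
        # Cluster DNS itself is the problem; egress was never exercised.
        echo "dns-failure host=$host"
        return 2
    fi
    rc=0
    tcp_connect "$ip" "$port" "$secs" || rc=$?
    case $rc in
        0)   echo "reachable host=$host ip=$ip port=$port"; return 0 ;;
        # DNS answered but the SYN got no reply: the symptom in this report.
        124) echo "egress-timeout host=$host ip=$ip port=$port"; return 3 ;;
        *)   echo "connect-error host=$host ip=$ip port=$port rc=$rc"; return 4 ;;
    esac
}

# Run a probe only when called with arguments, e.g.: sh egress-check.sh github.com 443
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

An `egress-timeout` verdict alongside working DNS points at the SDN data path or an egress rule rather than at the resolver.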
Comment 1 Meng Bo 2017-04-20 07:06:43 EDT
I can reproduce this on 3.6 env. 
Pod in the cluster does not have access to the external network.
Comment 2 Ben Bennett 2017-04-24 10:57:06 EDT
*** Bug 1443766 has been marked as a duplicate of this bug. ***
Comment 3 Dan Winship 2017-06-01 07:48:06 EDT
https://github.com/openshift/origin/pull/13877
Comment 4 Dan Winship 2017-06-02 09:57:22 EDT
oops, wrong PR link:
https://github.com/openshift/ose/pull/723
Comment 6 Meng Bo 2017-06-05 05:31:35 EDT
Tested on OCP v3.6.94, issue has been fixed.

/ # ping www.baidu.com
PING www.baidu.com (119.75.213.51): 56 data bytes
64 bytes from 119.75.213.51: seq=0 ttl=49 time=3.335 ms
64 bytes from 119.75.213.51: seq=1 ttl=49 time=3.247 ms
64 bytes from 119.75.213.51: seq=2 ttl=49 time=3.260 ms
^C
--- www.baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.247/3.280/3.335 ms
Comment 8 errata-xmlrpc 2017-08-10 01:20:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
