Bug 1443765

Summary: Unable to reach to internet from the pods when the cluster is deployed with network policy
Product: OpenShift Container Platform
Component: Networking
Version: 3.5.0
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Veer Muchandi <veer>
Assignee: Dan Winship <danw>
QA Contact: Meng Bo <bmeng>
CC: aos-bugs, bbennett, smunilla
Doc Type: Bug Fix
Doc Text: Cause: Cluster-external traffic was handled incorrectly when using the Tech Preview NetworkPolicy plugin. Consequence: When using the Tech Preview NetworkPolicy plugin, pods could not connect to IP addresses outside the cluster. Fix: The bug was fixed. Result: External traffic now works correctly.
: 1445500 (view as bug list) Environment:
Last Closed: 2017-08-10 05:20:02 UTC
Type: Bug
Bug Blocks: 1445500

Description Veer Muchandi 2017-04-19 23:11:16 UTC
Description of problem:
Builds don't run as GitHub.com is unreachable when you deploy a cluster with ovs-networkpolicy

Version-Release number of selected component (if applicable):
3.5

How reproducible:
can be reproduced

Steps to Reproduce:
1. Set up a cluster with networkPluginName: redhat/openshift-ovs-networkpolicy
2. Start a new build.


Actual results:
Build doesn't run. It waits and fails
Cloning "https://github.com/VeerMuchandi/kitchensink-example" ...
WARNING: timed out waiting for git server, will wait 1m4s
WARNING: timed out waiting for git server, will wait 4m16s
error: build error: fatal: unable to access 'https://github.com/VeerMuchandi/kitchensink-example/': Failed connect to github.com:443; Operation now in progress


Expected results:
Builds are successful



Additional info:

Also tested by running a pod with RHEL Test Tools. Here are the results

sh-4.2$ cat /etc/resolv.conf
search first.svc.cluster.local svc.cluster.local cluster.local igyiwpfqdeaepnzehgzpbz3i4a.xx.internal.cloudapp.net
nameserver 10.0.0.10
nameserver 10.0.0.10
options ndots:5
sh-4.2$ dig www.github.com @10.0.0.10

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> www.github.com @10.0.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18195
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.github.com.                        IN      A

;; ANSWER SECTION:
www.github.com.         3600    IN      CNAME   github.com.
github.com.             29      IN      A       192.30.255.113
github.com.             29      IN      A       192.30.255.112

;; Query time: 83 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: Wed Apr 19 23:09:17 UTC 2017
;; MSG SIZE  rcvd: 89

sh-4.2$ curl www.github.com
^C
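
Added example, not part of the original report: the triage shown above (the name resolves through the cluster DNS, but the TCP connection hangs) expressed as a probe that separates a DNS failure from a dropped or refused outbound connection. The function name `probe_egress`, the stage labels and the 5-second timeout are assumptions for illustration; `github.com:443` is the target from the failing build.

```python
import errno
import socket
import sys


def probe_egress(host, port=443, timeout=5.0):
    """Attempt one outbound TCP connection and report which stage failed.

    Returns (stage, detail) where stage is one of:
      "dns-failure"     - the name did not resolve (look at resolv.conf / cluster DNS)
      "connect-timeout" - resolved, but no answer to the SYN (packets dropped on the
                          egress path, the symptom seen in this bug)
      "connect-refused" - resolved and routed; the peer actively refused
      "connect-error"   - another socket error (e.g. no route to host)
      "ok"              - TCP handshake completed
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns-failure", str(exc)

    ip, resolved_port = infos[0][4]
    target = "%s:%d" % (ip, resolved_port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, resolved_port))
    except socket.timeout:
        return "connect-timeout", target
    except ConnectionRefusedError:
        return "connect-refused", target
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return "connect-error", "%s %s" % (target, name)
    finally:
        sock.close()
    return "ok", target


if __name__ == "__main__":
    # Usage inside the pod: python3 probe.py [host] [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "github.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    stage, detail = probe_egress(host, port)
    print("%s: %s" % (stage, detail))
    sys.exit(0 if stage == "ok" else 1)
```

A `connect-timeout` result alongside a successful DNS lookup matches the behaviour reported here and points at the pod egress path rather than at name resolution.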

Comment 1 Meng Bo 2017-04-20 11:06:43 UTC
I can reproduce this on 3.6 env. 
Pod in the cluster does not have access to the external network.

Comment 2 Ben Bennett 2017-04-24 14:57:06 UTC
*** Bug 1443766 has been marked as a duplicate of this bug. ***

Comment 3 Dan Winship 2017-06-01 11:48:06 UTC
https://github.com/openshift/origin/pull/13877

Comment 4 Dan Winship 2017-06-02 13:57:22 UTC
oops, wrong PR link:
https://github.com/openshift/ose/pull/723

Comment 6 Meng Bo 2017-06-05 09:31:35 UTC
Tested on OCP v3.6.94, issue has been fixed.

/ # ping www.baidu.com
PING www.baidu.com (119.75.213.51): 56 data bytes
64 bytes from 119.75.213.51: seq=0 ttl=49 time=3.335 ms
64 bytes from 119.75.213.51: seq=1 ttl=49 time=3.247 ms
64 bytes from 119.75.213.51: seq=2 ttl=49 time=3.260 ms
^C
--- www.baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.247/3.280/3.335 ms

Comment 8 errata-xmlrpc 2017-08-10 05:20:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716