Bug 1445500 - [3.5] Unable to reach to internet from the pods when the cluster is deployed with network policy
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified OS: Unspecified
Priority: unspecified Severity: high
Target Milestone: ---
Target Release: 3.5.z
Assigned To: Ben Bennett
QA Contact: Meng Bo
Depends On: 1443765
Blocks:
 
Reported: 2017-04-25 15:47 EDT by Ben Bennett
Modified: 2017-06-15 14:38 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Missing rules in the Network Policy SDN plugin did not allow proper off-cluster access. Consequence: Off-cluster resources were not reachable. Fix: Correct the rules. Result: Off-cluster resources were accessible.
Story Points: ---
Clone Of: 1443765
Environment:
Last Closed: 2017-06-15 14:38:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Github openshift/ose/pull/722 None None None 2017-04-25 15:47 EDT
Red Hat Product Errata RHBA-2017:1425 normal SHIPPED_LIVE OpenShift Container Platform 3.5, 3.4, 3.3, and 3.2 bug fix update 2017-06-15 18:35:53 EDT

Description Ben Bennett 2017-04-25 15:47:10 EDT
+++ This bug was initially created as a clone of Bug #1443765 +++

Description of problem:
Builds don't run as GitHub.com is unreachable when you deploy a cluster with ovs-networkpolicy

Version-Release number of selected component (if applicable):
3.5

How reproducible:
can be reproduced

Steps to Reproduce:
1. Set up a cluster with networkPluginName: redhat/openshift-ovs-networkpolicy
2. Start a new build.


Actual results:
Build doesn't run. It waits and fails
Cloning "https://github.com/VeerMuchandi/kitchensink-example" ...
WARNING: timed out waiting for git server, will wait 1m4s
WARNING: timed out waiting for git server, will wait 4m16s
error: build error: fatal: unable to access 'https://github.com/VeerMuchandi/kitchensink-example/': Failed connect to github.com:443; Operation now in progress


Expected results:
Builds are successful



Additional info:

Also tested by running a pod with RHEL Test Tools. Here are the results

sh-4.2$ cat /etc/resolv.conf                                                                                                                                      
search first.svc.cluster.local svc.cluster.local cluster.local igyiwpfqdeaepnzehgzpbz3i4a.xx.internal.cloudapp.net                                                
nameserver 10.0.0.10                                                                                                                                              
nameserver 10.0.0.10                                                                                                                                              
options ndots:5                                                                                                                                                   
sh-4.2$ dig www.github.com @10.0.0.10                                                                                                                             
                                                                                                                                                                  
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> www.github.com @10.0.0.10                                                                                           
;; global options: +cmd                                                                                                                                           
;; Got answer:                                                                                                                                                    
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18195                                                                                                         
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1                                                                                              
                                                                                                                                                                  
;; OPT PSEUDOSECTION:                                                                                                                                             
; EDNS: version: 0, flags:; udp: 1280                                                                                                                             
;; QUESTION SECTION:                                                                                                                                              
;www.github.com.                        IN      A                                                                                                                 
                                                                                                                                                                  
;; ANSWER SECTION:                                                                                                                                                
www.github.com.         3600    IN      CNAME   github.com.                                                                                                       
github.com.             29      IN      A       192.30.255.113                                                                                                    
github.com.             29      IN      A       192.30.255.112                                                                                                    
                                                                                                                                                                  
;; Query time: 83 msec                                                                                                                                            
;; SERVER: 10.0.0.10#53(10.0.0.10)                                                                                                                                
;; WHEN: Wed Apr 19 23:09:17 UTC 2017                                                                                                                             
;; MSG SIZE  rcvd: 89                                                                                                                                             
                                                                                                                                                                  
sh-4.2$ curl www.github.com
^C

--- Additional comment from Meng Bo on 2017-04-20 07:06:43 EDT ---

I can reproduce this on 3.6 env. 
Pod in the cluster does not have access to the external network.

--- Additional comment from Ben Bennett on 2017-04-24 10:57:06 EDT ---
Comment 2 Meng Bo 2017-06-05 04:21:53 EDT
Checked on OCP build v3.5.5.23; the issue has been fixed.

Pod can reach the network outside when using network policy plugin.

/ # ping www.github.com
PING www.github.com (192.30.253.112): 56 data bytes
64 bytes from 192.30.253.112: seq=0 ttl=49 time=11.644 ms
64 bytes from 192.30.253.112: seq=1 ttl=49 time=11.444 ms
64 bytes from 192.30.253.112: seq=2 ttl=49 time=11.429 ms
^C  
--- www.github.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 11.429/11.505/11.644 ms
Comment 3 Ben Bennett 2017-06-07 08:05:31 EDT
https://github.com/openshift/ose/pull/722
Comment 5 errata-xmlrpc 2017-06-15 14:38:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425
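
The description above shows name resolution succeeding (dig against 10.0.0.10) while the HTTPS connection hangs. The following is an added diagnostic example, not part of the original report or of the OpenShift code: a probe, run from inside a pod, that separates the DNS step from the TCP connect step so a dropped egress path is not mistaken for a resolver problem. The function name probe_egress and its defaults are hypothetical.

```python
import socket


def probe_egress(host, port=443, timeout=3.0):
    """Return (stage, detail) naming the step of an outbound connection that failed.

    stage is one of: dns_failed, connected, tcp_timeout, tcp_failed.
    """
    # Step 1: name resolution (the step that worked in the report's dig output).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failed", str(exc))

    # Step 2: TCP connect to every resolved address, with a hard timeout so
    # silently dropped packets show up as a timeout instead of a hang.
    errors = []
    seen = set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if sockaddr in seen:
            continue
        seen.add(sockaddr)
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return ("connected", sockaddr[0])
        except socket.timeout:
            errors.append((sockaddr[0], "timeout"))
        except OSError as exc:
            errors.append((sockaddr[0], exc.strerror or str(exc)))
        finally:
            sock.close()

    # Every address timing out points at packets being dropped on the way
    # out (the symptom in this bug); a refusal or unreachable error means
    # something answered, so the egress path itself is not silently filtered.
    if errors and all(reason == "timeout" for _addr, reason in errors):
        return ("tcp_timeout", errors)
    return ("tcp_failed", errors)


if __name__ == "__main__":
    # github.com:443 is the destination the failing build in the report used.
    print(probe_egress("github.com", 443))
```

A result of tcp_timeout alongside a working resolver matches the behaviour reported here; dns_failed would instead point at the cluster DNS service or the pod's resolv.conf.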
