Description of problem:
Service is not blocked by dns egress policy rule

Version-Release number of selected component (if applicable):
oc v3.6.76
kubernetes v1.6.1+5115d708d7

How reproducible:
Every time.

Steps to Reproduce:
# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/endpoint.json
# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/service.json
# oc expose svc mysvc
# curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>

# curl 172.30.91.13:80
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>

# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/dns-egresspolicy/dns-egresspolicy1.json
# oc describe egressnetworkpolicy
Name:        policy-test
Namespace:   p1
Created:     21 minutes ago
Labels:      <none>
Annotations: <none>
Rule:        Deny to www.test.com
Rule:        Allow to 0.0.0.0/0

# curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>

# oc get svc mysvc
NAME      CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
mysvc     172.30.91.13   <none>        80/TCP    37m

# curl 172.30.91.13:80
curl: (7) Failed connect to 172.30.91.13:80; Connection refused

Actual results:
# curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.11.13</center>
</body>
</html>

Expected results:
# curl --resolve mysvc-p1.router.default.svc.cluster.local:80:192.168.122.82 http://mysvc-p1.router.default.svc.cluster.local
curl: (7) Failed connect to 172.30.91.13:80; Connection refused

Additional info:
In order to reproduce the above issue, the router needs to be created first.
We do egress network policy service endpoint filtering at the node kubeproxy, and when the router is involved kubeproxy is bypassed and egress enforcement is not applied. This applies to both the dnsName and cidrSelector fields in egress network policy. Maybe we should also do egress service endpoint filtering at the router level.
Clayton and I are in agreement that we can document that if you want to protect against people with permission to make routes and services, you need to restrict their ability to make endpoints. If we put that documentation in the egress firewall section, that is acceptable.
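As an added illustration of the limitation and the mitigation discussed above (example code, not from the bug report or from OpenShift): a small audit that lists, per namespace carrying an EgressNetworkPolicy, which subjects hold a Role granting writes on Endpoints, since those are the subjects whose Services and Routes the kube-proxy filter cannot constrain. The object shapes (RBAC v1 Role/RoleBinding, OpenShift EgressNetworkPolicy with spec.egress entries using dnsName/cidrSelector) and the sample objects are assumptions constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample objects (not taken from the bug report): namespace "p1" has an
# EgressNetworkPolicy with the report's rules plus a Role granting Endpoints writes,
# bound to user "alice"; namespace "p2" has a policy but no such binding.
SAMPLE_OBJECTS = json.loads("""[
 {"kind": "EgressNetworkPolicy", "metadata": {"name": "policy-test", "namespace": "p1"},
  "spec": {"egress": [{"type": "Deny", "to": {"dnsName": "www.test.com"}},
                      {"type": "Allow", "to": {"cidrSelector": "0.0.0.0/0"}}]}},
 {"kind": "Role", "metadata": {"name": "ep-editor", "namespace": "p1"},
  "rules": [{"apiGroups": [""], "resources": ["services", "endpoints"],
             "verbs": ["create", "update"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "ep-editor-binding", "namespace": "p1"},
  "roleRef": {"kind": "Role", "name": "ep-editor"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "EgressNetworkPolicy", "metadata": {"name": "policy-other", "namespace": "p2"},
  "spec": {"egress": [{"type": "Allow", "to": {"cidrSelector": "0.0.0.0/0"}}]}}
]""")

WRITE_VERBS = {"create", "update", "patch", "*"}


def role_writes_endpoints(role: dict) -> bool:
    """True if any rule lets the holder create or modify core-group Endpoints."""
    for rule in role.get("rules", []):
        core_group = any(g in ("", "*") for g in rule.get("apiGroups", []))
        touches_ep = bool(set(rule.get("resources", [])) & {"endpoints", "*"})
        can_write = bool(set(rule.get("verbs", [])) & WRITE_VERBS)
        if core_group and touches_ep and can_write:
            return True
    return False


def find_bypassable_policies(objects: List[dict]) -> Dict[str, List[str]]:
    """Map namespace -> subjects able to write Endpoints where an
    EgressNetworkPolicy exists, i.e. who could point a Service (and a Route
    on it) at an address the kube-proxy filter would otherwise block."""
    policy_ns = {o["metadata"]["namespace"] for o in objects
                 if o["kind"] == "EgressNetworkPolicy"}
    # Roles are keyed by (namespace, name); ClusterRoles by (None, name).
    roles = {(o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings: Dict[str, List[str]] = {}
    for rb in (o for o in objects if o["kind"] == "RoleBinding"):
        ns, ref = rb["metadata"]["namespace"], rb["roleRef"]
        role = roles.get((ns if ref["kind"] == "Role" else None, ref["name"]))
        if ns in policy_ns and role and role_writes_endpoints(role):
            findings.setdefault(ns, []).extend(s["name"] for s in rb.get("subjects", []))
    return findings
```

Against a live cluster the same function can be run over the "items" list of an `oc get ... -o json` export of these resource kinds; ClusterRoleBindings are deliberately left out here since they are not namespace-scoped.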
Docs pr: https://github.com/openshift/openshift-docs/pull/4630
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/9add5ecccd34bc9027325373a90d920b97865bd9
Merge pull request #4630 from pravisankar/egress-policy-limitation

Bug 1451910 - Caution about egress network policy limitation
The Caution part about the egressnetworkpolicy looks good and has been merged. Moving the bug to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188