Description of problem: When you connect from a pod to a service, the connection doesn't go through. Version-Release number of selected component (if applicable): $ openshift version openshift v3.5.5.26 kubernetes v1.5.2+43a9be4 etcd 3.1.0 How reproducible: can be reproduced Steps to Reproduce: 1. Deploy a multi-tiered application. As an example I have used the lab and code from here https://github.com/RedHatWorkshops/openshiftv3-workshop/blob/master/5_Using_templates.md My intent is add a network policy to allow connects to mysql pod from the frontend pod. 2. Add network policies a) oc annotate namespace ${ns} 'net.beta.kubernetes.io/network-policy={"ingress":{"isolation":"DefaultDeny"}}' b) allow router to connect to your frontend pod by allowing traffic on port 8080 # cat allow-8080.yaml kind: NetworkPolicy apiVersion: extensions/v1beta1 metadata: name: allow-8080-and-8443 spec: podSelector: ingress: - ports: - protocol: TCP port: 8080 c) allow your mysql pod connections from the frontend pod. Remember to replace the frontend pod's label for app: <<your label>> # cat allow-3306.yaml kind: NetworkPolicy apiVersion: extensions/v1beta1 metadata: name: allow-3306 spec: podSelector: ingress: - from: - podSelector: matchLabels: app: <<your label>> - ports: - protocol: TCP port: 3306 3. If you try to call the application URL. In my case it was http://frontend-networkpolicy.apps.devday.ocpcloud.com/, that would work But if you try http://frontend-networkpolicy.apps.devday.ocpcloud.com/dbtest.php which connects to the database (via MYSQL service that proxies the pod), it won't work 4. Now find the pod's ip address (run oc get pods -o wide) and change the code for dbtest.php by getting into the terminal for the frontend pod to connect to the pod directly. And then test the <<yoururl>>/dbtest.php The the call will go through Actual results: connection via service doesn't work. But connection directly to the pod works Expected results: connections via service should work Additional info: Look at the recordings to see how I tested it. Note there are 2 chapters. See the first 6 mins in Chapter1 and then Chapter 2. https://bluejeans.com/s/URf12
This is fixed in 3.6 by https://github.com/openshift/origin/pull/14466 We aren't back-porting the fix because network policy is in tech preview in 3.5 (and there are some hairy technical problems that make it risky).
(In reply to Ben Bennett from comment #1) > This is fixed in 3.6 by https://github.com/openshift/origin/pull/14466 The documented limitation in 3.5 is that service IPs did not work if they were only allowed by a NetworkPolicy whose spec.podSelector was non-empty. That's not the case here. This bug may end up also being fixed by the same change but it's not the known bug that that change was fixing.
OK, we can reproduce the bug on 3.5, but it works fine in 3.6. (In 3.5, the packets make it from the php pod to the mysql pod, but the response packets get dropped, presumably due to conntrack not working the way we wanted it to. Anyway, the conntrack-related rules are totally redone in 3.6, and we have regression tests that should cover this case now too.)