Description of problem:
Define a network policy that includes PodSelection based on labels and there is no effect.

Version-Release number of selected component (if applicable):
$ openshift version
openshift v3.5.5.26
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
easy

Steps to Reproduce:
Look at the instructions for the bug https://bugzilla.redhat.com/show_bug.cgi?id=1464250

There is no difference in behavior between the two network policies below although the matchLabels are different.

===========
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-3306
spec:
  podSelector:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
  - ports:
    - protocol: TCP
      port: 3306
==============
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-3306
spec:
  podSelector:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: askdjflsdjfljsd
  - ports:
    - protocol: TCP
      port: 3306

Actual results:
pod selection criteria in the network policy does not work

Expected results:
should work

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1464250 and the two videos here https://bluejeans.com/s/URf12
Can you please provide details of where you are running the tests from (i.e. what are the labels on the pod, and what namespace are they in) and how you are doing the test, whether a service is involved, and whether the rules allow too much, or too little.
(In reply to Ben Bennett from comment #1)
> Can you please provide details of where you are running the tests from (i.e.
> what are the labels on the pod, and what namespace are they in) and how you
> are doing the test, whether a service is involved, and whether the rules
> allow too much, or too little.

Ben, I recorded the entire thing in bluejeans, the two videos here https://bluejeans.com/s/URf12
I posted the steps to create here https://bugzilla.redhat.com/show_bug.cgi?id=1464250
Per Veer on IRC: "Direct pod to pod in the same project. pod1 can always reach pod2 regardless of whether there is a from rule that matches."
The NetworkPolicy is incorrect:

  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
  - ports:
    - protocol: TCP
      port: 3306

The mistake is slightly more obvious in JSON form:

  "spec": {
    "ingress": [
      {
        "from": [
          {
            "podSelector": {
              "matchLabels": {
                "app": "frontend"
              }
            }
          }
        ]
      },
      {
        "ports": [
          {
            "port": 3306,
            "protocol": "TCP"
          }
        ]
      }
    ],

That is, this policy specifies two separate rules:

1. Traffic from pods with the label app=frontend is allowed (on all ports)
2. Traffic to TCP 3306 is allowed (from any source)

What you meant was:

  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 3306

(with no "-" before "ports"), which translates to

  "ingress": [
    {
      "from": [
        {
          "podSelector": {
            "matchLabels": {
              "app": "frontend"
            }
          }
        }
      ],
      "ports": [
        {
          "port": 3306,
          "protocol": "TCP"
        }
      ]
    }
  ],

A single ingress rule saying traffic from pods with the label app=frontend is allowed to TCP 3306.

Unfortunately NetworkPolicy's syntax and semantics are full of gotchas like this. :-/

There's work upstream to improve "kubectl describe networkpolicy ...". Maybe we can pull that into 3.6. (https://github.com/kubernetes/kubernetes/issues/46951)
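To make the difference between the two forms concrete, here is an added example (not part of this bug report or of OpenShift/Kubernetes) that evaluates a NetworkPolicy spec's ingress rules against a candidate connection. It models only same-namespace podSelector peers, which is the case in this bug, and it uses the two JSON specs from the comment above as constructed input; the point it shows is that within one rule "from" and "ports" are ANDed, while separate rules are ORed.

```python
import json

# Constructed spec fragments matching the two forms discussed in this bug.
# An empty podSelector selects every pod in the namespace.
TWO_RULES = json.loads("""
{"podSelector": {},
 "ingress": [
   {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]},
   {"ports": [{"port": 3306, "protocol": "TCP"}]}
 ]}
""")

ONE_RULE = json.loads("""
{"podSelector": {},
 "ingress": [
   {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
    "ports": [{"port": 3306, "protocol": "TCP"}]}
 ]}
""")


def labels_match(selector, labels):
    """matchLabels semantics: every selector key/value must be present on the pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src_labels):
    # Only same-namespace podSelector peers are modelled (namespaceSelector/ipBlock omitted).
    if "podSelector" in peer:
        return labels_match(peer["podSelector"], src_labels)
    return False


def port_matches(entry, protocol, port):
    return entry.get("protocol", "TCP") == protocol and entry.get("port") == port


def ingress_allowed(spec, src_labels, protocol, port):
    """True if any ingress rule admits the connection.

    Inside a rule, 'from' and 'ports' are both required to match (AND); a missing or
    empty list matches everything for that dimension. Rules are combined with OR.
    """
    for rule in spec.get("ingress", []):
        from_ok = not rule.get("from") or any(peer_matches(p, src_labels) for p in rule["from"])
        port_ok = not rule.get("ports") or any(port_matches(e, protocol, port) for e in rule["ports"])
        if from_ok and port_ok:
            return True
    return False
```

With the two-rule spec, a pod with arbitrary labels reaches TCP 3306 and a frontend pod reaches every port; with the single rule, only a frontend pod reaches TCP 3306.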