Bug 1464251 - Pod Selection criteria has no effect in a Network Policy within a namespace
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Severity: high
Assigned To: Dan Winship
QA Contact: Meng Bo
Target Release: UpcomingRelease
Reported: 2017-06-22 15:44 EDT by Veer Muchandi
Modified: 2017-06-23 12:11 EDT
Last Closed: 2017-06-23 12:11:33 EDT
Type: Bug
Description Veer Muchandi 2017-06-22 15:44:45 EDT
Description of problem:
Define a network policy that includes PodSelection based on labels and there is no effect.

Version-Release number of selected component (if applicable):
 $ openshift version
   openshift v3.5.5.26
   kubernetes v1.5.2+43a9be4
   etcd 3.1.0

How reproducible:
easy

Steps to Reproduce:
Look at the instructions for the bug https://bugzilla.redhat.com/show_bug.cgi?id=1464250

There is no difference in behavior between the two network policies below although the matchLabels are different.

=========== 
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-3306
spec:
 podSelector:
 ingress:
 - from: 
   - podSelector:
       matchLabels:
         app: frontend
 - ports:
   - protocol: TCP
     port: 3306

============== 
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: allow-3306
spec:
 podSelector:
 ingress:
 - from: 
   - podSelector:
       matchLabels:
         app: askdjflsdjfljsd
 - ports:
   - protocol: TCP
     port: 3306

Actual results:
pod selection criteria in the network policy does not work

Expected results:
should work

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1464250
and 
the two videos here
https://bluejeans.com/s/URf12
Comment 1 Ben Bennett 2017-06-23 09:13:13 EDT
Can you please provide details of where you are running the tests from (i.e. what are the labels on the pod, and what namespace are they in) and how you are doing the test, whether a service is involved, and whether the rules allow too much, or too little.
Comment 2 Veer Muchandi 2017-06-23 10:26:27 EDT
(In reply to Ben Bennett from comment #1)
> Can you please provide details of where you are running the tests from (i.e.
> what are the labels on the pod, and what namespace are they in) and how you
> are doing the test, whether a service is involved, and whether the rules
> allow too much, or too little.

Ben, I recorded the entire thing in bluejeans

the two videos here
https://bluejeans.com/s/URf12

I posted the steps to create here https://bugzilla.redhat.com/show_bug.cgi?id=1464250
Comment 3 Ben Bennett 2017-06-23 10:37:54 EDT
Per Veer on IRC:

"Direct pod to pod in the same project. pod1 can always reach pod2 regardless of whether there is a from rule that matches."
Comment 4 Dan Winship 2017-06-23 12:11:33 EDT
The NetworkPolicy is incorrect:

 ingress:
 - from: 
   - podSelector:
       matchLabels:
         app: frontend
 - ports:
   - protocol: TCP
     port: 3306

The mistake is slightly more obvious in JSON form:

    "spec": {
        "ingress": [
            {
                "from": [
                    {
                        "podSelector": {
                            "matchLabels": {
                                "app": "frontend"
                            }
                        }
                    }
                ]
            },
            {
                "ports": [
                    {
                        "port": 3306,
                        "protocol": "TCP"
                    }
                ]
            }
        ],

That is, this policy specifies two separate rules:

  1. Traffic from pods with the label app=frontend is allowed (on all ports)
  2. Traffic to TCP 3306 is allowed (from any source)

What you meant was:

 ingress:
 - from: 
   - podSelector:
       matchLabels:
         app: frontend
   ports:
   - protocol: TCP
     port: 3306

(with no "-" before "ports"), which translates to

        "ingress": [
            {
                "from": [
                    {
                        "podSelector": {
                            "matchLabels": {
                                "app": "frontend"
                            }
                        }
                    }
                ],
                "ports": [
                    {
                        "port": 3306,
                        "protocol": "TCP"
                    }
                ]
            }
        ],

A single ingress rule saying traffic from pods with the label app=frontend is allowed to TCP 3306.


Unfortunately NetworkPolicy's syntax and semantics are full of gotchas like this. :-/

There's work upstream to improve "kubectl describe networkpolicy ...". Maybe we can pull that into 3.6. (https://github.com/kubernetes/kubernetes/issues/46951)
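As an added example (not code from the bug report or from OpenShift), a small Python checker that renders each ingress rule of the two spec shapes above the way a "describe" would, using the JSON structure from comment 4 embedded as dicts; it flags rules that leave the source or the port side unconstrained:

```python
"""Spell out what each ingress rule of a NetworkPolicy spec allows.

Added example, not part of the bug report: the two spec shapes from comment 4
are embedded as dicts mirroring their JSON form, and rules that leave the
source ('from') or the port side ('ports') unconstrained are flagged.
"""

def _peer(peer):
    """Render one 'from' entry; only podSelector peers occur on this page."""
    sel = peer.get("podSelector")
    if sel is None:
        return "unsupported peer type"
    labels = sel.get("matchLabels") or {}
    if not labels:  # an empty podSelector matches every pod in the namespace
        return "all pods in the namespace"
    return "pods with " + ",".join(f"{k}={v}" for k, v in sorted(labels.items()))

def describe_ingress(spec):
    """Return one line per ingress rule; a missing key means 'no restriction'."""
    out = []
    for rule in spec.get("ingress", []):
        froms, ports = rule.get("from"), rule.get("ports")
        src = " or ".join(_peer(p) for p in froms) if froms else "ANY source"
        dst = (", ".join(f"{p.get('protocol', 'TCP')} {p['port']}" for p in ports)
               if ports else "ALL ports")
        out.append(f"allow from {src} to {dst}")
    return out

def unconstrained_rules(spec):
    """Indices of rules that omit 'from' (any source) or 'ports' (all ports)."""
    return [i for i, r in enumerate(spec.get("ingress", []))
            if not r.get("from") or not r.get("ports")]

FRONTEND = {"podSelector": {"matchLabels": {"app": "frontend"}}}
MYSQL = {"port": 3306, "protocol": "TCP"}
# As filed: "- ports" opened a second list item, i.e. a second, independent rule.
AS_FILED = {"ingress": [{"from": [FRONTEND]}, {"ports": [MYSQL]}]}
# As intended: one rule carrying both 'from' and 'ports'.
INTENDED = {"ingress": [{"from": [FRONTEND], "ports": [MYSQL]}]}

if __name__ == "__main__":
    for name, spec in (("as filed", AS_FILED), ("intended", INTENDED)):
        print(name)
        open_rules = unconstrained_rules(spec)
        for i, line in enumerate(describe_ingress(spec)):
            flag = "  <-- unconstrained" if i in open_rules else ""
            print(f"  rule {i + 1}: {line}{flag}")
```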
