Bug 1547284 – Do not allow 'default' project to be isolated using 'oc adm pod-network' cmd

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1547284 - Do not allow 'default' project to be isolated using 'oc adm pod-network' cmd

Summary:	Do not allow 'default' project to be isolated using 'oc adm pod-network' cmd

Status:	CLOSED ERRATA

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking (Show other bugs)
Sub Component:
Version:	3.9.0
Hardware:	All All

Priority	low Severity low
Target Milestone:	---
Target Release:	3.9.0
Assigned To:	Ravi Sankar
QA Contact:	Meng Bo
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2018-02-20 19:03 EST by Ravi Sankar
Modified:	2018-07-11 05:22 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: We allow isolation of 'default' project which is global (VNID=0) Consequence: Once it is isolated, other namespaces won't be able to reach the kube api. Fix: Forbid isolation of 'default' project Result: Other namespaces will always be able to reach kube api which is expected.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-03-28 10:29:21 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0489	None	None	None	2018-03-28 10:29 EDT

Groups: None (edit)

Description Ravi Sankar 2018-02-20 19:03:14 EST

Description of problem:
OpenShift by default deploys 'kubernetes' svc in 'default' namespace so that anyone can access the service. Allowing project isolation on 'default' namespace will break this behavior.

Version-Release number of selected component (if applicable):
oc v3.9.0-alpha.4+2a97048-409-dirty (also valid for older releases)
kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always

Steps to Reproduce:
1. Launch openshift cluster with multitenant openshift sdn plugin
2. oc adm pod-network isolate-projects default


Actual results:
'default' project is isolated (VNID != 0)

Expected results:
'default' project is not allowed to be isolated (VNID = 0)


Additional info:

Comment 1 Ravi Sankar 2018-02-20 19:54:21 EST

Fixed by https://github.com/openshift/origin/pull/18687

Comment 2 openshift-github-bot 2018-02-24 03:08:32 EST

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/0ad3c112b6cce72fb4192b48b132491e60eb45b0
Merge pull request #18687 from pravisankar/fix-isolate-projects

Automatic merge from submit-queue.

Bug 1547284 - Do not allow 'default' project to be isolated using 'oc adm pod-network'

Comment 4 hongli 2018-02-27 05:40:40 EST

verified in atomic-openshift-3.9.0-0.53.0.git.0.3b81e2d.el7.x86_64 and issue has been fixed. "default" project is not allowed to be isolated now. 

# oc adm pod-network isolate-projects default
error: network isolation for project "default" is forbidden

# oc get netnamespace 
NAME                                NETID      EGRESS IPS
default                             0          []

Comment 7 errata-xmlrpc 2018-03-28 10:29:21 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

Note You need to log in before you can comment on or make changes to this bug.