Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1596678

Summary: Using permissive allow from default network policy blocks traffic
Product: OpenShift Container Platform
Reporter: David Caldwell <dcaldwel>
Component: Networking
Assignee: Casey Callendrello <cdc>
Networking sub component: openshift-sdn
QA Contact: Meng Bo <bmeng>
Status: CLOSED NOTABUG
Docs Contact:
Severity: high
Priority: high
CC: aos-bugs, bbennett, bjarolim, cdc, danw, dcaldwel, dmoessne, openshift-bugs-escalate, pasik, weliang
Version: 3.9.0
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-17 07:57:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Testing steps and logs (flags: none)

Description David Caldwell 2018-06-29 12:35:58 UTC
Description of problem:

Platform is AWS.

Network plugin is verified as redhat/openshift-ovs-networkpolicy.

Using either a template object or applying a network policy ad hoc, when a permissive network policy is in place that is supposed to allow traffic from the default namespace, traffic is blocked.


Version-Release number of selected component (if applicable):
OCP 3.9.30


How reproducible:

Create a default template as described in https://docs.openshift.com/container-platform/3.9/admin_guide/managing_projects.html#modifying-the-template-for-new-projects.

Add this example networkpolicy to the new default template: https://docs.openshift.com/container-platform/3.9/admin_guide/managing_networking.html#admin-guide-networking-networkpolicy-setting-default

Create a new project and verify that it is using the networkpolicies from the default template.

Create a simple app in the new project that you can curl.

Enter the default router using oc rsh.

Curl the newly created app in the new project. This should fail as we haven't labelled default namespace yet.

Label the default project with 'name=default' (oc label namespace default name=default).

Curl again. This should now work but does not.

Delete the networkpolicies and try the curl again. This should work and does.


Actual results:
Curl as described above times out when networkpolicies in place.

Expected results:
Curl and other traffic is allowed to flow according to networkpolicy rules.


Additional info:
There is an exception to the results above. If the router that you perform the test curl from happens to be on the same node as the test app you are curling to, this curl works with the networkpolicies applied and the default namespace correctly labelled.

Comment 2 Casey Callendrello 2018-07-02 09:53:05 UTC
Does ordering matter? What if you create the network policy *after* labeling the namespace?

Comment 4 David Caldwell 2018-07-16 13:04:51 UTC
Customer confirms that the order (comment #2) makes no difference.

Comment 8 Dan Winship 2018-07-17 14:53:37 UTC
Can you attach the customer's default template object? And/or, attach the YAML of the NetworkPolicy that gets created as a result? I suspect that there's a bug in their policy.

Comment 9 Weibin Liang 2018-07-17 15:01:52 UTC
Network policy will not take effect when both the router pod and the app pod are located on the same node; this is the known issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1576857

Comment 12 Weibin Liang 2018-07-17 18:48:38 UTC
@David,

After the customer modified projectRequestTemplate: "default/project-request" in the master-config.yaml file to reference the loaded template in step 4, did the customer restart the master node?

Without restarting the master, the networkpolicy added to the template will not be applied to the namespace when creating a new project.

Restarting the master node is not mentioned in the doc: https://docs.openshift.com/container-platform/3.9/admin_guide/managing_projects.html#modifying-the-template-for-new-projects

Just want to confirm it.

Comment 14 Weibin Liang 2018-07-18 18:58:29 UTC
@David,
Without restarting master services, there is no output from 'oc get networkpolicy' when creating a new project.


I cannot see the difference in output from 'oc get networkpolicy -o yaml' between yours and mine.

Here is mine:
[root@ip-172-18-13-95 ~]# oc get networkpolicy -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: NetworkPolicy
  metadata:
    creationTimestamp: 2018-07-18T17:51:54Z
    generation: 1
    name: allow-from-default-namespace
    namespace: networkpolicy-testing
    resourceVersion: "15843"
    selfLink: /apis/extensions/v1beta1/namespaces/networkpolicy-testing/networkpolicies/allow-from-default-namespace
    uid: 42026a48-8ab3-11e8-8d83-0e65845d9478
  spec:
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: default
    podSelector: {}
    policyTypes:
    - Ingress
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
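The decision that the allow-from-default-namespace policy above makes can be modelled in a few lines, which helps when checking whether a blocked curl is a policy problem or an enforcement problem. The following Python is an added example, not code from the bug report or from openshift-sdn: the policy dict is transcribed from the YAML in the comment above, and the router and app pod labels, the namespace names and the "other" namespace are constructed for the walkthrough. It implements the Kubernetes NetworkPolicy ingress semantics (default-allow until a policy selects the pod, then allow only if some rule matches the source) and replays the steps from the description: unlabelled default namespace, labelled default namespace, and policy deleted.

```python
"""Model of NetworkPolicy ingress evaluation, replaying the bug's steps.

Added example; not code from the bug report or from openshift-sdn.
"""

# Transcribed from the `oc get networkpolicy -o yaml` output in comment 14;
# only the fields that influence the decision are kept.
ALLOW_FROM_DEFAULT = {
    "metadata": {"name": "allow-from-default-namespace",
                 "namespace": "networkpolicy-testing"},
    "spec": {
        "podSelector": {},            # empty selector: selects every pod in the namespace
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"name": "default"}}}]},
        ],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector ({}) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src_ns_name, src_ns_labels, src_pod_labels):
    """Evaluate one entry of an ingress rule's `from` list against a source pod."""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled here; treated as non-matching
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is None:
        # podSelector alone only matches pods in the policy's own namespace
        return src_ns_name == policy_ns and selector_matches(pod_sel, src_pod_labels)
    # namespaceSelector with an optional podSelector: both must match (AND)
    ns_ok = selector_matches(ns_sel, src_ns_labels)
    pod_ok = pod_sel is None or selector_matches(pod_sel, src_pod_labels)
    return ns_ok and pod_ok


def ingress_allowed(policies, dst_pod_labels, src_ns_name, src_ns_labels, src_pod_labels):
    """True if ingress to a pod labelled dst_pod_labels (in the policies'
    namespace) from the given source pod is allowed.

    If no Ingress policy selects the destination pod, all ingress is allowed.
    Once any policy selects it, the pod is isolated and traffic passes only if
    some rule of some selecting policy matches the source (rules are additive).
    """
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst_pod_labels)
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if "from" not in rule:
                return True  # a rule without `from` allows ingress from everywhere
            for peer in rule["from"]:
                if peer_matches(peer, p["metadata"]["namespace"], src_ns_name,
                                src_ns_labels, src_pod_labels):
                    return True
    return False


def reproduce_bug_scenario():
    """Replay the description's steps with constructed router/app labels."""
    router = dict(src_ns_name="default", src_pod_labels={"deploymentconfig": "router"})
    app = {"app": "hello"}  # constructed label of the test app pod
    return {
        # before `oc label namespace default name=default`: curl must fail
        "unlabelled_default_ns": ingress_allowed([ALLOW_FROM_DEFAULT], app,
                                                 src_ns_labels={}, **router),
        # after labelling: curl must succeed (the step that failed for the customer)
        "labelled_default_ns": ingress_allowed([ALLOW_FROM_DEFAULT], app,
                                               src_ns_labels={"name": "default"}, **router),
        # policies deleted: no policy selects the pod, so default-allow
        "policy_deleted": ingress_allowed([], app, src_ns_labels={}, **router),
        # caveat: the selector keys on the label, not the namespace name, so any
        # namespace carrying name=default (constructed "other" here) is also let in
        "other_namespace_labelled": ingress_allowed([ALLOW_FROM_DEFAULT], app,
                                                    src_ns_name="other",
                                                    src_ns_labels={"name": "default"},
                                                    src_pod_labels={}),
    }


if __name__ == "__main__":
    for step, allowed in reproduce_bug_scenario().items():
        print(f"{step}: {'allowed' if allowed else 'blocked'}")
```

The model says the labelled case should be allowed, which matches the expected result in the report; when the cluster still blocks it, the policy object itself is not the cause and the investigation moves to whether the policy was actually created in the project (comment 14's point about restarting the master) or to the SDN's enforcement (the same-node behaviour tracked in bug 1576857, which this model does not represent). The last case is a reminder that namespaceSelector matches labels, not names: whoever can label a namespace `name=default` gains the same access, so namespace labelling rights deserve the same review as the policy.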

Comment 26 Weibin Liang 2018-09-06 17:22:18 UTC
Created attachment 1481386
Testing steps and logs