Bug 1661983 - The scope of egressnetworkpolicy is 'Cluster' other than 'namespace'
Summary: The scope of egressnetworkpolicy is 'Cluster' other than 'namespace'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.0
Assignee: Casey Callendrello
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-25 06:40 UTC by zhaozhanqi
Modified: 2019-06-04 10:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:41:27 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata | ID: RHBA-2019:0758 | Priority: None | Status: None | Summary: None | Last Updated: 2019-06-04 10:41:33 UTC

Description zhaozhanqi 2018-12-25 06:40:42 UTC
Description of problem:
Check the egressnetworkpolicy CRD: the 'scope' is Cluster, which means the egressnetworkpolicy is for the whole cluster. It causes that we cannot create the same 


In the OpenShift 3 version it is only namespace level. See the 3.11 docs description: "EgressNetworkPolicy describes the current egress network policy for a Namespace"



Version-Release number of selected component (if applicable):
oc v4.0.0-alpha.0+62de992-802
kubernetes v1.11.0+62de992
features: Basic-Auth GSSAPI Kerberos SPNEGO


How reproducible:
always

Steps to Reproduce:
1. Create one namespace and create one egressnetworkpolicy

   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test1

2. Create the same one in namespace test2

   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test2

3. Check the egressnetworkpolicy CRD

   $ oc get crd egressnetworkpolicies.network.openshift.io -o yaml | grep scope
   scope: Cluster


Actual results:

Step 2: cannot be created, since step 1 had already created one
Step 3: the scope is Cluster

$ oc get crd egressnetworkpolicies.network.openshift.io -o yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: 2018-12-20T10:22:56Z
  generation: 1
  name: egressnetworkpolicies.network.openshift.io
  ownerReferences:
  - apiVersion: networkoperator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: NetworkConfig
    name: default
    uid: 124d5cf2-0441-11e9-804c-0a4124e70182
  resourceVersion: "964"
  selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/egressnetworkpolicies.network.openshift.io
  uid: 37f41df0-0441-11e9-804c-0a4124e70182
spec:
  additionalPrinterColumns:
  - JSONPath: .metadata.creationTimestamp
    description: |-
      CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.

      Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
    name: Age
    type: date
  group: network.openshift.io
  names:
    kind: EgressNetworkPolicy
    listKind: EgressNetworkPolicyList
    plural: egressnetworkpolicies
    singular: egressnetworkpolicy
  scope: Cluster
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            egress:
              items:
                properties:
                  to:
                    maxProperties: 1
                    minProperties: 1
                    properties:
                      cidrSelector:
                        pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([1-9]|[12][0-9]|3[0-2])$
                        type: string
                      dnsName:
                        pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$
                        type: string
                    type: object
                  type:
                    pattern: ^Allow|Deny$
                    type: string
                type: object
              maxItems: 50
              type: array
          type: object
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
status:
  acceptedNames:
    kind: EgressNetworkPolicy
    listKind: EgressNetworkPolicyList
    plural: egressnetworkpolicies
    singular: egressnetworkpolicy
  conditions:
  - lastTransitionTime: 2018-12-20T10:22:56Z
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: null
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  storedVersions:
  - v1



Expected results:

The scope for egressnetworkpolicy should be namespace level.

Additional info:

Comment 1 Casey Callendrello 2019-01-21 13:22:06 UTC
Fixed in https://github.com/openshift/cluster-network-operator/pull/67

Comment 2 zhaozhanqi 2019-01-28 10:14:34 UTC
Checked this bug on payload 4.0.0-0.nightly-2019-01-25-214846

The issue has been fixed.

Comment 5 zhaozhanqi 2019-03-27 02:21:03 UTC
Verified this bug according to comment 2

Comment 7 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
