Description of problem:
Check the egressnetworkpolicy CRD: the 'scope' is Cluster, which means the egressnetworkpolicy is for the whole cluster. As a result, we cannot create the same one. In the OpenShift 3 version it is only namespace level; see the 3.11 docs description:
"EgressNetworkPolicy describes the current egress network policy for a Namespace"

Version-Release number of selected component (if applicable):
    oc v4.0.0-alpha.0+62de992-802
    kubernetes v1.11.0+62de992
    features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:
always

Steps to Reproduce:
1. Create one namespace and create one egressnetworkpolicy
    oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test1
2. Create the same one in namespace test2
    oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/egress-ingress/dns-egresspolicy2.json -n test2
3. Check the egressnetworkpolicy CRD
    $ oc get crd egressnetworkpolicies.network.openshift.io -o yaml | grep scope
      scope: Cluster

Actual results:
Step 2: Cannot be created, since step 1 had already created one.
Step 3: The scope is Cluster.

    $ oc get crd egressnetworkpolicies.network.openshift.io -o yaml
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      creationTimestamp: 2018-12-20T10:22:56Z
      generation: 1
      name: egressnetworkpolicies.network.openshift.io
      ownerReferences:
      - apiVersion: networkoperator.openshift.io/v1
        blockOwnerDeletion: true
        controller: true
        kind: NetworkConfig
        name: default
        uid: 124d5cf2-0441-11e9-804c-0a4124e70182
      resourceVersion: "964"
      selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/egressnetworkpolicies.network.openshift.io
      uid: 37f41df0-0441-11e9-804c-0a4124e70182
    spec:
      additionalPrinterColumns:
      - JSONPath: .metadata.creationTimestamp
        description: |-
          CreationTimestamp is a timestamp representing the server time when this object was created.
          It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
        name: Age
        type: date
      group: network.openshift.io
      names:
        kind: EgressNetworkPolicy
        listKind: EgressNetworkPolicyList
        plural: egressnetworkpolicies
        singular: egressnetworkpolicy
      scope: Cluster
      validation:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                egress:
                  items:
                    properties:
                      to:
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cidrSelector:
                            pattern: ^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([1-9]|[12][0-9]|3[0-2])$
                            type: string
                          dnsName:
                            pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$
                            type: string
                        type: object
                      type:
                        pattern: ^Allow|Deny$
                        type: string
                    type: object
                  maxItems: 50
                  type: array
              type: object
      version: v1
      versions:
      - name: v1
        served: true
        storage: true
    status:
      acceptedNames:
        kind: EgressNetworkPolicy
        listKind: EgressNetworkPolicyList
        plural: egressnetworkpolicies
        singular: egressnetworkpolicy
      conditions:
      - lastTransitionTime: 2018-12-20T10:22:56Z
        message: no conflicts found
        reason: NoConflicts
        status: "True"
        type: NamesAccepted
      - lastTransitionTime: null
        message: the initial names have been accepted
        reason: InitialNamesAccepted
        status: "True"
        type: Established
      storedVersions:
      - v1

Expected results:
The scope for egressnetworkpolicy should be namespace level.

Additional info:

Fixed in https://github.com/openshift/cluster-network-operator/pull/67
Checked this bug on payload 4.0.0-0.nightly-2019-01-25-214846; the issue has been fixed.
Verified this bug according to comment 2.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758