Description of problem:
Customer needs to allow pods with hostNetwork: true to connect to pods with networkPolicy restrictions. In OCP 3.x this could be achieved by allowing the default net namespace, which had vnid: 0 by default, so it would create an entry allowing traffic where reg0=0.

Version-Release number of selected component (if applicable):
4.1.X

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with hostNetwork in namespace X
2. Create a pod in namespace Y allowing only traffic from namespace X
3. Try to connect from the pod in namespace X to the pod in namespace Y. Won't work unless both pods are on the same node

Actual results:
-

Expected results:
-

Workaround:
1. create a project hn-workaround
2. oc get netnamespace hn-workaround -o yaml | sed 's/netid:.*/netid: 0/' | oc replace -f-
   Patches don't seem to work, I haven't bothered enough to investigate why, but oc replace works fine
3. restart every sdn pod (I also tried creating the netnamespace before the project but either way seems to need a restart, again, I haven't bothered to understand why).
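As an added illustration of the "Steps to Reproduce" above (these manifests are not from the reporter or the bug), the namespace names, the `team: x` label and the container image are assumptions; the policy in namespace Y admits only traffic whose source is recognised as a pod of namespace X, which is why a hostNetwork client on a different node (sourcing from the node IP) is dropped:

```yaml
# Namespace X: carries the label the policy in Y will select on (assumed label).
apiVersion: v1
kind: Namespace
metadata:
  name: ns-x
  labels:
    team: x
---
# Pod in namespace X using the node's network stack (hostNetwork: true).
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: ns-x
spec:
  hostNetwork: true
  containers:
  - name: client
    image: PLACEHOLDER_IMAGE   # any image with a shell and curl
    command: ["sleep", "infinity"]
---
# Pod in namespace Y that the policy protects.
apiVersion: v1
kind: Pod
metadata:
  name: server
  namespace: ns-y
  labels:
    app: server
spec:
  containers:
  - name: server
    image: PLACEHOLDER_IMAGE   # any image listening on 8080
    ports:
    - containerPort: 8080
---
# Policy in namespace Y: allow ingress to app=server only from namespaces labelled team=x.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ns-x
  namespace: ns-y
spec:
  podSelector:
    matchLabels:
      app: server
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: x
```

Connecting from `client` to the `server` pod IP on port 8080 succeeds only when both pods are scheduled on the same node, matching step 3 of the report.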
This is a pretty fundamental limitation of how k8s network policy works - you generally can't grant access to host network pods, because they generally don't source traffic from their PodIP. It's interesting to see that this worked in 3.x. In other words, that *all* hosts could access *all* endpoints. I'm not sure if this is as expected. Then again, perhaps it's a reasonable expansion. We already say that a host can access all of the pods running on that host. Dan, thoughts?
NetworkPolicy-vs-hostNetwork worked exactly the same in 3.x as it does in 4.x. The original problem, from the support case, is:

> After creating an allow-from-openshift-ingress network policy object, the
> openshift router can't access the pod anymore. It seems that traffic coming
> from the openshift-ingress namespace is not considered coming from the
> openshift-ingress namespace but from the openshift node itself because the
> router uses the host network.

Routers are not hostNetwork by default in 4.1. This is an alternate mode. Our documented instructions for making routers work assume that you're not using that mode. So we should fix that. After that, from what I can see, the customer reported that they had allowed traffic from VNID 0 and that *did* fix the problem for them (and then they closed the case).
Perhaps we should also label the default namespace with something like "network.openshift.io/policy-group: host-network"
*** This bug has been marked as a duplicate of bug 1768608 ***