Bug 1749844 - Need a way to allow ingress from hostsubnet pods in netpol
Summary: Need a way to allow ingress from hostsubnet pods in netpol
Keywords:
Status: CLOSED DUPLICATE of bug 1768608
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.z
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-06 14:51 UTC by Juan Luis de Sousa-Valadas
Modified: 2023-09-07 20:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-28 14:49:32 UTC
Target Upstream Version:
Embargoed:

Description Juan Luis de Sousa-Valadas 2019-09-06 14:51:51 UTC
Description of problem:
Customer needs to allow pods with hostNetwork: true to connect to pods with networkPolicy restrictions.

In OCP 3.x this could be achieved by allowing the default net namespace which had vnid: 0 by default, so it would create an entry allowing traffic where reg0=0

Version-Release number of selected component (if applicable):
4.1.X

How reproducible:
Always

Steps to Reproduce:
1. Create a pod with hostNetwork in namespace X
2. Create a pod in namespace Y allowing only traffic from namespace X
3. Try to connect from pod in namespace X to pod in namespace Y. Won't work unless both pods are on the same node

Actual results:
- 

Expected results:
-

Workaround:
1. Create a project hn-workaround
2. oc get netnamespace hn-workaround -o yaml | sed 's/netid:.*/netid: 0/' | oc replace -f-
Patches don't seem to work, I haven't bothered enough to investigate why, but oc replace works fine
3. Restart every sdn pod (I also tried creating the netnamespace before the project but either way seems to need a restart, again, I haven't bothered to understand why).
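The policy from step 2 of the reproduction, written out as an added example (not part of the bug report). It assumes namespace X carries the label name=x and that the pod in namespace Y is selected by the empty podSelector; the comments explain why a hostNetwork pod in X still fails to match.

```yaml
# Added example: NetworkPolicy in namespace y that admits ingress only from
# pods running in namespace x (label name=x is an assumption for this example).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-namespace-x
  namespace: y
spec:
  # Empty selector: the policy applies to every pod in namespace y.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: x
# A hostNetwork: true pod in namespace x sends with the node's IP, not a pod IP,
# so the SDN cannot attribute that traffic to namespace x and the rule above
# does not match it. Only when both pods share a node does the connection
# succeed, because host-to-local-pod traffic is already permitted; that is the
# behaviour described in step 3 of the reproduction.
```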

Comment 1 Casey Callendrello 2019-09-09 12:52:28 UTC
This is a pretty fundamental limitation of how k8s network policy works - you generally can't grant access to host network pods, because they generally don't source traffic from their PodIP.

It's interesting to see that this worked in 3.x. In other words, that *all* hosts could access *all* endpoints. I'm not sure if this is as expected.

Then again, perhaps it's a reasonable expansion. We already say that a host can access all of the pods running on that host.

Dan, thoughts?

Comment 2 Dan Winship 2019-09-10 12:34:35 UTC
NetworkPolicy-vs-hostNetwork worked exactly the same in 3.x as it does in 4.x.

The original problem, from the support case is:

> After creating an allow-from-openshift-ingress network policy object, the
> openshift router can't access the pod anymore. It seems that traffic coming
> from the openshift-ingress namespace is not considered coming from the
> openshift-ingress namespace but from the openshift node itself because the
> router uses the host network.

Routers are not hostNetwork by default in 4.1. This is an alternate mode. Our documented instructions for making routers work assume that you're not using that mode. So we should fix that.

After that, from what I can see, the customer reported that they had allowed traffic from VNID 0 and that *did* fix the problem for them (and then they closed the case).

Comment 3 Casey Callendrello 2019-10-24 08:13:11 UTC
Perhaps we should also label the default namespace with something like "network.openshift.io/policy-group: host-network"

Comment 5 Juan Luis de Sousa-Valadas 2019-11-28 14:49:32 UTC

*** This bug has been marked as a duplicate of bug 1768608 ***