Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1750429

Summary: [3.11] SDN - migrating from multitenant to networkpolicy does not work
Product: OpenShift Container Platform Reporter: Jason Boxman <jboxman>
Component: DocumentationAssignee: Vikram Goyal <vigoyal>
Status: CLOSED WONTFIX QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, jokerman
Target Milestone: ---Keywords: Reopened
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 21:01:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Boxman 2019-09-09 15:13:25 UTC 
This bug was initially created as a copy of Bug #1748034

I am copying this bug because: 



Description of problem:


Working with some OpenShift 3.11.98 cluster originally deployed with multitenant network plugin. Now trying to reconfigure it, for networkpolicy



How reproducible:

Always
seen in OCP 3.11.98 with customer
reproduced on my own OKD 3.11


Steps to Reproduce:

1. Deploy OCP 3.11, with multitenant network plugin

2. Follow instructions migrating to networkpolicy [1]

3. label routers namespace [2]

4. Install the "allow-from-default-namespace" NetworkPolicy sample, copy-pasted from the docs [2]



[1]  https://docs.openshift.com/container-platform/3.11/install_config/configuring_sdn.html#migrating-between-sdn-plugins

[2] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-networking-networkpolicy



Actual results:

From a router Pod, I can not connect my application Pod


Expected results:

router Pod should be able to connect the application Pod


Additional info:

On the node hosting my application Pod, tcpdump confirms TCP handshake is broken, SYN arrives with no response back. Not forwarded to Pod.

Dumping OVS flows from table 80, I would have something like this:

cookie=0x0 table=80, n_packets=15691,  n_bytes=1345863, priority=300,ip,new_src=10.254.4.1 action=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=0, n_bytes=0, priority=150,tcp,reg0=0xce730,reg1=0xa40d05 action=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=0, n_bytes=0, priority=150,tcp,reg0=0xa40d05,reg1=0xa40d05 action=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=0, n_bytes=0, priority=50,reg1=0x737782 action=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=108076, n_bytes=9242321, priority=50,reg1=0xff02b action=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=1998, n_bytes=348855, priority=60, reg1=0x82cb64 actions=output:NXM_NX_REG2[]
cookie=0x0 table=80, n_packets=1084, n_bytes=80096, priority=0 action=drop


The second and third rule listed here seems to allow traffic from 0xce730 (netid for my routers project/non-default) to 0xa40d05 (netid for my app project), and from 0xa40d05 to 0xa40d05.
Note that reproducing on OKD, my routers are in the default namespace / 0x0. Customer setup is a little bit more complicated, although I doubt it is relevant right here.

Anyway, generating traffic from my routers, I can see the drop rule counters being incremented, while the second rule sticks to 0.
Generating traffic within my namespace, the third rule properly matches packets. Our issue only involves cross-namespace communications.


I'm pretty sure that setup should work - or at least it would have, had I deployed my cluster with networkpolicy to begin with.


Any help would be much appreciated.


Thanks,

Regards.
Comment 1 Jason Boxman 2019-11-28 21:37:20 UTC 
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1764220.

*** This bug has been marked as a duplicate of bug 1764220 ***
Comment 2 Jason Boxman 2020-01-28 22:48:05 UTC 
I'm going to reopen this to track work for 3.11.

The work for 4.x is tracked in: https://bugzilla.redhat.com/show_bug.cgi?id=1764220