Description of problem:
A network policy using both podSelector and namespaceSelector is configured in a project. Ingress rules are created to match both project and pod labels, which works fine. When another project's label was overwritten to match the networkpolicy, it didn't work.

Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-09-11-202233

How reproducible:
Always

Steps to Reproduce:
1. Create 3 projects z1, z2 and z3
# oc label namespace z2 team=operations
# oc label namespace z3 team=openshift
2. Create pods in each project
3. Apply the networkpolicy defined in "Additional info" to project z1
4. Create pods in all 3 projects which will have test-pods as labels
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/list_for_pods.json
5. Try to access the pod in z1 from project z3. Should fail
# oc rsh -n z3 pod
$ ping $z1_pod_ip
6. Label the project z3 to match the networkpolicy defined in "Additional info"
# oc label namespace z3 team=operations --overwrite
7. Try to access the pod in project z1 from project z3. Should pass
# oc rsh -n z3 pod
$ ping $z1_pod_ip
8. Egress rule also fails but guess egress is not supported in OVN yet. Pls confirm

Actual results:
Step 7 fails

Expected results:
Step 7 should pass

Additional info:
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: namespace-pod-selector
spec:
  podSelector:
    matchLabels:
      name: test-pods
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: operations
      podSelector:
        matchLabels:
          name: test-pods
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          team: openshift
      podSelector:
        matchLabels:
          name: hello-pod
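To make the expected outcome of steps 5 to 7 explicit, here is a small reference model of how the ingress rule in the policy above is evaluated (an added example, not part of the bug report or of ovn-kubernetes). It assumes the NetworkPolicy spec semantics: within one `from` entry a namespaceSelector and podSelector are ANDed, separate entries are ORed, and a relabelled namespace must be re-evaluated against the rule; namespace and pod labels are constructed to mirror the reproducer.

```python
# Added example (not the bug report's or the project's code): a reference
# model of NetworkPolicy ingress evaluation for the policy in "Additional info".
# Other policies in the namespace are ignored; only this policy is modelled.

def match_labels(selector, labels):
    """True when every key/value pair of a matchLabels selector is present."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_allows(peer, src_ns_labels, src_pod_labels):
    """One `from` entry: every selector present in the entry must match (AND)."""
    if "namespaceSelector" in peer and not match_labels(
            peer["namespaceSelector"]["matchLabels"], src_ns_labels):
        return False
    if "podSelector" in peer and not match_labels(
            peer["podSelector"]["matchLabels"], src_pod_labels):
        return False
    return True

def ingress_allowed(policy, namespaces, src_ns, src_pod_labels, dst_pod_labels):
    """Does this policy let traffic from (src_ns, src_pod_labels) reach a pod
    labelled dst_pod_labels in the policy's namespace? Entries are ORed."""
    if not match_labels(policy["spec"]["podSelector"]["matchLabels"], dst_pod_labels):
        return True  # destination pod is not selected, so not isolated by this policy
    for rule in policy["spec"].get("ingress", []):
        if any(peer_allows(p, namespaces[src_ns], src_pod_labels)
               for p in rule.get("from", [])):
            return True
    return False  # selected pod with no matching rule: denied

# Constructed data mirroring the reproducer (policy from "Additional info").
POLICY = {"spec": {
    "podSelector": {"matchLabels": {"name": "test-pods"}},
    "ingress": [{"from": [{
        "namespaceSelector": {"matchLabels": {"team": "operations"}},
        "podSelector": {"matchLabels": {"name": "test-pods"}}}]}]}}
NAMESPACES = {"z1": {}, "z2": {"team": "operations"}, "z3": {"team": "openshift"}}
TEST_POD = {"name": "test-pods"}

def reproducer():
    """Returns (step5, step7): step 5 should be denied, step 7 allowed."""
    ns = {k: dict(v) for k, v in NAMESPACES.items()}
    step5 = ingress_allowed(POLICY, ns, "z3", TEST_POD, TEST_POD)
    ns["z3"]["team"] = "operations"  # step 6: oc label namespace z3 ... --overwrite
    step7 = ingress_allowed(POLICY, ns, "z3", TEST_POD, TEST_POD)
    return step5, step7
```

The bug is that after the overwrite in step 6 the datapath still behaved like `step5`, while the model (and the spec) says `step7` must be allowed.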
> 8. Egress rule also fails but guess egress is not supported in OVN yet. Pls confirm

Egress rules (and CIDR rules) *should* work in ovn-kubernetes.
Could you please retest? I tested with 4.3.0-0.ci-2019-11-22-122829 and did not see this issue.
What's the status of this?
This is delayed based on an upcoming redesign of the network policy code. Once the code redesign gets created and merged I will make sure that this bug is fixed or fix it.
Thanks @jtanenba for fixing it. It seems good on 4.7.0-0.nightly-2020-11-30-133734 as per steps followed from testcase OCP-21866 linked in this bug. Ready for backport to earlier releases now :)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633