
Bug 1764220

Summary: NetworkPolicies are unintuitive when trying to allow hostnetwork pods.
Product: OpenShift Container Platform
Reporter: Samuel <smoro>
Component: Documentation
Assignee: Jason Boxman <jboxman>
Status: CLOSED DUPLICATE
QA Contact: Xiaoli Tian <xtian>
Severity: urgent
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 4.2.0
CC: aos-bugs, bbennett, cdc, jboxman, jokerman, robertodocampo
Target Milestone: ---
Target Release: 4.3.0
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-01-28 22:53:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Samuel 2019-10-22 13:39:29 UTC
Description of problem: NetworkPolicies broken when dealing with hostNetwork

Following up on https://bugzilla.redhat.com/show_bug.cgi?id=1748034, as I'm still waiting for an answer

Version-Release number of selected component (if applicable): OCP 4.2
3.X affected as well.


How reproducible: Always


Steps to Reproduce:
1. Create an application Pod, with a Route
2. Apply a NetworkPolicy allowing traffic from ingress to application
3. Connect to the Route

Actual results: Traffic blocked


Expected results: Traffic allowed


Additional info:

According to the docs -- https://docs.openshift.com/container-platform/4.2/networking/configuring-networkpolicy.html#nw-networkpolicy-about_configuring-networkpolicy-plugin

I would need to create a NetworkPolicy matching some label on the openshift-ingress namespace

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress
```


Though this cannot work.

Ingress Pods are using hostNetwork.

From the OVS point of view, any Pod using hostNetwork would have its traffic considered to be part of netid 0.

Hence, that NetworkPolicy actually blocks traffic from ingress to application Pods.
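
To make the mechanism in the description concrete, here is an added example (not code from the bug report, OpenShift or openshift-sdn) that models how the posted policy is evaluated against a source pod when, as described above, traffic from a hostNetwork pod is attributed to netid 0 instead of to the pod's own namespace. The namespaces, the pods and the mapping of netid 0 to the `default` project are constructed assumptions of this model; only `matchLabels` selectors are modelled (no `matchExpressions`, `ipBlock` or ports). The `hostnetwork_blind_spots` helper is the audit check a cluster admin would want: it lists intended sources that a policy admits only when they are overlay pods and silently drops once they run with hostNetwork.

```python
from dataclasses import dataclass, field

# Assumption of this model: netid 0 is the `default` project, as in openshift-sdn.
NETID0_NAMESPACE = "default"

# Constructed sample namespaces and their labels (the docs example labels
# openshift-ingress with network.openshift.io/policy-group=ingress).
NAMESPACES = {
    "openshift-ingress": {"network.openshift.io/policy-group": "ingress"},
    "default": {},
    "myapp": {},
    "other-project": {},
}

# The policy from the report, as a Python dict rather than YAML (no PyYAML needed).
# The `myapp` namespace is a constructed placeholder for the application project.
ALLOW_FROM_INGRESS = {
    "metadata": {"name": "allow-from-openshift-ingress", "namespace": "myapp"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
            "network.openshift.io/policy-group": "ingress"}}}]}],
    },
}


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)
    host_network: bool = False


def matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def source_identity(pod):
    """(namespace, labels) that the SDN attributes the pod's traffic to.

    The crux of the report: packets from a hostNetwork pod carry netid 0, so the
    SDN never sees the pod's real namespace, its namespace labels or its pod labels.
    """
    if pod.host_network:
        return NETID0_NAMESPACE, {}
    return pod.namespace, pod.labels


def ingress_allowed(policy, src):
    """True if some `from` peer of some ingress rule matches the source pod."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True  # the policy does not restrict ingress at all
    src_ns, src_labels = source_identity(src)
    ns_labels = NAMESPACES.get(src_ns, {})
    for rule in spec.get("ingress", []):
        if "from" not in rule:
            return True  # a rule with no `from` admits every source
        for peer in rule["from"]:
            if "namespaceSelector" in peer:
                ns_ok = matches(peer["namespaceSelector"], ns_labels)
            else:
                # podSelector-only peers match pods in the policy's own namespace
                ns_ok = src_ns == policy["metadata"]["namespace"]
            pod_ok = matches(peer.get("podSelector", {}), src_labels)
            if ns_ok and pod_ok:
                return True
    return False  # the pod is selected by the policy and nothing admits the source


def hostnetwork_blind_spots(policy, intended_sources):
    """Names of intended sources the policy fails to admit solely because they run
    with hostNetwork: the same pod would be admitted as an ordinary overlay pod."""
    out = []
    for p in intended_sources:
        if not p.host_network:
            continue
        as_overlay_pod = Pod(p.name, p.namespace, p.labels, host_network=False)
        if not ingress_allowed(policy, p) and ingress_allowed(policy, as_overlay_pod):
            out.append(p.name)
    return out


if __name__ == "__main__":
    # Constructed router pod: lives in openshift-ingress but uses hostNetwork.
    router = Pod("router-default", "openshift-ingress", {"app": "router"}, host_network=True)
    print("router admitted:", ingress_allowed(ALLOW_FROM_INGRESS, router))  # False
    print("blind spots:", hostnetwork_blind_spots(ALLOW_FROM_INGRESS, [router]))  # ['router-default']
```

Running it reproduces the report's "Traffic blocked": the router is denied because the namespaceSelector is evaluated against netid 0, which carries none of the `openshift-ingress` labels, while the identical pod without hostNetwork is admitted. The model also shows the point raised later in the thread: every hostNetwork pod, whatever its project, presents the same identity to the SDN, so a policy cannot tell the router apart from any other hostNetwork pod.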

Comment 1 Casey Callendrello 2019-10-22 15:40:09 UTC
We certainly need to update the documentation for this.

Comment 2 Samuel 2019-10-22 17:47:00 UTC
Are we sure this is an issue with the docs?

I had the same issue with 3.11 a few weeks ago, and I'm still waiting on an answer from support (https://access.redhat.com/support/cases/#/case/02458754).

Is it normal for hostNetwork Pods' traffic to belong to network id 0?
Kinda defeats the purpose of NetworkPolicies.
I would argue this is a bug: allowing routers in, we would actually trust any other hostNetwork Pod, regardless of its Project.

What about Kuryr? ACI? ... (in 3.x, though hopefully in 4 soon). Haven't had a chance to use those yet: is it a behavior we would reproduce with non-OVS SDN plugins?
Didn't we get any complaints?

Comment 3 Ben Bennett 2019-11-08 16:09:39 UTC
There are two parts to this.

1) The router needs hostnetworking.  That will be addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1768608
2) We need to clearly document that hostnetwork pods are not constrained by network policy

Comment 4 Jason Boxman 2019-11-28 21:37:20 UTC
*** Bug 1750429 has been marked as a duplicate of this bug. ***

Comment 5 Jason Boxman 2020-01-28 22:53:28 UTC
The 4.x documentation updates[0] for this are tracked in a different bz[1]. I'm going to close this and post updates there. The work for 3.11 documentation updates is tracked in a different bz[2].

[0] https://github.com/openshift/openshift-docs/pull/19360
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1768608
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1750429

*** This bug has been marked as a duplicate of bug 1768608 ***