Description of problem:
When creating a network policy with a pod selector, it's not getting applied to new pods created after the policy matching the pod selector.

Version-Release number of selected component (if applicable):
Client Version: v4.2.0
Server Version: 4.5.0-0.nightly-2020-03-16-004817
Kubernetes Version: v1.17.1

How reproducible:
Always

Steps to Reproduce:
1. Have three files:

policy.yaml:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: policytest
spec:
  podSelector:
    matchLabels:
      app: policytest
  policyTypes:
  - Ingress
  - Egress

server.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: tcpserver
  namespace: policytest
  labels:
    app: policytest
spec:
  containers:
  - name: server
    image: fedora:31
    command: ["/bin/sh", "-c"]
    args: ["dnf install -y nc && sleep infinity"]
    ports:
    - containerPort: 30100
      protocol: TCP

client.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: tcpclient
  namespace: policytest
  labels:
    app: policytest
spec:
  containers:
  - name: client
    image: fedora:31
    command: ["/bin/sh", "-c"]
    args: ["dnf install -y nc && sleep infinity"]

2. Create the namespace and apply them:
oc create ns policytest
oc create -f policy.yaml
oc create -f server.yaml
oc create -f client.yaml

3. Pick the IP of the server with oc get pods -n policytest -o wide

Bash into the pods:
oc exec -it -n policytest tcpserver bash
oc exec -it -n policytest tcpclient bash

On the server side:
nc -k -l -p 30100

On the client side, passing the server pod's address taken from oc get pod -o wide:
[root@tcpclient /]# echo aaa | nc 10.129.2.16 30100

Actual results:
The message goes through:
[root@tcpserver /]# nc -k -l -p 30100
aaa

Expected results:
Message not going through, as the policy should block it.

Additional info:
If I create the pod and then create the policy, it works, and the message does not get through:
oc create -f server.yaml
oc create -f policy.yaml
oc create -f client.yaml
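As an added example (not code from the bug report or from OpenShift), the following Python oracle states what an enforcing network plugin must do for the three manifests above, so the nc probe result can be checked against it. It transcribes the page's YAML as dicts; the function names selects, isolating_policies, expected_allowed and enforcement_matches are this example's own, and pod creation order is deliberately not an input.

```python
# Expected-behaviour oracle for the repro above (added example, not code from
# the bug report). Kubernetes NetworkPolicy semantics as implemented here: a pod
# is selected when its labels satisfy spec.podSelector, a selected pod is
# isolated for each direction in policyTypes, and an isolated pod with no rules
# accepts nothing (default deny). Pod creation order is deliberately not an
# input: that is the property the report says the plugin violated.
# Manifests below are the page's three YAML files transcribed as dicts.

POLICY = {  # policy.yaml
    "metadata": {"name": "default-deny-ingress", "namespace": "policytest"},
    "spec": {"podSelector": {"matchLabels": {"app": "policytest"}},
             "policyTypes": ["Ingress", "Egress"]},
}
SERVER = {"metadata": {"name": "tcpserver", "namespace": "policytest",
                       "labels": {"app": "policytest"}}}  # server.yaml
CLIENT = {"metadata": {"name": "tcpclient", "namespace": "policytest",
                       "labels": {"app": "policytest"}}}  # client.yaml

def selects(selector, pod):
    """matchLabels: every key/value must be on the pod; {} selects all pods."""
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def isolating_policies(policies, pod, direction):
    """Same-namespace policies that select `pod` and cover `direction`."""
    ns = pod["metadata"]["namespace"]
    return [p for p in policies
            if p["metadata"]["namespace"] == ns
            # policyTypes defaults to Ingress only when unset and no egress rules exist
            and direction in p["spec"].get("policyTypes", ["Ingress"])
            and selects(p["spec"]["podSelector"], pod)]

def expected_allowed(policies, src, dst):
    """True if src -> dst must be allowed: dst not isolated for Ingress and src
    not isolated for Egress. Only rule-less (default-deny) policies are handled."""
    for pod, direction, rules in ((dst, "Ingress", "ingress"), (src, "Egress", "egress")):
        isolating = isolating_policies(policies, pod, direction)
        if any(p["spec"].get(rules) for p in isolating):
            raise NotImplementedError("rule evaluation is not covered here")
        if isolating:
            return False
    return True

def enforcement_matches(policies, src, dst, observed_reachable):
    """Compare a probe result (e.g. the nc test) with the oracle.
    The report's observation (client reached server) yields False: a bug."""
    return expected_allowed(policies, src, dst) == observed_reachable
```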
Hi, Is this an issue in earlier versions (4.1 - 4.3) of OCP? If so, I can add a note to the docs. Thanks.
Yes, it can be reproduced in 4.1/4.2/4.3 too.
Is there any workaround for this? Thanks!
Delete networkpolicy and create it again.
Verified in version 4.5.0-0.nightly-2020-03-20-044324. Followed the steps in the description. The networkpolicy works.

oc create ns policytest
oc create -f policy.yaml
oc create -f server.yaml
oc create -f client.yaml

oc get pods -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP            NODE                                         NOMINATED NODE   READINESS GATES
tcpclient   1/1     Running   0          14s   10.130.2.17   ip-10-0-172-24.us-east-2.compute.internal    <none>           <none>
tcpserver   1/1     Running   0          24s   10.129.2.9    ip-10-0-138-102.us-east-2.compute.internal   <none>           <none>

huiran-mac:script hrwang$ oc rsh tcpserver
sh-5.0# nc -k -l -p 30011

oc rsh tcpclient
sh-5.0# echo aaa | nc 10.129.2.9 30011
Ncat: TIMEOUT.
I created a PR[0] to mention this in the docs, for customers that may not immediately upgrade to the latest version with a fix.

[0] https://github.com/openshift/openshift-docs/pull/20691
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409