Bug 1828388 - NPs on svc not enforced when exposed port and target are different
Summary: NPs on svc not enforced when exposed port and target are different
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 4.4.z
Assignee: Luis Tomas Bolivar
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On: 1828387
Blocks: 1828699
TreeView+ depends on / blocked
 
Reported: 2020-04-27 16:06 UTC by Luis Tomas Bolivar
Modified: 2020-05-20 19:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1828387
: 1828699 (view as bug list)
Environment:
Last Closed: 2020-05-18 13:35:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 223 None closed [release-4.4] Bug 1828388: Ensure NP are enforced on SVC with different port and target port 2020-06-10 08:02:59 UTC
Red Hat Product Errata RHBA-2020:2133 None None None 2020-05-18 13:35:19 UTC

Description Luis Tomas Bolivar 2020-04-27 16:06:14 UTC
+++ This bug was initially created as a clone of Bug #1828387 +++

NP rules are not properly updated on LoadBalancer security groups when the exposed port and the target port does not match

Comment 3 Jon Uriarte 2020-05-11 11:10:15 UTC
Verified in 4.4.0-0.nightly-2020-05-08-224132 on top of OSP 16 compose RHOS_TRUNK-16.0-RHEL-8-20200506.n.2 (with OVS and amphora-driver).

After creating a service that exposes a different port than the one in the pod behind, if a network policy is created for blocking the ingress
traffic to the pod, the security rules are now applied in the load balancer and the service is not reachable.

Comment 5 errata-xmlrpc 2020-05-18 13:35:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2133


Note You need to log in before you can comment on or make changes to this bug.