Bug 1930017 - [kuryr] Egress network policy with namespaceSelector in Kuryr behaves differently than in OVN-Kubernetes
Summary: [kuryr] Egress network policy with namespaceSelector in Kuryr behaves differe...
Keywords:
Status: CLOSED DUPLICATE of bug 1941941
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: rdobosz
QA Contact: GenadiC
URL:
Whiteboard:
Depends On: 1921878
Blocks:
Reported: 2021-02-18 08:02 UTC by rdobosz
Modified: 2021-03-23 08:46 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1921878
Clones: 1941941 (view as bug list)
Environment:
Last Closed: 2021-03-23 08:46:25 UTC
Target Upstream Version:
Embargoed:

Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift kuryr-kubernetes pull 460 | 0 | None | open | [release-4.7] Bug 1930017: Narrow connection to the cluster only on namespaceSelector | 2021-02-25 01:00:28 UTC

Comment 3 rlobillo 2021-03-15 14:45:47 UTC
Failed on 4.7.0-0.nightly-2021-03-14-223051 over OSP16.1 (RHOS-16.1-RHEL-8-20201214.n.3) using OVN-Octavia.


$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc expose pod/demo --port 80 --target-port 8080
$ oc new-project test2
$ oc run --image kuryr/demo demo2
$ oc expose pod/demo2 --port 80 --target-port 8080

Loading the manifest below on the test project:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np-bz1921878
spec:
  podSelector:
    matchLabels:
      run: demo
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector: {}

The knp shows as below:
$ oc get knp/np-bz1921878 -o json | jq .spec
{
  "egressSgRules": [
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "egress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "protocol": "tcp",
        "remote_ip_prefix": "10.128.0.0/14"
      }
    }
  ],
  "ingressSgRules": [
    {
      "namespace": "default",
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "protocol": "tcp",
        "remote_ip_prefix": "10.128.76.0/23"
      }
    },
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "remote_ip_prefix": "10.196.0.0/16"
      }
    }
  ],
  "podSelector": {
    "matchLabels": {
      "run": "demo"
    }
  },
  "policyTypes": [
    "Egress",
    "Ingress"
  ]
}

^ missing the svc network (172.30.0.0/15).

As a consequence, the pod on project test cannot reach the service on project test2:

$ oc get all -n test
NAME       READY   STATUS    RESTARTS   AGE
pod/demo   1/1     Running   0          53m
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.120.87   <none>        80/TCP    53m
$ oc get all -n test2 -o wide
NAME        READY   STATUS    RESTARTS   AGE   IP              NODE                          NOMINATED NODE   READINESS GATES
pod/demo2   1/1     Running   0          52m   10.128.128.99   ostest-858gf-worker-0-w6psd   <none>           <none>
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/demo2   ClusterIP   172.30.120.252   <none>        80/TCP    52m   run=demo2
$ oc rsh -n test pod/demo
~ $ curl 10.128.128.99:8080
demo2: HELLO! I AM ALIVE!!!
~ $ curl 172.30.120.252
<NOT WORKING>

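As an added check (not part of the bug report and not code from the kuryr-kubernetes project), the following Python script compares the egress peers of the NetworkPolicy above with the remote_ip_prefix values Kuryr actually produced in the knp, and reports which cluster network is left uncovered. The CIDRs are the ones stated in the comment (pod network 10.128.0.0/14, service network 172.30.0.0/15); the rule that an empty namespaceSelector egress peer is expected to cover the service network as well as the pod network is the expectation the comment states, encoded here as an assumption. The knp spec and manifest are embedded as constructed copies of what the comment shows.

```python
"""Check a Kuryr-translated NetworkPolicy (knp) against the cluster networks
the original egress rule is expected to reach.

Added example, not kuryr-kubernetes code. Assumption (taken from the bug
comment): an egress peer with a namespaceSelector must cover the service
network, while a podSelector-only peer only needs the pod network.
"""
import ipaddress
import json

# Constructed: the egress half of the knp spec shown in the comment.
KNP_SPEC_JSON = """
{
  "egressSgRules": [
    {"sgRule": {"direction": "egress", "ethertype": "IPv4",
                "port_range_min": 1, "port_range_max": 65535,
                "protocol": "tcp", "remote_ip_prefix": "10.128.0.0/14"}}
  ],
  "podSelector": {"matchLabels": {"run": "demo"}},
  "policyTypes": ["Egress", "Ingress"]
}
"""

# Constructed: the NetworkPolicy manifest from the comment, as a dict.
NETWORK_POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"run": "demo"}},
        "policyTypes": ["Egress", "Ingress"],
        "ingress": [{"from": [{"podSelector": {}}]}],
        "egress": [{"to": [{"namespaceSelector": {}}]}],
    }
}

# Cluster networks as stated in the comment.
POD_NETWORK = ipaddress.ip_network("10.128.0.0/14")
SERVICE_NETWORK = ipaddress.ip_network("172.30.0.0/15")


def load_knp_spec():
    """Parse the embedded knp spec into a dict."""
    return json.loads(KNP_SPEC_JSON)


def expected_egress_networks(policy, pod_network=POD_NETWORK,
                             svc_network=SERVICE_NETWORK):
    """Networks each egress 'to' peer is expected to reach (see assumption above)."""
    wanted = set()
    for rule in policy["spec"].get("egress", []):
        for peer in rule.get("to", []):
            if "ipBlock" in peer:
                wanted.add(ipaddress.ip_network(peer["ipBlock"]["cidr"]))
            elif "namespaceSelector" in peer:
                # Assumed: cross-namespace peer includes ClusterIP services.
                wanted.update({pod_network, svc_network})
            elif "podSelector" in peer:
                wanted.add(pod_network)
    return wanted


def sg_prefixes(knp_spec, direction):
    """remote_ip_prefix values of the knp security-group rules for a direction."""
    key = "egressSgRules" if direction == "egress" else "ingressSgRules"
    return [ipaddress.ip_network(r["sgRule"]["remote_ip_prefix"])
            for r in knp_spec.get(key, []) if "remote_ip_prefix" in r["sgRule"]]


def missing_networks(policy, knp_spec):
    """Expected egress networks that no egress SG rule covers, as sorted CIDR strings."""
    prefixes = sg_prefixes(knp_spec, "egress")
    missing = [n for n in expected_egress_networks(policy)
               if not any(n.subnet_of(p) for p in prefixes if n.version == p.version)]
    return sorted(str(n) for n in missing)


if __name__ == "__main__":
    # On the knp from the comment this reports the service network only.
    print("egress networks not covered by knp:", missing_networks(NETWORK_POLICY, load_knp_spec()))
```

Running the script against the knp from the comment reports `['172.30.0.0/15']`, which is exactly the gap that makes `curl 172.30.120.252` hang; appending an egress rule with `remote_ip_prefix` set to the service network makes the report empty.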
Comment 6 Michał Dulko 2021-03-23 08:46:25 UTC
I need to close this due to procedural reasons, see https://issues.redhat.com/browse/ART-2801.

*** This bug has been marked as a duplicate of bug 1941941 ***