Hide Forgot
Failed on 4.7.0-0.nightly-2021-03-14-223051 over OSP16.1 (RHOS-16.1-RHEL-8-20201214.n.3) using OVN-Octavia. $ oc new-project test $ oc run --image kuryr/demo demo $ oc expose pod/demo --port 80 --target-port 8080 $ oc new-project test2 $ oc run --image kuryr/demo demo2 $ oc expose pod/demo2 --port 80 --target-port 8080 Loading below manifest on test project: kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: np-bz1921878 spec: podSelector: matchLabels: run: demo policyTypes: - Egress - Ingress ingress: - from: - podSelector: {} egress: - to: - namespaceSelector: {} np shows below: $ oc get knp/np-bz1921878 -o json | jq .spec { "egressSgRules": [ { "sgRule": { "description": "Kuryr-Kubernetes NetPolicy SG rule", "direction": "egress", "ethertype": "IPv4", "port_range_max": 65535, "port_range_min": 1, "protocol": "tcp", "remote_ip_prefix": "10.128.0.0/14" } } ], "ingressSgRules": [ { "namespace": "default", "sgRule": { "description": "Kuryr-Kubernetes NetPolicy SG rule", "direction": "ingress", "ethertype": "IPv4", "port_range_max": 65535, "port_range_min": 1, "protocol": "tcp", "remote_ip_prefix": "10.128.76.0/23" } }, { "sgRule": { "description": "Kuryr-Kubernetes NetPolicy SG rule", "direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "10.196.0.0/16" } } ], "podSelector": { "matchLabels": { "run": "demo" } }, "policyTypes": [ "Egress", "Ingress" ] } ^ missing the svc network (172.30.0.0/15). As a consequence, pod on project test cannot reach the service on project test2: $ oc get all -n test NAME READY STATUS RESTARTS AGE pod/demo 1/1 Running 0 53m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/demo ClusterIP 172.30.120.87 <none> 80/TCP 53m $ oc get all -n test2 -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES pod/demo2 1/1 Running 0 52m 10.128.128.99 ostest-858gf-worker-0-w6psd <none> <none> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/demo2 ClusterIP 172.30.120.252 <none> 80/TCP 52m run=demo2 $ oc rsh -n test pod/demo ~ $ curl 10.128.128.99:8080 demo2: HELLO! I AM ALIVE!!! ~ $ curl 172.30.120.252 <NOT WORKING>
I need to close this due to procedural reasons, see https://issues.redhat.com/browse/ART-2801. *** This bug has been marked as a duplicate of bug 1941941 ***