Verified in 4.6.0-0.nightly-2021-03-27-052141 on top of OSP 16.1.4 (RHOS-16.1-RHEL-8-20210311.n.1) with OVN-Octavia.

SG rules generated by the NP resource definition below allow egress traffic for all protocols and not only TCP:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np-bz1940141
spec:
  podSelector:
    matchLabels:
      run: demo
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

Steps:

1. Create test and test2 projects, both with a kuryr/demo pod exposed by a service on port 80:

$ oc new-project test
$ oc run --image kuryr/demo demo
$ oc expose pod/demo --port 80 --target-port 8080
$ oc get all -n test
NAME           READY   STATUS    RESTARTS   AGE
pod/demo       1/1     Running   0          44s

NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/demo   ClusterIP   172.30.100.174   <none>        80/TCP    14s

$ oc new-project test2
$ oc run --image kuryr/demo demo2
$ oc expose pod/demo2 --port 80 --target-port 8080
$ oc get all -n test2
NAME            READY   STATUS    RESTARTS   AGE
pod/demo2       1/1     Running   0          21s

NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/demo2   ClusterIP   172.30.254.31   <none>        80/TCP    4s

2. Apply the NP to the demo pod in the test project:

$ cat np_bz1940141.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: np-bz1940141
spec:
  podSelector:
    matchLabels:
      run: demo
  policyTypes:
  - Egress
  - Ingress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
$ oc apply -f np_bz1940141.yaml -n test

# The generated knp resource includes an Egress rule that applies to IPv4 traffic, not only TCP but also UDP
$ oc -n test get knp/np-bz1940141 -o json | jq .spec
{
  "egressSgRules": [
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "egress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "remote_ip_prefix": "0.0.0.0/0"
      }
    },
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "egress",
        "ethertype": "IPv4",
        "remote_ip_prefix": "172.30.100.174"
      }
    }
  ],
  "ingressSgRules": [
    {
      "namespace": "test",
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "port_range_max": 65535,
        "port_range_min": 1,
        "remote_ip_prefix": "10.128.120.0/23"
      }
    },
    {
      "sgRule": {
        "description": "Kuryr-Kubernetes NetPolicy SG rule",
        "direction": "ingress",
        "ethertype": "IPv4",
        "remote_ip_prefix": "10.196.0.0/16"
      }
    }
  ],
  "podSelector": {
    "matchLabels": {
      "run": "demo"
    }
  },
  "policyTypes": [
    "Egress",
    "Ingress"
  ]
}

3. Test connectivity:

$ oc rsh -n test demo

1. Ping to external domain:

~ $ curl -s www.google.com
<!doctype html><html dir="rtl" itemscope="" itemtype="http://schema.org/WebPage" lang="iw"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="tmGrp9BOgBuSGdMD4i89gA==">(function(){window.google={kEI:'3IUzYKu_IsmVsAfT8o6oDg',kEXPI:'0,18168,1284265[...]

2. Curl the other namespace:

~ $ curl 172.30.254.31
demo2: HELLO! I AM ALIVE!!!
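The verification above hinges on one translation detail: a NetworkPolicy egress rule whose `to:` is an `ipBlock` and which carries no `ports:` means "every port of every protocol", so the corresponding Neutron security-group rule must be emitted without a `protocol` field rather than as a TCP-only rule. The following is an added example written for this thread, not kuryr-kubernetes code; the function names, the rule dict shape (loosely modelled on the knp spec printed above) and the way `except:` blocks are carved into positive `remote_ip_prefix` rules are all assumptions of the example, as is the embedded copy of the policy used in the comment above.

```python
"""Expand NetworkPolicy ipBlock peers into Neutron security-group rule dicts.

Added illustration for this bug thread. It is NOT kuryr-kubernetes code; names,
rule shape and the except-handling strategy are assumptions of the example.
"""
import ipaddress
from typing import Dict, List, Optional

DESCRIPTION = "Kuryr-Kubernetes NetPolicy SG rule"  # string seen in the knp spec above


def cidr_minus_except(cidr: str, excepts: List[str]) -> List[str]:
    """Return CIDR strings covering `cidr` with every `except` block removed.

    Neutron SG rules cannot express an exclusion, so an ipBlock with `except`
    has to become several positive remote_ip_prefix rules. Two networks that
    overlap always nest, so each except block is either inside a piece,
    contains it, or is disjoint from it.
    """
    pieces = [ipaddress.ip_network(cidr, strict=False)]
    for ex in excepts:
        ex_net = ipaddress.ip_network(ex, strict=False)
        next_pieces = []
        for net in pieces:
            if net.version != ex_net.version or not (
                ex_net.subnet_of(net) or net.subnet_of(ex_net)
            ):
                next_pieces.append(net)  # disjoint: keep the piece as is
            elif ex_net.subnet_of(net):
                # carve the hole out; yields nothing when ex_net == net
                next_pieces.extend(net.address_exclude(ex_net))
            # else: the piece lies entirely inside the except block -> drop it
        pieces = next_pieces
    return [str(n) for n in sorted(pieces)]


def ipblock_sg_rules(direction: str, ipblock: Dict,
                     ports: Optional[List[Dict]] = None) -> List[Dict]:
    """Expand one ipBlock peer into Neutron security-group rule dicts.

    `ports` is the `ports:` list of the enclosing NetworkPolicy rule. An absent
    or empty list means "all ports of all protocols", so the rule is emitted
    with no protocol at all. Emitting a TCP-only rule here would reproduce the
    behaviour the verification above checks is gone (UDP must pass too).
    Named (string) ports are not resolved in this example.
    """
    rules = []
    for cidr in cidr_minus_except(ipblock["cidr"], ipblock.get("except", [])):
        base = {
            "description": DESCRIPTION,
            "direction": direction,
            "ethertype": "IPv6" if ":" in cidr else "IPv4",
            "remote_ip_prefix": cidr,
        }
        if not ports:
            rules.append(base)
            continue
        for port in ports:
            # Kubernetes defaults a port entry's protocol to TCP; Neutron wants it lower-case
            rule = dict(base, protocol=port.get("protocol", "TCP").lower())
            if "port" in port:
                rule["port_range_min"] = port["port"]
                rule["port_range_max"] = port.get("endPort", port["port"])
            rules.append(rule)
    return rules


def policy_egress_sg_rules(policy: Dict) -> List[Dict]:
    """Expand every ipBlock peer of spec.egress. podSelector/namespaceSelector
    peers need cluster lookups and are out of scope for this example."""
    rules = []
    for egress_rule in policy["spec"].get("egress", []):
        for peer in egress_rule.get("to", []):
            if "ipBlock" in peer:
                rules.extend(ipblock_sg_rules("egress", peer["ipBlock"],
                                              egress_rule.get("ports")))
    return rules


# The policy from the verification comment above, as a Python dict.
NP_BZ1940141 = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "np-bz1940141"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "demo"}},
        "policyTypes": ["Egress", "Ingress"],
        "ingress": [{"from": [{"podSelector": {}}]}],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(policy_egress_sg_rules(NP_BZ1940141), indent=2))
```

Running it prints a single egress rule for 0.0.0.0/0 with ethertype IPv4 and no `protocol` or port-range keys, which is the all-protocols semantics the comment confirms; adding `ports: [{protocol: UDP, port: 53}]` to the same rule instead yields a udp/53 rule, and an `except:` list yields one rule per remaining sub-block.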
Back to POST as we've found an issue caused by this patch.
Back to VERIFIED; I had better create a new bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6.25 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1153
*** Bug 1952429 has been marked as a duplicate of this bug. ***