Bug 1942555 - Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Severity: medium
Priority: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Aniket Bhat
QA Contact: Arti Sood
Blocks: 1942603
Reported: 2021-03-24 14:32 UTC by Aniket Bhat
Modified: 2021-09-27 18:56 UTC (History)

Clones: 1942603
Last Closed: 2021-07-27 22:55:12 UTC


Links:
- GitHub openshift/cluster-network-operator pull 1062 (open): "Bug 1942555: Rely on status for ingress controller for endpointPublishingStrategy", last updated 2021-04-16 18:31:39 UTC
- Red Hat Product Errata RHSA-2021:2438, last updated 2021-07-27 22:55:34 UTC

Description Aniket Bhat 2021-03-24 14:32:56 UTC
Description of problem:
Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork

Version-Release number of selected component (if applicable):
OCP with ovn-kubernetes (all versions of ovn-k).

How reproducible:
Always

Steps to Reproduce:
1. Create a cluster with the default router's endpoint publishing strategy set to HostNetwork
2. Create an application with a route in a test namespace
3. Try reaching the application using a route from outside.

Actual results:
Access will be denied with the default network policies in place. 

Expected results:
External traffic should be allowed to reach the application if the publishing strategy is host network.

Additional info:

Comment 2 Alexander Constantinescu 2021-04-14 14:45:52 UTC
Hi Aniket

We know you have created and merged the dependent ovn-kube and CNO PRs. This bug is still in ASSIGNED; do we need an update here?

/Alex

Comment 8 Arti Sood 2021-04-19 19:30:13 UTC
Was unable to revive the cluster created with image registry.build01.ci.openshift.org/ci-ln-igjdgk2/release:latest.

Built another image registry.build01.ci.openshift.org/ci-ln-b0mrw5k/release:latest and installed a cluster. (https://mastern-jenkins-csb-openshift-qe.apps.ocp4.prod.psi.redhat.com/job/ocp-common/job/Flexy-install/14282/)

Was successfully able to access the service with network policy applied on the namespace.

1. Create a namespace arti-test
2. Deploy the service and expose it.
oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json
oc expose service <service name>
oc get route

3. Access the service
curl test-service-arti-test.apps.asood-dev-build.qe.devcluster.openshift.com
Hello OpenShift!

 
4. oc create -f ~/Documents/test-yaml/SDN-1340/AllFromRouterNew.yaml 
networkpolicy.networking.k8s.io/deny-by-default created
networkpolicy.networking.k8s.io/allow-from-router created
networkpolicy.networking.k8s.io/allow-from-openshift-monitoring created
networkpolicy.networking.k8s.io/allow-same-namespace created

5. Access the service
curl test-service-arti-test.apps.asood-dev-build.qe.devcluster.openshift.com
Hello OpenShift!

Looks good.
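For readers who want to see what a policy set like the one applied in step 4 looks like, here is an added example; it is not the AllFromRouterNew.yaml from the comment above, which the report does not include. It assumes the OpenShift convention that the namespace the router traffic is attributed to carries the label policy-group.network.openshift.io/ingress: "" (for the HostNetwork strategy on OVN-Kubernetes that is the host-network namespace rather than openshift-ingress), so that selector is the part to verify on your own cluster.

```yaml
# Added example: deny everything inbound to the namespace, then re-admit
# the router and same-namespace pods. The namespace label below is an
# assumption, not something stated in the bug; confirm which namespaces
# carry it with:  oc get ns -l policy-group.network.openshift.io/ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default
  namespace: arti-test
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules listed, so all inbound is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-router
  namespace: arti-test
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # must match the namespace OVN-Kubernetes attributes router
          # traffic to; with a HostNetwork router that is the host-network
          # namespace, which is why the strategy matters for this policy
          policy-group.network.openshift.io/ingress: ""
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: arti-test
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}    # any pod in arti-test may reach any other
```

If the curl in step 5 is refused after applying a set like this, the first thing to check is whether the namespace selected by allow-from-router is really the one the host-networked router's traffic is attributed to.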

Comment 14 errata-xmlrpc 2021-07-27 22:55:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Comment 15 Mehul Modi 2021-09-27 18:56:10 UTC
Arti Sood confirmed the test case was already added in Polarion and the test is automated.

