Bug 1953680 - ipBlock ignoring all other cidr's apart from the last one specified
Summary: ipBlock ignoring all other cidr's apart from the last one specified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: 4.8.0
Assignee: Dan Winship
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks: 1967132
TreeView+ depends on / blocked
 
Reported: 2021-04-26 16:08 UTC by Andy Bartlett
Modified: 2021-07-27 23:04 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: ovn-kubernetes handled some NetworkPolicies with multiple ipBlocks incorrectly Consequence: The ipBlocks after the first one would be ignored, resulting in pods not being able to reach all of the IPs they were supposed to be able to reach. Fix: Fixed the code for generating OVN ACLs from kubernetes NetworkPolicies Result: Policies with multiple ipBlocks work correctly
Clone Of:
: 1967132 (view as bug list)
Environment:
Last Closed: 2021-07-27 23:04:01 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 530 0 None closed Bug 1953680: policy: handle NetworkPolicies single "from" multiple "ipBlock" 2021-05-13 21:14:47 UTC
Github ovn-org ovn-kubernetes pull 2191 0 None closed policy: handle NetworkPolicies single "from" multiple "ipBlock" 2021-05-10 16:58:58 UTC
Red Hat Bugzilla 1950283 1 urgent CLOSED [SCALE] network policies at scale have a long delay until enforcement 2021-09-21 23:43:10 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:04:20 UTC

Description Andy Bartlett 2021-04-26 16:08:20 UTC 
Description of problem:

Hi,
 Created from BZ: 1950283

 Speaking to the customer today, they have observed that if you use:

# Source: networkpolicies-config-values/charts/networkpolicies-config/templates/networkpolicies.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: stex-rd-networkpolicies-config-allow-from-ic
  labels:
    helm.sh/chart: networkpolicies-config-0.1.0
    app.kubernetes.io/name: networkpolicies-config
    app.kubernetes.io/instance: stex-rd
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  podSelector:
    matchLabels:
      "nl.duo.networkpolicy.allow-ingress": 'true'
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.4.2/23
    - ipBlock:
        cidr: 10.1.2.2/23
    - ipBlock:
        cidr: 10.3.2.2/23
  policyTypes:
    - Ingress

In this case the ipBlock only uses the last cidr specified (cidr: 10.3.2.2/23) , so to get round this:

# Source: networkpolicies-config-values/charts/networkpolicies-config/templates/networkpolicies.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: stex-rd-networkpolicies-config-allow-from-ic
  labels:
    helm.sh/chart: networkpolicies-config-0.1.0
    app.kubernetes.io/name: networkpolicies-config
    app.kubernetes.io/instance: stex-rd
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
spec:
  podSelector:
    matchLabels:
      "nl.duo.networkpolicy.allow-ingress": 'true'
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.4.2/23
  - from:
    - ipBlock:
        cidr: 10.1.2.2/23
  - from:
    - ipBlock:
        cidr: 10.3.2.2/23
  policyTypes:
    - Ingress


Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Ben Bennett 2021-04-26 16:14:10 UTC 
This will need to be backported to 4.6.
Comment 9 errata-xmlrpc 2021-07-27 23:04:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
Note You need to log in before you can comment on or make changes to this bug.