Bug 1959711 - Egressnetworkpolicy doesn't work when configure the EgressIP
Summary: Egressnetworkpolicy doesn't work when configure the EgressIP
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Alexander Constantinescu
QA Contact: huirwang
Depends On:
Blocks: 1971669
TreeView+ depends on / blocked
Reported: 2021-05-12 07:33 UTC by huirwang
Modified: 2023-09-15 01:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-07-27 23:08:01 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift sdn pull 299 0 None open Bug 1959711: Reverse table order for egress IP and egress network policy set up 2021-05-14 14:12:00 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:08:18 UTC

Description huirwang 2021-05-12 07:33:52 UTC
Description of problem:
Egressnetworkpolicy  doesn't work when configure the EgressIP

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a namespace test and a pod under it.
2. Create a egressnetworkpolicy in project test
3. Check the egressnetworkpolicy take effect, the outbound traffic was blocked.
oc get egressnetworkpolicy -n test -o yaml
apiVersion: v1

    - to:
      type: Deny
oc rsh -n test hello-pod
/ # curl --connect-timeout 5
curl: (28) Connection timed out after 5001 milliseconds

4. Patch EgressIP to one node
5.Patch EgressIP to the namespace test
oc get hostsubnet
NAME              HOST              HOST IP          SUBNET          EGRESS CIDRS   EGRESS IPS
compute-0         compute-0                  [""]
compute-1         compute-1                  
compute-2         compute-2                  []
control-plane-0   control-plane-0                  []
control-plane-1   control-plane-1                  []
control-plane-2   control-plane-2                  []
oc get netnamespace test
test   4651997   [""]
6. Check the outbound traffic from project test

Actual results:
The outbound traffic was allowed. The egressnetworkpolicy doesn't take effect.
oc rsh -n test hello-pod
/ # curl --connect-timeout 5
/ # curl -I www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Wed, 12 May 2021 07:30:44 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Expires: Wed, 12 May 2021 07:30:44 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-05-12-07; expires=Fri, 11-Jun-2021 07:30:44 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=215=mWV_Per9VI4d1SH-QUE7InTiq11vrOneb8kqw3hHkeozRLHdvISpUplhLIscHcm3In2JX3ZAbGd7bvl0a0X_-RN1mFHU2Pntb7PsWmsivrQTJOZh8b0diRvKJJ9iQf6_S7HV2VjrFZM5aYWhlLy6wraVso6EV4eGGQ0LiB7LSfY; expires=Thu, 11-Nov-2021 07:30:44 GMT; path=/; domain=.google.com; HttpOnly

Expected results:
The egressnetworkpolicy works and outbound traffic is blocked.

Additional info:

Comment 1 Alexander Constantinescu 2021-05-12 12:52:34 UTC
@Jacob: I see you modified the action from `action: goto_table:101` (https://github.com/openshift/sdn/blob/release-4.7/pkg/network/node/ovscontroller.go#L792) to `action output:tun0` https://github.com/openshift/sdn/blob/master/pkg/network/node/ovscontroller.go#L795 

This breaks egress IP with egress network policy as this bug shows. Could you please have a look at that?

Comment 2 Alexander Constantinescu 2021-05-12 14:09:11 UTC
Expanding on my previous comment: I suspect you did that because the `goto_table` action is not allowed for OVS groups (I tested locally and verified the behavior). We (me and Winship) discussed this in the bug scrum and an idea was that we could have egress networkpolicy flows applied before egress IP ones, instead of the reverse as it was done before. 

I am marking this a blocker, since if we ship 4.8 with this it will raise a CVE. So if this can't be fixed until then we might need to revert the feature.

Comment 8 errata-xmlrpc 2021-07-27 23:08:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 9 Red Hat Bugzilla 2023-09-15 01:06:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

Note You need to log in before you can comment on or make changes to this bug.