Bug 1962569 - NetworkPolicy details page should also show Egress rules
Summary: NetworkPolicy details page should also show Egress rules
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Joel Takvorian
QA Contact: Yadan Pei
Depends On:
Reported: 2021-05-20 09:42 UTC by Yadan Pei
Modified: 2021-07-27 23:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Issue: When Network Provider "OVNKubernetes" is used instead of "OpenShiftSDN", NetworkPolicies can have an egress section. That egress section wasn't displayed in the corresponding details page of a NetworkPolicy. Fix / Result: Display the egress rules in a format similar to ingress rules.
Clone Of:
Last Closed: 2021-07-27 23:09:30 UTC
Target Upstream Version:

Attachments
Egress rules table on NetworkPolicy details page (110.66 KB, image/png)
2021-05-27 05:47 UTC, Yadan Pei

System ID Private Priority Status Summary Last Updated
Github openshift console pull 9032 0 None open Bug 1962569: Show NetworkPolicy egress rules 2021-05-25 09:27:03 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:09:55 UTC

Description Yadan Pei 2021-05-20 09:42:16 UTC
Description of problem:
The NetworkPolicy details page only shows the Ingress rules table. Maybe we should also show Egress rules; only in this way can the user have a complete view of the NetworkPolicy object.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a NetworkPolicy with the YAML below, which defines ingress and egress rules:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: <CIDR>  # value missing from this report
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: <CIDR>  # value missing from this report
    ports:
    - protocol: TCP
      port: 5978
2. Check the NetworkPolicy details at Networking -> NetworkPolicies -> click on 'test-network-policy'

Actual results:
2. The NetworkPolicy details page only shows the 'Ingress rules' table. Maybe we should also show an 'Egress rules' table; Egress rules are also an important part of a NetworkPolicy, and only in this way do we have a complete view of the NetworkPolicy rules.

Expected results:

Additional info:

Comment 1 Joel Takvorian 2021-05-25 09:15:16 UTC
Note that not showing egress rules made sense as long as openshift-sdn was the only possible CNI plugin, as it doesn't support egress.
Now, when ovn-k is used as a CNI plugin, egress rules are supported. I suggest adding a small explanation text about when egress rules are supported or not, like it's done in https://issues.redhat.com/browse/NETOBSERV-4.

Note also that an RFE was created in order to expose information about the CNI plugin in use: https://issues.redhat.com/browse/RFE-1873 ; when implemented, it will be possible to modify how egress rules are displayed (i.e. hide them or show a warning when there's an egress rule while openshift SDN is used, and remove the explanation text when ovn-k is used).
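
Added example, not part of this thread or of the console's code: a TypeScript sketch that summarises a NetworkPolicy in both directions and raises the warning comment 1 describes when a policy restricts egress under "OpenShiftSDN". The type and function names, the caller-supplied `networkType` argument and the sample CIDRs are assumptions made for illustration.

```typescript
type Selector = { matchLabels?: Record<string, string> };
type Peer = { ipBlock?: { cidr: string }; namespaceSelector?: Selector; podSelector?: Selector };
type Rule = { from?: Peer[]; to?: Peer[]; ports?: { protocol?: string; port?: number | string }[] };
type Policy = { spec: { policyTypes?: string[]; ingress?: Rule[]; egress?: Rule[] } };
type Direction = 'Ingress' | 'Egress';

function labels(s: Selector): string {
  const m = s.matchLabels ?? {};
  return Object.keys(m).map((k) => `${k}=${m[k]}`).join(',') || '<all>';
}
function describePeer(p: Peer): string {
  if (p.ipBlock) return `ipBlock ${p.ipBlock.cidr}`;
  const parts: string[] = [];
  if (p.namespaceSelector) parts.push(`namespaces[${labels(p.namespaceSelector)}]`);
  if (p.podSelector) parts.push(`pods[${labels(p.podSelector)}]`);
  return parts.join(' + ');
}

// Does the policy govern this direction? Mirrors the API default when policyTypes is omitted.
function governs(policy: Policy, dir: Direction): boolean {
  const types = policy.spec.policyTypes;
  if (types) return types.indexOf(dir) !== -1;
  return dir === 'Ingress' || (policy.spec.egress ?? []).length > 0;
}

// One line per rule; a governed direction with no rules allows nothing.
function summarize(policy: Policy, dir: Direction): string[] {
  if (!governs(policy, dir)) return [`${dir}: not restricted by this policy`];
  const rules = (dir === 'Ingress' ? policy.spec.ingress : policy.spec.egress) ?? [];
  if (rules.length === 0) return [`${dir}: deny all`];
  return rules.map((r) => {
    const peers = (dir === 'Ingress' ? r.from : r.to) ?? [];
    const who = peers.length ? peers.map(describePeer).join(' | ') : 'any peer';
    const ports = (r.ports ?? []).map((p) => `${p.protocol ?? 'TCP'}/${p.port ?? '*'}`).join(',');
    return `${dir}: ${who} on ${ports || 'any port'}`;
  });
}

// networkType comes from the caller (assumption; the thread notes the console cannot read it yet).
function egressWarning(policy: Policy, networkType: string): string | null {
  if (!governs(policy, 'Egress') || networkType !== 'OpenShiftSDN') return null;
  return 'policy restricts egress, which OpenShiftSDN does not support (per comment 1)';
}

// Constructed sample shaped like the policy in this report; CIDRs are documentation ranges.
const sample: Policy = { spec: { policyTypes: ['Ingress', 'Egress'],
  ingress: [{ from: [{ ipBlock: { cidr: '192.0.2.0/24' } },
    { namespaceSelector: { matchLabels: { project: 'myproject' } } },
    { podSelector: { matchLabels: { role: 'frontend' } } }], ports: [{ protocol: 'TCP', port: 6379 }] }],
  egress: [{ to: [{ ipBlock: { cidr: '198.51.100.0/24' } }], ports: [{ protocol: 'TCP', port: 5978 }] }] } };
```

A policy that lists Egress in `policyTypes` but carries no egress rules summarises as "deny all", which is the case where a missing Egress view or an unsupported plugin hides the most.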

Comment 3 Yadan Pei 2021-05-27 05:46:21 UTC
With the fix, we now show the Egress rules table on the NetworkPolicy details page. As described in comment #1, how egress rules can be displayed is not in the scope of this bug, so now everything is working as expected.

Verified on 4.8.0-0.nightly-2021-05-26-172234

Comment 4 Yadan Pei 2021-05-27 05:47:29 UTC
Created attachment 1787475
Egress rules table on NetworkPolicy details page

Comment 7 errata-xmlrpc 2021-07-27 23:09:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

