Description of problem:
When a "deny all" policy is created (this is done by having empty ingress rules), in the policy details page it is interpreted as the opposite, alleging all is allowed. The spec states explicitly: "If this field [ingress] is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)" ( https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicy-v1-networking-k8s-io )

Having tested the actual behaviour (with CNI OpenShiftSDN), I can confirm that traffic is blocked when this deny-all rule is set.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a network policy using sample n.2 "Deny all non-whitelisted traffic in the current namespace"
2. Check network policy details, under "Ingress rules" it states "All traffic is allowed to Pods in default".
Optionally, create a pod and a service to expose it under the same namespace to ensure connectivity is actually denied.

Actual results:
Text says traffic is allowed

Expected results:
Text should say traffic is denied

Additional info:
Bug is fixed via https://github.com/openshift/console/pull/9032 (for bug https://bugzilla.redhat.com/show_bug.cgi?id=1962569 )
1. Create two NetworkPolicies, one denies all ingress the other denies all egress

deny all ingress
....
spec:
  policyTypes:
  - Ingress

deny all egress
....
spec:
  policyTypes:
  - Egress

2. Check NetworkPolicy details page -> Ingress rules table
For deny all ingress networkpolicy, it shows `All incoming traffic is denied to Pods in yapei`
For deny all egress networkpolicy, it shows `All outgoing traffic is denied from Pods in yapei`

the text is showing correct meaning

Verified on 4.8.0-0.nightly-2021-05-26-021757
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
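The rule this bug turns on (a direction listed in policyTypes with no rules isolates the selected pods, while a rule with no peers and no ports opens that direction) can be checked mechanically. The following is an added example, not code from openshift/console or from this report; the type names, function names and sample specs are hypothetical and constructed for illustration.

```typescript
// Added example, not openshift/console code. All names here are hypothetical.
type Rule = { from?: unknown[]; to?: unknown[]; ports?: unknown[] };
type Spec = { policyTypes?: string[]; ingress?: Rule[]; egress?: Rule[] };
type Direction = 'Ingress' | 'Egress';
type Effect = 'deny-all' | 'allow-all' | 'restricted' | 'unaffected';

const isEmpty = (list?: unknown[]): boolean => !list || list.length === 0;

// API defaulting: Ingress is always set; Egress only if egress rules exist.
function effectivePolicyTypes(spec: Spec): string[] {
  const declared = spec.policyTypes;
  if (declared && declared.length > 0) return declared;
  return isEmpty(spec.egress) ? ['Ingress'] : ['Ingress', 'Egress'];
}

function classify(spec: Spec, direction: Direction): Effect {
  // A direction missing from policyTypes is not isolated by this policy.
  if (effectivePolicyTypes(spec).indexOf(direction) === -1) return 'unaffected';
  const rules = direction === 'Ingress' ? spec.ingress : spec.egress;
  // No rules for a listed direction: pods are isolated and nothing is allowed.
  if (!rules || rules.length === 0) return 'deny-all';
  const peers = direction === 'Ingress' ? 'from' : 'to';
  // A rule with neither peers nor ports matches every peer on every port.
  const open = rules.some((r) => isEmpty(r[peers]) && isEmpty(r.ports));
  return open ? 'allow-all' : 'restricted';
}

// Constructed sample specs (podSelector omitted; it only picks the pods).
const samples: { name: string; spec: Spec }[] = [
  { name: 'deny-all-ingress', spec: { policyTypes: ['Ingress'] } },
  { name: 'deny-all-egress', spec: { policyTypes: ['Egress'] } },
  { name: 'empty-ingress-list', spec: { ingress: [] } },
  { name: 'allow-all-ingress', spec: { ingress: [{}] } },
];

function summarize(): string[] {
  return samples.map(
    (s) =>
      `${s.name}: ingress=${classify(s.spec, 'Ingress')} egress=${classify(s.spec, 'Egress')}`
  );
}
```

A policy that declares only egress rules and omits policyTypes still classifies as deny-all for ingress, because Ingress is always part of the defaulted policyTypes.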