Bug 1964319 - Network policy "deny all" interpreted as "allow all" in description page
Summary: Network policy "deny all" interpreted as "allow all" in description page
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Joel Takvorian
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-25 08:15 UTC by Joel Takvorian
Modified: 2021-07-27 23:10 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:10:05 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 9032 0 None open Bug 1962569: Show NetworkPolicy egress rules 2021-05-25 15:11:10 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:10:27 UTC

Description Joel Takvorian 2021-05-25 08:15:32 UTC
Description of problem:

When a "deny all" policy is created (this is done by having empty ingress rules), in the policy details page it is interpreted as the opposite, alleging all is allowed.

The spec states explicitly: "If this field [ingress] is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)" ( https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicy-v1-networking-k8s-io )

Having tested the actual behaviour (with CNI OpenShiftSDN), I can confirm that traffic is blocked when this deny-all rule is set.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a network policy using sample n.2 "Deny all non-whitelisted traffic in the current namespace"
2. Check network policy details, under "Ingress rules" it states "All traffic is allowed to Pods in default".

Optionally, create a pod and a service to expose it under the same namespace to ensure connectivity is actually denied.

Actual results:

Text says traffic is allowed


Expected results:

Text should say traffic is denied

Additional info:

Comment 1 Joel Takvorian 2021-05-26 07:50:51 UTC
Bug is fixed via https://github.com/openshift/console/pull/9032 (for bug https://bugzilla.redhat.com/show_bug.cgi?id=1962569 )

Comment 2 Yadan Pei 2021-05-26 09:18:37 UTC
1. Create two NetworkPolicies, one denying all ingress and the other denying all egress
deny all ingress
....
spec:
  policyTypes:
    - Ingress


deny all egress
....
spec:
  policyTypes:
    - Egress


2. Check NetworkPolicy details page -> Ingress rules table
For deny all ingress networkpolicy, it shows `All incoming traffic is denied to Pods in yapei`
For deny all egress networkpolicy, it shows `All outgoing traffic is denied from Pods in yapei`

The text now shows the correct meaning.

Verified on 4.8.0-0.nightly-2021-05-26-021757
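The semantics quoted in the report (an empty rule list for a covered direction means "deny all", a single empty rule means "allow all") together with the verified wording from the comment above, as an added Python example that is neither the bug's YAML nor the console's code. The helper names, the "not restricted" wording and the sample specs are assumptions.

```python
# Added example: classify each direction of a Kubernetes NetworkPolicy spec
# using the API semantics quoted in the report, and render the details-page
# sentence for it. Names, the "not restricted" wording and the sample specs
# below are assumptions, not the console's code.
from typing import Any

Spec = dict[str, Any]


def covered_directions(spec: Spec) -> set[str]:
    """Directions the policy applies to, following policyTypes defaulting:
    Ingress is always assumed; Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    directions = {"Ingress"}
    if spec.get("egress"):          # an empty egress list does not add Egress
        directions.add("Egress")
    return directions


def describe(spec: Spec, direction: str, namespace: str) -> str:
    """Render one direction ("Ingress" or "Egress") of a policy as text."""
    field = direction.lower()
    traffic, prep, peer_key = (
        ("incoming", "to", "from") if field == "ingress" else ("outgoing", "from", "to")
    )
    if direction not in covered_directions(spec):
        return f"{traffic.capitalize()} traffic is not restricted by this policy"
    rules = spec.get(field) or []
    if not rules:
        # Empty rule list for a covered direction isolates the pods: deny all.
        # This is the case the details page inverted into "allowed".
        return f"All {traffic} traffic is denied {prep} Pods in {namespace}"
    if any(not rule.get(peer_key) and not rule.get("ports") for rule in rules):
        # A rule with neither peers nor ports matches every packet.
        return f"All {traffic} traffic is allowed {prep} Pods in {namespace}"
    return f"{len(rules)} {field} rule(s) select the {traffic} traffic allowed {prep} Pods in {namespace}"


# Constructed sample specs (the bug's own YAML is elided above):
DENY_ALL_INGRESS: Spec = {"podSelector": {}, "policyTypes": ["Ingress"]}
DENY_ALL_EGRESS: Spec = {"podSelector": {}, "policyTypes": ["Egress"]}
DENY_NON_WHITELISTED: Spec = {"podSelector": {}, "ingress": []}   # as in step 1
ALLOW_ALL_INGRESS: Spec = {"podSelector": {}, "ingress": [{}]}

if __name__ == "__main__":
    for name in ("DENY_ALL_INGRESS", "DENY_ALL_EGRESS", "DENY_NON_WHITELISTED", "ALLOW_ALL_INGRESS"):
        for direction in ("Ingress", "Egress"):
            print(f"{name:21} {direction:8} {describe(globals()[name], direction, 'default')}")
```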

Comment 5 errata-xmlrpc 2021-07-27 23:10:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

