Bug 1985512 - allow-from-router feature doesn't work on v6 only single stack cluster [NEEDINFO]
Summary: allow-from-router feature doesn't work on v6 only single stack cluster
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: Aniket Bhat
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks: 1985514
Reported: 2021-07-23 19:02 UTC by Aniket Bhat
Modified: 2021-10-18 17:41 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1985514 (view as bug list)
Environment:
Last Closed: 2021-10-18 17:40:56 UTC
Target Upstream Version:
Flags: mifiedle: needinfo? (zzhao)

Links:
- Github openshift ovn-kubernetes pull 623 (closed): "Bug 1985512: Add v6 management interface address for host network policy", last updated 2021-07-28 21:04:59 UTC
- Red Hat Product Errata RHSA-2021:3759, last updated 2021-10-18 17:41:15 UTC

Description Aniket Bhat 2021-07-23 19:02:35 UTC
Description of problem:

In a v6 only ovn-k cluster, the management interface IP is not added to the address set used for classifying host network traffic. This causes the allow-from-router network policy to not work correctly on platforms where the endpoint publishing strategy is "HostNetwork"

Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Create a single stack v6 cluster on vSphere or a platform where the endpoint publishing strategy is HostNetwork
2. Create allow-from-ingress network policy
3. Try external access to a v6 service in the cluster

Actual results:
service is not reliably accessible since the v6 management IP is not added to the address set for classifying host network traffic

Expected results:
External access to a service in a single stack v6 cluster works reliably. 


Additional info:
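As an added check (not part of this bug report and not ovn-kubernetes project code), the script below derives each node's expected management interface IP from its k8s.ovn.org/node-subnets annotation and verifies that the IP is present in the OVN address set used to classify host network traffic, per address family. The annotation and the `ovn-nbctl --format=json list Address_Set` output are constructed samples, and the address set's external_ids name prefix is an assumed placeholder; the check also accepts the dual-stack (list) form of the annotation, which this report does not cover.

```python
import ipaddress
import json

# Constructed sample of a node's k8s.ovn.org/node-subnets annotation in a
# v6-only single stack cluster (not data from the bug report).
NODE_SUBNETS_ANNOTATION = '{"default":"fd01:0:0:1::/64"}'

# Constructed samples shaped like `ovn-nbctl --format=json list Address_Set`.
# The external_ids "name" is an assumed placeholder: the page does not give the
# real name of the address set used to classify host network traffic.
HEADINGS = ["_uuid", "addresses", "external_ids", "name"]
EXT_IDS = ["map", [["name", "host-network-ns_v6"]]]
BROKEN_ADDRESS_SETS = json.dumps({"headings": HEADINGS, "data": [
    [["uuid", "placeholder-uuid"], ["set", []], EXT_IDS, "a_placeholder"]]})
FIXED_ADDRESS_SETS = json.dumps({"headings": HEADINGS, "data": [
    [["uuid", "placeholder-uuid"], "fd01:0:0:1::2", EXT_IDS, "a_placeholder"]]})

def management_ips(node_subnets_annotation):
    """ovn-kubernetes reserves the first usable address of each node subnet for
    the gateway router port and the second for the management interface."""
    subnets = json.loads(node_subnets_annotation)["default"]
    if isinstance(subnets, str):  # single stack: one subnet, not a list
        subnets = [subnets]
    return [str(ipaddress.ip_network(s).network_address + 2) for s in subnets]

def address_set_entries(nbctl_json, external_name):
    """Addresses of the Address_Set whose external_ids:name matches, or None.
    OVSDB JSON prints a one-element set bare and larger ones as ["set", [...]]."""
    table = json.loads(nbctl_json)
    col = {h: i for i, h in enumerate(table["headings"])}
    for row in table["data"]:
        if dict(row[col["external_ids"]][1]).get("name") != external_name:
            continue
        addrs = row[col["addresses"]]
        return set(addrs[1]) if isinstance(addrs, list) else {addrs}
    return None

def missing_management_ips(node_subnets_annotation, nbctl_json, name_prefix):
    """Management IPs, per address family, absent from the classification set."""
    missing = []
    for ip in management_ips(node_subnets_annotation):
        family = "v6" if ipaddress.ip_address(ip).version == 6 else "v4"
        entries = address_set_entries(nbctl_json, f"{name_prefix}_{family}")
        if entries is None or ip not in entries:
            missing.append(ip)
    return missing
```

Run against the broken sample the v6 management IP is reported missing, which is the condition the report describes; against the fixed sample nothing is missing.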

Comment 1 Mike Fiedler 2021-07-23 21:52:55 UTC
@weliang@redhat.com or @zzhao: Please verify FastFix bz

Comment 3 Weibin Liang 2021-07-26 18:29:44 UTC
Tested and verified in 4.9.0-0.nightly-2021-07-26-071921

[root@ocp-edge50 auth]# oc get networkpolicy
NAME                POD-SELECTOR   AGE
allow-from-router   <none>         44m
deny-by-default     <none>         45m
[root@ocp-edge50 auth]# oc describe networkpolicy deny-by-default 
Name:         deny-by-default
Namespace:    test
Created on:   2021-07-26 20:38:15 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc describe networkpolicy allow-from-router
Name:         allow-from-router
Namespace:    test
Created on:   2021-07-26 20:38:39 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: policy-group.network.openshift.io/ingress=
  Not affecting egress traffic
  Policy Types: Ingress
[root@ocp-edge50 auth]# oc get svc
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
default-svc            ClusterIP   fd02::12fe   <none>        8080/TCP   24m
singlestack-ipv6-svc   ClusterIP   fd02::9969   <none>        8080/TCP   24m
[root@ocp-edge50 auth]# oc get route
NAME                   HOST/PORT                                                             PATH   SERVICES               PORT   TERMINATION   WILDCARD
default-svc            default-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com                   default-svc            8080                 None
singlestack-ipv6-svc   singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com          singlestack-ipv6-svc   8080                 None

[root@ocp-edge50 auth]# nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com 
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Address: fd2e:6f44:5dd8::a

[root@ocp-edge50 auth]# curl -gv nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com 
* Rebuilt URL to: nslookup/
* Could not resolve host: nslookup
* Closing connection 0
curl: (6) Could not resolve host: nslookup
* Rebuilt URL to: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com/
*   Trying fd2e:6f44:5dd8::a...
* TCP_NODELAY set
* Connected to singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com (fd2e:6f44:5dd8::a) port 80 (#1)
> GET / HTTP/1.1
> Host: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< date: Mon, 26 Jul 2021 18:25:47 GMT
< content-length: 14
< content-type: text/plain; charset=utf-8
< set-cookie: 988aee3ad24dc23f66048dc9bc1ee617=9abde5a59a9399cf873ec25ec3ff79ec; path=/; HttpOnly
< cache-control: private
< 
dualstack-pod
* Connection #1 to host singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com left intact
[root@ocp-edge50 auth]#

Comment 4 Weibin Liang 2021-07-26 20:09:53 UTC
Tried two labels in the policies and both worked fine:

matchLabels:
  policy-group.network.openshift.io/ingress: ""

matchLabels:
  network.openshift.io/policy-group: ingress

Comment 7 errata-xmlrpc 2021-10-18 17:40:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759