Description of problem:
In a v6-only ovn-k cluster, the management interface IP is not added to the address set used for classifying host network traffic. This causes the allow-from-router network policy to not work correctly on platforms where the endpoint publishing strategy is "HostNetwork".

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a single-stack v6 cluster on vSphere or another platform where the endpoint publishing strategy is HostNetwork
2. Create an allow-from-ingress network policy
3. Try external access to a v6 service in the cluster

Actual results:
The service is not reliably accessible, since the v6 management IP is not added to the address set for classifying host network traffic.

Expected results:
External access to a service in a single-stack v6 cluster works reliably.

Additional info:
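The following is an added illustration of the classification gap the report describes; it is not ovn-kubernetes code and is not attached to this bug. It builds the "host network" address set from node IPs plus each node's management interface IP, once with an IPv4-only check that reproduces the reported behaviour and once handling both families, and then runs the policy-side source check against traffic arriving from the management IP. Assumptions, all labelled in the code: the management port takes the second address of the node's host subnet (as ovn-kubernetes does), the node IPs and subnets are constructed sample data, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
)

// Added illustration of the failure mode described in the bug, not
// ovn-kubernetes code. The address set a network policy uses to classify
// "host network" traffic must contain each node's management interface IP;
// when the ingress router runs on the host network, its traffic reaches the
// pod with a source the policy classifies through that set.
//
// Assumption (labelled): the management port takes the second address of the
// node's host subnet (x.x.x.2 / ...::2); the node IPs and subnets used below
// are constructed sample data.

// nextIP returns ip + 1 with byte carry; works for 4- and 16-byte addresses.
func nextIP(ip net.IP) net.IP {
	out := make(net.IP, len(ip))
	copy(out, ip)
	for i := len(out) - 1; i >= 0; i-- {
		out[i]++
		if out[i] != 0 {
			break
		}
	}
	return out
}

// managementIP derives the management interface address from a host subnet
// (second address of the subnet, per the assumption above).
func managementIP(cidr string) (net.IP, error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	return nextIP(nextIP(n.IP)), nil
}

// hostNetworkAddressSet builds the classification set from node IPs and the
// management IP of each host subnet. v4Only reproduces the reported bug: the
// management IP is only added when it is IPv4, so a single-stack v6 cluster
// ends up with a set that lacks it.
func hostNetworkAddressSet(nodeIPs, hostSubnets []string, v4Only bool) ([]string, error) {
	set := make([]string, 0, len(nodeIPs)+len(hostSubnets))
	for _, s := range nodeIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid node IP %q", s)
		}
		set = append(set, ip.String())
	}
	for _, cidr := range hostSubnets {
		mgmt, err := managementIP(cidr)
		if err != nil {
			return nil, err
		}
		if v4Only && mgmt.To4() == nil {
			continue // the bug: the v6 management IP is silently skipped
		}
		set = append(set, mgmt.String())
	}
	return set, nil
}

// isHostNetworkSource is the policy-side check: a packet whose source is in
// the set is treated as host network traffic (and so as coming from a
// host-networked router) and is admitted by allow-from-router.
func isHostNetworkSource(src string, set []string) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	for _, s := range set {
		if ip.Equal(net.ParseIP(s)) {
			return true
		}
	}
	return false
}

func main() {
	nodeIPs := []string{"fd2e:6f44:5dd8::20"}  // constructed node IP
	hostSubnets := []string{"fd01:0:0:1::/64"} // constructed host subnet
	routerSrc := "fd01:0:0:1::2"               // router traffic seen from the management IP

	buggy, _ := hostNetworkAddressSet(nodeIPs, hostSubnets, true)
	fixed, _ := hostNetworkAddressSet(nodeIPs, hostSubnets, false)
	fmt.Println("buggy set:", buggy, "admits router:", isHostNetworkSource(routerSrc, buggy))
	fmt.Println("fixed set:", fixed, "admits router:", isHostNetworkSource(routerSrc, fixed))
}
```

With the IPv4-only check the set holds only the node IP, so the router's traffic from fd01:0:0:1::2 fails the host-network match and the deny-by-default policy wins; with both families handled the management IP is present and the same packet is admitted.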
@weliang or @zzhao Please verify FastFix bz
Tested and verified in 4.9.0-0.nightly-2021-07-26-071921

[root@ocp-edge50 auth]# oc get networkpolicy
NAME                POD-SELECTOR   AGE
allow-from-router   <none>         44m
deny-by-default     <none>         45m

[root@ocp-edge50 auth]# oc describe networkpolicy deny-by-default
Name:         deny-by-default
Namespace:    test
Created on:   2021-07-26 20:38:15 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress

[root@ocp-edge50 auth]# oc describe networkpolicy allow-from-router
Name:         allow-from-router
Namespace:    test
Created on:   2021-07-26 20:38:39 +0300 IDT
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: policy-group.network.openshift.io/ingress=
  Not affecting egress traffic
  Policy Types: Ingress

[root@ocp-edge50 auth]# oc get svc
NAME                   TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
default-svc            ClusterIP   fd02::12fe   <none>        8080/TCP   24m
singlestack-ipv6-svc   ClusterIP   fd02::9969   <none>        8080/TCP   24m

[root@ocp-edge50 auth]# oc get route
NAME                   HOST/PORT                                                              PATH   SERVICES               PORT   TERMINATION   WILDCARD
default-svc            default-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com                    default-svc            8080                 None
singlestack-ipv6-svc   singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com           singlestack-ipv6-svc   8080                 None

[root@ocp-edge50 auth]# nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
Address: fd2e:6f44:5dd8::a

[root@ocp-edge50 auth]# curl -gv nslookup -type=AAAA singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
* Rebuilt URL to: nslookup/
* Could not resolve host: nslookup
* Closing connection 0
curl: (6) Could not resolve host: nslookup
* Rebuilt URL to: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com/
*   Trying fd2e:6f44:5dd8::a...
* TCP_NODELAY set
* Connected to singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com (fd2e:6f44:5dd8::a) port 80 (#1)
> GET / HTTP/1.1
> Host: singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 26 Jul 2021 18:25:47 GMT
< content-length: 14
< content-type: text/plain; charset=utf-8
< set-cookie: 988aee3ad24dc23f66048dc9bc1ee617=9abde5a59a9399cf873ec25ec3ff79ec; path=/; HttpOnly
< cache-control: private
<
dualstack-pod
* Connection #1 to host singlestack-ipv6-svc-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com left intact
[root@ocp-edge50 auth]#
Tried two labels in the policies and both worked fine:

  matchLabels:
    policy-group.network.openshift.io/ingress: ""

  matchLabels:
    network.openshift.io/policy-group: ingress
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days