Bug 2002958 - [OVN]After upgrade 4.7 to 4.8 which is locate-gateway cluster, the egressfirewall blocked the dns service
Status: CLOSED WONTFIX
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Riccardo Ravaioli
QA Contact: Anurag saxena
Reported: 2021-09-10 08:49 UTC by huirwang
Modified: 2021-09-13 16:37 UTC (History)
Last Closed: 2021-09-13 16:18:26 UTC

Description huirwang 2021-09-10 08:49:28 UTC
Description of problem:
Upgrade from 4.7.28 to a build from cluster-bot including PR https://github.com/openshift/ovn-kubernetes/pull/722

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Set up a 4.7 cluster in local-gateway mode by adding this during installation.
Make sure you add a manifest file, say "manifest_cluster-network-00-gateway-mode.yaml":

# Example ConfigMap to use if wanting to use local gateway mode instead of the default shared mode
apiVersion: v1
kind: ConfigMap
metadata:
    name: gateway-mode-config
    namespace: openshift-network-operator
data:
    mode: "local"
immutable: true


2. Create 3 namespaces and 3 egressfirewalls in each namespace.
oc get egressfirewall --all-namespaces
NAMESPACE   NAME      EGRESSFIREWALL STATUS
test1       default   EgressFirewall Rules applied
test2       default   EgressFirewall Rules applied
test3       default   EgressFirewall Rules applied

For test1, there are some duplicated egress firewall rules.
...
spec:
  egress:
  - to:
      dnsName: www.test.com
    type: Allow
  - to:
      dnsName: www.test.com
    type: Allow
  - ports:
    - port: 80
      protocol: TCP
    to:
      dnsName: yahoo.com
    type: Allow
  - to:
      cidrSelector: 220.181.38.251/32
    type: Allow
  - to:
      cidrSelector: 220.181.38.251/32
    type: Allow
  - to:
      cidrSelector: 0.0.0.0/0
    type: Deny
status:
  status: EgressFirewall Rules applied
...


3. Then upgrade to 4.8; the upgrade finished.
4. Then check the egressfirewalls:
oc get egressfirewall --all-namespaces
NAMESPACE   NAME      EGRESSFIREWALL STATUS
test1       default   EgressFirewall Rules applied
test2       default   EgressFirewall Rules applied
test3       default   EgressFirewall Rules applied
5. From project test1, check whether the egressfirewall worked.


Actual results:
$ oc get pods -n test1
NAME            READY   STATUS    RESTARTS   AGE
test-rc-b225k   1/1     Running   0          61m
test-rc-jb8k7   1/1     Running   0          68m
$ oc rsh -n test1 test-rc-jb8k7
~ $ curl www.test.com
curl: (6) Could not resolve host: www.test.com
~ $ nslookup www.test.com
;; connection timed out; no servers could be reached

$ oc rsh -n test1 test-rc-jb8k7
~ $ curl -v 172.30.0.10:53
*   Trying 172.30.0.10:53...
^C


Expected results:
The egressfirewall should not block the DNS service.

Additional info:
Adding a new egressfirewall still does not work.
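The test1 spec above ends in a catch-all Deny for 0.0.0.0/0, and the only Allow rules name external hosts, so nothing in the spec itself permits traffic to the cluster DNS service at 172.30.0.10:53; resolution in the 4.7 cluster worked only because cluster-service traffic was not subject to the firewall rules. The script below is an added audit example (not part of this report and not OVN-Kubernetes code): it walks an EgressFirewall spec in order with first-match-wins semantics and a default of Allow when nothing matches (both assumed from the documented EgressFirewall behaviour), reports which rules are exact duplicates, tells you whether a DNS query to the service address would hit a Deny, and builds a constructed, deduplicated variant with an explicit Allow for the DNS service placed first. The rule list is a hand-copied version of the test1 spec; the DNS address comes from the curl check in the report, and the 203.0.113.5 address used in the usage lines is a documentation-range placeholder, not a real resolution of yahoo.com.

```python
import ipaddress
import json

# Constructed, ordered copy of the test1 EgressFirewall spec quoted in the report.
# Rule order matters: rules are evaluated top to bottom, first match wins.
TEST1_EGRESS = [
    {"type": "Allow", "to": {"dnsName": "www.test.com"}},
    {"type": "Allow", "to": {"dnsName": "www.test.com"}},
    {"type": "Allow", "ports": [{"port": 80, "protocol": "TCP"}],
     "to": {"dnsName": "yahoo.com"}},
    {"type": "Allow", "to": {"cidrSelector": "220.181.38.251/32"}},
    {"type": "Allow", "to": {"cidrSelector": "220.181.38.251/32"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]

# Cluster DNS service address from the report's curl check (assumed to be the
# ClusterIP of the cluster DNS service); the standard DNS port/protocol pairs.
CLUSTER_DNS_IP = "172.30.0.10"
DNS_ENDPOINTS = [(53, "UDP"), (53, "TCP")]


def rule_matches(rule, dst_ip, dst_port, protocol, dst_host=None):
    """True if one rule selects this destination.

    cidrSelector is matched against the destination IP; dnsName is matched
    against the hostname the pod resolved (dst_host), because the packet itself
    carries no name. A rule without a 'ports' list covers every port/protocol.
    """
    to = rule.get("to", {})
    if "cidrSelector" in to:
        net = ipaddress.ip_network(to["cidrSelector"], strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    elif "dnsName" in to:
        if dst_host is None or dst_host.rstrip(".").lower() != to["dnsName"].lower():
            return False
    else:
        return False  # malformed rule: neither selector present
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p["port"] == dst_port and p["protocol"].upper() == protocol.upper()
               for p in ports)


def evaluate(rules, dst_ip, dst_port, protocol, dst_host=None):
    """Return (verdict, rule_index) for the first matching rule.

    With no matching rule the assumed EgressFirewall default is Allow; that case
    is reported with index None so callers can tell it apart from an explicit Allow.
    """
    for idx, rule in enumerate(rules):
        if rule_matches(rule, dst_ip, dst_port, protocol, dst_host):
            return rule["type"], idx
    return "Allow", None


def duplicate_rules(rules):
    """Return (first_index, duplicate_index) pairs for rules that are exactly equal."""
    first_seen = {}
    dups = []
    for idx, rule in enumerate(rules):
        key = json.dumps(rule, sort_keys=True)  # canonical form, key order ignored
        if key in first_seen:
            dups.append((first_seen[key], idx))
        else:
            first_seen[key] = idx
    return dups


def dns_blocked(rules, dns_ip=CLUSTER_DNS_IP):
    """List the DNS endpoints for which the first matching rule is a Deny."""
    return [(port, proto) for port, proto in DNS_ENDPOINTS
            if evaluate(rules, dns_ip, port, proto)[0] == "Deny"]


def with_explicit_dns_allow(rules, dns_ip=CLUSTER_DNS_IP):
    """Constructed mitigation: drop duplicate rules and put an explicit Allow for
    the DNS service first, so resolution no longer depends on an implicit
    service-traffic exemption that this report shows can stop applying."""
    allow_dns = {
        "type": "Allow",
        "ports": [{"port": p, "protocol": proto} for p, proto in DNS_ENDPOINTS],
        "to": {"cidrSelector": f"{dns_ip}/32"},
    }
    drop = {dup for _, dup in duplicate_rules(rules)}
    return [allow_dns] + [r for i, r in enumerate(rules) if i not in drop]


if __name__ == "__main__":
    print("duplicate rules:", duplicate_rules(TEST1_EGRESS))
    print("DNS endpoints denied:", dns_blocked(TEST1_EGRESS))
    print("yahoo.com:443 (placeholder IP 203.0.113.5):",
          evaluate(TEST1_EGRESS, "203.0.113.5", 443, "TCP", dst_host="yahoo.com"))
    print("DNS endpoints denied after fix:",
          dns_blocked(with_explicit_dns_allow(TEST1_EGRESS)))
```

Run against the test1 spec the script reports rules 0/1 and 3/4 as duplicates and both DNS endpoints as denied by rule 5; after the constructed fix the DNS service is allowed by rule 0 while the remaining rules keep their relative order. The same evaluation also shows the ports caveat in rule 2: yahoo.com is allowed on TCP/80 only, so any other port falls through to the catch-all Deny.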

