Bug 2111362 - After disable acl logging, still generate logs for egressfirewall
Summary: After disable acl logging, still generate logs for egressfirewall
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.12
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Andreas Karis
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-27 07:20 UTC by huirwang
Modified: 2024-04-30 18:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-04-30 18:04:53 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 1267 0 None Merged [DownstreamMerge] 9-12-22 merge 2022-09-21 11:59:09 UTC
Github ovn-org ovn-kubernetes pull 3104 0 None open ACL logging: rename and rewrite oc.aclLoggingCanEnable 2022-08-02 10:48:33 UTC

Description huirwang 2022-07-27 07:20:42 UTC
Description of problem:


Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-07-26-131732 

How reproducible:
Always

Steps to Reproduce:
1. Create namespace with yaml
kind: Namespace
apiVersion: v1
metadata:
  name: audit-logging
  annotations:
    k8s.ovn.org/acl-logging: '{ "deny": "info", "allow": "info" }'

2. Create test pod and egressfirewall in namespace audit-logging
$ oc get egressfirewall -n audit-logging -o yaml
apiVersion: v1
items:
- apiVersion: k8s.ovn.org/v1
  kind: EgressFirewall
  metadata:
    creationTimestamp: "2022-07-27T06:33:51Z"
    generation: 2
    name: default
    namespace: audit-logging
    resourceVersion: "86980"
    uid: 2aca6e82-b044-499a-a356-fe799d1cb856
  spec:
    egress:
    - to:
        cidrSelector: 0.0.0.0/0
      type: Deny
  status:
    status: EgressFirewall Rules applied
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
3. From the test pod, access www.google.com
4. Check the audit logs; audit logs are generated as expected.
$ oc exec -it ovnkube-node-z725l -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log
Defaulted container "ovn-controller" out of: ovn-controller, ovn-acl-logging, kube-rbac-proxy, kube-rbac-proxy-ovn-metrics, ovnkube-node
2022-07-27T06:55:38.281Z|00019|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=41118,tp_dst=80,tcp_flags=syn
2022-07-27T07:04:32.498Z|00020|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=44766,tp_dst=80,tcp_flags=syn
2022-07-27T07:04:33.512Z|00021|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=44766,tp_dst=80,tcp_flags=syn
2022-07-27T07:04:35.560Z|00022|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=44766,tp_dst=80,tcp_flags=syn

5. Follow docs https://docs.openshift.com/container-platform/4.10/networking/network_policy/logging-network-policy.html#nw-networkpolicy-audit-disable_logging-network-policy to disable acl logging
$ oc annotate --overwrite namespace audit-logging k8s.ovn.org/acl-logging={}
namespace/audit-logging annotated

$ oc describe ns audit-logging
Name:         audit-logging
Labels:       kubernetes.io/metadata.name=audit-logging
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
Annotations:  k8s.ovn.org/acl-logging: {}
              openshift.io/sa.scc.mcs: s0:c26,c20
              openshift.io/sa.scc.supplemental-groups: 1000690000/10000
              openshift.io/sa.scc.uid-range: 1000690000/10000
Status:       Active

No resource quota.

No LimitRange resource.

6. From the pod, access www.google.com again

Actual results:
New ACL logs are still generated.
$ oc exec -it ovnkube-node-z725l -n openshift-ovn-kubernetes -- tail -4 /var/log/ovn/acl-audit-log.log
Defaulted container "ovn-controller" out of: ovn-controller, ovn-acl-logging, kube-rbac-proxy, kube-rbac-proxy-ovn-metrics, ovnkube-node
2022-07-27T07:07:04.360Z|00024|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=45694,tp_dst=80,tcp_flags=syn
2022-07-27T07:07:06.408Z|00025|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=45694,tp_dst=80,tcp_flags=syn
2022-07-27T07:07:10.440Z|00026|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=45694,tp_dst=80,tcp_flags=syn
2022-07-27T07:07:18.696Z|00027|acl_log(ovn_pinctrl0)|INFO|name="egressFirewall_audit-logging_10000", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:64:40:00:01,dl_dst=0a:58:64:40:00:07,nw_src=10.129.2.27,nw_dst=142.251.32.4,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=45694,tp_dst=80,tcp_flags=syn

Expected results:
After disabling ACL logging, no new ACL logs should be generated.

Additional info:
I did another check with the command below; new ACL logs are still generated.
oc annotate --overwrite namespace audit-logging k8s.ovn.org/acl-logging=null

Comment 2 Andreas Karis 2022-08-02 10:51:15 UTC
Just for the record, setting:
~~~
k8s.ovn.org/acl-logging: {}
~~~

Never worked if one wanted to disable logging, not even for NetworkPolicies. Instead, logging could either be disabled by removing the annotation, or by setting it to "".

Nevertheless, I pushed a fix upstream with a small refactor and I also updated some of our upstream E2E tests.
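The annotation semantics discussed in this bug, as an added example that is not ovn-kubernetes code: it parses the k8s.ovn.org/acl-logging value and treats a missing annotation, "", {} and null as "logging disabled" (the behaviour the reporter expects), while a value with allow/deny severities enables logging. The function name, the struct and the severity set are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ACLLoggingLevels mirrors the shape of the annotation value,
// e.g. {"deny": "info", "allow": "info"}. Name is assumed for this example.
type ACLLoggingLevels struct {
	Allow string `json:"allow"`
	Deny  string `json:"deny"`
}

// validSeverities are the OVN ACL log severity levels.
var validSeverities = map[string]bool{
	"alert": true, "warning": true, "notice": true, "info": true, "debug": true,
}

// ParseACLLoggingAnnotation (assumed name) returns the requested levels and
// whether ACL logging should be enabled at all. An absent annotation, an
// empty string, "{}" and JSON null all mean disabled: no ACL should carry a
// log action afterwards. Malformed JSON or an unknown severity is an error
// so that a typo cannot silently leave logging in its previous state.
func ParseACLLoggingAnnotation(annotations map[string]string) (ACLLoggingLevels, bool, error) {
	raw, present := annotations["k8s.ovn.org/acl-logging"]
	if !present || strings.TrimSpace(raw) == "" {
		return ACLLoggingLevels{}, false, nil
	}
	var levels ACLLoggingLevels
	if err := json.Unmarshal([]byte(raw), &levels); err != nil {
		return ACLLoggingLevels{}, false, fmt.Errorf("invalid acl-logging annotation %q: %w", raw, err)
	}
	// "{}" and "null" both decode to the zero value: nothing to log.
	if levels.Allow == "" && levels.Deny == "" {
		return ACLLoggingLevels{}, false, nil
	}
	for _, sev := range []string{levels.Allow, levels.Deny} {
		if sev != "" && !validSeverities[sev] {
			return ACLLoggingLevels{}, false, fmt.Errorf("unknown acl-logging severity %q", sev)
		}
	}
	return levels, true, nil
}

func main() {
	// Constructed sample values, including the two the reporter tried.
	for _, raw := range []string{`{ "deny": "info", "allow": "info" }`, `{}`, `null`, ``} {
		levels, enabled, err := ParseACLLoggingAnnotation(map[string]string{"k8s.ovn.org/acl-logging": raw})
		fmt.Printf("%-40q enabled=%v levels=%+v err=%v\n", raw, enabled, levels, err)
	}
}
```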

Comment 3 Andreas Karis 2022-09-21 12:00:06 UTC
Merged with https://github.com/openshift/ovn-kubernetes/pull/1267

Comment 4 Andreas Karis 2022-09-21 12:01:54 UTC
And is in 4.12:
~~~
[akaris@linux ovn-kubernetes ((dfc53f947...))]$ git checkout downstream/release-4.12
HEAD is now at dfc53f947 Merge pull request #1267 from oribon/9-12-22_merge
[akaris@linux ovn-kubernetes ((dfc53f947...))]$ git log --oneline | grep "ACL logging" | head -1
23de47422 ACL logging: rename and rewrite oc.aclLoggingCanEnable
~~~

Comment 6 Rory Thrasher 2024-04-30 18:04:53 UTC
OCP is no longer using Bugzilla and this bug appears to have been left in an orphaned state. If the bug is still relevant, please open a new issue in the OCPBUGS Jira project: https://issues.redhat.com/projects/OCPBUGS/summary

