  1. OpenShift Logging
  2. LOG-8091

The `spec.egress[].ports[].port` of networkPolicy is set to `3100` when CLF has `spec.outputs[].loki.url: https://logs-prod3.grafana.net`


    • Before this change, enabling NetworkPolicy would block egress for a collector where http/https output types did not explicitly define a port. This fixes that by configuring the policy to use well-known port values for those network schemes.
    • Bug Fix
    • Logging - Sprint 279
    • Moderate

      Description of problem:

      Forwarding logs to Grafana Loki with the YAML below:

      apiVersion: observability.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: clf-75298
      spec:
        collector:
          networkPolicy:
            ruleSet: RestrictIngressEgress
        managementState: Managed
        outputs:
        - loki:
            authentication:
              password:
                key: password
                secretName: loki-client
              username:
                key: username
                secretName: loki-client
            url: https://logs-prod3.grafana.net
          name: loki-server
          type: loki
        pipelines:
        - inputRefs:
          - application
          name: to-loki
          outputRefs:
          - loki-server
        serviceAccount:
          name: test-clf-o1v7hg3m 

      In the networkPolicy, the `spec.egress[].ports[].port` is set to `3100`, so collector pods can't forward logs to Grafana Loki.

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        creationTimestamp: "2025-11-10T08:33:33Z"
        generation: 1
        labels:
          app.kubernetes.io/component: collector
          app.kubernetes.io/instance: clf-75298
          app.kubernetes.io/managed-by: cluster-logging-operator
          app.kubernetes.io/name: vector
          app.kubernetes.io/part-of: cluster-logging
          app.kubernetes.io/version: 6.4.0
        name: collector-clf-75298
        namespace: e2e-test-vector-loki-ext-xhfpx
        ownerReferences:
        - apiVersion: observability.openshift.io/v1
          controller: true
          kind: ClusterLogForwarder
          name: clf-75298
          uid: 9fccf9f5-90ca-4884-8898-45f3f852393d
        resourceVersion: "110210"
        uid: 40c84f05-853d-4cb5-806a-5ece1d5d39b1
      spec:
        egress:
        - ports:
          - port: dns
            protocol: UDP
          - port: 6443
            protocol: TCP
          - port: 3100
            protocol: TCP
        ingress:
        - ports:
          - port: metrics
            protocol: TCP
        podSelector:
          matchLabels:
            app.kubernetes.io/component: collector
            app.kubernetes.io/instance: clf-75298
            app.kubernetes.io/managed-by: cluster-logging-operator
            app.kubernetes.io/name: vector
            app.kubernetes.io/part-of: cluster-logging
        policyTypes:
        - Ingress
        - Egress 

      Version-Release number of selected component (if applicable):

      cluster-logging.v6.4.0

      How reproducible:

      Always

      Steps to Reproduce:

      1. Forward logs to Grafana Loki with above yaml
      2. Check networkPolicy

      Actual results:

      The egress port is set to 3100

      Expected results:

      The egress port should be 443.

      Additional info:

      Workaround: 

      Specify port when creating CLF:

        outputs:
        - loki:
            authentication:
              password:
                key: password
                secretName: loki-client
              username:
                key: username
                secretName: loki-client
            url: https://logs-prod3.grafana.net:443
          name: loki-server
          type: loki 

              rh-ee-calee Calvin Lee
              qitang@redhat.com Qiaoling Tang
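
A way to check for this mismatch, as an added example (not part of the original report and not the cluster-logging-operator's own code): the Go program below derives the port a collector will actually dial from each output URL, using the well-known port for `http`/`https` when none is given, and lists outputs whose port is missing from the NetworkPolicy's egress rules. The names `EffectivePort` and `BlockedOutputs` are hypothetical, the sample values come from the report above, and it assumes only numeric TCP egress ports matter (named ports such as `dns` are ignored).

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strconv"
)

// wellKnown maps URL schemes to their default ports (http/https only).
var wellKnown = map[string]int{"http": 80, "https": 443}

// EffectivePort returns the explicit port of rawURL, else the scheme's well-known port.
func EffectivePort(rawURL string) (int, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	if p := u.Port(); p != "" {
		return strconv.Atoi(p)
	}
	if p, ok := wellKnown[u.Scheme]; ok {
		return p, nil
	}
	return 0, fmt.Errorf("no explicit port and no well-known port for scheme %q", u.Scheme)
}

// BlockedOutputs returns, sorted, the outputs whose effective port is not an allowed egress port.
func BlockedOutputs(outputs map[string]string, egressTCP []int) []string {
	allowed := map[int]bool{}
	for _, p := range egressTCP {
		allowed[p] = true
	}
	var blocked []string
	for name, raw := range outputs {
		port, err := EffectivePort(raw)
		if err != nil || !allowed[port] {
			blocked = append(blocked, name)
		}
	}
	sort.Strings(blocked)
	return blocked
}

func main() {
	outputs := map[string]string{"loki-server": "https://logs-prod3.grafana.net"}
	fmt.Println(BlockedOutputs(outputs, []int{6443, 3100})) // policy from the report
	fmt.Println(BlockedOutputs(outputs, []int{6443, 443}))  // expected policy
}
```

An output reported as blocked means the generated policy and the output URL disagree on the port, which is the condition described in this issue.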