  1. OpenShift Logging
  2. LOG-8109

When forwarding logs to an HTTP output via an HTTP proxy with the RestrictIngressEgress network policy enabled, traffic to the HTTP proxy is not allowed.

    • Before this update, the network policy omitted the required port for the HTTP proxy URL defined in an HTTP output. With this release, the network policy is updated to correctly include the defined HTTP proxy port.
    • Bug Fix
    • Logging - Sprint 279
    • Moderate

      Description of problem:

      When forwarding logs to an HTTP output via an HTTP proxy with the RestrictIngressEgress network policy, traffic to the HTTP proxy is not allowed.

      CLF: 

      apiVersion: observability.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: http-output-with-proxy
        namespace: openshift-logging
      spec:
        collector:
          networkPolicy:
            ruleSet: RestrictIngressEgress
        managementState: Managed
        outputs:
        - http:
            headers:
              h1: v1
              h2: v2
            method: POST
            proxyURL: http://proxy-user2:fake@35.222.186.143:3128
            url: http://fluentdtest-e2e-test-logfwdhttp-th79n.apps.test.com/logs/audit
          name: httpout-audit
          type: http
        pipelines:
        - inputRefs:
          - audit
          name: audit-logs
          outputRefs:
          - httpout-audit
        serviceAccount:
          name: http-output-with-proxy 

      NetworkPolicy:

      spec:
        egress:
        - ports:
          - port: dns
            protocol: UDP
          - port: 6443
            protocol: TCP
          - port: 80
            protocol: TCP
        ingress:
        - ports:
          - port: metrics
            protocol: TCP
        podSelector:
          matchLabels:
            app.kubernetes.io/component: collector
            app.kubernetes.io/instance: http-output-with-proxy
            app.kubernetes.io/managed-by: cluster-logging-operator
            app.kubernetes.io/name: vector
            app.kubernetes.io/part-of: cluster-logging
        policyTypes:
        - Ingress
        - Egress 

      Version-Release number of selected component (if applicable):

      cluster-logging.v6.4.0

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create the CLF with the above YAML
      2. Check the NetworkPolicy

      Actual results:

      Traffic to the HTTP proxy (port 3128) is not allowed, so the Vector pods can't forward logs to the HTTP output.

      Expected results:

      Vector pods can forward logs to the HTTP output via the HTTP proxy when the RestrictIngressEgress network policy is enabled.

      Additional info:

      Workaround:
      Create the NetworkPolicy below manually:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        labels:
          app.kubernetes.io/component: collector
          app.kubernetes.io/instance: http-output-with-proxy
          app.kubernetes.io/managed-by: cluster-logging-operator
          app.kubernetes.io/name: vector
          app.kubernetes.io/part-of: cluster-logging
          app.kubernetes.io/version: 6.4.0
        name: enable-proxy-traffic-for-vector
        namespace: openshift-logging
      spec:
        egress:
        - ports:
          - port: 3128
            protocol: TCP
        podSelector:
          matchLabels:
            app.kubernetes.io/component: collector
            app.kubernetes.io/instance: http-output-with-proxy
            app.kubernetes.io/managed-by: cluster-logging-operator
            app.kubernetes.io/name: vector
            app.kubernetes.io/part-of: cluster-logging
        policyTypes:
        - Ingress
        - Egress 

              rh-ee-calee Calvin Lee
              qitang@redhat.com Qiaoling Tang
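A check for the gap this report describes, as an added example (not code from the cluster-logging-operator or from the reporter): it collects the TCP ports implied by each HTTP output's `url` and `proxyURL` and lists those that no egress rule allows. The manifests are embedded as constructed Python dicts with placeholder hostnames and credentials, the function names are hypothetical, and `to` destination selectors are not evaluated.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def required_egress_ports(clf):
    """Map each TCP port the HTTP outputs need to the fields that need it."""
    needed = {}
    for out in clf["spec"].get("outputs", []):
        http = out.get("http") or {}
        for field in ("url", "proxyURL"):
            if http.get(field):
                parts = urlsplit(http[field])
                # .port skips user:pass@ credentials; use the scheme default if absent
                port = parts.port or DEFAULT_PORTS[parts.scheme]
                needed.setdefault(port, []).append(f"{out['name']}.http.{field}")
    return needed

def allowed_tcp_ranges(policies):
    """Numeric TCP egress port ranges; policies selecting the same pods are additive."""
    ranges = []
    for pol in policies:
        for rule in pol["spec"].get("egress", []):
            if not rule.get("ports"):  # a rule without ports allows every port
                ranges.append((1, 65535))
            for p in rule.get("ports") or []:
                port = p.get("port")
                # named ports such as "dns" refer to pod ports, not a proxy; skip them
                if p.get("protocol", "TCP") == "TCP" and isinstance(port, int):
                    ranges.append((port, p.get("endPort", port)))
    return ranges

def missing_ports(clf, policies):
    """Ports an output needs that no egress rule allows."""
    ranges = allowed_tcp_ranges(policies)
    return {port: refs for port, refs in required_egress_ports(clf).items()
            if not any(lo <= port <= hi for lo, hi in ranges)}

# Constructed sample data trimmed from this report's manifests (placeholder hosts).
CLF = {"spec": {"outputs": [{"name": "httpout-audit", "type": "http", "http": {
    "url": "http://logs.example.com/logs/audit",
    "proxyURL": "http://user:pass@proxy.example.com:3128"}}]}}
GENERATED = {"spec": {"egress": [{"ports": [
    {"port": "dns", "protocol": "UDP"},
    {"port": 6443, "protocol": "TCP"},
    {"port": 80, "protocol": "TCP"}]}]}}
WORKAROUND = {"spec": {"egress": [{"ports": [{"port": 3128, "protocol": "TCP"}]}]}}

if __name__ == "__main__":
    print(missing_ports(CLF, [GENERATED]), missing_ports(CLF, [GENERATED, WORKAROUND]))
```

Run against the generated policy alone, the check reports the proxy port as missing; adding the workaround policy clears it because NetworkPolicies that select the same pods are combined.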