Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2578

Additional Ingress Gateway doesn't create NetworkPolicy to allow ingress traffic for new gateway pod

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • maistra-2.1.0
    • maistra-2.0.5.1
    • openshift, operator
    • None
    • Sprint 8, Sprint 9

      When a new Ingress Gateway is created using spec.gateways.additionaIngress in SMCP, operator is not creating needed NetworkPolicy for the new Ingress Gateway like it does for the default istio-ingressgateway. This causes 503 from the route of the new gateway and it was very difficult to pinpoint the issue as documentation for `additionaIngress` is hard to find.

      SMCP change:

      spec:
....
  gateways:
    additionalIngress:
      istio-internal-ingressgateway:
        enabled: true
        service:
          metadata:
            labels:
              app: istio-internal-ingressgateway
              istio: internal-ingressgateway
          type: ClusterIP

      oc -n istio-system get svc -l app=istio-internal-ingressgateway,istio=internal-ingressgateway

NAME                            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                              AGE
istio-internal-ingressgateway   ClusterIP   172.21.176.240   <none>        15021/TCP,80/TCP,443/TCP,15443/TCP   15h

oc -n istio-system get po -l app=istio-internal-ingressgateway,istio=internal-ingressgateway
NAME                                            READY   STATUS    RESTARTS   AGE
istio-internal-ingressgateway-c849c648d-2wz5h   1/1     Running   0          15h

oc -n istio-system get route -l istio-internal-ingressgateway,istio=internal-ingressgateway
NAME                            HOST/PORT                                                                       PATH   SERVICES                        PORT   TERMINATION   WILDCARD
istio-internal-ingressgateway   istio-internal-ingressgateway-istio-system.xxx.upi.containers.appdomain.cloud          istio-internal-ingressgateway   8080                 None

      oc -n istio-system get networkpolicy -o custom-columns=NAME:.metadata.name,POD-SELECTOR:.spec.podSelector.matchLabels

NAME                          POD-SELECTOR
istio-expose-route-basic      map[maistra.io/expose-route:true]
istio-grafana-ingress         map[app:grafana]
istio-ingressgateway          map[istio:ingressgateway]
istio-istiod-basic            map[app:istiod istio.io/rev:basic]
istio-jaeger-ingress          map[app.kubernetes.io/instance:jaeger app.kubernetes.io/managed-by:jaeger-operator app.kubernetes.io/part-of:jaeger]
istio-kiali-ingress           map[app:kiali]
istio-mesh-basic              <none>
istio-prometheus-ingress      map[app:prometheus]

      Expected Result:
      A new NetworkPolicy is created for new Ingress gateway

      Work Around:
      Create NetworkPolicy manually in istio-system namespace

      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-internal-ingressgateway
  namespace: istio-system
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      istio: internal-ingressgateway
  policyTypes:
  - Ingress

              jeesmon Jeesmon Jacob (Inactive)
              jeesmon Jeesmon Jacob (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: