Uploaded image for project: 'Network Observability'
  1. Network Observability
  2. NETOBSERV-1933

Deployed network policy has rule listed twice

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Minor Minor
    • netobserv-1.8
    • netobserv-1.7, netobserv-1.7-candidate
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • NetObserv - Sprint 260, NetObserv - Sprint 261
    • None
    • None
    • Hide
      Previously, when deploying the default network policy, namespaces "openshift-console" and "openshift-monitoring" were set by default in the "additionalNamespaces" field, resulting in duplicated rules.
      Now there is no additional namespace set by default, which avoid getting duplicated rules.
      Show
      Previously, when deploying the default network policy, namespaces "openshift-console" and "openshift-monitoring" were set by default in the "additionalNamespaces" field, resulting in duplicated rules. Now there is no additional namespace set by default, which avoid getting duplicated rules.

      Description of problem:

      When deploying netobserv network policy, the ingress rule for allowing openshift-console ingress connection is listed twice (once with a port restriction, another without).

      Steps to Reproduce:

      1. Install netobserv + FlowCollector with networkPolicy.enable=true and additional namespace left unset
2. check policy (oc get netpol netobserv -oyaml)
3.

      Actual results:

        ingress:
  - from:
    - podSelector: {}
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: netobserv-privileged
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-console
    ports:
    - port: 9001
      protocol: TCP
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-user-workload-monitoring
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-console
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring

      Expected results:

      no duplicate section for openshift-console

              jtakvori Joel Takvorian
              jtakvori Joel Takvorian
              None
              None
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: