- Bug
- Resolution: Done
- Major
- 4.13
- SDN Sprint 234
- Bug Fix
- Done
Description of problem:
nodeSelector in EgressFirewall doesn't work in a dualstack cluster.

Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-03-05-104719

How reproducible:
Always

Steps to Reproduce:
1. Create a namespace test and a pod in it.
2. Get one node's IPv4 and IPv6 addresses:
    oc describe node worker-00.jkuriakonew-0703.qe.devcluster.openshift.com | grep host-addresses
    Annotations: k8s.ovn.org/host-addresses: ["147.75.55.145","2604:1380:4642:7e00::1f"]
3. Before applying the egressfirewall, both IPs can be accessed from the pod:
    % oc rsh -n test hello-pod
    ~ $ ping 147.75.55.145
    PING 147.75.55.145 (147.75.55.145) 56(84) bytes of data.
    64 bytes from 147.75.55.145: icmp_seq=1 ttl=56 time=1.62 ms
    64 bytes from 147.75.55.145: icmp_seq=2 ttl=56 time=0.914 ms
    ^C
    --- 147.75.55.145 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 0.914/1.267/1.621/0.353 ms
    ~ $ ping 2604:1380:4642:7e00::1f
    PING 2604:1380:4642:7e00::1f(2604:1380:4642:7e00::1f) 56 data bytes
    64 bytes from 2604:1380:4642:7e00::1f: icmp_seq=1 ttl=56 time=4.55 ms
    64 bytes from 2604:1380:4642:7e00::1f: icmp_seq=2 ttl=56 time=1.38 ms
4. Apply an egressfirewall to namespace test:
    % oc get egressfirewall -n test -o yaml
    apiVersion: v1
    items:
    - apiVersion: k8s.ovn.org/v1
      kind: EgressFirewall
      metadata:
        creationTimestamp: "2023-03-07T10:41:31Z"
        generation: 1
        name: default
        namespace: test
        resourceVersion: "167405"
        uid: 1bd67ce0-02be-48cf-88d5-8de5bc62a639
      spec:
        egress:
        - to:
            nodeSelector:
              matchLabels:
                region: east
          type: Allow
        - to:
            cidrSelector: 0.0.0.0/0
          type: Deny
        - to:
            cidrSelector: ::/0
          type: Deny
    kind: List
    metadata:
      resourceVersion: ""
5. Label the node with region=east:
    % oc label node worker-00.jkuriakonew-0703.qe.devcluster.openshift.com region=east
    node/worker-00.jkuriakonew-0703.qe.devcluster.openshift.com labeled
6. Check the OVN DB; the related ACLs have been added:
    sh-5.1# ovn-nbctl --data=bare --no-heading find acl external_ids=egressFirewall=test
    7a1bc791-5c22-47ee-9236-e72764ae4cae allow to-lport egressFirewall=test 0 false (ip4.dst == 147.75.55.145 || ip4.dst == 2604:1380:4642:7e00::1f) && ip4.src == $a18302404499086943635 acl-logging egressFirewall_test_10000 10000
    588afdf4-58da-4446-93f6-0ea76591e1a7 drop to-lport egressFirewall=test 0 false (ip4.dst == 0.0.0.0/0 && ip4.dst != 10.128.0.0/14) && ip4.src == $a18302404499086943635 acl-logging egressFirewall_test_9999 9999
    7b90e0f5-db47-404a-adb8-02c947c50bf2 drop to-lport egressFirewall=test 0 false (ip6.dst == ::/0 && ip6.dst != fd01::/48) && ip6.src == $a18302406698110200057 acl-logging egressFirewall_test_9998 9998
7. From the pod, access both node addresses again.
Actual results:
Got blocked.
    % oc rsh -n test hello-pod
    ~ $ ping 147.75.55.145
    PING 147.75.55.145 (147.75.55.145) 56(84) bytes of data.
    ^C
    --- 147.75.55.145 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2040ms
    ~ $ ping 2604:1380:4642:7e00::1f
    PING 2604:1380:4642:7e00::1f(2604:1380:4642:7e00::1f) 56 data bytes
    ^C
    --- 2604:1380:4642:7e00::1f ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1048ms

Expected results:
Should be able to access the node IPs.
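As an added example (not part of this report or of ovn-kubernetes), the Python below rebuilds the Allow ACL match from step 6 and shows what is wrong with it: the node's IPv6 address is placed in an ip4.dst clause, so the match is not a valid dual-stack rule, which is consistent with both pings being blocked. It then emits the per-family matches one would expect for a dual-stack nodeSelector and runs a small consistency check over match strings. The host-addresses value and the two address-set names are copied from the report's output; the function names and the check itself are assumptions.

```python
import ipaddress
import json
import re

# Constructed from the report: the node's k8s.ovn.org/host-addresses annotation value
# and the two namespace address-set names seen in the ovn-nbctl output.
HOST_ADDRESSES = json.loads('["147.75.55.145","2604:1380:4642:7e00::1f"]')
AS_V4 = "$a18302404499086943635"
AS_V6 = "$a18302406698110200057"

# Matches "ip4.dst == 1.2.3.4", "ip6.dst != fd01::/48", etc.; address-set refs ($a...) are skipped.
_CLAUSE = re.compile(r"\b(ip[46])\.(?:src|dst) (?:==|!=) ([0-9a-fA-F.:/]+)")


def buggy_allow_match(addresses, as_v4):
    """Mirror the Allow ACL from the report: every node address lands in an ip4.dst clause."""
    dst = " || ".join(f"ip4.dst == {a}" for a in addresses)
    return f"({dst}) && ip4.src == {as_v4}"


def per_family_allow_matches(addresses, as_v4, as_v6):
    """Split node addresses by family and emit one match per family (assumed expected behaviour)."""
    v4 = [a for a in addresses if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addresses if ipaddress.ip_address(a).version == 6]
    matches = []
    if v4:
        matches.append("(" + " || ".join(f"ip4.dst == {a}" for a in v4) + f") && ip4.src == {as_v4}")
    if v6:
        matches.append("(" + " || ".join(f"ip6.dst == {a}" for a in v6) + f") && ip6.src == {as_v6}")
    return matches


def family_mismatches(match):
    """Return clauses whose literal's address family disagrees with the ip4/ip6 field it is compared to."""
    problems = []
    for field, literal in _CLAUSE.findall(match):
        version = ipaddress.ip_interface(literal).version  # accepts both host addresses and CIDRs
        if (field == "ip4") != (version == 4):
            problems.append(f"{field} clause with IPv{version} literal {literal}")
    return problems


if __name__ == "__main__":
    bad = buggy_allow_match(HOST_ADDRESSES, AS_V4)
    print(bad, family_mismatches(bad))
    for m in per_family_allow_matches(HOST_ADDRESSES, AS_V4, AS_V6):
        print(m, family_mismatches(m))
```

The same check can be pointed at the match column of `ovn-nbctl find acl` output to spot mixed-family EgressFirewall ACLs on a cluster.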
Additional info:
- clones: OCPBUGS-8473 nodeSelector in EgressFirewall doesn't work in dualstack cluster (Closed)
- depends on: OCPBUGS-8473 nodeSelector in EgressFirewall doesn't work in dualstack cluster (Closed)
- links to