Details
-
Bug
-
Resolution: Done-Errata
-
Major
-
None
-
4.13
-
+
-
Important
-
No
-
SDN Sprint 237, SDN Sprint 238
-
2
-
Rejected
-
False
-
Description
Description of problem:
NetworkPolicy do not work as expected when allowing inbound traffic from any namespace
Version-Release number of selected component (if applicable):
4.13.0
How reproducible:
100%
Steps to Reproduce:
1. Create a new project
# oc new-project ingress-test
2. Deploy application pods
# oc new-app --image quay.io/redhattraining/hello-world-nginx
3. Exposed the service
# oc expose svc hello-world-nginx
4. Create a NetworkPolicy object using below manifest
~~~
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-from-every-namespace
spec:
podSelector:
matchLabels:
deployment: hello-world-nginx
ingress:
- ports:
- protocol: TCP
port: 8080
from:
- namespaceSelector: {}
policyTypes:
- Ingress
~~~
5. Try to hit the route
# curl -sI `oc get route hello-world-nginx -ojsonpath='{.spec.host}'`
Actual results:
The application is not accessible over the route. If we add the below block to the existing networkpolicy object it then start working.
~~~
- ports:
- protocol: TCP
port: 8080
from:
- namespaceSelector:
matchLabels:
policy-group.network.openshift.io/ingress: ''
~~~
Expected results:
The access to the application via route should work, as the same networkpolicy definition works with OCP version 4.10,4.11 and 4.12
Additional info:
Attachments
Issue Links
- is cloned by
-
-
- Closed
-
- is depended on by
-
-
- Closed
-
- links to
-
RHSA-2023:5006
OpenShift Container Platform 4.14.z security update
