- Bug
- Resolution: Done-Errata
- Major
- None
- 4.13
- +
- Important
- No
- SDN Sprint 237, SDN Sprint 238
- 2
- Rejected
- False

Description of problem:
NetworkPolicy does not work as expected when allowing inbound traffic from any namespace
Version-Release number of selected component (if applicable):
4.13.0
How reproducible:
100%
Steps to Reproduce:
1. Create a new project
~~~
# oc new-project ingress-test
~~~
2. Deploy application pods
~~~
# oc new-app --image quay.io/redhattraining/hello-world-nginx
~~~
3. Expose the service
~~~
# oc expose svc hello-world-nginx
~~~
4. Create a NetworkPolicy object using the manifest below
~~~
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-every-namespace
spec:
  podSelector:
    matchLabels:
      deployment: hello-world-nginx
  ingress:
  - ports:
    - protocol: TCP
      port: 8080
    from:
    - namespaceSelector: {}
  policyTypes:
  - Ingress
~~~
5. Try to hit the route
~~~
# curl -sI `oc get route hello-world-nginx -ojsonpath='{.spec.host}'`
~~~
Actual results:
The application is not accessible over the route. If we add the block below to the existing NetworkPolicy object, it then starts working.
~~~
  - ports:
    - protocol: TCP
      port: 8080
    from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ''
~~~
Expected results:
Access to the application via the route should work, as the same NetworkPolicy definition works with OCP versions 4.10, 4.11 and 4.12
Additional info:
- is cloned by: OCPBUGS-15586 [4.13] NetworkPolicy not working as expected when allowing inbound traffic from any namespace (Closed)
- is depended on by: OCPBUGS-15586 [4.13] NetworkPolicy not working as expected when allowing inbound traffic from any namespace (Closed)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update
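
An added example, not part of the original report or of any Red Hat code: a Python check over the JSON printed by `oc get networkpolicy -A -o json` that lists policies relying on `namespaceSelector: {}` alone, without a rule for the `policy-group.network.openshift.io/ingress` label that the report says restores route access. The function names, the `with-workaround` policy and the sample input are constructed for illustration.

```python
INGRESS_LABEL = "policy-group.network.openshift.io/ingress"  # label from the report

def rule_ports(rule):
    """Ports a rule opens as (protocol, port) pairs; None means all ports."""
    ports = rule.get("ports")
    return {(p.get("protocol", "TCP"), p.get("port")) for p in ports} if ports else None

def any_namespace(peer):
    """True for a peer that is exactly `namespaceSelector: {}`."""
    return peer.get("namespaceSelector") == {} and "podSelector" not in peer

def ingress_group(peer):
    """True for a peer selecting namespaces labelled INGRESS_LABEL: ''."""
    labels = (peer.get("namespaceSelector") or {}).get("matchLabels") or {}
    return labels.get(INGRESS_LABEL) == "" and "podSelector" not in peer

def find_affected(policy_list):
    """Return (namespace, name, uncovered ports) for each policy matching the report."""
    findings = []
    for pol in policy_list.get("items", []):
        rules = pol.get("spec", {}).get("ingress") or []
        # Port sets already opened to the ingress policy-group by some rule.
        opened = [rule_ports(r) for r in rules if any(map(ingress_group, r.get("from") or []))]
        if None in opened:
            continue  # a rule opens every port to the ingress policy-group
        covered = set().union(*opened)
        for rule in rules:
            if not any(map(any_namespace, rule.get("from") or [])):
                continue
            ports = rule_ports(rule)
            missing = ["*"] if ports is None else sorted(ports - covered, key=str)
            if missing:
                meta = pol["metadata"]
                findings.append((meta.get("namespace"), meta["name"], missing))
    return findings

def _policy(name, peers):
    """Build a constructed sample policy with one TCP/8080 rule per peer."""
    rules = [{"ports": [{"protocol": "TCP", "port": 8080}], "from": [p]} for p in peers]
    return {"metadata": {"namespace": "ingress-test", "name": name},
            "spec": {"ingress": rules, "policyTypes": ["Ingress"]}}

SAMPLE = {"items": [  # constructed input, shaped like `oc get networkpolicy -A -o json`
    _policy("allow-from-every-namespace", [{"namespaceSelector": {}}]),
    _policy("with-workaround", [{"namespaceSelector": {}},
                                {"namespaceSelector": {"matchLabels": {INGRESS_LABEL: ""}}}]),
]}

if __name__ == "__main__":
    for ns, name, ports in find_affected(SAMPLE):
        print(f"{ns}/{name}: no ingress policy-group rule for {ports}")
```

To run it against a cluster, load the command's output with `json.load` and pass the result to `find_affected` in place of `SAMPLE`.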