OpenShift Bugs: OCPBUGS-17493

EgressFirewall not working properly


    • Moderate
    • No
    • SDN Sprint 240
    • 1
    • Rejected
    • False

      Description of problem:

      OVN doesn't fix the issue by itself when a wrong EgressFirewall is created and afterwards it's deleted and re-created with a correct one.

      Version-Release number of selected component (if applicable):

      OCP 4.13 and older versions

      How reproducible:

      Every time

      Steps to Reproduce:

      $ oc project test
      
      $ cat egress-firewall 
      kind: EgressFirewall
      apiVersion: k8s.ovn.org/v1
      metadata:
        name: default
      spec:
        egress:
        - type: Deny
          to:
            cidrSelector: 8.8.8.8      <-------
      
      
      $ oc create -f egress-firewall 
      egressfirewall.k8s.ovn.org/default created
      
      
      $ oc get EgressFirewall
      NAME      EGRESSFIREWALL STATUS
      default

      --> I have created an EgressFirewall in the "test" namespace to Deny traffic to IP address "8.8.8.8" and intentionally didn't specify the correct CIDR, which was "8.8.8.8/32", due to which the EgressFirewall wasn't applied, as mentioned above.

      $ oc project ayush-nad
      
      $ cat new-egressfirewall 
      kind: EgressFirewall
      apiVersion: k8s.ovn.org/v1
      metadata:
        name: default
      spec:
        egress:
        - ports:
          - port: 8080
            protocol: TCP
          to:
            cidrSelector: 167.211.174.23/32
          type: Allow
        - ports:
          - port: 443
            protocol: TCP
          to:
            cidrSelector: 10.222.210.146/32
      ...
      
      $ oc create -f new-egressfirewall 
      egressfirewall.k8s.ovn.org/default created
      
      
      $ oc get EgressFirewall
      NAME      EGRESSFIREWALL STATUS
      default   
      
      $ oc get EgressFirewall -A
      NAMESPACE   NAME      EGRESSFIREWALL STATUS
      ayush-nad   default   
      test        default   

      --> Now, I tried to create the correct EgressFirewall which was provided by you in another namespace, which also got stuck. I believe now it's happening due to that earlier wrong EgressFirewall; maybe it's an OVN behaviour not allowing the creation of a new EgressFirewall if any wrong EgressFirewall is stuck already.

      $ oc project ayush-nad
      $ oc create -f new-egressfirewall 
      egressfirewall.k8s.ovn.org/default created
      
      $ oc project test
      $ oc delete -f egress-firewall 
      egressfirewall.k8s.ovn.org "default" deleted
      
      $ oc get EgressFirewall -A
      No resources found
      
      $ oc create -f new-egressfirewall 
      egressfirewall.k8s.ovn.org/default created
      
      $ oc get EgressFirewall
      NAME      EGRESSFIREWALL STATUS
      default   
      
      $ oc get EgressFirewall -A
      NAMESPACE   NAME      EGRESSFIREWALL STATUS
      test        default   

      --> Further on, I deleted both EgressFirewalls and created the correct EgressFirewall, but somehow it was stuck even when there was no pending EgressFirewall in the cluster.

      I was able to resolve the issue after deleting the pods from "openshift-ovn-kubernetes" namespace.

      $ oc get EgressFirewall -A
      NAMESPACE   NAME      EGRESSFIREWALL STATUS
      ayush-nad   default   EgressFirewall Rules not correctly added
      test        default   EgressFirewall Rules applied

      --> Just to verify once more, I tried the same use case again by creating the wrong EgressFirewall first and afterward the correct one. What I observed was that this time the wrong one showed the correct message and was not applied, while the correct one got applied.


      Actual results:

      ACLs for EgressFirewall aren't there as expected.

      Expected results:

      ACLs for EgressFirewall should be re-created and deleted automatically by OVN without manual intervention.
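A pre-apply validator for manifests like the ones in the steps above, added here as an example and not part of this report or of ovn-kubernetes. The field rules it enforces (explicit prefix length in cidrSelector, one selector per rule, Allow/Deny type, TCP/UDP/SCTP ports, the mandatory name "default") follow the EgressFirewall API; the status strings in triage() are the ones shown in the report's oc output, and treating an empty status as "stuck" is this example's assumption.

```python
# Added example (not from the report or ovn-kubernetes): pre-apply checks for an
# EgressFirewall manifest, given here as a dict constructed from the report's YAML.
import ipaddress

def validate_rule(rule: dict) -> list:
    """Return problems found in one spec.egress entry (empty list means OK)."""
    problems = []
    if rule.get("type") not in ("Allow", "Deny"):
        problems.append(f"type must be Allow or Deny, got {rule.get('type')!r}")
    to = rule.get("to", {})
    if sum(k in to for k in ("cidrSelector", "dnsName", "nodeSelector")) != 1:
        problems.append("exactly one of cidrSelector, dnsName or nodeSelector is required")
    cidr = to.get("cidrSelector")
    if cidr is not None:
        # ovn-kubernetes parses this with Go's net.ParseCIDR, which needs an explicit prefix;
        # Python's ip_network would silently treat "8.8.8.8" as /32, so reject a bare address.
        if "/" not in cidr:
            problems.append(f"cidrSelector {cidr!r} lacks a prefix length; use {cidr}/32 for one host")
        else:
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError as err:
                problems.append(f"cidrSelector {cidr!r} is not a valid CIDR: {err}")
    for p in rule.get("ports", []):
        if not 1 <= int(p.get("port", 0)) <= 65535:
            problems.append(f"port {p.get('port')!r} is out of range 1-65535")
        if p.get("protocol") not in ("TCP", "UDP", "SCTP"):
            problems.append(f"protocol {p.get('protocol')!r} must be TCP, UDP or SCTP")
    return problems

def validate_firewall(manifest: dict) -> list:
    """Validate a whole EgressFirewall; ovn-kubernetes requires the name 'default'."""
    problems = []
    if manifest.get("metadata", {}).get("name") != "default":
        problems.append("metadata.name must be 'default' (one EgressFirewall per namespace)")
    for i, rule in enumerate(manifest.get("spec", {}).get("egress", [])):
        problems += [f"egress[{i}]: {p}" for p in validate_rule(rule)]
    return problems

def triage(status_msg: str) -> str:
    """Classify the EGRESSFIREWALL STATUS column; empty (assumed), as in the report, means stuck."""
    if status_msg == "EgressFirewall Rules applied":
        return "applied"
    return f"error: {status_msg}" if status_msg else "stuck"

# Constructed from the report: the bare-IP manifest that got stuck and the /32 fix.
WRONG = {"metadata": {"name": "default"},
         "spec": {"egress": [{"type": "Deny", "to": {"cidrSelector": "8.8.8.8"}}]}}
FIXED = {"metadata": {"name": "default"},
         "spec": {"egress": [{"type": "Deny", "to": {"cidrSelector": "8.8.8.8/32"}}]}}
```

Running validate_firewall() over a manifest before `oc create` surfaces the missing "/32" locally, instead of leaving the object with an empty status in the cluster.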


            npinaeva@redhat.com Nadia Pinaeva
            rhn-support-aygarg Ayush Garg
            Huiran Wang Huiran Wang