Bug | Resolution: Done | Major | 4.12.z | Quality / Stability / Reliability | Rejected | SDN Sprint 242
Description of problem:
I followed the steps to enable OVN audit logs as per this [documentation|https://docs.openshift.com/container-platform/4.12/networking/ovn_kubernetes_network_provider/logging-network-policy.html#nw-networkpolicy-audit-configure_logging-network-policy] with a test namespace.
The namespace has two RHEL tools pods and the following network policies:
{noformat}
# Deny all ingress and egress for every pod in the namespace (an empty matchLabels selects all pods)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector:
    matchLabels:
  policyTypes:
  - Ingress
  - Egress
---
# Allow ingress from any pod in this namespace and egress to namespaces carrying the label namespace=verify-audit-logging
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-same-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          namespace: verify-audit-logging
{noformat}
However running ping test as per the OCP docs results in the traffic being blocked by the default
However, running curl from a pod in a different namespace, or from a pod in the same namespace I created, results in the traffic being blocked by the 'egressDefaultDeny' or 'ingressDefaultDeny' network policies. The traffic should be controlled by the network policies I created instead of by the default network policies.
Version-Release number of selected component (if applicable):
How reproducible:
Consistently reproducible by following the steps in https://docs.openshift.com/container-platform/4.12/networking/ovn_kubernetes_network_provider/logging-network-policy.html#nw-networkpolicy-audit-configure_logging-network-policy on a 4.12.30 cluster.
Actual results:
The ACL logs look like this, showing that packets are being dropped by the default deny network policies:
IngressDeny:
{noformat}
07T03:25:13.824Z|00006|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_ingressDefaultDeny", verdict=drop, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:06,nw_src=10.131.0.16,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=63,nw_frag=no,icmp_type=8,icmp_code=0
2023-09-07T03:25:14.828Z|00007|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_ingressDefaultDeny", verdict=drop, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:06,nw_src=10.131.0.16,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=63,nw_frag=no,icmp_type=8,icmp_code=0
{noformat}
EgressDeny:
{noformat}
07T03:25:43.991Z|00043|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_egressDefaultDeny", verdict=drop, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:83:00:11,dl_dst=0a:58:0a:83:00:01,nw_src=10.131.0.17,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0
2023-09-07T03:25:45.035Z|00044|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_egressDefaultDeny", verdict=drop, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:83:00:11,dl_dst=0a:58:0a:83:00:01,nw_src=10.131.0.17,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0
{noformat}
Expected results:
Traffic should flow according to the user-defined network policies instead of the default deny policies, and this should be reflected in the OVN ACL audit logs.
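As an added example (not part of this report or of ovn-kubernetes), a small parser for acl_log lines in the format quoted above that separates drops made by a namespace's ingressDefaultDeny/egressDefaultDeny ACLs from verdicts produced by a named NetworkPolicy rule, which is the check to run when deciding whether a user policy matched at all. The sample lines are constructed from the format above, and the "<namespace>_<policy>_<rule index>" name of the allow ACL is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the acl_log format quoted in this report. The third line
# (an allow verdict from a named policy rule ACL) is an assumption about how
# ovn-kubernetes names those ACLs and is not taken from the report.
SAMPLE_LOG = """\
2023-09-07T03:25:13.824Z|00006|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_ingressDefaultDeny", verdict=drop, severity=alert, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:06,nw_src=10.131.0.16,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=63,nw_frag=no,icmp_type=8,icmp_code=0
2023-09-07T03:25:43.991Z|00043|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_egressDefaultDeny", verdict=drop, severity=alert, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:83:00:11,dl_dst=0a:58:0a:83:00:01,nw_src=10.131.0.17,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0
2023-09-07T03:26:01.100Z|00051|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_allow-from-same-namespace_0", verdict=allow, severity=notice, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:06,nw_src=10.128.2.7,nw_dst=10.128.2.6,nw_tos=0,nw_ecn=0,nw_ttl=63,nw_frag=no,tp_src=43210,tp_dst=8080,tcp_flags=syn
"""

# Header part of an acl_log line, followed by the comma-separated flow fields
HEADER_RE = re.compile(
    r'^(?P<ts>[^|]+)\|(?P<seq>\d+)\|acl_log\([^)]*\)\|(?P<level>\w+)\|'
    r'name="(?P<name>[^"]+)", verdict=(?P<verdict>\w+), severity=(?P<severity>\w+), '
    r'direction=(?P<direction>[\w-]+): (?P<proto>\w+),(?P<fields>.*)$'
)

def parse_line(line):
    """Parse one acl_log line into a dict; returns None for lines that do not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for kv in rec.pop("fields").split(","):  # e.g. nw_src=10.131.0.16
        key, _, value = kv.partition("=")
        rec[key] = value
    # "<namespace>_ingressDefaultDeny" / "<namespace>_egressDefaultDeny" are the
    # namespace-wide deny ACLs; "<namespace>_<policy>_<rule index>" (assumed) are rule ACLs.
    rec["default_deny"] = rec["name"].endswith("DefaultDeny")
    rec["namespace"] = rec["name"].split("_", 1)[0]
    return rec

def default_deny_drops(text):
    """(namespace, direction, nw_src, nw_dst) for each drop by a default-deny ACL.
    Such a drop means no user NetworkPolicy rule matched the flow at all."""
    hits = []
    for rec in map(parse_line, text.splitlines()):
        if rec and rec["verdict"] == "drop" and rec["default_deny"]:
            hits.append((rec["namespace"], rec["direction"], rec["nw_src"], rec["nw_dst"]))
    return hits

def verdicts_by_acl(text):
    """Count (ACL name, verdict) pairs so you can see which policy ACLs actually fired."""
    return Counter((r["name"], r["verdict"]) for r in map(parse_line, text.splitlines()) if r)
```

Feed it the output of the ovn-controller audit log on the node and any tuple returned by default_deny_drops is a flow the user policies never matched.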
Relates to: OCPBUGS-19091 [enterprise-4.13] Issue in file networking/ovn_kubernetes_network_provider/logging-network-policy.adoc (Closed)