Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-18909

Admin network policy for protocol does not block traffic as required

XMLWordPrintable

    • No
    • SDN Sprint 243, SDN Sprint 244, SDN Sprint 245, SDN Sprint 246, SDN Sprint 247, SDN Sprint 248, SDN Sprint 249, SDN Sprint 250
    • 8
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Expected ingress TCP policy to allow TCP traffic to specific port, should allow traffic for only that port not other ports.
      
      

      Version-Release number of selected component (if applicable):

      4.14

      How reproducible:

      Attempted twice so far.

      Steps to Reproduce:

      1. Create two project test and test1.
      In the test project create services as follows:-
      oc get svc -n test
      NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)            AGE
      hello-idle    ClusterIP   172.30.138.119   <none>        8000/TCP           70m
      sctpservice   NodePort    172.30.3.89      <none>        30102:30229/SCTP   62m
      udp-pod       NodePort    172.30.55.161    <none>        8080:30116/UDP     65m
      
      oc get pods -n test -owide
      NAME               READY   STATUS    RESTARTS   AGE    IP            NODE                                                      NOMINATED NODE   READINESS GATES
      hello-idle-85gxc   1/1     Running   0          73m    10.128.2.18   asood-9121-qhnjc-worker-c-gdtzb.c.openshift-qe.internal   <none>           <none>
      hello-idle-j5rgc   1/1     Running   0          73m    10.129.2.48   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>
      sctpserver         1/1     Running   0          65m    10.129.2.49   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>
      udp-pod            1/1     Running   0          142m   10.128.2.17   asood-9121-qhnjc-worker-c-gdtzb.c.openshift-qe.internal   <none>           <none>
      
      A client pod in test1
      oc get pod -n test1 -owide
      NAME     READY   STATUS    RESTARTS   AGE   IP            NODE                                                      NOMINATED NODE   READINESS GATES
      client   1/1     Running   0          59m   10.129.2.51   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>
        2. Test out network connectivity from client pod to various services in test.
      TCP
      oc exec -it client -- curl -I 172.30.138.119:8000 --connect-timeout 5
      HTTP/1.1 200 OK
      Date: Tue, 12 Sep 2023 20:32:19 GMT
      Content-Length: 11
      Content-Type: text/plain; charset=utf-8
      
      SCTP 
      Listen on server side on port 30102 to see client send over data successfully
      Server
      oc -n test rsh sctpserver
      / # ncat -v -l 30102
      Ncat: Version 7.91 ( https://nmap.org/ncat )
      Ncat: Listening on :::30102
      Ncat: Listening on 0.0.0.0:30102
      Ncat: Connection from 10.129.2.51.
      Ncat: Connection from 10.129.2.51:46256.
      hello
      / # exit
      Client
      oc rsh client
      / # echo hello | ncat -v 10.129.2.49 30102
      Ncat: Version 7.91 ( https://nmap.org/ncat )
      Ncat: Connected to 10.129.2.49:30102.
      Ncat: 6 bytes sent, 0 bytes received in 0.01 seconds.
      / # exit
      
      UDP
      Server
       oc -n test rsh udp-pod
      ~ $ ncat -v -l 8080
      Ncat: Version 7.91 ( https://nmap.org/ncat )
      Ncat: Listening on :::8080
      Ncat: Listening on 0.0.0.0:8080
      Ncat: Connection from 10.129.2.51.
      Ncat: Connection from 10.129.2.51:60004.
      hello
      
      Client
      oc rsh client
      / # echo hello | ncat -v 10.128.2.17 8080
      Ncat: Version 7.91 ( https://nmap.org/ncat )
      Ncat: Connected to 10.128.2.17:8080.
      Ncat: 6 bytes sent, 0 bytes received in 0.01 seconds.
      
      
       3. Create BANP policy to see traffic to all the above services blocked.
      apiVersion: policy.networking.k8s.io/v1alpha1
      kind: BaselineAdminNetworkPolicy
      metadata:
        name: default
      spec:
        subject:
          namespaces:
            matchLabels:
                kubernetes.io/metadata.name: test
        ingress:
        - name: "default-deny-ns-test"
          action: "Deny"
          from:
          - namespaces:
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: test1
      
      4. Traffic from client to TCP service, SCTP server and UDP fails.
      
      5. Create a ANP policy to allow ingress traffic to only TCP port 8000.
       apiVersion: policy.networking.k8s.io/v1alpha1
      kind: AdminNetworkPolicy
      metadata:
        name: ingress-tcp
      spec:
        priority: 15
        subject:
          namespaces:
            matchLabels:
                kubernetes.io/metadata.name: test
        ingress:
        - name: "allow-from-test1"
          action: "Allow"
          from:
          - namespaces:
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: test1
        - name: "deny-from-test2"
          action: "Deny"
          from:
          - namespaces:
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: test2
        - name: "pass-from-test3"
          action: "Pass"
          from:
          - namespaces:
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: test3
          ports:
            - portNumber:
                protocol: TCP
                port: 8000

      Actual results:

      Traffic to SCTP service in test is allowed from pod in test1

      Expected results:

      Traffic to SCTP service in test should not be allowed, only curl to TCP service listening on port 8000 should be accepted from test1.

      Additional info:

       oc version
      Client Version: 4.13.0
      Kustomize Version: v4.5.7
      Server Version: 4.14.0-0.nightly-2023-09-12-024050
      Kubernetes Version: v1.27.4+6eeca63
      
      
      1. Creating SCTP service.
      oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/sctp/sctpserver.yaml
      oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/sctp/sctpservice.yaml
      
      2. Create TCP service.
      apiVersion: v1
      kind: List
      items:
      - apiVersion: v1
        kind: ReplicationController
        metadata:
          labels:
            name: hello-idle
          name: hello-idle
        spec:
          replicas: 2
          selector:
            name: hello-idle
          template:
            metadata:
              labels:
                name: hello-idle
            spec:
                containers:
                - image: quay.io/openshifttest/hello-pod@sha256:04b6af86b03c1836211be2589db870dba09b7811c197c47c07fbbe33c7f80ef7
                  name: hello-idle
                  ports:
                  - containerPort: 8080
                    protocol: TCP
                  resources:
                    limits:
                      cpu: 200m
                      memory: 256Mi
                    requests:
                      cpu: 100m
                      memory: 256Mi
                  terminationMessagePath: /dev/termination-log
                dnsPolicy: ClusterFirst
                restartPolicy: Always
                securityContext: {}
                terminationGracePeriodSeconds: 30
      - apiVersion: v1
        kind: Service
        metadata:
          name: hello-idle
          labels:
            environ: dev
        spec:
          ports:
          - port: 8000
            targetPort: 8080
            protocol: TCP
          selector:
            name: hello-idle    
      
      3. Create UDP service
      ---
      kind: Pod
      apiVersion: v1
      metadata:
        name: udp-pod
        labels:
          name: udp-pod
      spec:
        securityContext:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        containers:
          - name: udp-pod
            image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
            command:
              - "/usr/bin/ncat"
              - "-u"
              - "-l"
              - '8080'
              - "--keep-open"
              - "--exec"
              - "/bin/cat"
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]    
        restartPolicy: Always 
      
      Expose the service
       oc expose pod udp-pod -n test --type=NodePort --port=8080 --protocol=UDP
      service/udp-pod exposed 
      
      4. Client pod in test1
      --
      apiVersion: v1
      kind: Pod
      metadata:
        name: client
        labels:
          app: client
      spec:
        containers:
          - name: client
            image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4

              sseethar Surya Seetharaman
              rhn-support-asood Arti Sood
              Arti Sood Arti Sood
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: