- Bug
- Resolution: Not a Bug
- Major
- None
- 4.14
- No
- SDN Sprint 243, SDN Sprint 244, SDN Sprint 245, SDN Sprint 246, SDN Sprint 247, SDN Sprint 248, SDN Sprint 249, SDN Sprint 250
- 8
- Rejected
- False
-
Description of problem:
Expected an ingress TCP policy that allows TCP traffic to a specific port to allow traffic only to that port, not to other ports.
Version-Release number of selected component (if applicable):
4.14
How reproducible:
Attempted twice so far.
Steps to Reproduce:
1. Create two projects, test and test1. In the test project create services as follows:

oc get svc -n test
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)            AGE
hello-idle    ClusterIP   172.30.138.119   <none>        8000/TCP           70m
sctpservice   NodePort    172.30.3.89      <none>        30102:30229/SCTP   62m
udp-pod       NodePort    172.30.55.161    <none>        8080:30116/UDP     65m

oc get pods -n test -owide
NAME               READY   STATUS    RESTARTS   AGE    IP            NODE                                                      NOMINATED NODE   READINESS GATES
hello-idle-85gxc   1/1     Running   0          73m    10.128.2.18   asood-9121-qhnjc-worker-c-gdtzb.c.openshift-qe.internal   <none>           <none>
hello-idle-j5rgc   1/1     Running   0          73m    10.129.2.48   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>
sctpserver         1/1     Running   0          65m    10.129.2.49   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>
udp-pod            1/1     Running   0          142m   10.128.2.17   asood-9121-qhnjc-worker-c-gdtzb.c.openshift-qe.internal   <none>           <none>

A client pod in test1:

oc get pod -n test1 -owide
NAME     READY   STATUS    RESTARTS   AGE   IP            NODE                                                      NOMINATED NODE   READINESS GATES
client   1/1     Running   0          59m   10.129.2.51   asood-9121-qhnjc-worker-b-hp48t.c.openshift-qe.internal   <none>           <none>

2. Test network connectivity from the client pod to the various services in test.

TCP:
oc exec -it client -- curl -I 172.30.138.119:8000 --connect-timeout 5
HTTP/1.1 200 OK
Date: Tue, 12 Sep 2023 20:32:19 GMT
Content-Length: 11
Content-Type: text/plain; charset=utf-8

SCTP (listen on the server side on port 30102 to see the client send data successfully):

Server:
oc -n test rsh sctpserver
/ # ncat -v -l 30102
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::30102
Ncat: Listening on 0.0.0.0:30102
Ncat: Connection from 10.129.2.51.
Ncat: Connection from 10.129.2.51:46256.
hello
/ # exit

Client:
oc rsh client
/ # echo hello | ncat -v 10.129.2.49 30102
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 10.129.2.49:30102.
Ncat: 6 bytes sent, 0 bytes received in 0.01 seconds.
/ # exit

UDP:

Server:
oc -n test rsh udp-pod
~ $ ncat -v -l 8080
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.129.2.51.
Ncat: Connection from 10.129.2.51:60004.
hello

Client:
oc rsh client
/ # echo hello | ncat -v 10.128.2.17 8080
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 10.128.2.17:8080.
Ncat: 6 bytes sent, 0 bytes received in 0.01 seconds.

3. Create a BANP policy to see traffic to all the above services blocked.

apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default
spec:
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: test
  ingress:
  - name: "default-deny-ns-test"
    action: "Deny"
    from:
    - namespaces:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: test1

4. Traffic from the client to the TCP service, the SCTP server and the UDP pod fails.

5. Create an ANP policy to allow ingress traffic to only TCP port 8000.

apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: ingress-tcp
spec:
  priority: 15
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: test
  ingress:
  - name: "allow-from-test1"
    action: "Allow"
    from:
    - namespaces:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: test1
  - name: "deny-from-test2"
    action: "Deny"
    from:
    - namespaces:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: test2
  - name: "pass-from-test3"
    action: "Pass"
    from:
    - namespaces:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: test3
    ports:
    - portNumber:
        protocol: TCP
        port: 8000
Actual results:
Traffic to the SCTP service in test is allowed from the pod in test1.
Expected results:
Traffic to the SCTP service in test should not be allowed; only curl to the TCP service listening on port 8000 should be accepted from test1.
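In the ANP manifest from step 5, the ports list sits under the pass-from-test3 rule rather than under allow-from-test1. As an added example that is not part of this report (a constructed model of ANP/BANP ingress evaluation, not OVN-Kubernetes code), the following shows how the placement of the ports field decides the verdict for the three flows tested from the test1 client; rule names, namespaces and ports are the ones in the report.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model (not the OVN-Kubernetes implementation): ANPs are evaluated by priority
# (lower number first), the first matching rule in a policy decides, Pass defers to BANP.
@dataclass
class Rule:
    name: str
    action: str                       # "Allow", "Deny" or "Pass"
    from_ns: List[str]                # source namespaces selected by the rule
    ports: Optional[List[Tuple[str, int]]] = None  # None = no ports field = every protocol/port

    def matches(self, src_ns: str, proto: str, port: int) -> bool:
        if src_ns not in self.from_ns:
            return False
        return self.ports is None or (proto, port) in self.ports

def first_match(rules, src_ns, proto, port) -> Optional[str]:
    for rule in rules:
        if rule.matches(src_ns, proto, port):
            return rule.action
    return None

def evaluate(anps, banp_rules, src_ns, proto, port) -> str:
    for _priority, rules in sorted(anps, key=lambda p: p[0]):
        verdict = first_match(rules, src_ns, proto, port)
        if verdict == "Pass":
            break                      # skip remaining ANPs, fall through to BANP
        if verdict is not None:
            return verdict
    return first_match(banp_rules, src_ns, proto, port) or "Allow"  # nothing matched: allow

BANP = [Rule("default-deny-ns-test", "Deny", ["test1"])]
# Rules as laid out in the report: the ports list belongs to pass-from-test3, so the
# Allow rule for test1 has no ports field and matches every protocol and port.
AS_FILED = (15, [
    Rule("allow-from-test1", "Allow", ["test1"]),
    Rule("deny-from-test2", "Deny", ["test2"]),
    Rule("pass-from-test3", "Pass", ["test3"], ports=[("TCP", 8000)]),
])
# The same policy with the ports list moved under the Allow rule.
PORTS_ON_ALLOW = (15, [
    Rule("allow-from-test1", "Allow", ["test1"], ports=[("TCP", 8000)]),
    Rule("deny-from-test2", "Deny", ["test2"]),
    Rule("pass-from-test3", "Pass", ["test3"]),
])

def verdicts(anp) -> dict:
    flows = {"tcp8000": ("TCP", 8000), "sctp30102": ("SCTP", 30102), "udp8080": ("UDP", 8080)}
    return {k: evaluate([anp], BANP, "test1", proto, port) for k, (proto, port) in flows.items()}
```

The model treats `port` as the destination port as seen at the pod; note that the hello-idle Service in this report maps port 8000 to targetPort 8080, so a pod-level port match may need the pod's port rather than the Service's.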
Additional info:
oc version
Client Version: 4.13.0
Kustomize Version: v4.5.7
Server Version: 4.14.0-0.nightly-2023-09-12-024050
Kubernetes Version: v1.27.4+6eeca63

1. Creating the SCTP service:

oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/sctp/sctpserver.yaml
oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/sctp/sctpservice.yaml

2. Create the TCP service:

apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ReplicationController
  metadata:
    labels:
      name: hello-idle
    name: hello-idle
  spec:
    replicas: 2
    selector:
      name: hello-idle
    template:
      metadata:
        labels:
          name: hello-idle
      spec:
        containers:
        - image: quay.io/openshifttest/hello-pod@sha256:04b6af86b03c1836211be2589db870dba09b7811c197c47c07fbbe33c7f80ef7
          name: hello-idle
          ports:
          - containerPort: 8080
            protocol: TCP
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 256Mi
          terminationMessagePath: /dev/termination-log
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        securityContext: {}
        terminationGracePeriodSeconds: 30
- apiVersion: v1
  kind: Service
  metadata:
    name: hello-idle
    labels:
      environ: dev
  spec:
    ports:
    - port: 8000
      targetPort: 8080
      protocol: TCP
    selector:
      name: hello-idle

3. Create the UDP service:

---
kind: Pod
apiVersion: v1
metadata:
  name: udp-pod
  labels:
    name: udp-pod
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: udp-pod
    image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
    command:
    - "/usr/bin/ncat"
    - "-u"
    - "-l"
    - '8080'
    - "--keep-open"
    - "--exec"
    - "/bin/cat"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  restartPolicy: Always

Expose the service:
oc expose pod udp-pod -n test --type=NodePort --port=8080 --protocol=UDP
service/udp-pod exposed

4. Client pod in test1:

---
apiVersion: v1
kind: Pod
metadata:
  name: client
  labels:
    app: client
spec:
  containers:
  - name: client
    image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4