Bug
Resolution: Duplicate
Major
4.13
Quality / Stability / Reliability
Description of problem:
allow-from-openshift-ingress networkpolicy does not work after cluster upgrade from 4.12.32 to 4.13.30
Version-Release number of selected component (if applicable):
4.13.30
How reproducible:
100%
Steps to Reproduce:
1. cluster version:
# oc version
Client Version: 4.12.32
Kustomize Version: v4.5.7
Kubernetes Version: v1.25.12+26bab08
2. Check the openshift-ingress project having appropriate labels:
# oc describe ns openshift-ingress | grep "network.openshift.io"
network.openshift.io/policy-group=ingress
policy-group.network.openshift.io/ingress=
3. Check the labels for default project:
# oc describe ns default
Name:         default
Labels:       kubernetes.io/metadata.name=default
Annotations:  openshift.io/sa.scc.mcs: s0:c7,c4
              openshift.io/sa.scc.supplemental-groups: 1000050000/10000
              openshift.io/sa.scc.uid-range: 1000050000/10000
Status:       Active
4. Create a sample deployment:
# oc project
Using project "test-netpol" on server "https://api.dpateriy412.lab.psi.pnq2.redhat.com:6443".
# oc new-app --name hello-world-nginx --image quay.io/redhattraining/hello-world-nginx
# oc expose svc/hello-world-nginx
# curl -sIv hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: nginx/1.14.1
server: nginx/1.14.1
5. Apply allow-from-openshift-ingress networkpolicy:
# cat netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress
# oc apply -f netpol.yaml
networkpolicy.networking.k8s.io/allow-from-openshift-ingress created
6. Route is accessible as expected:
# curl -sIv hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: nginx/1.14.1
server: nginx/1.14.1
7. Upgrade the cluster to 4.13.30:
# oc adm upgrade --to=4.13.30
Requesting update to 4.13.30
8. Cluster upgraded successfully:
$ oc version
Client Version: 4.12.32
Kustomize Version: v4.5.7
Server Version: 4.13.30
Kubernetes Version: v1.26.12+dedb61b
9. Route is not accessible now:
# curl -sIv hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
* About to connect() to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com port 80 (#0)
* Trying 10.74.213.170...
* Connected to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com (10.74.213.170) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
> Accept: */*
>
10. The openshift-ingress project has the same labels:
# oc describe ns openshift-ingress | grep "network.openshift.io"
network.openshift.io/policy-group=ingress
policy-group.network.openshift.io/ingress=
11. Add the label to default namespace:
# oc label ns default "network.openshift.io/policy-group=ingress"
namespace/default labeled
12. The route is then accessible:
# curl -sIv hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
* About to connect() to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com port 80 (#0)
* Trying 10.74.213.170...
* Connected to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com (10.74.213.170) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< server: nginx/1.14.1
server: nginx/1.14.1
Actual results:
After cluster upgrade from OCP 4.12.32 to 4.13.30 the allow-from-openshift-ingress networkpolicy does not work.
Expected results:
The allow-from-openshift-ingress networkpolicy should always work as expected.
Additional info:
The customer is facing an issue where none of the application routes are accessible after the cluster upgrade, because the applications rely on this networkpolicy. Labeling the default namespace with `network.openshift.io/policy-group=ingress` worked as a workaround.
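The reproduction above and the workaround both hinge on one question: which namespaces does the policy's namespaceSelector actually admit, given the labels currently on the cluster? The following is an added example (not code from the report or from OpenShift) that evaluates Kubernetes label-selector semantics offline against constructed namespace label sets mirroring steps 3 and 11, so the same check can be run against `oc get netpol -o json` / `oc get ns -o json` output before and after an upgrade. The list of "expected source namespaces" passed to `missing_sources` is an assumption of the example: the report shows that on the upgraded cluster the policy only works once `default` is also selected, so both `openshift-ingress` and `default` are checked.

```python
"""Offline check: which namespaces does a NetworkPolicy's namespaceSelector admit?

Implements Kubernetes LabelSelector semantics (matchLabels AND matchExpressions)
and applies them to a set of namespace label maps, the way the network plugin
does when deciding whether ingress traffic from a source namespace is allowed.
All objects below are constructed samples modelled on the bug report, not
captured from a cluster."""

import json

# Constructed sample: the allow-from-openshift-ingress policy from the report,
# shaped like `oc get netpol allow-from-openshift-ingress -o json`.
POLICY_JSON = json.dumps({
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-from-openshift-ingress", "namespace": "test-netpol"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {
            "matchLabels": {"network.openshift.io/policy-group": "ingress"}}}]}],
    },
})

# Constructed sample namespace labels: `default` as in step 3 (before the
# workaround) and as in step 11 (after `oc label ns default ...`).
NAMESPACES_BEFORE = {
    "openshift-ingress": {"network.openshift.io/policy-group": "ingress",
                          "policy-group.network.openshift.io/ingress": ""},
    "default": {"kubernetes.io/metadata.name": "default"},
    "test-netpol": {"kubernetes.io/metadata.name": "test-netpol"},
}
NAMESPACES_AFTER = dict(NAMESPACES_BEFORE)
NAMESPACES_AFTER["default"] = {**NAMESPACES_BEFORE["default"],
                               "network.openshift.io/policy-group": "ingress"}


def selector_matches(selector, labels):
    """Kubernetes LabelSelector semantics: every matchLabels pair and every
    matchExpressions requirement must hold; an empty selector matches everything."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for req in selector.get("matchExpressions", []):
        key, op, values = req["key"], req["operator"], req.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def admitted_namespaces(policy_json, namespaces):
    """Return the set of namespace names admitted by any ingress peer that
    carries a namespaceSelector. Peers without one (ipBlock, pod-only) are
    skipped because they do not select by namespace."""
    policy = json.loads(policy_json)
    admitted = set()
    for rule in policy["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            ns_selector = peer.get("namespaceSelector")
            if ns_selector is None:
                continue
            for name, labels in namespaces.items():
                if selector_matches(ns_selector, labels):
                    admitted.add(name)
    return admitted


def missing_sources(policy_json, namespaces, expected_sources):
    """List the expected ingress source namespaces that the policy does NOT
    admit. `expected_sources` is supplied by the operator; checking both
    openshift-ingress and default reflects the report's workaround."""
    admitted = admitted_namespaces(policy_json, namespaces)
    return sorted(ns for ns in expected_sources if ns not in admitted)


if __name__ == "__main__":
    expected = ("openshift-ingress", "default")
    for label, namespaces in (("before workaround", NAMESPACES_BEFORE),
                              ("after workaround", NAMESPACES_AFTER)):
        print(label, "admitted:", sorted(admitted_namespaces(POLICY_JSON, namespaces)),
              "missing:", missing_sources(POLICY_JSON, namespaces, expected))
```

Run against real cluster data by replacing the constructed objects with the `items` of `oc get netpol -A -o json` and a `{name: metadata.labels}` map built from `oc get ns -o json`; a non-empty `missing` list for a policy that is supposed to admit router traffic is the condition to alert on before letting the upgrade proceed.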