OpenShift Bugs: OCPBUGS-29021

[SDN] allow-from-openshift-ingress networkpolicy does not work

    • Cluster was re-installed as a workaround.

      Description of problem:

      The allow-from-openshift-ingress networkpolicy does not work after a cluster upgrade from 4.12.32 to 4.13.30.

      Version-Release number of selected component (if applicable):

      4.13.30

      How reproducible:

      100%    

      Steps to Reproduce:

      1. cluster version:
      # oc version
      Client Version: 4.12.32
      Kustomize Version: v4.5.7
      Kubernetes Version: v1.25.12+26bab08
      
      2. Check the openshift-ingress project having appropriate labels:
      
      # oc describe ns openshift-ingress | grep "network.openshift.io"
        network.openshift.io/policy-group=ingress
        policy-group.network.openshift.io/ingress=
      
      3. Check the labels for default project:
      # oc describe ns default 
      Name:         default
      Labels:       kubernetes.io/metadata.name=default
      Annotations:  openshift.io/sa.scc.mcs: s0:c7,c4
                    openshift.io/sa.scc.supplemental-groups: 1000050000/10000
                    openshift.io/sa.scc.uid-range: 1000050000/10000
      Status:       Active
           
      4. Create a sample deployment:
      # oc project
      Using project "test-netpol" on server "https://api.dpateriy412.lab.psi.pnq2.redhat.com:6443".
      
      # oc new-app --name hello-world-nginx  --image quay.io/redhattraining/hello-world-nginx
      
      # oc expose svc/hello-world-nginx
      
      # curl -sIv hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com 
      
      < HTTP/1.1 200 OK
      HTTP/1.1 200 OK
      < server: nginx/1.14.1
      server: nginx/1.14.1
      
      5. Apply allow-from-openshift-ingress networkpolicy:
      
      # cat netpol.yaml 
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-ingress
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
        podSelector: {}
        policyTypes:
        - Ingress
      
      #  oc apply  -f netpol.yaml 
      networkpolicy.networking.k8s.io/allow-from-openshift-ingress created
      
      6. Route is accessible as expected:
      
      # curl -sIv  hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
      < HTTP/1.1 200 OK
      HTTP/1.1 200 OK
      < server: nginx/1.14.1
      server: nginx/1.14.1
      
      7. Upgrade the cluster to 4.13.30:
      
      # oc adm upgrade  --to=4.13.30
       Requesting update to 4.13.30
      
      8. Cluster upgraded successfully:
      
      $ oc version
      Client Version: 4.12.32
      Kustomize Version: v4.5.7
      Server Version: 4.13.30
      Kubernetes Version: v1.26.12+dedb61b
      
      9. Route is not accessible now:
      
      # curl -sIv  hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
      * About to connect() to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com port 80 (#0)
      *   Trying 10.74.213.170...
      * Connected to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com (10.74.213.170) port 80 (#0)
      > HEAD / HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
      > Accept: */*
      > 
      
      10. The openshift-ingress project has the same labels:
      
      # oc describe ns openshift-ingress | grep "network.openshift.io"
        network.openshift.io/policy-group=ingress
        policy-group.network.openshift.io/ingress=
      
      11. Add the label to default namespace:
      
      # oc label ns default "network.openshift.io/policy-group=ingress"
      namespace/default labeled
      
      12. The route is then accessible:
      
      # curl -sIv  hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
      * About to connect() to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com port 80 (#0)
      *   Trying 10.74.213.170...
      * Connected to hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com (10.74.213.170) port 80 (#0)
      > HEAD / HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: hello-world-nginx-test-netpol.apps.dpateriy412.lab.example.com
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      HTTP/1.1 200 OK
      < server: nginx/1.14.1
      server: nginx/1.14.1
      

      Actual results:

      After the cluster upgrade from OCP 4.12.32 to 4.13.30, the allow-from-openshift-ingress networkpolicy does not work.

      Expected results:

      The allow-from-openshift-ingress networkpolicy should always work as expected.

      Additional info:

      Customer-facing impact: after the cluster upgrade, none of the application routes were accessible, because the affected projects rely on this networkpolicy. Labeling the default namespace with `network.openshift.io/policy-group=ingress` restored access and served as a workaround.
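The following Python is an added example for this report, not code from the bug or from OpenShift. It is a small offline model of the namespaceSelector matching that decides whether the policy in step 5 admits router traffic, and it reproduces the allow/deny outcomes of steps 6, 9 and 12. The policy dict mirrors netpol.yaml; the namespace label maps are constructed from the `oc describe ns` output quoted in steps 2 and 3. The model assumes, as the step-11 workaround implies (the report does not state the root cause), that after the upgrade the router's traffic is evaluated against the labels of the `default` namespace rather than `openshift-ingress`. Function names and the label constant are this example's own.

```python
"""Offline model of NetworkPolicy namespaceSelector matching (added example
for OCPBUGS-29021; not code from the report or from OpenShift).  Standard
library only.  Assumption: post-upgrade router traffic is matched against the
`default` namespace's labels, which is what the step-11 workaround implies."""
from copy import deepcopy
from typing import Dict, List

POLICY_GROUP_LABEL = "network.openshift.io/policy-group"

# netpol.yaml from the report, as a dict so that no YAML library is needed.
ALLOW_FROM_OPENSHIFT_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-from-openshift-ingress"},
    "spec": {
        "podSelector": {},            # empty selector: every pod in the policy's namespace
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {POLICY_GROUP_LABEL: "ingress"}}}]}
        ],
    },
}

# Namespace labels before the workaround (constructed from steps 2 and 3 of the report).
NAMESPACE_LABELS_BEFORE_WORKAROUND: Dict[str, Dict[str, str]] = {
    "openshift-ingress": {
        POLICY_GROUP_LABEL: "ingress",
        "policy-group.network.openshift.io/ingress": "",
    },
    "default": {"kubernetes.io/metadata.name": "default"},
}


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key must be present with exactly that value
    (AND); an empty selector {} matches everything.  matchExpressions are not
    modelled because the report's policy does not use them."""
    return all(labels.get(key) == value
               for key, value in selector.get("matchLabels", {}).items())


def peer_admits(peer: dict, policy_ns: str, source_ns: str,
                ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """One entry of an ingress rule's `from` list.  A namespaceSelector peer is
    matched against the *source namespace's* labels.  A podSelector-only peer
    is limited to pods in the policy's own namespace (pod labels are not
    modelled, so any such pod counts as matching).  ipBlock is not modelled."""
    if "namespaceSelector" in peer:
        return selector_matches(peer["namespaceSelector"], ns_labels.get(source_ns, {}))
    if "podSelector" in peer:
        return source_ns == policy_ns
    return False


def ingress_allowed(policy: dict, policy_ns: str, source_ns: str,
                    ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """Ingress rules are OR-ed: traffic is admitted if any rule admits it.  A
    rule without `from` admits every source; no matching rule means drop."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True                   # policy does not govern ingress at all
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers:
            return True
        if any(peer_admits(p, policy_ns, source_ns, ns_labels) for p in peers):
            return True
    return False


def router_traffic_allowed(router_source_ns: str,
                           ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """Does the report's policy (applied in project test-netpol) admit router
    traffic that the SDN attributes to `router_source_ns`?"""
    return ingress_allowed(ALLOW_FROM_OPENSHIFT_INGRESS, "test-netpol",
                           router_source_ns, ns_labels)


def apply_workaround(ns_labels: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Step 11: `oc label ns default network.openshift.io/policy-group=ingress`."""
    labelled = deepcopy(ns_labels)
    labelled.setdefault("default", {})[POLICY_GROUP_LABEL] = "ingress"
    return labelled


def policy_group_namespaces(ns_labels: Dict[str, Dict[str, str]]) -> List[str]:
    """Namespaces the policy's selector accepts traffic from; the live check is
    `oc get ns -l network.openshift.io/policy-group=ingress`."""
    return sorted(ns for ns, labels in ns_labels.items()
                  if labels.get(POLICY_GROUP_LABEL) == "ingress")


if __name__ == "__main__":
    before = NAMESPACE_LABELS_BEFORE_WORKAROUND
    after = apply_workaround(before)
    print("step 6, source openshift-ingress:", router_traffic_allowed("openshift-ingress", before))
    print("step 9, source default:          ", router_traffic_allowed("default", before))
    print("step 12, default labelled:       ", router_traffic_allowed("default", after))
    print("selected namespaces:", policy_group_namespaces(before), "->", policy_group_namespaces(after))
```

The `policy_group_namespaces` check is the one worth running before and after an upgrade on a real cluster: if the router traffic can be attributed to a namespace that is missing from that list, every project that depends on this policy loses its routes at once.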

      People: npinaeva@redhat.com (Nadia Pinaeva); rhn-support-dpateriy (Divyam Pateriya); Zhanqi Zhao