OpenShift Bugs
OCPBUGS-32486

multi-network policy egress behavior impacted by an egress policy



      Description of problem:

        A deny-all-ingress multi-network policy drops the return traffic of connections initiated by the pod, i.e. an ingress-only policy affects egress.

      Version-Release number of selected component (if applicable):

          4.15.Z

      How reproducible:

          always

      Steps to Reproduce:

          1. configure the underlay for a localnet topology ovn-k secondary network
      
      """
      apiVersion: nmstate.io/v1
      kind: NodeNetworkConfigurationPolicy
      metadata:
        name: ovs-share-same-gw-bridge
      spec:
        nodeSelector:
          node-role.kubernetes.io/worker: ''
        desiredState:
          ovn:
            bridge-mappings:
            - localnet: data-net
              bridge: breth0
      """
      
          2. provision a NAD for said secondary network
      
      """
      apiVersion: k8s.cni.cncf.io/v1
      kind: NetworkAttachmentDefinition
      metadata:
        name: mynet
        namespace: default
      spec:
          config: '{
              "cniVersion": "0.3.1",
              "name": "data-net",
              "netAttachDefName": "default/mynet",
              "topology": "localnet",
              "type": "ovn-k8s-cni-overlay",
              "vlanID": 123
          }'
      """
      
          3. apply a workload attached to the secondary network
      
      """
      apiVersion: v1
      kind: Pod
      metadata:
        namespace: default
        name: pod1
        annotations:
          k8s.v1.cni.cncf.io/networks: '[
            {
              "name": "mynet",
              "ips": [ "192.168.200.10/24" ]
            }
          ]'
      spec:
        containers:
        - name: centos
          image: docker.io/centos/tools:latest
          command:
          - /sbin/init
      """
      
          4. start an HTTP server on a host outside the cluster, in the secondary network subnet
          5. access the HTTP server from the client workload
          6. apply a deny-all-ingress multi-network policy
      
      """
      apiVersion: k8s.cni.cncf.io/v1beta1
      kind: MultiNetworkPolicy
      metadata:
        name: block-all-ingress
        annotations:
          k8s.v1.cni.cncf.io/policy-for: default/mynet
      spec:
        podSelector: {}
        ingress: []
        policyTypes:
        - Ingress
      """
          

      Actual results:

      the return traffic is dropped when it reaches the client pod

      Expected results:

          the return traffic is allowed

      Additional info:

          If we provision an allow-all egress policy the bug does not happen: the outgoing connection is conntracked, and the return traffic is not subject to policy.
      
          This does not happen for the cluster default network (i.e. a NetworkPolicy with only ingress-blocking rules does not impact egress behavior at all).
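      The workaround described above, written out as a policy. This is an added example, not a manifest from the bug report: it keeps the reproducer's deny-all ingress rule and adds an explicit allow-all egress rule for the same attachment, so the pod's outgoing connections are conntracked and their return traffic is admitted. The policy name is an assumption; the namespace and policy-for annotation match the pod and NAD in the reproducer.

```yaml
# Added example (not from the bug report): deny all ingress, allow all egress
# on the default/mynet secondary network.
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: block-all-ingress-allow-egress   # assumed name
  namespace: default                      # same namespace as pod1 and the NAD
  annotations:
    k8s.v1.cni.cncf.io/policy-for: default/mynet
spec:
  podSelector: {}          # every pod attached to mynet in this namespace
  policyTypes:
  - Ingress
  - Egress
  ingress: []              # unchanged from the reproducer: no ingress allowed
  egress:
  - {}                     # an empty rule matches every destination: allow all egress
```

An empty egress rule removes every egress restriction on that attachment; the report only states that an allow-all egress policy avoids the bug, so a narrower egress rule is not covered by it.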

              mduarted@redhat.com Miguel Duarte de Mora Barroso
              Anurag Saxena
              Tim Rozet