Bug
Resolution: Can't Do
Normal
4.15.z
Quality / Stability / Reliability
Description of problem:
A deny-all ingress MultiNetworkPolicy drops the return traffic of connections initiated by the pod itself, i.e. an ingress-only policy affects egress.
Version-Release number of selected component (if applicable):
4.15.Z
How reproducible:
Always
Steps to Reproduce:
1. Configure the underlay for a localnet topology OVN-Kubernetes secondary network:
"""
apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: ovs-share-same-gw-bridge
spec:
  nodeSelector:
    node-role.kubernetes.io/worker: ''
  desiredState:
    ovn:
      bridge-mappings:
      - localnet: data-net
        bridge: breth0
"""
2. Provision a NetworkAttachmentDefinition for that secondary network:
"""
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: mynet
  namespace: default
spec:
  config: '{
    "cniVersion": "0.3.1",
    "name": "data-net",
    "netAttachDefName": "default/mynet",
    "topology": "localnet",
    "type": "ovn-k8s-cni-overlay",
    "vlanID": 123
  }'
"""
3. Apply a workload attached to the secondary network:
"""
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: pod1
  annotations:
    k8s.v1.cni.cncf.io/networks: '[
      {
        "name": "mynet",
        "ips": [ "192.168.200.10/24" ]
      }
    ]'
spec:
  containers:
  - name: centos
    image: docker.io/centos/tools:latest
    command:
    - /sbin/init
"""
4. Start an HTTP server on a host outside the cluster, in the secondary network subnet.
5. From the client workload, access the HTTP server (this works).
6. Apply a deny-all ingress MultiNetworkPolicy and repeat the access from step 5:
"""
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: block-all-ingress
  annotations:
    k8s.v1.cni.cncf.io/policy-for: default/mynet
spec:
  podSelector: {}
  ingress: []
  policyTypes:
  - Ingress
"""
Actual results:
The return traffic of the pod-initiated connection is dropped when it reaches the client pod.
Expected results:
The return traffic is allowed; only new inbound connections should be blocked.
Additional info:
If we also provision an allow-all egress policy the bug does not occur: the outgoing connection is conntracked and its return traffic is not subject to policy.
This does not happen on the cluster default network, where a NetworkPolicy with only ingress blocking rules does not affect egress behaviour at all.
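As an added example (not code from the report or from the multi-networkpolicy project), a small Python check that flags a MultiNetworkPolicy with the ingress-only shape shown above and produces the variant with an explicit allow-all egress rule that the workaround relies on. It assumes the standard NetworkPolicy defaults for policyTypes and operates on the manifest already loaded as a dict (no YAML parsing).

```python
import copy
import json

# The deny-all ingress policy from the report, written out by hand as a dict
# (constructed sample input; in practice load it with a YAML parser).
BLOCK_ALL_INGRESS = {
    "apiVersion": "k8s.cni.cncf.io/v1beta1",
    "kind": "MultiNetworkPolicy",
    "metadata": {
        "name": "block-all-ingress",
        "annotations": {"k8s.v1.cni.cncf.io/policy-for": "default/mynet"},
    },
    "spec": {"podSelector": {}, "ingress": [], "policyTypes": ["Ingress"]},
}


def effective_policy_types(spec):
    """policyTypes with the NetworkPolicy default applied when omitted:
    Ingress is always implied, Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def is_ingress_only(policy):
    """True when the policy restricts ingress but says nothing about egress,
    the shape that drops pod-initiated return traffic on the secondary net."""
    if policy.get("kind") != "MultiNetworkPolicy":
        return False
    return effective_policy_types(policy.get("spec", {})) == {"Ingress"}


def with_allow_all_egress(policy):
    """Copy of the policy with an explicit allow-all egress rule added (the
    workaround noted in the report); an empty rule {} matches all egress."""
    fixed = copy.deepcopy(policy)
    spec = fixed.setdefault("spec", {})
    spec["policyTypes"] = sorted(effective_policy_types(spec) | {"Egress"})
    if {} not in spec.get("egress", []):
        spec["egress"] = spec.get("egress", []) + [{}]
    return fixed


if __name__ == "__main__":
    print("ingress-only:", is_ingress_only(BLOCK_ALL_INGRESS))
    print(json.dumps(with_allow_all_egress(BLOCK_ALL_INGRESS), indent=2))
```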