- Bug
- Resolution: Not a Bug
- Major
- None
- 4.12.z
- Important
- No
- Rejected
- False
No reproducer; openshift-sdn; not able to block ingress traffic; case is sev 2; see last comment; can close.
Description of problem:
* Customer has deployed an AWS 4.12.33 cluster and is observing that NetworkPolicy enforcement in the target namespaces is not working as expected.
* A deny-by-default NetworkPolicy does not prevent traffic from reaching the backend pods when it arrives via the router-default pods (i.e. through a Route).
Version-Release number of selected component (if applicable):
* AWS
* 4.12.33
How reproducible:
* Every time on this cluster and on one other cluster
Steps to Reproduce:
1. Create a new namespace
2. Deploy an application that returns a 200 response, to be polled with curl in a loop
3. Expose the application with a Route and loop a curl against it for access testing:
{code}
while true; do curl --noproxy '*' -k -w "dnslookup: %{time_namelookup} | connect: %{time_connect} | appconnect: %{time_appconnect} | pretransfer: %{time_pretransfer} | starttransfer: %{time_starttransfer} | total: %{time_total} | size: %{size_download} | response: %{response_code}\n" -o /dev/null -s https://URL; sleep 1; done
{code}
4. Observe 200 responses from the route
5. Create a deny-by-default NetworkPolicy and apply it to the namespace:
{code}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
  namespace: <test-namespace>
spec:
  podSelector: {}
  ingress: []
{code}
6. The NetworkPolicy is applied successfully, but traffic to the route is not interrupted (the looped curl keeps returning 200).
Replicated on an internal test cluster: there, the NetworkPolicy above immediately stops the 200 responses and the route starts returning 503 (the expected result).
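To make the expected behaviour in step 6 concrete, the following is an added example (written for this report; it is not code from the ticket, from OpenShift or from any CNI plugin) that models Kubernetes NetworkPolicy ingress semantics: a pod selected by at least one ingress policy drops everything that no rule explicitly allows, and a rule must select the router pods' namespace for Route traffic to get through. It only expresses the intended semantics; whether a given CNI (here openshift-sdn) enforces them on the data plane for router traffic is exactly what the ticket disputes and is not answered by this model. The namespace names, pod labels and port number are constructed sample data; the router namespace label key is the one documented for OpenShift but should be treated as an assumption and verified on the cluster with `oc get ns openshift-ingress --show-labels`. Only matchLabels selectors and namespaceSelector/podSelector peers are modeled (no matchExpressions, no ipBlock).

```python
"""Minimal model of Kubernetes NetworkPolicy ingress evaluation (added example).

Not code from the ticket, OpenShift or a CNI plugin. Models the policy
semantics the reporter expects, so the deny-by-default policy from the
reproduction steps can be checked against a router pod in another namespace.
Assumptions: matchLabels-only selectors; no ipBlock peers; all sample
namespaces, labels and ports below are constructed.
"""
from typing import Any

Policy = dict[str, Any]
Labels = dict[str, str]


def _policy_types(policy: Policy) -> list[str]:
    """policyTypes defaults to Ingress, plus Egress when an egress section is present."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def _selects(selector: dict[str, Any], labels: Labels) -> bool:
    """matchLabels-only label selector; an empty selector {} matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _peer_matches(peer: dict[str, Any], policy_ns: str, src_ns: str,
                  src_ns_labels: Labels, src_pod_labels: Labels) -> bool:
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modeled
    if ns_sel is not None:
        if not _selects(ns_sel, src_ns_labels):
            return False
    elif src_ns != policy_ns:
        return False  # a podSelector alone only reaches pods in the policy's own namespace
    return pod_sel is None or _selects(pod_sel, src_pod_labels)


def _rule_matches(rule: dict[str, Any], policy_ns: str, src_ns: str,
                  src_ns_labels: Labels, src_pod_labels: Labels, port: int) -> bool:
    peers = rule.get("from") or []
    ports = rule.get("ports") or []
    # An absent or empty 'from' allows every source; absent or empty 'ports' allows every port.
    source_ok = not peers or any(
        _peer_matches(p, policy_ns, src_ns, src_ns_labels, src_pod_labels) for p in peers)
    port_ok = not ports or any(p.get("port") == port for p in ports)
    return source_ok and port_ok


def ingress_allowed(policies: list[Policy], target_ns: str, target_pod_labels: Labels,
                    src_ns: str, src_ns_labels: Labels, src_pod_labels: Labels, port: int) -> bool:
    """True if an ingress connection to the target pod is permitted by the given policies."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == target_ns
                 and "Ingress" in _policy_types(p)
                 and _selects(p["spec"]["podSelector"], target_pod_labels)]
    if not selecting:
        return True  # no policy selects the pod: Kubernetes default is allow
    # Selected by at least one policy: deny unless some rule of some policy allows it.
    return any(_rule_matches(rule, target_ns, src_ns, src_ns_labels, src_pod_labels, port)
               for p in selecting for rule in (p["spec"].get("ingress") or []))


# --- constructed sample data (not from the ticket) ---------------------------------
APP_NS, APP_LABELS, APP_PORT = "netpol-test", {"app": "echo"}, 8080
ROUTER_NS, ROUTER_POD_LABELS = "openshift-ingress", {"app": "router"}
# Assumption: the documented label on the router namespace; verify on your cluster.
ROUTER_NS_LABELS = {"policy-group.network.openshift.io/ingress": ""}

DENY_BY_DEFAULT: Policy = {  # the policy from the reproduction steps
    "metadata": {"name": "deny-by-default", "namespace": APP_NS},
    "spec": {"podSelector": {}, "ingress": []},
}
ALLOW_FROM_ROUTER: Policy = {  # what an explicit allow for Route traffic must select
    "metadata": {"name": "allow-from-openshift-ingress", "namespace": APP_NS},
    "spec": {"podSelector": {}, "ingress": [{"from": [
        {"namespaceSelector": {"matchLabels": ROUTER_NS_LABELS}}]}]},
}
ALLOW_SAME_NS_CLIENTS: Policy = {  # podSelector-only peer: same namespace only
    "metadata": {"name": "allow-clients", "namespace": APP_NS},
    "spec": {"podSelector": {"matchLabels": APP_LABELS}, "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"role": "client"}}}],
         "ports": [{"port": APP_PORT}]}]},
}


def router_can_reach_app(policies: list[Policy]) -> bool:
    """Can the router pod (Route traffic) reach the app pod under these policies?"""
    return ingress_allowed(policies, APP_NS, APP_LABELS,
                           ROUTER_NS, ROUTER_NS_LABELS, ROUTER_POD_LABELS, APP_PORT)


def client_can_reach_app(policies: list[Policy], client_ns: str, client_ns_labels: Labels,
                         port: int = APP_PORT) -> bool:
    """Can a pod labelled role=client in client_ns reach the app pod on the given port?"""
    return ingress_allowed(policies, APP_NS, APP_LABELS,
                           client_ns, client_ns_labels, {"role": "client"}, port)


if __name__ == "__main__":
    print("no policy, router ->", router_can_reach_app([]))
    print("deny-by-default, router ->", router_can_reach_app([DENY_BY_DEFAULT]))
    print("deny + allow-from-router, router ->", router_can_reach_app([DENY_BY_DEFAULT, ALLOW_FROM_ROUTER]))
```

With the ticket's policy alone the model returns False for the router, which is the 503 seen on the internal test cluster; the customer cluster returning 200 is therefore a data-plane enforcement question, not a policy-authoring one. Adding the second policy shows the minimal rule needed to admit Route traffic once a deny-all policy is in place.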
Actual results:
* Traffic arriving through a Route is not obstructed or modified by NetworkPolicies in the target namespace.
Expected results:
* Once at least one NetworkPolicy is successfully applied to (and selects the pods in) a namespace, traffic should be dropped unless a policy explicitly allows it.
Additional info:
Affected Platforms:
* AWS (observed in the customer environment; cannot be replicated on resourcehub/quicklab)
Data available in first comment with specific findings + logs