OCPBUGS-33173

OCP 4.12.33 - Netpol deny-all-default application does not block route access


    • Important
    • No
    • Rejected
    • False
    • No reproducer; openshift-sdn; not able to block ingress traffic; case is sev 2; see last comment; can close.

      Description of problem:
       * Customer has deployed an AWS 4.12.33 cluster and is observing that networkpolicy creation for target namespaces is not working as expected.
       * A deny-by-default netpol does not prevent traffic from being routed to backends via the router-default pods (route).

      Version-Release number of selected component (if applicable):
       * AWS
       * 4.12.33

      How reproducible:
       * every time on this cluster and one other

      Steps to Reproduce:

      1. Create new namespace

      2. deploy an application that serves a 200 response for looped curl handling

      3. loop a curl to the route after exposing it for access testing:

       while true; do curl --noproxy '*' -k -w "dnslookup: %{time_namelookup} | connect: %{time_connect} | appconnect: %{time_appconnect} | pretransfer: %{time_pretransfer} | starttransfer: %{time_starttransfer} | total: %{time_total} | size: %{size_download} | response: %{response_code}\n" -o /dev/null -s https://URL; sleep 1; done
      

      4. Observe 200 responses from the route

      5. Create a deny-by-default networkpolicy and apply it to the namespace:

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: deny-by-default
        namespace: <test-namespace>
      spec:
        podSelector: {}
        ingress: []

      6. netpol is applied successfully - traffic to the route is not interrupted; the looped curl keeps receiving 200s.

      Replicated on a local test cluster internally: the netpol above immediately stops the 200 responses and the route starts returning 503 (expected) on the internal test platform.
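      The check in steps 3 to 6 can be scripted so that "policy applied" is judged by the response codes the route returns rather than by eye. The helpers below are an added example, not part of this bug report: deny_all_manifest emits the same deny-by-default policy as above for a given namespace, probe_route runs the curl loop a fixed number of times printing only the response code, and policy_enforced reads those codes and returns 0 only when no 2xx got through (the router-to-pod path is actually being filtered). The oc CLI, curl and the route URL (https://URL is a placeholder) are assumed to be available to whoever runs it.

```sh
#!/bin/sh
# Added example, not from the bug report. Helpers to verify that a
# deny-all NetworkPolicy really stops traffic reaching a pod via a route.
# Assumes: oc and curl on PATH, a reachable test route (placeholder URL).

# Emit the deny-by-default policy used in the report for namespace $1.
deny_all_manifest() {
  ns="$1"
  cat <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
  namespace: ${ns}
spec:
  podSelector: {}
  ingress: []
EOF
}

# Probe route $1 $2 times (default 10), one second apart, printing one
# HTTP response code per line. curl prints 000 when no HTTP response
# arrived at all (connection refused/reset), which also counts as blocked.
probe_route() {
  url="$1"; count="${2:-10}"
  i=0
  while [ "$i" -lt "$count" ]; do
    curl --noproxy '*' -k -s -o /dev/null -w '%{response_code}\n' "$url"
    i=$((i + 1))
    sleep 1
  done
}

# Read response codes from stdin (one per line).
#   returns 0 -> policy effective: not a single 2xx was served
#   returns 1 -> traffic still passes: at least one 2xx observed
#   returns 2 -> no codes supplied, nothing to judge
policy_enforced() {
  total=0; passed=0
  while IFS= read -r code; do
    [ -z "$code" ] && continue
    total=$((total + 1))
    case "$code" in
      2??) passed=$((passed + 1)) ;;
    esac
  done
  [ "$total" -gt 0 ] || return 2
  [ "$passed" -eq 0 ]
}

# Usage against a cluster (not executed here):
#   deny_all_manifest <test-namespace> | oc apply -f -
#   probe_route https://URL 10 | policy_enforced \
#     && echo "deny-all enforced on route path" \
#     || echo "route traffic NOT blocked - open a bug with the codes above"
```

      Run the probe both before and after oc apply: the first run should be all 200s (the app is healthy), the second should make policy_enforced succeed. A second run that still shows 200s is exactly the symptom described in this report and is worth capturing alongside the router-default pod logs.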

      Actual results:
       * traffic is not obstructed/modified by netpols when routing via route

      Expected results:
       * traffic should be dropped unless explicitly set by netpol if even one netpol is applied successfully to a namespace

      Additional info:


      Affected Platforms:
       * AWS (observed in the customer env; cannot replicate with resourcehub/quicklab)

      Data available in first comment with specific findings + logs

              npinaeva@redhat.com Nadia Pinaeva
              rhn-support-wrussell Will Russell
              Zhanqi Zhao