Loading...

XML

Word

Printable

Type: Bug
Resolution: Can't Do
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.16
Component/s: Networking / ovn-kubernetes
Labels:
- SDN:OVNK:AdminNetworkPolicy

Severity:
Important
Regression:
No
Sprint:
SDN Sprint 254
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

EgressFirewall doesn't take precedence over BaselineAdminNetworkPolicy

Version-Release number of selected component (if applicable):

4.16.0-0.nightly-2024-05-19-083311

How reproducible:

Always

Steps to Reproduce:

    1.Created a test namespace and test pods
    2.Created an egressfirewall
apiVersion: v1
items:
- apiVersion: k8s.ovn.org/v1
  kind: EgressFirewall
  metadata:
    creationTimestamp: "2024-05-21T05:07:45Z"
    generation: 2
    name: default
    namespace: test
    resourceVersion: "60575"
    uid: 6b2c0a0e-80fa-44fd-80d3-e7fdd9d2107b
  spec:
    egress:
    - to:
        cidrSelector: 173.194.196.147/32
      type: Allow
    - to:
        cidrSelector: 0.0.0.0/0
      type: Deny
  status:
    messages:
    - 'hrw-0521a-8jzmk-worker-a-hdr26: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-worker-c-zbnlh: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-worker-b-x96nl: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal: EgressFirewall
      Rules applied'
    - 'hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal: EgressFirewall
      Rules applied'
    - 'hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal: EgressFirewall
      Rules applied'
    status: EgressFirewall Rules applied
kind: List
metadata:
  resourceVersion: ""
    3. From test pod to access allowed IP
% oc rsh -n test test-rc-44m4l
~ $ curl 173.194.196.147
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

4. Created a BANP 
% oc get banp -o yaml
apiVersion: v1
items:
- apiVersion: policy.networking.k8s.io/v1alpha1
  kind: BaselineAdminNetworkPolicy
  metadata:
    creationTimestamp: "2024-05-21T05:09:16Z"
    generation: 1
    name: default
    resourceVersion: "60729"
    uid: e7e7358e-9e4a-4679-b47d-0859795dc41e
  spec:
    egress:
    - action: Deny
      name: default-deny-egress
      to:
      - networks:
        - 0.0.0.0/0
    subject:
      namespaces:
        matchLabels:
          kubernetes.io/metadata.name: test
  status:
    conditions:
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-a-hdr26
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-c-zbnlh
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-b-x96nl
kind: List
metadata:
  resourceVersion: ""

5. From test pod, access 173.194.196.147 again

Actual results:

% oc rsh -n test test-rc-44m4l        
~ $ curl 173.194.196.147 --connect-timeout 5
curl: (28) Connection timeout after 5001 ms

Expected results:

Should be able to access the allowed IP configured in EgressFirewall

Additional info:

depends on

FDP-625 ACL Tiers are not holistic across ingress/egress pipelines; thus breaking CMS expectations

Closed

Assignee:: Surya Seetharaman

Reporter:: Huiran Wang

QA Contact:: Huiran Wang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/05/21 5:15 AM

Updated:: 2024/05/21 9:22 AM

Resolved:: 2024/05/21 8:47 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates