Bug | Resolution: Can't Do | Normal | None | 4.16 | Important | No | SDN Sprint 254 | 1 | Rejected | False
Description of problem:
EgressFirewall doesn't take precedence over BaselineAdminNetworkPolicy
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-05-19-083311
How reproducible:
Always
Steps to Reproduce:
1. Created a test namespace and test pods

2. Created an egressfirewall

    apiVersion: v1
    items:
    - apiVersion: k8s.ovn.org/v1
      kind: EgressFirewall
      metadata:
        creationTimestamp: "2024-05-21T05:07:45Z"
        generation: 2
        name: default
        namespace: test
        resourceVersion: "60575"
        uid: 6b2c0a0e-80fa-44fd-80d3-e7fdd9d2107b
      spec:
        egress:
        - to:
            cidrSelector: 173.194.196.147/32
          type: Allow
        - to:
            cidrSelector: 0.0.0.0/0
          type: Deny
      status:
        messages:
        - 'hrw-0521a-8jzmk-worker-a-hdr26: EgressFirewall Rules applied'
        - 'hrw-0521a-8jzmk-worker-c-zbnlh: EgressFirewall Rules applied'
        - 'hrw-0521a-8jzmk-worker-b-x96nl: EgressFirewall Rules applied'
        - 'hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal: EgressFirewall Rules applied'
        - 'hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal: EgressFirewall Rules applied'
        - 'hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal: EgressFirewall Rules applied'
        status: EgressFirewall Rules applied
    kind: List
    metadata:
      resourceVersion: ""

3. From test pod to access allowed IP

    % oc rsh -n test test-rc-44m4l
    ~ $ curl 173.194.196.147
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>

4. Created a BANP

    % oc get banp -o yaml
    apiVersion: v1
    items:
    - apiVersion: policy.networking.k8s.io/v1alpha1
      kind: BaselineAdminNetworkPolicy
      metadata:
        creationTimestamp: "2024-05-21T05:09:16Z"
        generation: 1
        name: default
        resourceVersion: "60729"
        uid: e7e7358e-9e4a-4679-b47d-0859795dc41e
      spec:
        egress:
        - action: Deny
          name: default-deny-egress
          to:
          - networks:
            - 0.0.0.0/0
        subject:
          namespaces:
            matchLabels:
              kubernetes.io/metadata.name: test
      status:
        conditions:
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-worker-a-hdr26
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-worker-c-zbnlh
        - lastTransitionTime: "2024-05-21T05:09:16Z"
          message: Setting up OVN DB plumbing was successful
          reason: SetupSucceeded
          status: "True"
          type: Ready-In-Zone-hrw-0521a-8jzmk-worker-b-x96nl
    kind: List
    metadata:
      resourceVersion: ""

5. From test pod, access 173.194.196.147 again
Actual results:
    % oc rsh -n test test-rc-44m4l
    ~ $ curl 173.194.196.147 --connect-timeout 5
    curl: (28) Connection timeout after 5001 ms
Expected results:
Should be able to access the allowed IP configured in EgressFirewall
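Because this report was closed as Can't Do, a cluster administrator is left with a BANP Deny that can silently override a namespace's EgressFirewall Allow. The script below is an added example (not part of the bug report and not OVN-Kubernetes code) that checks for exactly that overlap ahead of time: it takes the EgressFirewall and BANP from the steps above, embedded as constructed Python dicts trimmed to their spec fields, and reports every effective EgressFirewall Allow CIDR that a BANP egress Deny also covers for a namespace the BANP subject selects. It generalizes slightly beyond the report by honouring EgressFirewall's first-match rule ordering and by handling any number of Deny networks; the namespace label set passed in is assumed to be what the BANP's matchLabels would be evaluated against.

```python
"""Flag EgressFirewall Allow rules that a BaselineAdminNetworkPolicy Deny also
covers. With the precedence behaviour observed in this bug report, such an
Allow does not take effect, so the overlap is worth surfacing before rollout.
Constructed example; resources are the ones from the report, spec fields only.
"""
import ipaddress

# Constructed input: the EgressFirewall from step 2, spec fields only.
EGRESS_FIREWALL = {
    "kind": "EgressFirewall",
    "metadata": {"name": "default", "namespace": "test"},
    "spec": {"egress": [
        {"type": "Allow", "to": {"cidrSelector": "173.194.196.147/32"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]},
}

# Constructed input: the BANP from step 4, spec fields only.
BANP = {
    "kind": "BaselineAdminNetworkPolicy",
    "metadata": {"name": "default"},
    "spec": {
        "subject": {"namespaces": {"matchLabels": {
            "kubernetes.io/metadata.name": "test"}}},
        "egress": [
            {"action": "Deny", "name": "default-deny-egress",
             "to": [{"networks": ["0.0.0.0/0"]}]},
        ],
    },
}


def banp_selects_namespace(banp, ns_labels):
    """True when every matchLabels entry of the BANP subject is satisfied."""
    wanted = banp["spec"].get("subject", {}).get("namespaces", {}).get("matchLabels", {})
    return all(ns_labels.get(k) == v for k, v in wanted.items())


def banp_deny_networks(banp):
    """(rule name, network) pairs for every CIDR in an egress Deny rule."""
    nets = []
    for rule in banp["spec"].get("egress", []):
        if rule.get("action") != "Deny":
            continue
        for peer in rule.get("to", []):
            for cidr in peer.get("networks", []):
                nets.append((rule.get("name", "<unnamed>"), ipaddress.ip_network(cidr)))
    return nets


def egressfirewall_allows(ef):
    """Effective Allow networks of an EgressFirewall.

    EgressFirewall rules are evaluated in order and the first match wins, so an
    Allow that sits entirely inside an earlier Deny never takes effect and is
    skipped here. dnsName rules are out of scope for a CIDR overlap check.
    """
    effective, earlier_denies = [], []
    for rule in ef["spec"].get("egress", []):
        cidr = rule.get("to", {}).get("cidrSelector")
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr)
        if rule["type"] == "Deny":
            earlier_denies.append(net)
        elif not any(net.version == d.version and net.subnet_of(d) for d in earlier_denies):
            effective.append(net)
    return effective


def shadowed_allows(ef, banp, ns_labels):
    """Return (allowed CIDR, BANP rule name, BANP CIDR) triples where a BANP
    egress Deny covers a destination the EgressFirewall explicitly allows."""
    if not banp_selects_namespace(banp, ns_labels):
        return []
    findings = []
    for allowed in egressfirewall_allows(ef):
        for rule_name, denied in banp_deny_networks(banp):
            if allowed.version == denied.version and allowed.subnet_of(denied):
                findings.append((str(allowed), rule_name, str(denied)))
    return findings


if __name__ == "__main__":
    labels = {"kubernetes.io/metadata.name": "test"}  # constructed namespace labels
    for allowed, rule, denied in shadowed_allows(EGRESS_FIREWALL, BANP, labels):
        print(f"EgressFirewall allow {allowed} is covered by BANP deny rule "
              f"'{rule}' ({denied}); the allow will not take effect")
```

Run against the two resources from the report it prints one finding: the 173.194.196.147/32 Allow is covered by default-deny-egress (0.0.0.0/0), which is the curl timeout seen in Actual results. Feeding it the live objects would mean replacing the embedded dicts with the output of oc get ... -o json for the namespace being audited.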
Additional info:
Depends on: FDP-625 ACL Tiers are not holistic across ingress/egress pipelines; thus breaking CMS expectations (Closed)