OpenShift Bugs: OCPBUGS-34003

EgressFirewall doesn't take precedence over BaselineAdminNetworkPolicy

    • Important
    • No
    • SDN Sprint 254
    • 1
    • Rejected
    • False

      Description of problem:

      EgressFirewall doesn't take precedence over BaselineAdminNetworkPolicy
          

      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-05-19-083311
      
          

      How reproducible:

      Always
          

      Steps to Reproduce:

      1. Created a test namespace and test pods
      2. Created an EgressFirewall:
      apiVersion: v1
      items:
      - apiVersion: k8s.ovn.org/v1
        kind: EgressFirewall
        metadata:
          creationTimestamp: "2024-05-21T05:07:45Z"
          generation: 2
          name: default
          namespace: test
          resourceVersion: "60575"
          uid: 6b2c0a0e-80fa-44fd-80d3-e7fdd9d2107b
        spec:
          egress:
          - to:
              cidrSelector: 173.194.196.147/32
            type: Allow
          - to:
              cidrSelector: 0.0.0.0/0
            type: Deny
        status:
          messages:
          - 'hrw-0521a-8jzmk-worker-a-hdr26: EgressFirewall Rules applied'
          - 'hrw-0521a-8jzmk-worker-c-zbnlh: EgressFirewall Rules applied'
          - 'hrw-0521a-8jzmk-worker-b-x96nl: EgressFirewall Rules applied'
          - 'hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal: EgressFirewall
            Rules applied'
          - 'hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal: EgressFirewall
            Rules applied'
          - 'hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal: EgressFirewall
            Rules applied'
          status: EgressFirewall Rules applied
      kind: List
      metadata:
        resourceVersion: ""

      3. From the test pod, access the allowed IP:
      % oc rsh -n test test-rc-44m4l
      ~ $ curl 173.194.196.147
      <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
      <TITLE>301 Moved</TITLE></HEAD><BODY>
      <H1>301 Moved</H1>
      The document has moved
      <A HREF="http://www.google.com/">here</A>.
      </BODY></HTML>
      
      4. Created a BANP:
      % oc get banp -o yaml
      apiVersion: v1
      items:
      - apiVersion: policy.networking.k8s.io/v1alpha1
        kind: BaselineAdminNetworkPolicy
        metadata:
          creationTimestamp: "2024-05-21T05:09:16Z"
          generation: 1
          name: default
          resourceVersion: "60729"
          uid: e7e7358e-9e4a-4679-b47d-0859795dc41e
        spec:
          egress:
          - action: Deny
            name: default-deny-egress
            to:
            - networks:
              - 0.0.0.0/0
          subject:
            namespaces:
              matchLabels:
                kubernetes.io/metadata.name: test
        status:
          conditions:
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-worker-a-hdr26
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-worker-c-zbnlh
          - lastTransitionTime: "2024-05-21T05:09:16Z"
            message: Setting up OVN DB plumbing was successful
            reason: SetupSucceeded
            status: "True"
            type: Ready-In-Zone-hrw-0521a-8jzmk-worker-b-x96nl
      kind: List
      metadata:
        resourceVersion: ""
      
      5. From the test pod, access 173.194.196.147 again
          

      Actual results:

      % oc rsh -n test test-rc-44m4l
      ~ $ curl 173.194.196.147 --connect-timeout 5
      curl: (28) Connection timeout after 5001 ms

      Expected results:

      Should be able to access the allowed IP configured in EgressFirewall
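
As an added check (not part of this report or of ovn-kubernetes), the two objects above are reduced to Python dicts, and a function lists every EgressFirewall Allow CIDR that a BANP egress Deny networks peer covering the same namespace also matches, so the overlap behind the timeout in step 5 is visible before the BANP is applied; a second function walks the EgressFirewall rules in order to show the Allow verdict the expected result relies on. Handling only namespaces.matchLabels, the implicit kubernetes.io/metadata.name namespace label, and cidrSelector peers is an assumption of this example.

```python
import ipaddress

# Both objects are the ones quoted in this report, reduced to the fields the check needs.
EGRESS_FIREWALL = {"egress": [  # EgressFirewall "default" in namespace "test"
    {"type": "Allow", "to": {"cidrSelector": "173.194.196.147/32"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]}
BANP = {
    "subject": {"namespaces": {"matchLabels": {"kubernetes.io/metadata.name": "test"}}},
    "egress": [{"name": "default-deny-egress", "action": "Deny",
                "to": [{"networks": ["0.0.0.0/0"]}]}],
}

def banp_selects_namespace(banp, ns_name, ns_labels=None):
    """True if the BANP subject's namespaces.matchLabels select this namespace.
    Assumes the implicit kubernetes.io/metadata.name label; matchExpressions are not handled."""
    labels = dict(ns_labels or {})
    labels.setdefault("kubernetes.io/metadata.name", ns_name)
    selector = banp["subject"].get("namespaces", {}).get("matchLabels", {})
    return all(labels.get(key) == val for key, val in selector.items())

def first_ef_verdict(ef, dst_ip):
    """EgressFirewall rules are ordered: the first cidrSelector containing dst_ip decides."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in ef["egress"]:
        cidr = rule.get("to", {}).get("cidrSelector")
        if cidr and ip in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return None  # nothing matched (dnsName / nodeSelector peers are not modelled here)

def conflicting_allows(ef, banp, ns_name, ns_labels=None):
    """(ef_cidr, banp_rule, banp_network) for every EgressFirewall Allow CIDR that a BANP
    egress Deny 'networks' peer also covers, when the BANP subject selects this namespace."""
    if not banp_selects_namespace(banp, ns_name, ns_labels):
        return []
    hits = []
    for rule in ef["egress"]:
        cidr = rule.get("to", {}).get("cidrSelector")
        if rule.get("type") != "Allow" or not cidr:
            continue
        ef_net = ipaddress.ip_network(cidr, strict=False)
        for brule in banp["egress"]:
            if brule.get("action") != "Deny":
                continue
            for net in (n for peer in brule.get("to", []) for n in peer.get("networks", [])):
                deny_net = ipaddress.ip_network(net, strict=False)
                if ef_net.version == deny_net.version and ef_net.subnet_of(deny_net):
                    hits.append((cidr, brule["name"], net))
    return hits
```

For the objects in this report, conflicting_allows(EGRESS_FIREWALL, BANP, "test") returns the single pair ("173.194.196.147/32", "default-deny-egress", "0.0.0.0/0"), while first_ef_verdict(EGRESS_FIREWALL, "173.194.196.147") returns "Allow".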
          

      Additional info:

            sseethar Surya Seetharaman
            huirwang Huiran Wang
            Huiran Wang Huiran Wang