OpenShift Bugs: OCPBUGS-35079

After applying SDN to OVN migration, DeploymentConfig is not working if EgressFirewall is in place with deny all rule


    • Important
    • No
    • 2
    • OSDOCS Sprint 257
    • 1
    • False

      Description of problem:

      Version-Release number of selected component (if applicable):

      4.14

      How reproducible:

      Always reproducible with OVN CNI

      Steps to Reproduce:

      • Create a project with an EgressFirewall
      $ oc new-project denyall-ef
      $ cat egressfirewall-default.yaml 
      apiVersion: k8s.ovn.org/v1
      kind: EgressFirewall
      metadata:
        name: default
      spec:
        egress:
        - to:
            cidrSelector: 0.0.0.0/0
          type: Deny
      $ cat egressfirewall-default.yaml | oc create -f -
      egressfirewall.k8s.ovn.org/default created

       

      •  Deploy an app as DeploymentConfig
      $ oc new-app httpd --as-deployment-config 
      --> Found image 2edd334 (3 weeks old) in image stream "openshift/httpd" under tag "2.4-ubi8" for "httpd"
          Apache httpd 2.4
          ----------------
      ...
      --> Creating resources ...
      Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
          deploymentconfig.apps.openshift.io "httpd" created
          service "httpd" created
      --> Success
          Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
           'oc expose service/httpd' 
          Run 'oc status' to view your app.

       

      • Check Status
        $ oc get pods
        NAME             READY   STATUS   RESTARTS   AGE
        httpd-1-deploy   0/1     Error    0          2m36s
        
        $ oc logs httpd-1-deploy
        error: couldn't get deployment httpd-1: Get "https://172.30.0.1:443/api/v1/namespaces/denyall-ef/replicationcontrollers/httpd-1": dial tcp 172.30.0.1:443: i/o timeout 

      Actual results:

      DeploymentConfig fails because of the EgressFirewall deny all rule

      Expected results:

      DeploymentConfig to succeed

      Additional info:

      With SDN, the issue is not faced  

              jaldinge@redhat.com Joe Aldinger
              rhn-support-pescorza Pamela Lizeth Escorza Gil
              Anurag Saxena Anurag Saxena
              Pamela Lizeth Escorza Gil
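
A pre-migration check for the condition reproduced above, added here as an example and not part of the original report or of OpenShift tooling: it walks each EgressFirewall's rules in order and lists the namespaces whose rules would deny traffic to the API server. The API server addresses, the second namespace and the function names are assumptions, and only cidrSelector rules are evaluated.

```python
import ipaddress

# Constructed sample, shaped like the "items" of `oc get egressfirewall -A -o json`.
# "denyall-ef" is the manifest from this report; "denyall-ef-allow" is hypothetical.
SAMPLE = {"items": [
    {"metadata": {"namespace": "denyall-ef", "name": "default"},
     "spec": {"egress": [
         {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}}]}},
    {"metadata": {"namespace": "denyall-ef-allow", "name": "default"},
     "spec": {"egress": [
         {"type": "Allow", "to": {"cidrSelector": "10.0.0.0/24"}},
         {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}}]}},
]}

# Assumed (placeholder) API server endpoint addresses; on a real cluster read
# them from `oc get endpoints kubernetes -n default`.
API_SERVER_IPS = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]


def verdict(rules, ip):
    """Type of the first cidrSelector rule that matches ip (rules apply in order)."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        # dnsName and nodeSelector rules are not evaluated by this check.
        cidr = rule.get("to", {}).get("cidrSelector")
        if cidr and addr in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return "Allow"  # no rule matched: egress is allowed by default


def blocked_namespaces(firewalls, api_ips):
    """Map namespace -> API server IPs its EgressFirewall would deny."""
    findings = {}
    for item in firewalls["items"]:
        rules = item["spec"].get("egress", [])
        denied = [ip for ip in api_ips if verdict(rules, ip) == "Deny"]
        if denied:
            findings[item["metadata"]["namespace"]] = denied
    return findings


if __name__ == "__main__":
    for ns, ips in blocked_namespaces(SAMPLE, API_SERVER_IPS).items():
        print(f"{ns}: deny rule reaches API server endpoints {', '.join(ips)}")
```
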