Bug
Resolution: Unresolved
Major
4.16
Description of problem:
Denying all ingress traffic with an AdminNetworkPolicy does not block traffic that reaches the application through a Route.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
100% reproducible
Steps to Reproduce:
Create the AdminNetworkPolicy below:
[root@bastion temp]# cat zanpnetpol.yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: sample-anand-anp-deny-pass-rules
spec:
  priority: 50
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: tenant2
  ingress:
  - name: "deny-all-ingress-tenant-2"
    action: "Deny"
    from:
    - pods:
        namespaceSelector:
          matchLabels:
            policy-group.network.openshift.io/ingress: ""
        podSelector: {}
[root@bastion temp]# oc apply -f zanpnetpol.yaml
adminnetworkpolicy.policy.networking.k8s.io/sample-anand-anp-deny-pass-rules created
Actual results:
[root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Trying 10.74.249.102:80...
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< date: Thu, 18 Jul 2024 08:34:46 GMT
date: Thu, 18 Jul 2024 08:34:46 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
< last-modified: Mon, 12 Jul 2021 19:36:32 GMT
last-modified: Mon, 12 Jul 2021 19:36:32 GMT
< etag: "133f-5c6f23d09f000"
etag: "133f-5c6f23d09f000"
< accept-ranges: bytes
accept-ranges: bytes
< content-length: 4927
content-length: 4927
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
<
* Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
[root@bastion ~]#
[root@bastion ~]# oc -n tenant1 exec deploy/httpd -- curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Rebuilt URL to: httpd-tenant2.apps.ocp4.anand.com/
* Trying 10.74.249.102...
* TCP_NODELAY set
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< date: Thu, 18 Jul 2024 08:20:14 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
< last-modified: Mon, 12 Jul 2021 19:36:32 GMT
< etag: "133f-5c6f23d09f000"
< accept-ranges: bytes
< content-length: 4927
< content-type: text/html; charset=UTF-8
< set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
<
* Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
Expected results:
The connection should be blocked when the application is accessed through the Route.
Additional info: The same scenario works as expected with a NetworkPolicy.
1. Created a deny-by-default NetworkPolicy:
[root@bastion temp]# cat denybydefault.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
spec:
  podSelector: {}
  ingress: []
[root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Trying 10.74.249.102:80...
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
HTTP/1.0 503 Service Unavailable
< pragma: no-cache
pragma: no-cache
< cache-control: private, max-age=0, no-cache, no-store
cache-control: private, max-age=0, no-cache, no-store
< content-type: text/html
content-type: text/html
<
* Closing connection 0
2. After creating an allow-from-ingress NetworkPolicy, the URL can be accessed again:
[root@bastion temp]# cat netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: anand
  namespace: tenant2
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress
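As an added pre-flight check (example code written for this report, not the reporter's or OpenShift's), the script below resolves the namespace selectors used by the AdminNetworkPolicy and the NetworkPolicy above against a constructed set of namespace labels, so you can see which namespaces a deny or allow peer actually covers before trusting it. The labels on the openshift-ingress namespace are an assumption, not data from this page.

```python
"""Resolve a policy's namespaceSelector against namespace labels (matchLabels + matchExpressions)."""
from typing import Dict, List

# Constructed sample, not a cluster dump: the router namespace is ASSUMED to carry
# both policy-group labels; tenant namespaces carry only the metadata.name label.
NAMESPACES: Dict[str, Dict[str, str]] = {
    "openshift-ingress": {
        "kubernetes.io/metadata.name": "openshift-ingress",
        "network.openshift.io/policy-group": "ingress",   # label used by the NetworkPolicy
        "policy-group.network.openshift.io/ingress": "",  # label used by the AdminNetworkPolicy
    },
    "tenant1": {"kubernetes.io/metadata.name": "tenant1"},
    "tenant2": {"kubernetes.io/metadata.name": "tenant2"},
}

def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """Kubernetes LabelSelector semantics: every matchLabels entry AND every matchExpression
    must hold. An empty selector ({}) matches everything, so namespaceSelector: {} is 'all namespaces'."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def selected_namespaces(selector: dict, namespaces: Dict[str, Dict[str, str]] = NAMESPACES) -> List[str]:
    """Names of the namespaces the selector matches, sorted for stable comparison."""
    return sorted(ns for ns, labels in namespaces.items() if selector_matches(selector, labels))

# Selectors copied from the two policies in this report.
ANP_SUBJECT = {"matchLabels": {"kubernetes.io/metadata.name": "tenant2"}}
ANP_DENY_PEER = {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}
NP_ALLOW_PEER = {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}

if __name__ == "__main__":
    for name, sel in (("ANP subject", ANP_SUBJECT), ("ANP deny peer", ANP_DENY_PEER), ("NP allow peer", NP_ALLOW_PEER)):
        print(f"{name:14s} -> {selected_namespaces(sel)}")
```

Replace the constructed labels with the real ones from `oc get ns --show-labels`; a peer selector that resolves to no namespace gives the rule nothing to match.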