- Bug
- Resolution: Unresolved
- Major
- 4.16
- Quality / Stability / Reliability
- False
Description of problem:
Deny all ingress traffic via route is not working as expected
Version-Release number of selected component (if applicable):
4.16
How reproducible:
100% fully reproducible
Steps to Reproduce:
Create the below admin network policy,
[root@bastion temp]# cat zanpnetpol.yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: sample-anand-anp-deny-pass-rules
spec:
  priority: 50
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: tenant2
  ingress:
  - name: "deny-all-ingress-tenant-2"
    action: "Deny"
    from:
    - pods:
        namespaceSelector:
          matchLabels:
            policy-group.network.openshift.io/ingress: ""
        podSelector: {}
[root@bastion temp]# oc apply -f zanpnetpol.yaml
adminnetworkpolicy.policy.networking.k8s.io/sample-anand-anp-deny-pass-rules created
Actual results:
[root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Trying 10.74.249.102:80...
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< date: Thu, 18 Jul 2024 08:34:46 GMT
date: Thu, 18 Jul 2024 08:34:46 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
< last-modified: Mon, 12 Jul 2021 19:36:32 GMT
last-modified: Mon, 12 Jul 2021 19:36:32 GMT
< etag: "133f-5c6f23d09f000"
etag: "133f-5c6f23d09f000"
< accept-ranges: bytes
accept-ranges: bytes
< content-length: 4927
content-length: 4927
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
<
* Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
[root@bastion ~]#
[root@bastion ~]# oc -n tenant1 exec deploy/httpd -- curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Rebuilt URL to: httpd-tenant2.apps.ocp4.anand.com/
* Trying 10.74.249.102...
* TCP_NODELAY set
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< date: Thu, 18 Jul 2024 08:20:14 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
< last-modified: Mon, 12 Jul 2021 19:36:32 GMT
< etag: "133f-5c6f23d09f000"
< accept-ranges: bytes
< content-length: 4927
< content-type: text/html; charset=UTF-8
< set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
<
* Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
Expected results:
The connection should be blocked while accessing the app through route.
Additional info: The same was working as expected while using NetworkPolicy.
1. Created a network policy deny-by-default
[root@bastion temp]# cat denybydefault.yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
spec:
  podSelector: {}
  ingress: []
[root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
* Trying 10.74.249.102:80...
* Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
> HEAD / HTTP/1.1
> Host: httpd-tenant2.apps.ocp4.anand.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
HTTP/1.0 503 Service Unavailable
< pragma: no-cache
pragma: no-cache
< cache-control: private, max-age=0, no-cache, no-store
cache-control: private, max-age=0, no-cache, no-store
< content-type: text/html
content-type: text/html
<
* Closing connection 0
2. After creating an allow-by-ingress policy, the URL can be accessed.
[root@bastion temp]# cat netpol.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: anand
  namespace: tenant2
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector: {}
  policyTypes:
  - Ingress
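Two offline checks that help triage a report like this one, written here as an added example (this is not code from the bug report, from OpenShift, or from the ANP project). The first evaluates the namespace selectors used by the AdminNetworkPolicy and the NetworkPolicy above against a label set for the router namespace; that label set is constructed and assumes the openshift-ingress namespace carries both labels the report uses, which must be confirmed with oc get ns openshift-ingress --show-labels on the real cluster. The second classifies a curl -skviI transcript by who answered: the application (the 403 with an Apache Server header in the actual results) or the router's own error page (the HTTP/1.0 503 without a Server header seen once the deny-by-default NetworkPolicy was in place). The assumption that the router's error page carries no Server header is taken from the captured 503 and is marked in the code.

```python
"""Added example: selector matching and response-origin checks for the
AdminNetworkPolicy vs NetworkPolicy reproduction above. All label sets and
transcripts below are constructed from the report, not fetched from a cluster."""
import re

# Constructed label set for the router namespace (assumption: both labels used
# in the report are present; verify with: oc get ns openshift-ingress --show-labels).
INGRESS_NS_LABELS = {
    "kubernetes.io/metadata.name": "openshift-ingress",
    "network.openshift.io/policy-group": "ingress",
    "policy-group.network.openshift.io/ingress": "",
}

# Namespace selectors lifted from the two policies in the report.
ANP_PEER_NS_SELECTOR = {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}
NP_PEER_NS_SELECTOR = {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector (matchLabels plus the In, NotIn,
    Exists and DoesNotExist matchExpressions operators) against a label map."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def response_origin(curl_output):
    """Classify the '< ' response lines of a 'curl -skviI' transcript.
    'backend': the application answered (a Server header is present).
    'router':  the OpenShift router answered for an unreachable backend
               (HTTP/1.0 503 with no Server header; assumption drawn from the
               captured 503 in the report).
    """
    status = None
    headers = {}
    for line in curl_output.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:].strip()
        m = re.match(r"HTTP/(\d\.\d) (\d{3})", body)
        if m:
            status = (m.group(1), int(m.group(2)))
            continue
        name, sep, val = body.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    if status is None:
        return "no-response"
    if "server" in headers:
        return "backend"
    if status == ("1.0", 503):
        return "router"
    return "unknown"


def deny_policy_enforced(curl_output):
    """With a deny-all ingress policy in place, a response that originates from
    the backend means the policy did not take effect for route traffic."""
    return response_origin(curl_output) != "backend"


# Constructed transcripts, trimmed from the report's actual and expected results.
ANP_RESPONSE = """\
< HTTP/1.1 403 Forbidden
< date: Thu, 18 Jul 2024 08:34:46 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
< content-length: 4927
<
"""
NP_RESPONSE = """\
< HTTP/1.0 503 Service Unavailable
< pragma: no-cache
< cache-control: private, max-age=0, no-cache, no-store
< content-type: text/html
<
"""


def check_report():
    """Run both checks and return the findings as a dict."""
    return {
        "anp_selector_matches_router_ns": selector_matches(ANP_PEER_NS_SELECTOR, INGRESS_NS_LABELS),
        "np_selector_matches_router_ns": selector_matches(NP_PEER_NS_SELECTOR, INGRESS_NS_LABELS),
        "anp_origin": response_origin(ANP_RESPONSE),
        "np_origin": response_origin(NP_RESPONSE),
        "anp_deny_enforced": deny_policy_enforced(ANP_RESPONSE),
        "np_deny_enforced": deny_policy_enforced(NP_RESPONSE),
    }


if __name__ == "__main__":
    for name, value in check_report().items():
        print(f"{name}: {value}")
```

If the selector check fails against the labels actually present on the router namespace, the deny rule never selects the router pods and the 403 is explained by the policy rather than by enforcement; if both selectors match, as with the constructed labels here, the difference between the two policies lies elsewhere and the response-origin check is the quickest way to confirm whether route traffic is still reaching the backend after each policy change.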