Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-37230

[enterprise-4.16] Deny all ingress traffic AdminNetworkPolicy is not working

XMLWordPrintable

    • None
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Deny all ingress traffic via route is not working as expected    

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          100% fully reproducible

      Steps to Reproduce:

       Create the below admin network policy, 

      [root@bastion temp]# cat zanpnetpol.yaml 
      apiVersion: policy.networking.k8s.io/v1alpha1
      kind: AdminNetworkPolicy
      metadata:
        name: sample-anand-anp-deny-pass-rules 
      spec:
        priority: 50 
        subject:
          namespaces:
            matchLabels:
                kubernetes.io/metadata.name: tenant2
        ingress: 
        - name: "deny-all-ingress-tenant-2" 
          action: "Deny"
          from:
          - pods:
              namespaceSelector:
                matchLabels:
                  policy-group.network.openshift.io/ingress: ""
              podSelector: {}
      
      [root@bastion temp]# oc apply -f zanpnetpol.yaml 
      adminnetworkpolicy.policy.networking.k8s.io/sample-anand-anp-deny-pass-rules created

       

      Actual results:

      [root@bastion ~]# curl -skviI httpd-tenant2.apps.ocp4.anand.com
      *   Trying 10.74.249.102:80...
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.76.1
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 403 Forbidden
      HTTP/1.1 403 Forbidden
      < date: Thu, 18 Jul 2024 08:34:46 GMT
      date: Thu, 18 Jul 2024 08:34:46 GMT
      < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      < last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      < etag: "133f-5c6f23d09f000"
      etag: "133f-5c6f23d09f000"
      < accept-ranges: bytes
      accept-ranges: bytes
      < content-length: 4927
      content-length: 4927
      < content-type: text/html; charset=UTF-8
      content-type: text/html; charset=UTF-8
      < set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      < 
      * Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact
      [root@bastion ~]#
      
      
      [root@bastion ~]# oc -n tenant1 exec deploy/httpd -- curl -skviI httpd-tenant2.apps.ocp4.anand.com
      * Rebuilt URL to: httpd-tenant2.apps.ocp4.anand.com/
      *   Trying 10.74.249.102...
      * TCP_NODELAY set
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      < HTTP/1.1 403 Forbidden
      < date: Thu, 18 Jul 2024 08:20:14 GMT
      < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
      < last-modified: Mon, 12 Jul 2021 19:36:32 GMT
      < etag: "133f-5c6f23d09f000"
      < accept-ranges: bytes
      < content-length: 4927
      < content-type: text/html; charset=UTF-8
      < set-cookie: 6c940d49452052c4e26888700a466e34=1b8eef7c680e5a5f0921b8cf3bd7647a; path=/; HttpOnly
      < 
      * Connection #0 to host httpd-tenant2.apps.ocp4.anand.com left intact    

      Expected results:

      The connection should be blocked while accessing the app through route.     

      Additional info: The same was working as expected while using NetworkPolicy. 

      1. Created an network policy deny-by-default 
      
      [root@bastion temp]# cat denybydefault.yaml 
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: deny-by-default
      spec:
        podSelector: {}
        ingress: []
      
      [root@bastion ~]#  curl -skviI httpd-tenant2.apps.ocp4.anand.com
      *   Trying 10.74.249.102:80...
      * Connected to httpd-tenant2.apps.ocp4.anand.com (10.74.249.102) port 80 (#0)
      > HEAD / HTTP/1.1
      > Host: httpd-tenant2.apps.ocp4.anand.com
      > User-Agent: curl/7.76.1
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      * HTTP 1.0, assume close after body
      < HTTP/1.0 503 Service Unavailable
      HTTP/1.0 503 Service Unavailable
      < pragma: no-cache
      pragma: no-cache
      < cache-control: private, max-age=0, no-cache, no-store
      cache-control: private, max-age=0, no-cache, no-store
      < content-type: text/html
      content-type: text/html
      < 
      * Closing connection 0    
      
      2. After creating an allow-by-ingress policy, the URL can be accessed. 
      
      [root@bastion temp]# cat netpol.yaml 
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: anand
        namespace: tenant2
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
        podSelector: {}
        policyTypes:
        - Ingress
      
      
      

              sseethar Surya Seetharaman
              rhn-support-anr Anand R
              Arti Sood Arti Sood
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: