-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
4.17.z, 4.16.z, 4.18.0
Hello Team,
When we deploy the HyperShift cluster with OpenShift Virtualization by specifying NodePort strategy for services, the requests to ignition, oauth, connectivity (for oc rsh, oc logs, oc exec), virt-launcher-hypershift-node-pool pod fails as by default following netpols get created automatically and restricting the traffic on on all other ports.
$ oc get netpol NAME POD-SELECTOR AGE kas app=kube-apiserver 153m openshift-ingress <none> 153m openshift-monitoring <none> 153m same-namespace <none> 153m
I resolved
$ cat ingress-netpol apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: ingress spec: ingress: - ports: - port: 31032 protocol: TCP podSelector: matchLabels: kubevirt.io: virt-launcher policyTypes: - Ingress $ cat oauth-netpol apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: oauth spec: ingress: - ports: - port: 6443 protocol: TCP podSelector: matchLabels: app: oauth-openshift hypershift.openshift.io/control-plane-component: oauth-openshift policyTypes: - Ingress $ cat ignition-netpol apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: nodeport-ignition-proxy spec: ingress: - ports: - port: 8443 protocol: TCP podSelector: matchLabels: app: ignition-server-proxy policyTypes: - Ingress $ cat konn-netpol apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: konn spec: ingress: - ports: - port: 8091 protocol: TCP podSelector: matchLabels: app: kube-apiserver hypershift.openshift.io/control-plane-component: kube-apiserver policyTypes: - Ingress
The bug for ignition netpol has already been reported.
--> https://issues.redhat.com/browse/OCPBUGS-39158
--> https://issues.redhat.com/browse/OCPBUGS-39317
It would be helpful if these policies get created automatically as well or maybe we get an option in HyperShift to disable the automatic management of network policies where we can manually take care of the network policies.
