Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-44354

Multi-NetworkPolicy not working for default port field with protocol field defined

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • 4.18
    • Networking / SR-IOV
    • None
    • Important
    • No
    • CNF Network Sprint 263, CNF Network Sprint 264, CNF Network Sprint 266, CNF Network Sprint 267, CNF Network Sprint 268, CNF Network Sprint 269
    • 6
    • False
    • Hide

      None

      Show
      None
    • Before this update, a MultiNetworkPolicy was not enforced when the `protocol` field was specified and the `port` field was not. With this update, the policy allows connections from/to all the ports for the specified protocol only.
    • Bug Fix
    • Proposed

      Description of problem:

          Multi-NetworkPolicy when defined with protocol defined and port undefined, we expect it to match all ports with defined protocol (as per documentation). But policy is not being applied and it allows all traffic.
      
      Error Message in multus-networkpolicy logs:
      E1127 12:12:22.098844       1 server.go:661] sync rules failed for pod [policy-ns1/pod1]: exit status 2: iptables-restore v1.8.10 (nf_tables): invalid port/service `<nil>' specified
      Error occurred at line: 30
      
      https://docs.openshift.com/container-platform/4.17/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.html#spec-egress-ports-2
      
      

      Version-Release number of selected component (if applicable):

          4.18.ec2 

      How reproducible:

          --> Apply below policy. ports array should have only protocol defined but not port.
      
      apiVersion: k8s.cni.cncf.io/v1beta1
      kind: MultiNetworkPolicy
      metadata:
        annotations:
          k8s.v1.cni.cncf.io/policy-for: policy-test-ns1/bond-nad,policy-test-ns2/bond-nad
        name: egress-port
        namespace: policy-test-ns1
      spec:
        podSelector:
          matchLabels:
            app: pod1
        policyTypes:
        - Egress
        egress:
        - ports:
           - protocol: TCP

      Steps to Reproduce:

          1. Create SRIOV VFs, bond NAD and create pods that attach to bond NAD
          2. Apply MultiNetworkPolicy as mentioned above.
          3. Test egress traffic. 
          

      Actual results:

          Egress works as if no policy is applied. 

      Expected results:

          Egress should work only for TCP protocol to all ports

      Additional info:

          Must gather : https://drive.google.com/drive/folders/1Le1PdIGiOt965Hqr2xTUXyeDAUGhYYiN?usp=sharing
      
      

              apanatto@redhat.com Andrea Panattoni
              rh-ee-ajaggapa Anvesh Jaggapatruni
              Anvesh Jaggapatruni Anvesh Jaggapatruni
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: