OCPBUGS-44354

Multi-NetworkPolicy not working for default port field with protocol field defined


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • 4.19.0
    • 4.18
    • Networking / SR-IOV
    • Quality / Stability / Reliability
    • Important
    • CNF Network Sprint 263, CNF Network Sprint 264, CNF Network Sprint 266, CNF Network Sprint 267, CNF Network Sprint 268, CNF Network Sprint 269
    • 6
    • Done
    • Bug Fix
      * Previously, a `MultiNetworkPolicy` was not enforced when the `protocol` parameter was specified but the `port` parameter was not. This caused all network traffic to reach the cluster. With this release, the `MultiNetworkPolicy` only allows connections from and to the ports specified together with the `protocol` parameter, so that only the intended traffic reaches the cluster. (link:https://issues.redhat.com/browse/OCPBUGS-44354[OCPBUGS-44354])

      Description of problem:

          When a Multi-NetworkPolicy is defined with protocol defined and port undefined, we expect it to match all ports with the defined protocol (as per the documentation). But the policy is not being applied and it allows all traffic.
      
      Error Message in multus-networkpolicy logs:
      E1127 12:12:22.098844       1 server.go:661] sync rules failed for pod [policy-ns1/pod1]: exit status 2: iptables-restore v1.8.10 (nf_tables): invalid port/service `<nil>' specified
      Error occurred at line: 30
      
      https://docs.openshift.com/container-platform/4.17/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.html#spec-egress-ports-2
      
      

      Version-Release number of selected component (if applicable):

          4.18.ec2 

      How reproducible:

          --> Apply the policy below. The ports array should have only protocol defined, not port.
      
      apiVersion: k8s.cni.cncf.io/v1beta1
      kind: MultiNetworkPolicy
      metadata:
        annotations:
          k8s.v1.cni.cncf.io/policy-for: policy-test-ns1/bond-nad,policy-test-ns2/bond-nad
        name: egress-port
        namespace: policy-test-ns1
      spec:
        podSelector:
          matchLabels:
            app: pod1
        policyTypes:
        - Egress
        egress:
        - ports:
          - protocol: TCP

      Steps to Reproduce:

          1. Create SR-IOV VFs and a bond NAD, and create pods that attach to the bond NAD.
          2. Apply the MultiNetworkPolicy shown above.
          3. Test egress traffic.
          

      Actual results:

          Egress works as if no policy is applied. 

      Expected results:

          Egress should work only for the TCP protocol, to all ports.
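      The following Go sketch is added here to illustrate the defect the log line points at and the fix described in the release note; it is not multus-networkpolicy's own code. With `protocol` set and `port` nil, a renderer that always emits `--dport` formats the nil port as `<nil>`, which iptables-restore rejects, so the whole rule set fails to load and the pod keeps its allow-all state; the corrected renderer drops `--dport` so every TCP port matches. The `Port` type, chain name and rule strings are simplified assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Port is a simplified stand-in (assumption, not the real API type) for one entry of
// a MultiNetworkPolicy ports array: Protocol is set, Port may be absent (nil).
type Port struct {
	Protocol string
	Port     *int32
}

// buggyRule always emits --dport and formats the pointer with %v, so a nil Port
// becomes the literal "<nil>" that iptables-restore rejected in the reported log.
func buggyRule(p Port) string {
	return fmt.Sprintf("-A EGRESS -p %s --dport %v -j ACCEPT", strings.ToLower(p.Protocol), p.Port)
}

// fixedRule emits --dport only when a port is given; without it the rule matches
// every port of the protocol, which is the documented meaning of a protocol-only entry.
func fixedRule(p Port) string {
	var b strings.Builder
	fmt.Fprintf(&b, "-A EGRESS -p %s", strings.ToLower(p.Protocol))
	if p.Port != nil {
		fmt.Fprintf(&b, " --dport %d", *p.Port)
	}
	b.WriteString(" -j ACCEPT")
	return b.String()
}

// validateRules is a pre-flight check a controller can run before calling
// iptables-restore: a single "<nil>" token makes the restore fail as a whole,
// leaving the previous (here: allow-all) rule set in place.
func validateRules(rules []string) error {
	for i, r := range rules {
		if strings.Contains(r, "<nil>") {
			return fmt.Errorf("line %d: nil port rendered into rule %q", i+1, r)
		}
	}
	return nil
}

func main() {
	tcpAll := Port{Protocol: "TCP"} // protocol defined, port undefined (the bug's input)
	fmt.Println(buggyRule(tcpAll))  // -A EGRESS -p tcp --dport <nil> -j ACCEPT
	fmt.Println(fixedRule(tcpAll))  // -A EGRESS -p tcp -j ACCEPT
	fmt.Println(validateRules([]string{buggyRule(tcpAll)}))
}
```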

      Additional info:

          Must gather : https://drive.google.com/drive/folders/1Le1PdIGiOt965Hqr2xTUXyeDAUGhYYiN?usp=sharing
      
      

              Andrea Panattoni (apanatto@redhat.com)
              Anvesh Jaggapatruni (rh-ee-ajaggapa)
              Votes: 0
              Watchers: 7