[OCPBUGS-44354] Multi-NetworkPolicy not working for default port field with protocol field defined - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.18
Component/s: Networking / SR-IOV
Labels:
None

Severity:
Important
Regression:
No
Sprint:
CNF Network Sprint 263, CNF Network Sprint 264, CNF Network Sprint 266, CNF Network Sprint 267, CNF Network Sprint 268, CNF Network Sprint 269
sprint_count:
6
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
Before this update, a MultiNetworkPolicy was not enforced when the `protocol` field was specified and the `port` field was not. With this update, the policy allows connections from/to all the ports for the specified protocol only.
Release Note Type:
Bug Fix
Release Note Status:
Proposed
Internal Whiteboard:
RH Private Keywords:
Target Version:

4.19
Target Backport Versions:

4.18.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

    Multi-NetworkPolicy when defined with protocol defined and port undefined, we expect it to match all ports with defined protocol (as per documentation). But policy is not being applied and it allows all traffic.

Error Message in multus-networkpolicy logs:
E1127 12:12:22.098844       1 server.go:661] sync rules failed for pod [policy-ns1/pod1]: exit status 2: iptables-restore v1.8.10 (nf_tables): invalid port/service `<nil>' specified
Error occurred at line: 30

https://docs.openshift.com/container-platform/4.17/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.html#spec-egress-ports-2

Version-Release number of selected component (if applicable):

    4.18.ec2

How reproducible:

    --> Apply below policy. ports array should have only protocol defined but not port.

apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  annotations:
    k8s.v1.cni.cncf.io/policy-for: policy-test-ns1/bond-nad,policy-test-ns2/bond-nad
  name: egress-port
  namespace: policy-test-ns1
spec:
  podSelector:
    matchLabels:
      app: pod1
  policyTypes:
  - Egress
  egress:
  - ports:
     - protocol: TCP

Steps to Reproduce:

    1. Create SRIOV VFs, bond NAD and create pods that attach to bond NAD
    2. Apply MultiNetworkPolicy as mentioned above.
    3. Test egress traffic.

Actual results:

    Egress works as if no policy is applied.

Expected results:

    Egress should work only for TCP protocol to all ports

Additional info:

    Must gather : https://drive.google.com/drive/folders/1Le1PdIGiOt965Hqr2xTUXyeDAUGhYYiN?usp=sharing

blocks

OCPBUGS-54939 Multi-NetworkPolicy not working for default port field with protocol field defined

is cloned by

OCPBUGS-54939 Multi-NetworkPolicy not working for default port field with protocol field defined

links to

openshift/multus-networkpolicy#66: OCPBUGS-44354: Sync 20250204

u/s - k8snetworkplumbingwg/multi-networkpolicy-iptables/pull/71

Assignee:: Andrea Panattoni

Reporter:: Anvesh Jaggapatruni

QA Contact:: Anvesh Jaggapatruni

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/11/08 6:30 AM

Updated:: 2025/04/15 12:14 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates