Undefined Description of problem:
Multi-NetworkPolicy when defined with protocol defined and port undefined, we expect it to match all ports with defined protocol (as per documentation). But policy is not being applied and it allows all traffic.
Error Message in multus-networkpolicy logs:
E1127 12:12:22.098844 1 server.go:661] sync rules failed for pod [policy-ns1/pod1]: exit status 2: iptables-restore v1.8.10 (nf_tables): invalid port/service `<nil>' specified
Error occurred at line: 30
https://docs.openshift.com/container-platform/4.17/rest_api/network_apis/multinetworkpolicy-k8s-cni-cncf-io-v1beta1.html#spec-egress-ports-2
Version-Release number of selected component (if applicable):
4.18.ec2
How reproducible:
--> Apply below policy. ports array should have only protocol defined but not port.
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
annotations:
k8s.v1.cni.cncf.io/policy-for: policy-test-ns1/bond-nad,policy-test-ns2/bond-nad
name: egress-port
namespace: policy-test-ns1
spec:
podSelector:
matchLabels:
app: pod1
policyTypes:
- Egress
egress:
- ports:
- protocol: TCP
Steps to Reproduce:
1. Create SRIOV VFs, bond NAD and create pods that attach to bond NAD
2. Apply MultiNetworkPolicy as mentioned above.
3. Test egress traffic.
Actual results:
Egress works as if no policy is applied.
Expected results:
Egress should work only for TCP protocol to all ports
Additional info:
Must gather : https://drive.google.com/drive/folders/1Le1PdIGiOt965Hqr2xTUXyeDAUGhYYiN?usp=sharing
