
OAuth, Konnectivity, Ingress, Ignition fails due to netpol in HCP deployed with NodePort via KubeVirt


    • Important
    • Proposed
    • Release Note Not Required
    • In Progress

      This is a clone of issue OCPBUGS-44522. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-43973. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42879. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42579. The following is the description of the original issue:

      Hello Team,

      When we deploy the HyperShift cluster with OpenShift Virtualization by specifying the NodePort strategy for services, the requests to ignition, oauth, connectivity (for oc rsh, oc logs, oc exec) and the virt-launcher-hypershift-node-pool pod fail, as by default the following netpols get created automatically and restrict the traffic on all other ports.


      $ oc get netpol
      NAME                      POD-SELECTOR           AGE
      kas                       app=kube-apiserver     153m
      openshift-ingress         <none>                 153m
      openshift-monitoring      <none>                 153m
      same-namespace            <none>                 153m 

      I resolved

      $ cat ingress-netpol
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: ingress
      spec:
        ingress:
        - ports:
          - port: 31032
            protocol: TCP
        podSelector:
          matchLabels:
            kubevirt.io: virt-launcher
        policyTypes:
        - Ingress
      
      
      $ cat oauth-netpol
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: oauth
      spec:
        ingress:
        - ports:
          - port: 6443
            protocol: TCP
        podSelector:
          matchLabels:
            app: oauth-openshift
            hypershift.openshift.io/control-plane-component: oauth-openshift
        policyTypes:
        - Ingress
      
      
      $ cat ignition-netpol
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: nodeport-ignition-proxy
      spec:
        ingress:
        - ports:
          - port: 8443
            protocol: TCP
        podSelector:
          matchLabels:
            app: ignition-server-proxy
        policyTypes:
        - Ingress
      
      
      $ cat konn-netpol
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: konn
      spec:
        ingress:
        - ports:
          - port: 8091
            protocol: TCP
        podSelector:
          matchLabels:
            app: kube-apiserver
            hypershift.openshift.io/control-plane-component: kube-apiserver
        policyTypes:
        - Ingress

      The bug for ignition netpol has already been reported.

      --> https://issues.redhat.com/browse/OCPBUGS-39158

      --> https://issues.redhat.com/browse/OCPBUGS-39317


      It would be helpful if these policies got created automatically as well, or maybe we could get an option in HyperShift to disable the automatic management of network policies so that we can take care of the network policies manually.
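The following is an added example, not part of the report above and not HyperShift code. It models Kubernetes NetworkPolicy ingress evaluation offline so the symptom can be reproduced without a cluster: the four workaround policies are transcribed from the report as Python dicts, while the "same-namespace" policy is a constructed stand-in (the report shows only its name and its empty pod selector) and the kas, openshift-ingress and openshift-monitoring policies are left out because their rules are not shown. The model covers matchLabels selectors, same-namespace podSelector peers and numeric ports only; matchExpressions, namespaceSelector, ipBlock, named ports and endPort are not handled. The pod label sets for the NodePort targets are taken from the podSelectors in the report.

```python
"""Offline model of NetworkPolicy ingress semantics (added example, not HyperShift code).

Assumptions: only matchLabels selectors, same-namespace podSelector peers and
numeric ports are modelled; the same-namespace policy below is constructed.
"""

# Constructed stand-in for the auto-created "same-namespace" policy: it selects
# every pod and admits ingress only from pods in the same namespace, so every
# pod in the namespace becomes isolated for ingress.
SAME_NAMESPACE = {
    "metadata": {"name": "same-namespace"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [{"podSelector": {}}]}],
        "policyTypes": ["Ingress"],
    },
}


def allow_port_policy(name, match_labels, port, protocol="TCP"):
    """Build a policy admitting ingress on one port to pods carrying the labels."""
    return {
        "metadata": {"name": name},
        "spec": {
            "podSelector": {"matchLabels": dict(match_labels)},
            "ingress": [{"ports": [{"port": port, "protocol": protocol}]}],
            "policyTypes": ["Ingress"],
        },
    }


COMPONENT = "hypershift.openshift.io/control-plane-component"
KAS_LABELS = {"app": "kube-apiserver", COMPONENT: "kube-apiserver"}
OAUTH_LABELS = {"app": "oauth-openshift", COMPONENT: "oauth-openshift"}
IGNITION_LABELS = {"app": "ignition-server-proxy"}
VIRT_LAUNCHER_LABELS = {"kubevirt.io": "virt-launcher"}

# The workaround policies from the report, transcribed from the YAML.
WORKAROUND_POLICIES = [
    allow_port_policy("ingress", VIRT_LAUNCHER_LABELS, 31032),
    allow_port_policy("oauth", OAUTH_LABELS, 6443),
    allow_port_policy("nodeport-ignition-proxy", IGNITION_LABELS, 8443),
    allow_port_policy("konn", KAS_LABELS, 8091),
]

# Backend pod labels and port for each NodePort service the report says fails.
NODEPORT_TARGETS = {
    "ignition": (IGNITION_LABELS, 8443),
    "konnectivity": (KAS_LABELS, 8091),
    "oauth": (OAUTH_LABELS, 6443),
    "virt-launcher": (VIRT_LAUNCHER_LABELS, 31032),
}


def selector_matches(selector, labels):
    """An empty selector matches every pod; otherwise all matchLabels must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def rule_allows(rule, port, protocol, from_same_namespace):
    """One ingress rule admits a connection when the source matches a listed
    'from' peer (any source if none are listed) and the port matches a listed
    'ports' entry (any port if none are listed)."""
    peers = rule.get("from") or []
    if peers:
        # Only podSelector peers without a namespaceSelector are modelled; they
        # admit pods from the policy's own namespace, never NodePort traffic.
        if not any("podSelector" in p and "namespaceSelector" not in p
                   and from_same_namespace for p in peers):
            return False
    ports = rule.get("ports") or []
    if not ports:
        return True
    return any(e.get("port") == port and e.get("protocol", "TCP") == protocol
               for e in ports)


def ingress_allowed(policies, pod_labels, port, protocol="TCP", from_same_namespace=False):
    """Policies are additive: a pod selected by any Ingress-type policy is isolated
    and the connection needs one matching rule across all policies selecting it."""
    isolating = [
        p for p in policies
        if selector_matches(p["spec"].get("podSelector", {}), pod_labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not isolating:
        return True  # no policy selects the pod: ingress is unrestricted
    return any(rule_allows(rule, port, protocol, from_same_namespace)
               for p in isolating for rule in p["spec"].get("ingress") or [])


def blocked_targets(policies):
    """Sorted names of NodePort targets that traffic from outside the namespace cannot reach."""
    return sorted(name for name, (labels, port) in NODEPORT_TARGETS.items()
                  if not ingress_allowed(policies, labels, port))


if __name__ == "__main__":
    print("default policies only:", blocked_targets([SAME_NAMESPACE]))
    print("with workaround      :", blocked_targets([SAME_NAMESPACE] + WORKAROUND_POLICIES))
```

Running it shows all four targets blocked for traffic from outside the namespace when only the same-namespace policy applies, while pod-to-pod traffic inside the namespace still passes; adding the four workaround policies empties the blocked list. Because policies are additive, the fix never needs to touch the auto-created policies, which is why an opt-out of automatic management is not strictly required to make NodePort work.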


              ocohen@redhat.com Oren Cohen
              openshift-crt-jira-prow OpenShift Prow Bot
              Liangquan Li Liangquan Li