OCPBUGS-54250

AWS: Hosted control plane deploys NetworkPolicies affected by Cilium known issue


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version: 4.19
    • Component: HyperShift
    • Quality / Stability / Reliability
    • Severity: Low

Description of problem:

    Creating a hosted cluster on a management cluster with Cilium CNI on AWS also deploys network policies "management-kas" and "private-router" that use ipBlock.cidr. This block is used to allow egress traffic to all IP addresses except the Kube APIServer of the management cluster.
    This policy works correctly unless the traffic is targeting an IP address of a specific Pod. It correctly allows traffic to any IP addresses outside the cluster, and to addresses of Services or Endpoints. The only issue is when connecting directly to a Pod IP address. The CIDR block doesn't allow direct traffic to the Pod if the Pod IP falls within the range.
    This is caused by a known Cilium issue https://github.com/cilium/cilium/issues/9209.
    Setting the severity to "low" because I haven't seen any connection issues in Pods within the HCP namespace. The hosted cluster also starts correctly without any issues.
    However, this might be a problem in the future when some Pods need to communicate directly with other pods in other namespaces. In this case, the network policies would prevent the traffic.
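To make the reported behaviour concrete, here is an added Python model (not code from this report or from HyperShift) of an egress rule shaped like the one described, with a switch that emulates the Cilium behaviour from cilium/cilium#9209, plus an audit helper that flags ipBlock rules whose CIDR overlaps the pod CIDR. The policy contents, the pod CIDR and the API server address are assumed values.

```python
"""Model of the egress rule this report describes and an audit check for policies
hit by the Cilium ipBlock limitation. Added example, not from the bug report or
HyperShift; the policy, pod CIDR and KAS address below are constructed."""
import ipaddress

POD_CIDR = "10.128.0.0/14"  # assumed pod network of the management cluster

# Constructed policy with the shape the report gives for "management-kas":
# allow egress to every address except the management cluster's Kube APIServer.
MANAGEMENT_KAS_POLICY = {
    "metadata": {"name": "management-kas"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.12.34/32"]}}]}],
    },
}

def ipblock_matches(block, dst, pod_cidr=None):
    """Spec semantics: dst inside cidr and outside every except entry. With pod_cidr
    set, emulate cilium/cilium#9209: ipBlock peers never match a pod IP destination."""
    ip = ipaddress.ip_address(dst)
    if pod_cidr and ip in ipaddress.ip_network(pod_cidr):
        return False
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))

def egress_allowed(policy, dst, cilium=False):
    """True if some egress rule admits dst. Only ipBlock peers are evaluated;
    selector peers would need cluster state and are skipped."""
    pod_cidr = POD_CIDR if cilium else None
    return any(
        "ipBlock" in peer and ipblock_matches(peer["ipBlock"], dst, pod_cidr)
        for rule in policy["spec"].get("egress", [])
        for peer in rule.get("to", [])
    )

def ipblock_rules_covering_pods(policy, pod_cidr=POD_CIDR):
    """Audit helper: (rule index, cidr) of egress ipBlock CIDRs that overlap the pod
    CIDR. On Cilium these do not govern pod destinations, so pod-to-pod intent must
    be expressed with podSelector/namespaceSelector peers instead."""
    pod_net = ipaddress.ip_network(pod_cidr)
    return [
        (i, peer["ipBlock"]["cidr"])
        for i, rule in enumerate(policy["spec"].get("egress", []))
        for peer in rule.get("to", [])
        if "ipBlock" in peer
        and ipaddress.ip_network(peer["ipBlock"]["cidr"]).overlaps(pod_net)
    ]
```

Running the same destinations through both modes shows the reported split: an external address and the API server behave identically, while a pod IP is allowed per the spec but refused under the Cilium emulation.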

Version-Release number of selected component (if applicable):

    4.19

How reproducible:

    By running the conformance test suite for NetworkPolicies, which fails a few tests related to CIDR blocks.

Steps to Reproduce:

    1. Install a management cluster with Cilium CNI
    2. Check out https://github.com/openshift/origin
    3. Build the test binary: make WHAT=cmd/openshift-tests
    4. Run a specific NetworkPolicy test against the management cluster:
       cmd/openshift-tests run-test "[sig-network] Netpol NetworkPolicy between server and client should enforce except clause while egress access to server in CIDR block [Feature:NetworkPolicy] [Suite:openshift/conformance/parallel] [Suite:k8s]"

Actual results:

    fail [k8s.io/kubernetes/test/e2e/network/netpol/test_helper.go:129]: Had 7 wrong results in reachability matrix

    Can be seen in this run: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/62019/rehearse-62019-periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-cilium/1899372285446328320

Expected results:

    The test passes.

Additional info:

Assignee: Unassigned
Reporter: Martin Gencur (mgencur@redhat.com)