Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: None
Affects Version/s: 4.19
Component/s: HyperShift
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Low
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    Creating a hosted cluster on a management cluster with Cilium CNI on AWS also deploys network policies "management-kas" and "private-router" that use ipBlock.cidr. This block is used to allow egress traffic to all IP addresses except the Kube APIServer of the management cluster.
    This policy works correctly unless the traffic is targeting an IP address of a specific Pod. It correctly allows traffic to any IP addresses outside the cluster, to addresses of Services or Endpoints. The only issue is when connecting directly to Pod IP address. The CIDR block doesn't allow direct traffic to the Pod if the Pod IP falls within the range.
    This is caused by a known Cilium issue https://github.com/cilium/cilium/issues/9209.
    Setting the severity to "low" because I haven't seen any connection issues in Pods within the HCP namespace. The hosted cluster also starts correctly without any issues.
    However, this might be a problem in the future when some Pods need to communicate directly with other pods in other namespaces.
In this case, the network policies would prevent the traffic.

Version-Release number of selected component (if applicable):

    4.19

How reproducible:

    By running conformance test suite for NetworkPolicies which fails a few tests related to CIDR block.

Steps to Reproduce:

    1. Install a management cluster with Cilium CNI
    2. Checkout https://github.com/openshift/origin
    3. Build the test binary: make WHAT=cmd/openshift-tests
    4. Run a specific NetworkPolicy test against the management cluster: 
cmd/openshift-tests run-test "[sig-network] Netpol NetworkPolicy between server and client should enforce except clause while egress access to server in CIDR block [Feature:NetworkPolicy] [Suite:openshift/conformance/parallel] [Suite:k8s]"

Actual results:

    fail [k8s.io/kubernetes/test/e2e/network/netpol/test_helper.go:129]: Had 7 wrong results in reachability matrix

    Can be seen in this run: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/62019/rehearse-62019-periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-cilium/1899372285446328320

Expected results:

    The test passes.

Additional info:

Assignee:: Unassigned

Reporter:: Martin Gencur

Need Info From:: None

Contributors:: None

QA Contact:: Martin Gencur

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/03/26 12:35 PM

Updated:: 2025/07/14 1:30 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates