Bug
Resolution: Not a Bug
Major
4.19
Quality / Stability / Reliability
Important
Proposed
Description of problem:
Version-Release number of selected component (if applicable):
EndPort can not be configured in MultiNetworkPolicy
How reproducible:
Always
Steps to Reproduce:
Enable MultiNetworkPolicy
$ oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec":{"useMultiNetworkPolicy":true}}'
network.operator.openshift.io/cluster patched
$ oc get networks.operator.openshift.io cluster -o jsonpath={.spec.useMultiNetworkPolicy}
true
$ cat bridge_macvlan.yaml
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: bridge-macvlan
spec:
  config: '{
      "cniVersion": "0.4.0",
      "type": "macvlan",
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.210.0/24"
      }
    }'
$ cat test_pod_client.yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: test-pod-client
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: blue
      annotations:
        k8s.v1.cni.cncf.io/networks: macvlan-bridge-whereabouts
    spec:
      containers:
      - name: test-pod-client
        image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      nodeName: ip-10-0-69-200.us-east-2.compute.internal
$ cat test_pod_server.yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: test-pod-server
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: blue
      annotations:
        k8s.v1.cni.cncf.io/networks: macvlan-bridge-whereabouts
    spec:
      containers:
      - name: test-pod-server
        image: quay.io/openshifttest/hello-sdn@sha256:c89445416459e7adea9a5a416b3365ed3d74f2491beb904d61dc8d1eb89a72a4
        ports:
        - containerPort: 32768
          protocol: TCP
        - containerPort: 32768
          protocol: UDP
        - containerPort: 32768
          protocol: SCTP
        - containerPort: 32000
          protocol: TCP
        - containerPort: 32000
          protocol: UDP
        - containerPort: 32000
          protocol: SCTP
        - containerPort: 32500
          protocol: TCP
        - containerPort: 32500
          protocol: UDP
        - containerPort: 32500
          protocol: SCTP
        - containerPort: 32001
          protocol: TCP
        - containerPort: 32001
          protocol: UDP
        - containerPort: 32001
          protocol: SCTP
        - containerPort: 32769
          protocol: TCP
        - containerPort: 32769
          protocol: UDP
        - containerPort: 32769
          protocol: SCTP
        env:
        - name: RESPONSE
          value: test-pod-server
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      nodeName: ip-10-0-69-200.us-east-2.compute.internal
$ oc get pod
NAME                    READY   STATUS    RESTARTS   AGE
test-pod-client-7j4fd   1/1     Running   0          5m25s
test-pod-server-q7ss8   1/1     Running   0          5m24s
$ cat mnp_ingress_endport.yaml
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: ingress-policy
  annotations:
    k8s.v1.cni.cncf.io/policy-for: macvlan-bridge-whereabouts
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from: []
    ports:
    - protocol: TCP
      port: 32000
      endPort: 32768
    - protocol: UDP
      port: 32000
      endPort: 32768
    - protocol: SCTP
      port: 32000
      endPort: 32768
$ oc describe multi-networkpolicy ingress-policy
Name:         ingress-policy
Namespace:    green-network
Labels:       <none>
Annotations:  k8s.v1.cni.cncf.io/policy-for: macvlan-bridge-whereabouts
API Version:  k8s.cni.cncf.io/v1beta1
Kind:         MultiNetworkPolicy
Metadata:
  Creation Timestamp:  2025-04-04T20:22:48Z
  Generation:          1
  Resource Version:    127872
  UID:                 7f74fb6d-31af-4cdb-903a-c8470733819f
Spec:
  Ingress:
    From:
    Ports:
      End Port:  32768
      Port:      32000
      Protocol:  TCP
      End Port:  32768
      Port:      32000
      Protocol:  UDP
      End Port:  32768
      Port:      32000
      Protocol:  SCTP
  Pod Selector:
  Policy Types:
    Ingress
Events:  <none>
Actual results:
tcp/udp/sctp passed for ports 32000
udp passed for ports 32768, 32500, 31999 and 32769
tcp and sctp fail for ports 32768, 32500, 31999 and 32769
Expected results:
tcp/udp/sctp should pass for ports 32000, 32768, 32500
tcp/udp/sctp should fail for ports 31999 and 32769
Additional info:
relates to: CORENET-5645 Support EndPort in MultiNetworkPolicy (Closed)
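The expected and actual results above can be compared mechanically. The following is an added example, not part of the original report or of the MultiNetworkPolicy project: it assumes the policy is meant to follow the Kubernetes NetworkPolicy meaning of `endPort` (an inclusive `port`..`endPort` range), and every function name in it is hypothetical. The observed verdicts are transcribed from "Actual results".

```python
# Ports stanza copied from mnp_ingress_endport.yaml in the report.
POLICY_PORTS = [
    {"protocol": "TCP", "port": 32000, "endPort": 32768},
    {"protocol": "UDP", "port": 32000, "endPort": 32768},
    {"protocol": "SCTP", "port": 32000, "endPort": 32768},
]
PROBED_PORTS = [31999, 32000, 32500, 32768, 32769]

# Observed verdicts transcribed from "Actual results" (True = traffic passed).
OBSERVED = {}
for p in PROBED_PORTS:
    OBSERVED[("TCP", p)] = p == 32000
    OBSERVED[("SCTP", p)] = p == 32000
    OBSERVED[("UDP", p)] = True


def rule_matches(rule, protocol, port):
    """Assumed NetworkPolicy semantics: port..endPort is an inclusive range."""
    if rule.get("protocol", "TCP") != protocol:
        return False
    start, end = rule.get("port"), rule.get("endPort")
    if start is None:
        if end is not None:
            raise ValueError("endPort requires port to be set")
        return True  # no port restriction for this protocol
    if end is None:
        end = start
    if not isinstance(start, int) or end < start:
        raise ValueError("endPort needs a numeric port and endPort >= port")
    return start <= port <= end


def expected_verdict(rules, protocol, port):
    """True when an Ingress rule with these port entries admits the packet."""
    return any(rule_matches(r, protocol, port) for r in rules)


def mismatches(rules, observed):
    """Return (protocol, port, expected, observed) for every disagreement."""
    out = []
    for (proto, port), seen in sorted(observed.items()):
        want = expected_verdict(rules, proto, port)
        if want != seen:
            out.append((proto, port, want, seen))
    return out


if __name__ == "__main__":
    for proto, port, want, seen in mismatches(POLICY_PORTS, OBSERVED):
        kind = "more permissive" if seen else "more restrictive"
        print(f"{proto}/{port}: expected pass={want}, observed pass={seen} ({kind})")
```

The UDP rows are the ones to look at first from a policy-enforcement point of view: traffic passing on 31999 and 32769 means nothing in the range rule is restricting UDP at all.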