Bug
Resolution: Done
Normal
4.18.z
Quality / Stability / Reliability
Important
OSDOCS Sprint 271
Description of problem:
AdminNetworkPolicy changes the target selectors in .spec and does not honour the rule.
How reproducible: Always
Steps to Reproduce:
1. Create a dummy deny-all-egress NetworkPolicy.
2. Create an ANP to override the above NetworkPolicy and allow all egress connections to the dns-default pods.
3. Validate the ANP .spec section for the target selectors and test the connection to dns-default pods.
Actual results: the target selectors in the ANP's .spec section are changed once the ANP is applied, and the given allow rule is not honoured.
Expected results: the ANP should not change the target selectors in the .spec section once the ANP is applied, and it should honour the given rules.
Is it a customer issue / SD
Additional info: Reproducer steps from my test lab.
I've been able to reproduce the issue as per the customer's scenario.
I've changed the cluster domain to ensure no actual hostnames are exposed.
Target namespace to test the ANP (dns pods on port 5353):
[quickcluster@upi-0 ~]$ oc get po --no-headers -l dns.operator.openshift.io/daemonset-dns=default -n openshift-dns -o wide | head -n1
dns-default-frw4d   2/2   Running   0   7d   10.129.0.20   master-2.ocptest.example.com   <none>   <none>
Source namespace where the ANP will act (subject of ANP):
[quickcluster@upi-0 ~]$ oc get ns -l tenant=true
NAME STATUS AGE
test-anp-04120206 Active 37m
[quickcluster@upi-0 ~]$ oc get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE
test-a-679bd77bb4-dt5qn 1/1 Running 0 35m 10.128.2.198 worker-1.ocptest.example.com
[quickcluster@upi-0 ~]$ oc get netpol
No resources found in test-anp-04120206 namespace.
[quickcluster@upi-0 ~]$ oc rsh test-a-679bd77bb4-dt5qn
sh-4.4$ curl 10.129.0.20:5353 -v --connect-timeout 4
* Rebuilt URL to: 10.129.0.20:5353/
* Trying 10.129.0.20...
* TCP_NODELAY set
* Connected to 10.129.0.20 (10.129.0.20) port 5353 (#0)
> GET / HTTP/1.1
> Host: 10.129.0.20:5353
> User-Agent: curl/7.61.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 10.129.0.20 left intact
curl: (52) Empty reply from server
sh-4.4$
CREATING A DEFAULT-DENY-EGRESS RULE NOW:
[quickcluster@upi-0 ~]$ oc create -f netpol-deny.yaml
networkpolicy.networking.k8s.io/deny-all-egress created
[quickcluster@upi-0 ~]$ oc get netpol deny-all-egress -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2025-04-21T11:37:44Z"
  generation: 1
  name: deny-all-egress
  namespace: test-anp-04120206
  resourceVersion: "2320779"
  uid: 616bb069-3165-4d8a-9304-2875aa7dbe72
spec:
  podSelector: {}
  policyTypes:
  - Egress
[quickcluster@upi-0 ~]$
[quickcluster@upi-0 ~]$ oc rsh test-a-679bd77bb4-dt5qn
sh-4.4$ curl 10.129.0.20:5353 --connect-timeout 4 -v
* Rebuilt URL to: 10.129.0.20:5353/
*   Trying 10.129.0.20...
* TCP_NODELAY set
* Connection timed out after 4001 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 4001 milliseconds
sh-4.4$
The above netpol denies all the egress traffic from the source pod.
Now creating an ANP to override the egress restriction and allow the egress connection to the dns-default pods (target):
[quickcluster@upi-0 ~]$ cat anp.yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: allow-to-ns-anp
spec:
  priority: 50
  subject:
    namespaces:
      matchLabels:
        tenant: "true"
  egress:
  - name: "allow-to-dns"
    action: "Allow"
    to:
    - pods:
        namespaceSelector:
          matchlabels:
            kubernetes.io/metadata.name: openshift-dns
        podSelector:
          matchlabels:
            dns.operator.openshift.io/daemonset-dns: default
    ports:
    - portNumber:
        protocol: UDP
        port: 5353
[quickcluster@upi-0 ~]$ oc create -f anp.yaml
adminnetworkpolicy.policy.networking.k8s.io/allow-to-ns-anp created
[quickcluster@upi-0 ~]$
Upon applying the above ANP, the target selectors are changed!!!!
[quickcluster@upi-0 ~]$ oc get anp allow-to-ns-anp -o yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  creationTimestamp: "2025-04-21T11:44:13Z"
  generation: 1
  name: allow-to-ns-anp
  resourceVersion: "2322309"
  uid: 151251ba-7d5f-47f1-a3ff-46d39d5b60cf
spec:
  egress:
  - action: Allow
    name: allow-to-dns
    ports:
    - portNumber:
        port: 5353
        protocol: UDP
    to:
    - pods:
        namespaceSelector: {}    <<<<<-------------------
        podSelector: {}          <<<<<-------------------
  priority: 50
  subject:
    namespaces:
      matchLabels:
        tenant: "true"
status:
  conditions:
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-master-2.ocptest.example.com
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-master-0.ocptest.example.com
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-worker-0.ocptest.example.com
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-worker-2.ocptest.example.com
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-master-1.ocptest.example.com
  - lastTransitionTime: "2025-04-21T11:44:13Z"
    message: Setting up OVN DB plumbing was successful
    reason: SetupSucceeded
    status: "True"
    type: Ready-In-Zone-worker-1.ocptest.example.com
[quickcluster@upi-0 ~]$
The doc uses the label `app: dns`, which does not exist by default; however, I've given the correct label as shown in `anp.yaml`.
Testing the connection now.
[quickcluster@upi-0 ~]$ oc get netpol
NAME              POD-SELECTOR   AGE
deny-all-egress   <none>         12m
[quickcluster@upi-0 ~]$ oc get anp
NAME              PRIORITY   AGE
allow-to-ns-anp   50         6m1s
[quickcluster@upi-0 ~]$ oc rsh test-a-679bd77bb4-dt5qn
sh-4.4$ curl 10.129.0.20:5353 --connect-timeout 4 -v
* Rebuilt URL to: 10.129.0.20:5353/
*   Trying 10.129.0.20...
* TCP_NODELAY set
* Connection timed out after 4001 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 4001 milliseconds
sh-4.4$
The connection is still blocked, irrespective of the Allow rule in the ANP!
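An added pre-apply and post-apply check for ANP manifests, not part of this report: it flags selector keys the API server does not know (the posted anp.yaml spells the selector key `matchlabels`, while the stored object shows `{}`), and it flags any peer selector that is empty, because an empty selector matches every namespace or pod and so widens an Allow rule far beyond the intended target. It assumes a pruning API server, as structural CRD schemas give, and the two sample objects are constructed from the report's own YAML.

```python
# Added example (not part of the bug report). Assumes the API server prunes
# unknown fields from the CRD object (structural CRD schemas), so a mis-cased
# key such as `matchlabels` is dropped and the selector it held becomes `{}`.
import json

SELECTOR_KEYS = {"matchLabels", "matchExpressions"}
_BY_LOWER = {k.lower(): k for k in SELECTOR_KEYS}


def selector_findings(path, sel):
    """Report keys that would be pruned, and selectors that are left empty."""
    out = []
    for key in sel:
        if key not in SELECTOR_KEYS:
            hint = _BY_LOWER.get(key.lower())
            out.append(f"{path}: key {key!r} is unknown and would be pruned"
                       + (f" (did you mean {hint!r}?)" if hint else ""))
    if not any(k in SELECTOR_KEYS for k in sel):
        out.append(f"{path}: selector is empty and matches everything")
    return out


def lint_anp(anp):
    """Walk every ingress/egress peer of an ANP (dict form) and collect findings."""
    findings = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(anp.get("spec", {}).get(direction, [])):
            for j, peer in enumerate(rule.get(peer_key, [])):
                base = f"{direction}[{i}].{peer_key}[{j}]"
                if "namespaces" in peer:  # namespace peer is itself one selector
                    findings += selector_findings(base + ".namespaces", peer["namespaces"])
                if "pods" in peer:  # pod peer nests a namespace and a pod selector
                    for sub in ("namespaceSelector", "podSelector"):
                        findings += selector_findings(f"{base}.pods.{sub}",
                                                      peer["pods"].get(sub, {}))
    return findings


# Constructed from the report's anp.yaml: the `to` peer as the author wrote it.
AS_WRITTEN = {"spec": {"egress": [{"name": "allow-to-dns", "action": "Allow", "to": [
    {"pods": {"namespaceSelector": {"matchlabels": {"kubernetes.io/metadata.name": "openshift-dns"}},
              "podSelector": {"matchlabels": {"dns.operator.openshift.io/daemonset-dns": "default"}}}}]}]}}

# Constructed from the report's `oc get anp -o yaml`, as `oc get anp -o json` would return it.
AS_STORED = json.loads('{"spec": {"egress": [{"name": "allow-to-dns", "action": "Allow",'
                       ' "to": [{"pods": {"namespaceSelector": {}, "podSelector": {}}}]}]}}')

if __name__ == "__main__":
    for label, obj in (("as written", AS_WRITTEN), ("as stored", AS_STORED)):
        print(f"== {label} ==")
        for finding in lint_anp(obj):
            print(" ", finding)
```

One further caveat when reading the reproducer: the curl probe opens a TCP connection, while the rule as written allows only UDP 5353, so that probe does not exercise the Allow rule in either case.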