Bug
Resolution: Unresolved
Normal
4.18
Quality / Stability / Reliability
Description of problem:
[1] I would like to clarify what the customer is referring to. The customer is using the allow-from-openshift-ingress NetworkPolicy as referenced in the documentation.
[2] The network policy behaves differently depending on the empty podSelector field. That means the following NP, as given in the docs, does work:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
[3] When you slightly modify the NP so that the from peer also carries an empty podSelector, the network policy does not allow the ingress traffic through:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - podSelector: {}
      namespaceSelector:
        matchLabels:
          policy-group.network.openshift.io/ingress: ""
  podSelector: {}
  policyTypes:
  - Ingress
[4] Upon following the CRD explanation:
oc explain networkpolicy.spec.ingress.from.podSelector
GROUP:      networking.k8s.io
KIND:       NetworkPolicy
VERSION:    v1

FIELD: podSelector <LabelSelector>

DESCRIPTION:
    podSelector is a label selector which selects pods. This field follows
    standard label selector semantics; if present but empty, it selects all
    pods.

    If namespaceSelector is also set, then the NetworkPolicyPeer as a whole
    selects the pods matching podSelector in the Namespaces selected by
    NamespaceSelector. Otherwise it selects the pods matching podSelector in
    the policy's own namespace.

    A label selector is a label query over a set of resources. The result of
    matchLabels and matchExpressions are ANDed. An empty label selector
    matches all objects. A null label selector matches no objects.

FIELDS:
  matchExpressions <[]LabelSelectorRequirement>
    matchExpressions is a list of label selector requirements. The
    requirements are ANDed.

  matchLabels <map[string]string>
    matchLabels is a map of {key,value} pairs. A single {key,value} in the
    matchLabels map is equivalent to an element of matchExpressions, whose key
    field is "key", the operator is "In", and the values array contains only
    "value". The requirements are ANDed.

The important part is this sentence:
podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
[5] It should not make a difference whether the podSelector is absent or present and empty (which should include all pods).
Version-Release number of selected component (if applicable):
4.18
How reproducible:
Yes
Steps to Reproduce:
- We are trying to permit only specific pods in a project to connect to the ingress namespace.
- By default (when creating the NetworkPolicy through the WebUI Form view), spec -> ingress -> from -> podSelector is empty (just `{}`).
- When we try to access the pods through a secure route, the network traffic is not allowed and the request times out.
- If we remove the podSelector from the from key, then it works correctly.
Actual results:
The documentation states that an empty podSelector should select all pods from that namespace, which contradicts this behavior.
Expected results:
The network policy should not behave differently depending on whether the podSelector is absent or empty, as described in the documentation.
Additional info:
According to the documentation, to make pods accept connections from other pods in the same project but reject all other connections from pods in other projects, add the following NetworkPolicy object:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
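To make the selection rules quoted from `oc explain` concrete, the following is an added example (not from this bug report, OpenShift, or any CNI plugin) that evaluates ingress `from` peers against a constructed set of pods and namespaces using exactly those documented semantics. It models what the API documentation says a peer selects, not what any network plugin enforces: under these rules the namespaceSelector-only peer and the namespaceSelector plus `podSelector: {}` peer from the description select the same pods, and the allow-same-namespace peer above selects only pods in the policy's own namespace. All namespace names, pod names and labels are constructed sample data.

```python
# Constructed sample cluster state (not taken from the bug report).
NAMESPACES = {"openshift-ingress": {"policy-group.network.openshift.io/ingress": ""},
              "myapp": {"kubernetes.io/metadata.name": "myapp"}}
PODS = [{"namespace": "openshift-ingress", "name": "router-default-1", "labels": {"app": "router"}},
        {"namespace": "myapp", "name": "web-1", "labels": {"app": "web"}}]
# The two peers from the description: namespaceSelector alone, and the same plus podSelector: {}.
NS_ONLY = {"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}}
NS_AND_EMPTY_POD = dict(NS_ONLY, podSelector={})

def selector_matches(selector, labels):
    """Label selector semantics as quoted by `oc explain`: a null selector
    matches nothing, {} matches everything, matchLabels and matchExpressions are ANDed."""
    if selector is None:
        return False
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for req in selector.get("matchExpressions", []):
        key, op, values = req["key"], req["operator"], req.get("values", [])
        present = key in labels
        if ((op == "In" and not (present and labels[key] in values))
                or (op == "NotIn" and present and labels[key] in values)
                or (op == "Exists" and not present)
                or (op == "DoesNotExist" and present)):
            return False
    return True

def peer_selects(peer, policy_namespace, pod):
    """Does a single `from` peer select `pod` under the documented rules?"""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACES[pod["namespace"]]):
            return False
        # namespaceSelector alone means every pod in the selected namespaces;
        # with a podSelector as well, only the matching pods in those namespaces.
        return pod_sel is None or selector_matches(pod_sel, pod["labels"])
    # podSelector alone is scoped to the policy's own namespace.
    return pod["namespace"] == policy_namespace and selector_matches(pod_sel, pod["labels"])

def selected_pods(policy_namespace, peers):
    """Sorted 'namespace/name' of pods selected by at least one peer of an ingress rule."""
    return sorted(f'{p["namespace"]}/{p["name"]}' for p in PODS
                  if any(peer_selects(peer, policy_namespace, p) for peer in peers))

if __name__ == "__main__":
    print(selected_pods("myapp", [NS_ONLY]))              # ['openshift-ingress/router-default-1']
    print(selected_pods("myapp", [NS_AND_EMPTY_POD]))     # same list: {} selects all pods
    print(selected_pods("myapp", [{"podSelector": {}}]))  # ['myapp/web-1'] (allow-same-namespace)
```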