- Bug
- Resolution: Unresolved
- Minor
- 4.19
- Quality / Stability / Reliability
Description of problem: Network Policy does not work on port names.
Version-Release number of selected component (if applicable): 4.19
How reproducible: Always
Steps to Reproduce:
Deployed 2 pods, test-clt and test-srv, and a network policy for the test-srv pod to allow ingress traffic on port number 8080 from the test-clt pod. When I apply the network policy using the numeric port number it works as expected, but when I apply the network policy using the named port (for port 8080 in this case) I do not get the expected result, i.e. the network policy is not applied.
Deployed 2 pods test-clt and test-srv
    test-clt-959449bf8-7qjdx   1/1   Running   0   20m   name=test-clt,pod-template-hash=959449bf8
    test-srv-c6cdf6979-ld5kg   1/1   Running   0   12m   name=test-srv,pod-template-hash=c6cdf6979
Gave the named port to the deployment test-srv

    ports:
    - containerPort: 8080
      name: http-alt
      protocol: TCP
    - containerPort: 8081
      protocol: TCP

Applied the following network policy for the test-srv pod, which allows ingress traffic from the test-clt pod on port 8080 (in this scenario the named port "httpd-alt" is assigned to port number 8080)

    $ oc describe netpol
    Name:         netpol-test
    Namespace:    test
    Created on:   2025-09-30 02:39:58 -0400 EDT
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     name=test-srv
      Allowing ingress traffic:
        To Port: http-alt/TCP
        From:
          PodSelector: name=test-clt
      Not affecting egress traffic
      Policy Types: Ingress
The network policy applied above is not working for the named ports

    $ oc rsh test-clt-959449bf8-7qjdx
    sh-4.4$ curl 10.129.3.169:8080
    <html>
    <body>
    <h1>Hello, world from nginx!</h1>
    </body>
    </html>
    sh-4.4$ curl 10.129.3.169:8081
    curl: (7) Failed to connect to 10.129.3.169 port 8081: Connection refused

But for the same, when I apply the network policy using the numeric port number, the network policy works as intended
Network Policy (using numeric port)
    $ oc describe netpol numeric-netpol
    Name:         numeric-netpol
    Namespace:    test
    Created on:   2025-09-30 03:17:53 -0400 EDT
    Labels:       <none>
    Annotations:  <none>
    Spec:
      PodSelector:     name=test-srv
      Allowing ingress traffic:
        To Port: 8080/TCP
        From:
          PodSelector: name=test-clt
      Not affecting egress traffic
      Policy Types: Ingress
Output of the numeric port network policy
    $ oc rsh test-clt-959449bf8-7qjdx
    sh-4.4$ curl 10.129.3.169:8080
    <html>
    <body>
    <h1>Hello, world from nginx!</h1>
    </body>
    </html>
    sh-4.4$ curl 10.129.3.169:8081
    curl: (7) Failed to connect to 10.129.3.169 port 8081: Connection timed out
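
A triage check for reports like this one, added here as an example and not part of the original report or of OpenShift: it resolves each port in a NetworkPolicy ingress rule against the containerPort names of the pods the policy selects, so a name that no selected pod declares is ruled out before the network plugin is investigated. The objects are constructed from the names and ports in the report; the function names and the container names are hypothetical.

```python
# Added diagnostic (not OpenShift code): resolve NetworkPolicy named ports
# against the containerPort names of the pods the policy selects.

def selects(selector, labels):
    """matchLabels-only check; matchExpressions are not handled here."""
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def resolve_ports(policy, pods):
    """Map (pod, port reference, protocol) -> numeric port, or None when the
    name is not declared by any container of that pod for that protocol."""
    spec = policy["spec"]
    targets = [p for p in pods if selects(spec["podSelector"], p["metadata"]["labels"])]
    resolved = {}
    for rule in spec.get("ingress", []):
        for ref in rule.get("ports", []):
            proto = ref.get("protocol", "TCP")  # Kubernetes defaults to TCP
            for pod in targets:
                key = (pod["metadata"]["name"], ref["port"], proto)
                if isinstance(ref["port"], int):
                    resolved[key] = ref["port"]  # numeric: no lookup needed
                    continue
                hits = [cp["containerPort"]
                        for c in pod["spec"]["containers"]
                        for cp in c.get("ports", [])
                        if cp.get("name") == ref["port"]
                        and cp.get("protocol", "TCP") == proto]
                resolved[key] = hits[0] if hits else None
    return resolved

# Constructed objects using the pod names, labels and ports from the report.
SRV = {"metadata": {"name": "test-srv-c6cdf6979-ld5kg", "labels": {"name": "test-srv"}},
       "spec": {"containers": [{"name": "srv", "ports": [
           {"containerPort": 8080, "name": "http-alt", "protocol": "TCP"},
           {"containerPort": 8081, "protocol": "TCP"}]}]}}
CLT = {"metadata": {"name": "test-clt-959449bf8-7qjdx", "labels": {"name": "test-clt"}},
       "spec": {"containers": [{"name": "clt"}]}}

def make_policy(port):
    """Ingress policy on name=test-srv from name=test-clt for one port."""
    return {"spec": {"podSelector": {"matchLabels": {"name": "test-srv"}},
                     "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "test-clt"}}}],
                                  "ports": [{"protocol": "TCP", "port": port}]}]}}

if __name__ == "__main__":
    for port in ("http-alt", 8080, "undeclared-name"):
        print(port, "->", resolve_ports(make_policy(port), [SRV, CLT]))
```

On a cluster, the same dictionaries can be loaded from the output of `oc get netpol -o json` and `oc get pods -o json` (each entry under `items`).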