Bug
Resolution: Unresolved
Major
None
4.21
None
Description of problem: Running regression QE multi-network-policy test case
"Ingress/Egress Allow access only to a specific port/protocol", reportxml.ID("70040") on cluster using nftables in place of iptables. MultiNetworkPolicy is not properly being deployed into nftables.
Version-Release number of selected component (if applicable): 4.21
How reproducible:
Steps to Reproduce:
1. Deploy image from link
2. Deploy multinetworkpolicy supplied below
3. Verify on ip netns to see policy
A. crictl pods
B. crictl inspectp 3b002f74fa725 | grep "/var/run/netns" | grep path | awk '{print $2}'
C. ip netns exec 4cbab47d-859e-4ef5-9a6f-608195bf4a63 nft list ruleset
Actual results:
The multinetworkpolicy was only pushed to the pod on worker0
Expected results:
The multinetworkpolicy will be translated to all pods in the namespace.
Additional info:
$ oc get multi-networkpolicies.k8s.cni.cncf.io -A -o yaml
apiVersion: v1
items:
- apiVersion: k8s.cni.cncf.io/v1beta1
  kind: MultiNetworkPolicy
  metadata:
    annotations:
      k8s.v1.cni.cncf.io/policy-for: sriovnetpolicy
    creationTimestamp: "2025-12-08T09:09:45Z"
    generation: 1
    name: verificationpolicy
    namespace: policy-tests
    resourceVersion: "1848110"
    uid: 4d3a59bf-0474-458f-a386-dd3db2d577f4
  spec:
    egress:
    - ports:
      - port: 5001
        protocol: SCTP
      to:
      - ipBlock:
          cidr: 2001:1db8:85a3::3/128
        podSelector:
          matchLabels:
            pod: pod3
    ingress:
    - from:
      - podSelector:
          matchLabels:
            pod: pod2
      ports:
      - port: 5001
        protocol: SCTP
    podSelector:
      matchLabels:
        pod: pod1
    policyTypes:
    - Ingress
    - Egress
kind: List
metadata:
  resourceVersion: ""