OpenShift Bugs / OCPBUGS-8397

egress firewall only creates 1 acl for long namespace names


Details

    • +
    • No
    • SDN Sprint 233
    • 1
    • Rejected
    • False

    Description

      Description of problem:

      When an egress firewall is applied in a namespace whose name is longer than 43 symbols, ACL names get cropped and all ACLs for the same egress firewall object are considered equivalent. It is a known problem that we faced for network policies too.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1. Create an egress firewall object with > 1 rule, e.g.
      kind: EgressFirewall
      apiVersion: k8s.ovn.org/v1
      metadata:
        name: default
      spec:
        egress:
        - type: Allow
          to:
            cidrSelector: <pod ip>/32
        - type: Deny
          to:
            cidrSelector: 0.0.0.0/0
      2. Check that only the last rule is applied: all traffic will be dropped, even if you try to ping the allowed <pod ip>
      3. Check that in the nbdb there is only 1 egress firewall ACL (should be 2, as the number of rules)
      ovn-nbctl find acl | grep egressFirewall=
      

      Actual results:

       

      Expected results:

       

      Additional info:
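A scripted form of the check in step 3, as an added example that is not part of the original report: it counts the ACLs tagged `egressFirewall=<namespace>` in `ovn-nbctl find acl` output and compares that count with the number of rules in the EgressFirewall object. The sample output, the namespace names and the helper names `sample_nbdb`, `efw_acl_count` and `efw_check` are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abridged sample of `ovn-nbctl find acl` output (not from a real
# cluster); UUIDs and namespace names are made up for this example.
sample_nbdb() {
cat <<'EOF'
_uuid               : 11111111-1111-1111-1111-111111111111
action              : allow
external_ids        : {egressFirewall=short-ns}

_uuid               : 22222222-2222-2222-2222-222222222222
action              : drop
external_ids        : {egressFirewall=short-ns}

_uuid               : 33333333-3333-3333-3333-333333333333
action              : drop
external_ids        : {egressFirewall=a-namespace-name-that-is-longer-than-43-symbols}

_uuid               : 44444444-4444-4444-4444-444444444444
action              : allow
external_ids        : {}
EOF
}

# efw_acl_count NAMESPACE: reads `ovn-nbctl find acl` output on stdin and prints
# how many ACL records carry external_ids egressFirewall=NAMESPACE (exact match).
efw_acl_count() {
  awk -v ns="$1" '
    $1 == "external_ids" {
      ids = $0; sub(/^[^:]*:/, "", ids); gsub(/[{}" ]/, "", ids)
      n = split(ids, kv, ",")
      for (i = 1; i <= n; i++) if (kv[i] == ("egressFirewall=" ns)) c++
    }
    END { print c + 0 }'
}

# efw_check NAMESPACE RULES: succeeds only if the NBDB holds one ACL per rule of
# the EgressFirewall object; otherwise reports the mismatch and returns 1.
efw_check() {
  have=$(efw_acl_count "$1")
  if [ "$have" -ne "$2" ]; then
    echo "MISMATCH $1: $have ACL(s) for $2 rule(s)"
    return 1
  fi
  echo "OK $1: $have ACL(s)"
}

# Against a live NBDB: ovn-nbctl find acl | efw_check <namespace> <rule count>
sample_nbdb | efw_check short-ns 2
sample_nbdb | efw_check a-namespace-name-that-is-longer-than-43-symbols 2 || true
```
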

       


            People

              Nadia Pinaeva (npinaeva@redhat.com)
              Jean Chen