
[OCPBUGS-8501] [4.12] egress firewall only creates 1 acl for long namespace names


      Description of problem:

      When an egress firewall is applied in a namespace whose name is longer than 43 symbols, the ACL names get cropped and all ACLs for the same egress firewall object are considered equivalent. It is a known problem that we faced for network policies too.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

       

      Expected results:

       

      Additional info:

       


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (OpenShift Container Platform 4.12.8 bug fix update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2023:1269

            Jean Chen added a comment -

            Created OCP-61176 and OCP-61177, will automate it later: https://issues.redhat.com/browse/OCPQE-14400

            Huiran Wang added a comment -

            npinaeva@redhat.com Thanks for confirming!

            Nadia Pinaeva added a comment -

            huirwang thanks for verifying! Yes, the name should be truncated, but the externalIDs should have the full name.

            Huiran Wang added a comment -

            npinaeva@redhat.com Just confirming: the ACL names can still be truncated, and this is as expected, right? From the testing above, the ACL names are truncated (from abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye to abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv), but the externalIDs are unique and the function works well.

            Huiran Wang added a comment - - edited

            Tested PR https://github.com/openshift/ovn-kubernetes/pull/1559,

            1. Created two namespaces with 52-character names, "abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz" and "abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye"; only the last character differs.
            Created one egressfirewall and a test pod in each of the namespaces above.
             % oc get egressfirewall -n abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz -o yaml
            apiVersion: v1
            items:
            - apiVersion: k8s.ovn.org/v1
              kind: EgressFirewall
              metadata:
                creationTimestamp: "2023-03-08T01:54:37Z"
                generation: 2
                name: default
                namespace: abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz
                resourceVersion: "49120"
                uid: 9a2bb60d-47ce-4800-8076-bf26fdc3d4a1
              spec:
                egress:
                - to:
                    cidrSelector: 142.251.33.68/32
                  type: Allow
                - ports:
                  - port: 80
                    protocol: TCP
                  to:
                    cidrSelector: 23.50.0.0/16
                  type: Allow
                - to:
                    cidrSelector: 0.0.0.0/0
                  type: Deny
              status:
                status: EgressFirewall Rules applied
            kind: List
            metadata:
              resourceVersion: ""
            
            % oc get egressfirewall -n abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye -o yaml
            apiVersion: v1
            items:
            - apiVersion: k8s.ovn.org/v1
              kind: EgressFirewall
              metadata:
                creationTimestamp: "2023-03-08T02:10:07Z"
                generation: 2
                name: default
                namespace: abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye
                resourceVersion: "58404"
                uid: 6cdd5f57-3027-4640-bb9a-4200625545a4
              spec:
                egress:
                - to:
                    cidrSelector: 142.251.33.68/32
                  type: Allow
                - ports:
                  - port: 80
                    protocol: TCP
                  to:
                    cidrSelector: 23.50.0.0/16
                  type: Allow
                - to:
                    cidrSelector: 0.0.0.0/0
                  type: Deny
              status:
                status: EgressFirewall Rules applied
            kind: List
            metadata:
              resourceVersion: ""
            
            2. Verify that the egressfirewall works correctly in both namespaces
            % oc rsh -n abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye hello-pod
            ~ $ ^C
            ~ $ curl 142.251.33.68 -I
            HTTP/1.1 301 Moved Permanently
            Location: http://www.google.com/
            Content-Type: text/html; charset=UTF-8
            Date: Wed, 08 Mar 2023 02:11:04 GMT
            Expires: Fri, 07 Apr 2023 02:11:04 GMT
            Cache-Control: public, max-age=2592000
            Server: gws
            Content-Length: 219
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            
            ~ $  curl 23.50.17.43 -I
            HTTP/1.0 400 Bad Request
            Server: AkamaiGHost
            Mime-Version: 1.0
            Content-Type: text/html
            Content-Length: 207
            Expires: Wed, 08 Mar 2023 02:11:36 GMT
            Date: Wed, 08 Mar 2023 02:11:36 GMT
            Connection: close
            
            ~ $ curl www.yahoo.com -I
            ^C
            ~ $
            
            % oc rsh -n abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz hello-pod
            ~ $ curl 142.251.33.68 -I
            HTTP/1.1 301 Moved Permanently
            Location: http://www.google.com/
            Content-Type: text/html; charset=UTF-8
            Date: Wed, 08 Mar 2023 01:55:13 GMT
            Expires: Fri, 07 Apr 2023 01:55:13 GMT
            Cache-Control: public, max-age=2592000
            Server: gws
            Content-Length: 219
            X-XSS-Protection: 0
            X-Frame-Options: SAMEORIGIN
            
            ~ $ curl ^C
            ~ $ curl 23.50.17.43 -I
            HTTP/1.0 400 Bad Request
            Server: AkamaiGHost
            Mime-Version: 1.0
            Content-Type: text/html
            Content-Length: 207
            Expires: Wed, 08 Mar 2023 01:55:32 GMT
            Date: Wed, 08 Mar 2023 01:55:32 GMT
            Connection: close
            
            ~ $ curl www.yahoo.com -I connect-timeout 5
            
            ^C
            ~$
            
            4. Check the OVN ACLs: only the name was truncated, the externalIDs were correct.
            sh-4.4# ovn-nbctl --no-heading   find acl name=egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            7ac58321-ce50-4c8f-89f6-5325acca77f7
            allow
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz, priority="10000"}
            0
            false
            "(ip4.dst == 142.251.33.68/32) && ip4.src == $a9275935520880020708"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            10000
            []
            
            4931a581-8155-4b59-a5bb-82ac5d6604fa
            allow
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye, priority="10000"}
            0
            false
            "(ip4.dst == 142.251.33.68/32) && ip4.src == $a17117126346041815175"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            10000
            []
            
            8205e882-1f2f-4464-b15c-6c25b81d26ed
            drop
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz, priority="9998"}
            0
            false
            "(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.128.0.0/14) && ip4.src == $a9275935520880020708"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            9998
            []
            
            c438ae92-ba02-4736-b724-2f12a0ecfed3
            drop
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye, priority="9998"}
            0
            false
            "(ip4.dst == 0.0.0.0/0 && ip4.dst != 10.128.0.0/14) && ip4.src == $a17117126346041815175"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            9998
            []
            
            d636a442-8fac-4866-947a-1809ca488e85
            allow
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz, priority="9999"}
            0
            false
            "(ip4.dst == 23.50.0.0/16) && ip4.src == $a9275935520880020708 && ((tcp && ( tcp.dst == 80 )))"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            9999
            []
            
            60b312d4-ff51-45ba-abc5-b95fc6736830
            allow
            to-lport
            {egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye, priority="9999"}
            0
            false
            "(ip4.dst == 23.50.0.0/16) && ip4.src == $a17117126346041815175 && ((tcp && ( tcp.dst == 80 )))"
            acl-logging
            egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
            {}
            9999
            []
            sh-4.4# 
            

            One more test. Looks good.
            Created a long namespace and created an egress firewall there with the same steps as above, then restarted ovnkube-master and verified that there is no "constraint violation" in the master pod logs.
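The behaviour verified above, as an added Python example that is not code from this bug report, from ovn-kubernetes or from OVN: it models how an egress firewall ACL name is built and cut to the OVN name limit, so that two 52-character namespaces differing only in their last character end up with the same ACL name, and it parses a `ovn-nbctl --no-heading find acl` dump to report names shared by several ACLs while confirming that the `external_ids` (which keep the full namespace name) still tell the records apart. Assumptions: the 63-character limit and the `egressFirewall_` prefix are inferred from the 63-character names in the output above; the column order is the default `find acl` output order as printed above; the sample dump is constructed from two of the records in the test comment.

```python
"""Model of the ACL-name truncation behind OCPBUGS-8501 and a checker for
`ovn-nbctl --no-heading find acl` output (added example, not project code)."""
import re

# Assumption: the OVN northbound ACL.name column holds at most 63 characters;
# this matches the 63-character ACL names shown in the bug report.
OVN_ACL_NAME_MAX = 63
# Prefix as it appears in the report's ACL names.
EF_PREFIX = "egressFirewall_"
# Default column order of `ovn-nbctl --no-heading find acl` as printed in the
# report: one value per line, records separated by a blank line.
COLUMNS = ["_uuid", "action", "direction", "external_ids", "label", "log",
           "match", "meter", "name", "options", "priority", "severity"]

# The two 52-character namespaces used in the report's test.
NS_Z = "abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz"
NS_E = "abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye"


def egress_firewall_acl_name(namespace):
    """Prefix plus namespace, cut to the OVN limit: namespaces that agree on
    their first 48 characters get the same ACL name."""
    return (EF_PREFIX + namespace)[:OVN_ACL_NAME_MAX]


def parse_external_ids(text):
    """Turn '{egressFirewall=ns, priority="10000"}' into a dict."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"not an external_ids map: {text!r}")
    ids = {}
    for pair in body[1:-1].split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            ids[key.strip()] = value.strip().strip('"')
    return ids


def parse_find_acl(dump):
    """Parse a no-heading `find acl` dump into one dict per ACL record."""
    acls = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        values = [line.strip() for line in block.splitlines() if line.strip()]
        if len(values) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(values)}")
        rec = dict(zip(COLUMNS, values))
        rec["external_ids"] = parse_external_ids(rec["external_ids"])
        rec["priority"] = int(rec["priority"])
        acls.append(rec)
    return acls


def name_collisions(acls):
    """ACL names shared by more than one record, mapped to their UUIDs. Code
    that looks ACLs up by name alone treats each such group as one ACL."""
    by_name = {}
    for acl in acls:
        by_name.setdefault(acl["name"], []).append(acl["_uuid"])
    return {name: uuids for name, uuids in by_name.items() if len(uuids) > 1}


def external_ids_unique(acls):
    """True when (egressFirewall, priority) from external_ids identifies every
    record, i.e. the full namespace survives there even if the name was cut."""
    keys = [(acl["external_ids"].get("egressFirewall"),
             acl["external_ids"].get("priority")) for acl in acls]
    return len(keys) == len(set(keys))


# Constructed sample: the two priority-10000 allow ACLs from the report.
SAMPLE_DUMP = """\
7ac58321-ce50-4c8f-89f6-5325acca77f7
allow
to-lport
{egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz, priority="10000"}
0
false
"(ip4.dst == 142.251.33.68/32) && ip4.src == $a9275935520880020708"
acl-logging
egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
{}
10000
[]

4931a581-8155-4b59-a5bb-82ac5d6604fa
allow
to-lport
{egressFirewall=abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxye, priority="10000"}
0
false
"(ip4.dst == 142.251.33.68/32) && ip4.src == $a17117126346041815175"
acl-logging
egressFirewall_abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuv
{}
10000
[]
"""

if __name__ == "__main__":
    acls = parse_find_acl(SAMPLE_DUMP)
    for name, uuids in name_collisions(acls).items():
        print(f"{len(uuids)} ACLs share the name {name}: {', '.join(uuids)}")
    print("external_ids unique:", external_ids_unique(acls))
```

To check a live cluster after the fix, feed the output of `ovn-nbctl --no-heading find acl` from an ovnkube node into `parse_find_acl`: shared names are expected for long namespaces, but `external_ids_unique` must stay true, since that is what distinguishes the per-namespace rules once the name has been cut.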
