
Add e2e tests to verify interaction between multicast and netpol


Details

    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • Component: OVN Kubernetes

    Description

      It should be possible to use NetworkPolicy and/or EgressFirewall to allow multicast traffic between pods and/or from a pod to outside the OVN overlay. This would allow administrators to control outgoing/incoming multicast traffic, or to restrict multicast traffic between pods to only allowed MC groups.

      We should add e2e tests downstream in OpenShift (since upstream Kube networking multicast policy is pretty much undefined) to verify our expected behavior. One test could block all traffic in a namespace but use an Egress type IPBlock to allow the specific MC group IP; pods in the namespace should still be able to send/receive MC traffic.

      Notes:

      • Ingress policies don't make sense for Multicast because they test the source IP, which is the normal pod IP address of the sender. Only Egress policies make sense for multicast because the destination IP of the packet is the multicast group IP, and that's what the admins would care about.
      • For the same reason, pod selectors don't work here for egress policy types because those use the destination pod's IP, and multicast packets are sent to the multicast IP address not a pod IP. Thus you need IPBlock.
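The test scenario described above, written out as manifests. This is a constructed example added here, not from the issue or from ovn-kubernetes; the namespace name, the group address 239.1.1.1 and the UDP port are placeholders, and the per-namespace `k8s.ovn.org/multicast-enabled` annotation is OVN-Kubernetes' multicast switch, assumed here since the issue does not mention it.

```yaml
# Constructed example: deny all traffic in the namespace, then allow egress
# only to one multicast group via an IPBlock (assumed names and addresses).
apiVersion: v1
kind: Namespace
metadata:
  name: mcast-test            # placeholder namespace
  annotations:
    # OVN-Kubernetes enables multicast per namespace with this annotation
    # (assumed here; not stated in the issue).
    k8s.ovn.org/multicast-enabled: "true"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: mcast-test
spec:
  podSelector: {}             # every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                    # no ingress/egress rules listed: deny all
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mcast-group-egress
  namespace: mcast-test
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    # The destination is the multicast group address, not a pod IP, so a
    # podSelector cannot match it; only an ipBlock can.
    - ipBlock:
        cidr: 239.1.1.1/32    # placeholder multicast group
    ports:
    - protocol: UDP
      port: 5001              # placeholder port used by the test sender
```

The expected e2e result, per the issue, is that sender and receiver pods in the namespace can still exchange traffic on the group while all other traffic is denied. An ingress rule listing the group in an ipBlock would not help, because ingress rules are evaluated against the sender's unicast pod IP.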

          People

            bpickard@redhat.com Ben Pickard