Project: OpenShift SDN
Issue: SDN-3910

Improve DNS name-based traffic filtering


    • Type: Epic
    • Resolution: Done
    • Priority: Major
    • openshift-4.16
    • Improve DNS name based traffic filtering
    • Strategic Product Work
    • To Do
    • OCPSTRAT-523 - [Tech Preview] Improve CoreDNS Integration with EgressFirewall
    • 0% To Do, 0% In Progress, 100% Done
    • M

      Testing Complete!

      [QE] May 29
      Post-merge testing done. The bugs are not release blockers and will be tracked on their own.
      https://issues.redhat.com/browse/OCPBUGS-34524

      [QE] May 23
      https://issues.redhat.com/browse/OCPBUGS-34303

      [QE] May 16
      https://issues.redhat.com/browse/OCPBUGS-33750

      [QE] May 13, 2024
      1. Pre-merge testing with openshift/ovn-kubernetes#2138, openshift/cluster-network-operator#2131 and openshift/cluster-dns-operator#394
      2. Test plan and test cases: https://docs.google.com/document/d/1u269ZQEYngSoSoV9MkWhRtuxtNmxXk09ngOw0ahdwcE/edit

      [QE] Mar 27, 2024 - No QE stories planned in Sprint 252

      [QE] Mar 27, 2024 - No QE stories planned in Sprint 251

      [QE] Mar 06, 2024 - No QE stories planned in Sprint 250


      When trying to block requests from pods to several domain names, for example:

      • registry.access.redhat.com
      • registry.access.redhat.com.edgekey.net
      • registry-1.docker.io

      the EgressNetworkPolicy works for `registry.access.redhat.com` and `registry.access.redhat.com.edgekey.net`, but for `registry-1.docker.io` it does not deny access even though a deny entry was given for it.

      The OpenShift 3.11 documentation [1] describes the underlying limitation:

      "Domain name updates are polled based on the TTL (time to live) value of the domain returned by the local non-authoritative servers. The pod should also resolve the domain from the same local nameservers when necessary, otherwise, the IP addresses for the domain perceived by the egress network policy controller and the pod will be different, and the egress network policy may not be enforced as expected. Since egress network policy controller and pod are asynchronously polling the same local nameserver, there could be a race condition where pod may get the updated IP before the egress controller. Due to this current limitation, domain name usage in EgressNetworkPolicy is only recommended for domains with infrequent IP address changes."

      [1] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress

      The aim of this feature is to fix this and also to support wildcard entries for EgressNetworkPolicy.
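      A small model of the limitation in the quoted paragraph, added here as an example (it is not part of this issue or of OpenShift's code): the controller caches a denied domain's addresses until the TTL it last saw expires, while the pod resolves the same name independently, so a record change inside that window lets traffic through. The nameserver, addresses and TTL are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FakeNameserver:
    """Constructed local nameserver; a record's answer can be changed mid-simulation."""
    records: dict  # name -> (list of IPs, TTL in seconds)

    def resolve(self, name):
        ips, ttl = self.records[name]
        return set(ips), ttl

@dataclass
class EgressController:
    """Caches each denied domain's IPs and re-polls only once the cached TTL has expired."""
    ns: FakeNameserver
    denied_domains: list
    cache: dict = field(default_factory=dict)  # name -> (IPs, expiry time)

    def refresh(self, now):
        for name in self.denied_domains:
            entry = self.cache.get(name)
            if entry is None or now >= entry[1]:
                ips, ttl = self.ns.resolve(name)
                self.cache[name] = (ips, now + ttl)

    def denied_ips(self):
        return set().union(*(ips for ips, _ in self.cache.values()))

def pod_connect(ctrl, ns, name, now):
    """The pod resolves the name itself; the controller's rules only match on IPs it knows."""
    ctrl.refresh(now)
    dst = sorted(ns.resolve(name)[0])[0]
    return "DENIED" if dst in ctrl.denied_ips() else "ALLOWED"

def simulate():
    # Constructed addresses (TEST-NET-2) and a 30 s TTL; the domain is the one from the issue.
    ns = FakeNameserver({"registry-1.docker.io": (["198.51.100.10"], 30)})
    ctrl = EgressController(ns, ["registry-1.docker.io"])
    results = {}
    results["t0"] = pod_connect(ctrl, ns, "registry-1.docker.io", now=0)    # controller and pod agree
    ns.records["registry-1.docker.io"] = (["198.51.100.20"], 30)           # the record changes upstream
    results["t10"] = pod_connect(ctrl, ns, "registry-1.docker.io", now=10)  # controller still trusts its cache
    results["t31"] = pod_connect(ctrl, ns, "registry-1.docker.io", now=31)  # TTL expired, controller re-polls
    return results
```

      The "t10" result is the gap the issue describes: the pod already connects to the new address while the controller's deny rule still carries the old one.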

              Nadia Pinaeva (npinaeva@redhat.com)
              Huiran Wang
              Jesse Dohmann
              Votes: 0
              Watchers: 6
