OpenShift SDN / SDN-3910

Improve DNS name-based traffic filtering


    • Type: Epic
    • Resolution: Done
    • Priority: Major
    • openshift-4.16
    • Improve DNS name based traffic filtering
    • OCPSTRAT-523 - [Tech Preview] Improve CoreDNS Integration with EgressFirewall
    • 0% To Do, 0% In Progress, 100% Done
    • M

      Testing Complete!

      [QE] May 29
      Post-merge testing done. The bugs are not release blockers and will be tracked by themselves.
      https://issues.redhat.com/browse/OCPBUGS-34524

      [QE] May 23
      https://issues.redhat.com/browse/OCPBUGS-34303

      [QE] May 16
      https://issues.redhat.com/browse/OCPBUGS-33750

      [QE] May 13, 2024
      1. Pre-merge testing with openshift/ovn-kubernetes#2138, openshift/cluster-network-operator#2131, openshift/cluster-dns-operator#394
      2. Test plan and test cases: https://docs.google.com/document/d/1u269ZQEYngSoSoV9MkWhRtuxtNmxXk09ngOw0ahdwcE/edit

      [QE] Mar 27, 2024 - No QE stories planned in Sprint 252

      [QE] Mar 27, 2024 - No QE stories planned in Sprint 251

      [QE] Mar 06, 2024 - No QE stories planned in Sprint 250


      While trying to block requests from pods to several domain names, for example:

      • registry.access.redhat.com
      • registry.access.redhat.com.edgekey.net
      • registry-1.docker.io

      Here, the EgressNetworkPolicy works as expected for `registry.access.redhat.com` and `registry.access.redhat.com.edgekey.net`; for `registry-1.docker.io`, however, access is not denied despite the deny entry. The 3.11 documentation [1] describes the limitation behind this:

      "Domain name updates are polled based on the TTL (time to live) value of the domain returned by the local non-authoritative servers. The pod should also resolve the domain from the same local nameservers when necessary, otherwise, the IP addresses for the domain perceived by the egress network policy controller and the pod will be different, and the egress network policy may not be enforced as expected. Since egress network policy controller and pod are asynchronously polling the same local nameserver, there could be a race condition where pod may get the updated IP before the egress controller. Due to this current limitation, domain name usage in EgressNetworkPolicy is only recommended for domains with infrequent IP address changes."

      [1] https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress

      The aim of this feature is to fix this and also to support wildcard entries in EgressNetworkPolicy.
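The race described in the quoted limitation, as an added simulation that is not part of this issue or of OpenShift/ovn-kubernetes code: a controller that re-resolves a denied name only when its cached TTL expires misses an IP change that the pod has already picked up, whereas a controller fed the same answers the pod receives (the direction this epic aims at) stays in sync. The resolver, controllers, name, IPs and the 30-second TTL are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class FakeResolver:
    """Constructed stand-in for the cluster's local nameserver: name -> (IPs, TTL seconds)."""
    answers: dict

    def lookup(self, name):
        ips, ttl = self.answers[name]
        return set(ips), ttl

@dataclass
class PollingController:
    """Deny-rule controller that re-resolves the name only when its cached TTL has expired."""
    resolver: FakeResolver
    name: str
    denied_ips: set = field(default_factory=set)
    expires_at: float = 0.0

    def tick(self, now, pod_answer):
        # Ignores what the pod resolved; refreshes its own view only when the TTL runs out.
        if now >= self.expires_at:
            self.denied_ips, ttl = self.resolver.lookup(self.name)
            self.expires_at = now + ttl

@dataclass
class ObservingController:
    """Controller that learns IPs from the very answers the pod received (the fix direction)."""
    denied_ips: set = field(default_factory=set)

    def tick(self, now, pod_answer):
        self.denied_ips |= set(pod_answer)

def simulate(kind):
    """Return {t: (pod_ip, denied)} at t=10 (old TTL still valid) and t=35 (old TTL expired)."""
    name = "registry-1.docker.io"
    resolver = FakeResolver({name: ({"192.0.2.10"}, 30)})       # constructed record, TTL 30s
    ctl = PollingController(resolver, name) if kind == "polling" else ObservingController()
    ctl.tick(0, resolver.lookup(name)[0])                        # both controllers start at t=0
    resolver.answers[name] = ({"192.0.2.20"}, 30)                # upstream record changes at t=5
    results = {}
    for now in (10, 35):
        pod_ips, _ = resolver.lookup(name)                       # the pod resolves on its own
        ctl.tick(now, pod_ips)                                   # controller gets its chance to update
        pod_ip = next(iter(pod_ips))
        results[now] = (pod_ip, pod_ip in ctl.denied_ips)        # is the pod's destination denied?
    return results
```

With the polling controller the pod reaches 192.0.2.20 undenied at t=10 and is only blocked once the old TTL has expired at t=35; the observing controller denies it at both points.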

            Nadia Pinaeva (npinaeva@redhat.com)
            Huiran Wang
            Jesse Dohmann
            Votes: 0
            Watchers: 6
