Created cluster with PR openshift/console#9610

Issues found so far:
- Creating policy fails with either Ingress or Egress Rules.

Executing Test OCP-41858:
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-41858
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-43358

Steps:

1. User goes to Networking -> NetworkPolicies page, clicks on 'Create NetworkPolicy' button - PASS
   a. Upon loading the form, two radio buttons are loaded to switch between Form View and YAML View.

2. Set value for Policy name, Policy namespace, leave other fields untouched
   a. Create 3 projects, test1, test2 and test3:

```console
:workspaces/cluster_bot % for i in {1..3} ; do oc new-project test$i ; done
Now using project "test1" on server "https://api.ci-ln-nntkjwb-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Now using project "test2" on server "https://api.ci-ln-nntkjwb-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Now using project "test3" on server "https://api.ci-ln-nntkjwb-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

:workspaces/cluster_bot %
```

   b. Create pods and wait for all pods to be Running in all projects:

```console
:workspaces/cluster_bot % for i in {1..3}; do oc create -f list_for_pods.json -n test$i; done
replicationcontroller/test-rc created
service/test-service created
replicationcontroller/test-rc created
service/test-service created
replicationcontroller/test-rc created
service/test-service created
:workspaces/cluster_bot %
```

   c. Navigate to the NetworkPolicy creation form for project test1, only set Policy name and Policy namespace, and Create
   d. Repeat step c. for project test2

Created policies for the test1 and test2 projects with just Policy name set. Note that by default an Ingress policy is created when nothing is specified, i.e. it will block all ingress traffic for all pods in that project, which confirms step e.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test2-policy
  namespace: test2
  uid: a28f4834-eff0-40ae-8f94-6e04ba0ee21f
  resourceVersion: '48804'
  generation: 1
  creationTimestamp: '2021-08-11T15:15:19Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-11T15:15:19Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:policyTypes': {}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```

   e. Until now, we have added a default deny NetworkPolicy for projects test1 and test2
   f. Check the connections on pod1 in project1
      ### Try to visit pod2 in project1 // the same project

```console
:workspaces/oc_scripts % ./display_project_info.sh test2
===================================================================
PROJECT: test2
POD NAME            IP ADDRESS
test-rc-przql       10.129.2.11
test-rc-tw9mj       10.131.0.12
SERVICE NAME        CLUSTER-IP
test-service        172.30.151.193
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % ./display_project_info.sh test1
===================================================================
PROJECT: test1
POD NAME            IP ADDRESS
test-rc-9g9rr       10.128.2.26
test-rc-d4fsl       10.131.0.11
SERVICE NAME        CLUSTER-IP
test-service        172.30.109.164
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % oc rsh test-rc-9g9rr curl 10.129.2.11:8080 -m 5
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
:workspaces/oc_scripts % oc project
Using project "test1" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
:workspaces/oc_scripts %
:workspaces/oc_scripts % oc rsh test-rc-9g9rr
~ $
~ $ curl 10.131.0.11:8080
^C
~ $ curl 10.131.0.11:8080 -m 5
curl: (28) Connection timed out after 5001 milliseconds
~ $
```

      ### Try to visit pod1 in project2 // across project

```console
:workspaces/oc_scripts % oc project test2
Now using project "test2" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
:workspaces/oc_scripts % oc rsh test-rc-przql curl 10.131.0.11:8080
^C
:workspaces/oc_scripts % oc rsh test-rc-przql curl 10.131.0.11:8080 -m 5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
:workspaces/oc_scripts %
:workspaces/oc_scripts % ./display_project_info.sh test3
===================================================================
PROJECT: test3
POD NAME            IP ADDRESS
test-rc-prfc6       10.129.2.12
test-rc-rl4n5       10.131.0.13
SERVICE NAME        CLUSTER-IP
test-service        172.30.152.83
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % oc rsh test-rc-przql curl 10.129.2.12:8080
Hello OpenShift!
:workspaces/oc_scripts %
```

   f. Check the connections on pod1 in project1
      ### Try to visit pod2 in project1 // the same project
   g. Check connections on pod1 in project2
      ### Try to visit pod1 in project2 // across project
   h. Check connections on pod1 in project3
      ### Try to visit pod1 in project3 // across project

```console
workspaces/oc_scripts % oc get pods --all-namespaces | grep -i test- | awk '{print $1, $2}'
test1 test-rc-9g9rr
test1 test-rc-d4fsl
test2 test-rc-przql
test2 test-rc-tw9mj
test3 test-rc-prfc6
test3 test-rc-rl4n5
:workspaces/oc_scripts %
:workspaces/oc_scripts % cat ocp_41858_step1.sh
#!/bin/zsh
i=0
for pod in test-rc-9g9rr test-rc-przql test-rc-prfc6
do
  i=$((i+1))
  oc project "test$i"
  for other_pod in test-rc-d4fsl test-rc-tw9mj test-rc-rl4n5
  do
    echo "checking other pod $other_pod"
    ip=`oc get pods -A -o wide | egrep $other_pod | awk '{print $7}'`
    oc rsh $pod curl $ip:8080 -m 5;
  done
done
:workspaces/oc_scripts %
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Already on project "test1" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
Now using project "test2" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
Now using project "test3" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
```
```console
:workspaces/oc_scripts %
```

Step 3. Try to create a Deny all ingress or Deny all egress networkpolicy via form

Created such policy in project 3:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test3-policy
  namespace: test3
  uid: cc5032dc-50e6-494b-8140-e2a22931931b
  resourceVersion: '76220'
  generation: 1
  creationTimestamp: '2021-08-11T20:20:30Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-11T20:20:30Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:policyTypes': {}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

Verified traffic to project test3 is also denied, i.e. curl is timing out for project 3 pods:

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5006 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
Now using project "test2" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
Now using project "test3" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
:workspaces/oc_scripts %
```

Sub-step in Step 3:
- A `deny-all-egress` networkpolicy should be created with the following YAML

```yaml
.....
spec:
  podSelector: {}
  policyTypes:
    - Egress
```

If only an egress type of rule appears in the networkpolicy, then the networkpolicy will not take effect; that's the case in step 3: the deny-all-egress networkpolicy doesn't take effect.

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
Hello OpenShift!
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
Now using project "test2" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
Hello OpenShift!
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
Now using project "test3" on server "https://api.ci-ln-8vifn6t-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
checking other pod test-rc-d4fsl
Hello OpenShift!
checking other pod test-rc-tw9mj
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod test-rc-rl4n5
Hello OpenShift!
:workspaces/oc_scripts %
```

Verified traffic can flow outside of project 3, i.e. an egress-only deny policy doesn't take effect.
Step 4: try to create a `Deny all ingress and egress` networkpolicy via form, verify the functionality by testing real pod connections
Covered by step 3.

Step 5. Create all kinds of Ingress rules using form; for each networkpolicy, use pods to test actual connections

- deny-all-ingress
- allow-ingress-from-specific-pod-matching-pod-selector-in-same-ns

```console
:workspaces/oc_scripts % oc get pods -l=name
NAME            READY   STATUS    RESTARTS   AGE
test-rc-przql   1/1     Running   0          134m
test-rc-tw9mj   1/1     Running   0          134m
:workspaces/oc_scripts %
```

Created policy:

```yaml
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: test-pods
  policyTypes:
    - Ingress
```

```console
:workspaces/oc_scripts % ./display_project_info.sh test1
===================================================================
PROJECT: test1
POD NAME            IP ADDRESS
test-rc-9g9rr       10.128.2.26
test-rc-d4fsl       10.131.0.11
SERVICE NAME        CLUSTER-IP
test-service        172.30.109.164
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % oc rsh test-rc-9g9rr curl 10.131.0.11:8080
Hello OpenShift!
:workspaces/oc_scripts %
```

- allow-ingress-from-any-pods-only-matching-namespace-selector (rename this to: allow-ingress-from-any-pods-in-same-project)

Created policy:

```yaml
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: 6d9d41a2-c6d0-4f1f-a122-c1846cc6fbf5
  resourceVersion: '60089'
  generation: 1
  creationTimestamp: '2021-08-12T15:18:21Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T15:18:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:ingress': {}
          'f:policyTypes': {}
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}
  policyTypes:
    - Ingress
```

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-dctxj from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %
```

Verified traffic to pods in project test1 from other projects is denied, while traffic from pods in the same project is accepted.

- allow-ingress-from-any-pods-only-matching-pod-selector

Edited label for pod test-rc-jf8j7 in project test1 to have label as test-mod-pod. Pods in other projects have label as test-pod. Created policy in project test1 to have ingress traffic from all projects with labels as test-pod:

```yaml
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: test-pods
          namespaceSelector: {}
  policyTypes:
    - Ingress
```

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %
```

Modified above policy:

```yaml
        - podSelector:
            matchLabels:
              name: test-mod-pods
```

```console
:workspaces/oc_scripts % oc rsh test-rc-772sb curl 10.128.2.14:8080 -m 5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
:workspaces/oc_scripts %
```

Verified traffic to pod test-rc-jf8j7 from any pod that does not have label test-mod-pods is denied, below:

```console
:workspaces/oc_scripts % ./display_project_info.sh test1
===================================================================
PROJECT: test1
POD NAME            IP ADDRESS
test-rc-772sb       10.129.2.12
test-rc-jf8j7       10.128.2.14
test-rc-xbkjx       10.129.2.30
SERVICE NAME        CLUSTER-IP
test-service        172.30.130.227
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts %
:workspaces/oc_scripts % oc rsh test-rc-772sb curl 10.128.2.14:8080 -m 5
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
:workspaces/oc_scripts %
```

- allow-ingress-matching-pod-and-namespace-selector, single pod & ns selector

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: 4fac3a9a-1df5-4736-bb11-f646a0e35862
  resourceVersion: '69702'
  generation: 1
  creationTimestamp: '2021-08-12T15:44:21Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T15:44:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:ingress': {}
          'f:policyTypes': {}
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: test-pods
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: test2
  policyTypes:
    - Ingress
```

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-dctxj from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %
```

Verified pods in project test1 are only reachable from pods in project test2.

- allow-ingress-matching-pod-and-namespace-selector, multiple pod & ns selector

Created pod in project test3 with label app: httpd

Created policy in project test1:

```yaml
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: f0fe99d6-30e1-4ef3-87c9-6092f47e9b7c
  resourceVersion: '75333'
  generation: 1
  creationTimestamp: '2021-08-12T15:59:33Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T15:59:33Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:ingress': {}
          'f:policyTypes': {}
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: httpd
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: test3
        - podSelector:
            matchLabels:
              name: test-pods
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: test2
  policyTypes:
    - Ingress
```

```console
:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-dctxj from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-dctxj from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts % ./display_project_info.sh test3
===================================================================
PROJECT: test3
POD NAME            IP ADDRESS
example             10.128.2.38
test-rc-l4hrr       10.128.2.16
test-rc-sv68x       10.129.2.14
SERVICE NAME        CLUSTER-IP
test-service        172.30.169.235
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % ./display_project_info.sh test1
===================================================================
PROJECT: test1
POD NAME            IP ADDRESS
test-rc-772sb       10.129.2.12
test-rc-jf8j7       10.128.2.14
test-rc-xbkjx       10.129.2.30
SERVICE NAME        CLUSTER-IP
test-service        172.30.130.227
ROUTE NAME          HOSTNAME            PORT
===================================================================
:workspaces/oc_scripts % oc rsh example curl 10.129.2.12:8080
Hello OpenShift!
:workspaces/oc_scripts % oc rsh example curl 10.128.2.14:8080
Hello OpenShift!
:workspaces/oc_scripts % oc rsh example curl 10.129.2.30:8080
Hello OpenShift!
:workspaces/oc_scripts %
```

Verified that from project test3 only traffic from the pod with label app=httpd is accepted by project test1 pods.
- allow-ingress-from-ipblock :workspaces/oc_scripts % for i in test1 test2 test3 ; do ./display_project_info.sh $i ; done =================================================================== PROJECT: test1 POD NAME IP ADDRESS test-rc-772sb 10.129.2.12 test-rc-jf8j7 10.128.2.14 test-rc-xbkjx 10.129.2.30 SERVICE NAME CLUSTER-IP test-service 172.30.130.227 ROUTE NAME HOSTNAME PORT =================================================================== =================================================================== PROJECT: test2 POD NAME IP ADDRESS test-rc-64p5b 10.129.2.13 test-rc-dctxj 10.128.2.15 SERVICE NAME CLUSTER-IP test-service 172.30.203.77 ROUTE NAME HOSTNAME PORT =================================================================== =================================================================== PROJECT: test3 POD NAME IP ADDRESS example 10.128.2.38 test-rc-l4hrr 10.128.2.16 test-rc-sv68x 10.129.2.14 SERVICE NAME CLUSTER-IP test-service 172.30.169.235 ROUTE NAME HOSTNAME PORT =================================================================== :workspaces/oc_scripts % metadata: name: memodi-test-policy namespace: test1 uid: daddea03-55c6-4bcc-abb4-6ee6343e156f resourceVersion: '81582' generation: 1 creationTimestamp: '2021-08-12T16:16:11Z' managedFields: - manager: Mozilla operation: Update apiVersion: networking.k8s.io/v1 time: '2021-08-12T16:16:11Z' fieldsType: FieldsV1 fieldsV1: 'f:spec': 'f:ingress': {} 'f:policyTypes': {} spec: podSelector: {} ingress: - from: - ipBlock: cidr: 10.128.2.16/31 policyTypes: - Ingress This should only allow project test3 pod test-rc-l4hrr to connect to pods in project test1: :workspaces/oc_scripts % ./ocp_41858_step1.sh Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-772sb in project 1 Hello OpenShift! 
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! ----------------------------- Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2 curl: (28) Connection timed out after 5000 milliseconds command terminated with exit code 28 checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! ----------------------------- Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! 
----------------------------- :workspaces/oc_scripts % - allow-ingress-from-multiple-ipblock kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: memodi-test-policy namespace: test1 uid: 7db74fbc-aba0-4c7c-86cc-70295be556dd resourceVersion: '84371' generation: 1 creationTimestamp: '2021-08-12T16:23:56Z' managedFields: - manager: Mozilla operation: Update apiVersion: networking.k8s.io/v1 time: '2021-08-12T16:23:56Z' fieldsType: FieldsV1 fieldsV1: 'f:spec': 'f:ingress': {} 'f:policyTypes': {} spec: podSelector: {} ingress: - from: - ipBlock: cidr: 10.128.2.16/31 - ipBlock: cidr: 10.129.2.12/31 policyTypes: - Ingress Now traffic to pods in project test1 from pod test-rc-64p5b in project test2 and project test3 should be accepted: :workspaces/oc_scripts % ./ocp_41858_step1.sh Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! ----------------------------- Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2 Hello OpenShift! checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! ----------------------------- Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". 
============================ checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! ----------------------------- :workspaces/oc_scripts % - allow-ingress-from-ipblock-but-with-exception - same as deny all since whole ipblock will be removed in OpenShiftSDN plugin cluster kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: memodi-test-policy namespace: test1 uid: 7f0eacf6-35ab-420b-87f6-9b232c19e188 resourceVersion: '86698' generation: 1 creationTimestamp: '2021-08-12T16:30:09Z' managedFields: - manager: Mozilla operation: Update apiVersion: networking.k8s.io/v1 time: '2021-08-12T16:30:09Z' fieldsType: FieldsV1 fieldsV1: 'f:spec': 'f:ingress': {} 'f:policyTypes': {} spec: podSelector: {} ingress: - from: - ipBlock: cidr: 10.128.2.16/31 except: - 10.128.2.16/32 policyTypes: - Ingress :workspaces/oc_scripts % ./ocp_41858_step1.sh Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1 Hello OpenShift! ----------------------------- Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". 
============================ checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2 curl: (28) Connection timed out after 5000 milliseconds command terminated with exit code 28 checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2 Hello OpenShift! ----------------------------- Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443". ============================ checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3 curl: (28) Connection timed out after 5001 milliseconds command terminated with exit code 28 checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3 Hello OpenShift! Verified all ingress traffic to pods in project test1 is blocked when used exceptions with ipblock. 
- allow-ingress-targeting-specific-pods (s/specific-pods/specific-ports/g)

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: 338d2468-c5d5-4bb2-b231-5c80aaf9e48f
  resourceVersion: '89688'
  generation: 1
  creationTimestamp: '2021-08-12T16:38:20Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T16:38:20Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:ingress': {}
          'f:policyTypes': {}
spec:
  podSelector: {}
  ingress:
    - ports:
        - protocol: TCP
          port: 80
      from:
        - ipBlock:
            cidr: 10.128.2.16/31

Pods in project test1 are reachable only from pod test-rc-l4hrr in project test3, over port 80.

:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %

The checks above fail from project test3 because the script uses port 8080.

- allow-ingress-from-specific-multiple-ports

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: e3e74d86-209f-44c9-8ecd-942f9965f519
  resourceVersion: '92278'
  generation: 1
  creationTimestamp: '2021-08-12T16:45:16Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T16:45:16Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:ingress': {}
          'f:policyTypes': {}
spec:
  podSelector: {}
  ingress:
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 8080
      from:
        - ipBlock:
            cidr: 10.128.2.16/31
  policyTypes:
    - Ingress

:workspaces/oc_scripts % ./ocp_41858_step1.sh
Now using project "test1" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-772sb in project 1
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-772sb in project 1
Hello OpenShift!
-----------------------------
Now using project "test2" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-jf8j7 from pod test-rc-64p5b in project 2
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-64p5b in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-5y2vcvk-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-772sb from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-jf8j7 from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
checking other pod to test-rc-sv68x from pod test-rc-l4hrr in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %

Verified that pods in project test3 are able to connect to pods in project test1 over port 8080.

Step 6.
Create all kinds of Egress rules using the form and verify each egress functionality by testing real pod connections.

Note:
- Egress rules need to be tested on an OVN cluster, since egress network policy is not supported when using the OpenShift SDN cluster network provider.
- After each test scenario, remove the NetworkPolicy that was created, to make sure there is no interference between network policies.

Spun up an OVN-K cluster:

:workspaces/cluster_bot % oc get Network.config.openshift.io cluster -o json | jq '.spec.networkType'
"OVNKubernetes"
:workspaces/cluster_bot %
:workspaces/cluster_bot % for i in {1..3}; do oc new-project test$i ; done
Now using project "test1" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Now using project "test2" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Now using project "test3" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby.
Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

:workspaces/cluster_bot %
:workspaces/cluster_bot % for i in {1..3}; do oc create -f list_for_pods.json -n test$i; done
replicationcontroller/test-rc created
service/test-service created
replicationcontroller/test-rc created
service/test-service created
replicationcontroller/test-rc created
service/test-service created
:workspaces/cluster_bot %

- deny-all-egress

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: memodi-test-policy
  namespace: test1
  uid: 76c99b6e-6c00-4b7d-80ef-e197000d0209
  resourceVersion: '48341'
  generation: 1
  creationTimestamp: '2021-08-12T18:25:14Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2021-08-12T18:25:14Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          'f:policyTypes': {}
spec:
  podSelector: {}
  policyTypes:
    - Egress

:workspaces/oc_scripts % ./ocp_41858_step1.sh
Already on project "test1" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-rdjgg from pod test-rc-h6s4m in project 1
curl: (28) Connection timed out after 5001 milliseconds
command terminated with exit code 28
checking other pod to test-rc-kjtfx from pod test-rc-h6s4m in project 1
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
checking other pod to test-rc-ffw7x from pod test-rc-h6s4m in project 1
curl: (28) Connection timed out after 5000 milliseconds
command terminated with exit code 28
-----------------------------
Now using project "test2" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-rdjgg from pod test-rc-2b2mq in project 2
Hello OpenShift!
checking other pod to test-rc-kjtfx from pod test-rc-2b2mq in project 2
Hello OpenShift!
checking other pod to test-rc-ffw7x from pod test-rc-2b2mq in project 2
Hello OpenShift!
-----------------------------
Now using project "test3" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
============================
checking other pod to test-rc-rdjgg from pod test-rc-cggdt in project 3
Hello OpenShift!
checking other pod to test-rc-kjtfx from pod test-rc-cggdt in project 3
Hello OpenShift!
checking other pod to test-rc-ffw7x from pod test-rc-cggdt in project 3
Hello OpenShift!
-----------------------------
:workspaces/oc_scripts %

All egress traffic is denied from pods in project test1, while ingress traffic is allowed.

- allow-egress-to-specific-pod-matching-multiple-pod-selector-in-same-ns

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: memodi-test-policy
  namespace: test1
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: httpd
        - podSelector:
            matchLabels:
              name: test-mod-pods

Created an example pod with the label app=httpd, and labeled test-rc-h6s4m with name=test-mod-pods:

:workspaces/oc_scripts % oc project; oc get pods -o wide
Using project "test1" on server "https://api.ci-ln-c5yy1pt-f76d1.origin-ci-int-gce.dev.openshift.com:6443".
NAME            READY   STATUS    RESTARTS   AGE     IP             NODE                                       NOMINATED NODE   READINESS GATES
example         1/1     Running   0          3m29s   10.128.6.53    ci-ln-c5yy1pt-f76d1-k6mrn-worker-c-w6qxh
test-rc-7r6kx   1/1     Running   0          2m43s   10.128.10.14   ci-ln-c5yy1pt-f76d1-k6mrn-worker-b-5llrv
test-rc-h6s4m   1/1     Running   0          30m     10.128.10.12   ci-ln-c5yy1pt-f76d1-k6mrn-worker-b-5llrv
test-rc-rdjgg   1/1     Running   0          30m     10.128.6.41    ci-ln-c5yy1pt-f76d1-k6mrn-worker-c-w6qxh
:workspaces/oc_scripts % oc rsh test-rc-7r6kx curl 10.128.6.53:8080 | head
Test Page for the HTTP Server on Red Hat Enterprise Linux
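The four policy shapes exercised above (ingress from an ipBlock with an except entry, ingress restricted to specific ports, deny-all-egress, and egress to several podSelectors in the same namespace) each have an expected verdict that follows from the NetworkPolicy API semantics before any pod is probed: policies are additive, a pod that no policy selects in a direction is non-isolated and allows everything, and a connection needs egress permission at the source and ingress permission at the destination. The evaluator below is an added example for this write-up and is not code from the test log, from the console PR, or from any OpenShift component. It models exactly the constructs used on this page (podSelector with matchLabels, ipBlock, numeric ports, policyTypes defaulting) and raises on namespaceSelector, which no policy here uses. The policy dictionaries are transcriptions of the YAML above with server-side metadata dropped; pod names follow the log, but every label, and every IP marked as assumed, is constructed for the example. Because it computes what the API promises, it allows 10.128.2.17 while denying 10.128.2.16 for the except case; the log above records that the OpenShiftSDN plugin dropped the whole block instead, which is the kind of divergence an oracle like this makes visible when compared with the real probe results.

```python
"""Evaluate a pod-to-pod connection against Kubernetes NetworkPolicy objects.
Modelled semantics: policies are additive, a pod no policy selects in a
direction is non-isolated (allow), and a connection needs egress permission at
the source AND ingress permission at the destination.  Covers what this page
uses: podSelector (matchLabels) and ipBlock peers, numeric ports, policyTypes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict


def selector_matches(selector, labels):
    """matchLabels-only label selector; {} or None selects everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, remote, policy_ns):
    """Does one 'from'/'to' peer entry match the remote pod?"""
    if "ipBlock" in peer:
        block, ip = peer["ipBlock"], ipaddress.ip_address(remote.ip)
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        # 'except' carves holes out of the CIDR; the rest of the block stays allowed.
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if "namespaceSelector" in peer:
        raise NotImplementedError("namespaceSelector is not used by the policies on this page")
    # A bare podSelector only matches pods in the policy's own namespace.
    return remote.namespace == policy_ns and selector_matches(peer.get("podSelector"), remote.labels)


def port_matches(ports, protocol, port):
    """An absent or empty 'ports' list means every port and protocol."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def rule_allows(rule, peer_key, remote, port, protocol, policy_ns):
    peers = rule.get(peer_key)  # absent or empty 'from'/'to' means any peer
    peer_ok = not peers or any(peer_matches(p, remote, policy_ns) for p in peers)
    return peer_ok and port_matches(rule.get("ports"), protocol, port)


def policy_types(spec):
    """Explicit policyTypes wins; otherwise Ingress, plus Egress only if egress rules exist."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def direction_allowed(policies, direction, local, remote, port, protocol):
    """'Ingress': local is the destination pod; 'Egress': local is the source pod."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p["spec"] for p in policies
                 if p["metadata"]["namespace"] == local.namespace
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector"), local.labels)]
    if not selecting:
        return True  # nothing isolates the pod in this direction
    # Union across policies: one matching rule in any selecting policy is enough.
    return any(rule_allows(r, peer_key, remote, port, protocol, local.namespace)
               for spec in selecting for r in spec.get(rules_key) or [])


def connection_allowed(policies, src, dst, port, protocol="TCP"):
    return (direction_allowed(policies, "Egress", src, dst, port, protocol)
            and direction_allowed(policies, "Ingress", dst, src, port, protocol))


def np(name, namespace, spec):
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The page's policies, trimmed to the fields that matter for evaluation.
IPBLOCK_WITH_EXCEPTION = np("memodi-test-policy", "test1", {
    "podSelector": {}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "10.128.2.16/31", "except": ["10.128.2.16/32"]}}]}]})
SPECIFIC_PORT = np("memodi-test-policy", "test1", {
    "podSelector": {},  # no policyTypes given, so it defaults to Ingress only
    "ingress": [{"ports": [{"protocol": "TCP", "port": 80}],
                 "from": [{"ipBlock": {"cidr": "10.128.2.16/31"}}]}]})
DENY_ALL_EGRESS = np("memodi-test-policy", "test1", {"podSelector": {}, "policyTypes": ["Egress"]})
EGRESS_TO_PODSELECTORS = np("memodi-test-policy", "test1", {
    "podSelector": {}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "httpd"}}},
                       {"podSelector": {"matchLabels": {"name": "test-mod-pods"}}}]}]})

# Constructed pods: names follow the page; labels and the values marked 'assumed' are not from it.
T1_POD = Pod("test-rc-7r6kx", "test1", "10.128.10.14", {"name": "test-pods"})
T1_HTTPD = Pod("example", "test1", "10.128.6.53", {"app": "httpd"})
T1_MOD = Pod("test-rc-h6s4m", "test1", "10.128.10.12", {"name": "test-mod-pods"})
T2_POD = Pod("test-rc-64p5b", "test2", "10.131.0.20", {"name": "test-pods"})  # IP assumed
T3_POD = Pod("test-rc-l4hrr", "test3", "10.128.2.17", {"name": "test-pods"})  # IP assumed
T3_EXCEPTED = Pod("excepted-peer", "test3", "10.128.2.16", {})                # hypothetical pod

if __name__ == "__main__":
    for pols, src, dst, port in [([IPBLOCK_WITH_EXCEPTION], T3_EXCEPTED, T1_POD, 8080),
                                 ([IPBLOCK_WITH_EXCEPTION], T3_POD, T1_POD, 8080),
                                 ([SPECIFIC_PORT], T3_POD, T1_POD, 8080),
                                 ([DENY_ALL_EGRESS, EGRESS_TO_PODSELECTORS], T1_POD, T1_HTTPD, 8080)]:
        verdict = "ALLOW" if connection_allowed(pols, src, dst, port) else "DENY"
        print(f"{src.name}({src.ip}) -> {dst.name}:{port} {verdict}")
```

The evaluator does not replace the connectivity probes run by the script above; it is the expected-result side of the comparison. The last case in the main block is the one worth keeping in mind when stacking policies: a deny-all-egress policy and an egress-to-podSelector policy on the same pods do not conflict, the allow rule simply adds to the empty rule set, so the combined verdict for test1 to the app=httpd pod is ALLOW.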