Juniper Openstack

[k8s] SG is not created when networkpolicy is created with namespace filter only

Bug #1682700 reported by Vedamurthy Joshi on 2017-04-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Juniper Openstack	Status tracked in Trunk
	Trunk	Fix Committed	High	Yuvaraja Mariappan	Juniper Openstack r4.0.0.0-fcs "r4.0.0.0"

Bug Description

R4.0 3049, with kube-manager latest code

Steps :
            Create a web-label pod S2 in namespace ns1
            Create client labeled-pod C1 in namespace ns1
            Create client labeled-pod C1 in namespace ns2
            Enable namespace isolation in ns0
            HTTP from C1 to S1 and C2 to S1 should fail
            HTTP from C1 to S2 and C2 to S2 should pass
            Create a network policy in ns0 to allow traffic from namespace ns1
                pods on tcp/80
            HTTP from C1 to S1 should pass

After creating the network policy, it is seen that a corresponding SG is not created at all. Traffic is failing

policy object details are shown below

(Pdb) ns0= c1.v1_beta_h.read_namespaced_network_policy('ctest-np--82798207', 'ns0')
(Pdb) print ns0
{'api_version': 'extensions/v1beta1',
'kind': 'NetworkPolicy',
'metadata': {'annotations': None,
              'cluster_name': None,
              'creation_timestamp': u'2017-04-13T18:52:12Z',
              'deletion_grace_period_seconds': None,
              'deletion_timestamp': None,
              'finalizers': None,
              'generate_name': None,
              'generation': 1,
              'labels': None,
              'name': 'ctest-np--82798207',
              'namespace': 'ns0',
              'owner_references': None,
              'resource_version': '1958961',
              'self_link': '/apis/extensions/v1beta1/namespaces/ns0/networkpolicies/ctest-np--82798207',
              'uid': '4e25e5cd-207a-11e7-9677-525400010001'},
'spec': {'ingress': [{'_from': [{'namespace_selector': {'match_expressions': None,
                                                         'match_labels': {u'project': 'ns1'}},
                                  'pod_selector': None}],
                       'ports': [{'port': u'80', 'protocol': 'tcp'}]}],
          'pod_selector': {'match_expressions': None, 'match_labels': None}}}

Tags:

Yuvaraja Mariappan (ymariappan) on 2017-04-14

Changed in juniperopenstack:
assignee:	Yuvaraja Mariappan (ymariappan-u) → ymariappan (ymariappan)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-04-14: [Review update] master

Review in progress for https://review.opencontrail.org/30447
Submitter: Yuvaraja Mariappan

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-04-17: A change has been merged

Reviewed: https://review.opencontrail.org/30447
Committed: http://github.org/Juniper/contrail-controller/commit/68d7ee809f50b45d209c6c45e7dd47da5ed600c2
Submitter: Zuul (<email address hidden>)
Branch: master

commit 68d7ee809f50b45d209c6c45e7dd47da5ed600c2
Author: Yuvaraja Mariappan <email address hidden>
Date: Fri Apr 14 09:36:10 2017 -0700

Fixed select_all issue in network policy in k8s

Fixed select_all issue in network policy in k8s
Closes-bug: #1682700

Change-Id: I2f119da3b702a06b5dbfeb44140422396d1c35c4

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.