[k8s-R5.0-Network-policy]: Pod label with key as "Application" should not be used
Bug #1749902 reported by
Pulkit Tandon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Juniper Openstack |
Won't Fix
|
Medium
|
Dinesh Bakiaraj | ||
Trunk |
Won't Fix
|
Medium
|
Dinesh Bakiaraj |
Bug Description
Configuration:
K8s 1.9.2
R5.0-Newton-
Setup:
5 node setup.
1 Kube master. 3 Controller.
2 Agent+ K8s slaves
The K8s Network policy implementation creates a dedicated APS object in contrail and associate an "Application" label with it which is the project label
If we create PODS (VMI objects) with label having key as "Application", the one at VMI will take precedence.
In that case, the APS will never get applied over the VMI.
Hence, it is recommended not to use the label key as "Application" for a pod in case you plan to use network policies.
I am not sure at this point whether some fix will come for it or not.
Hence keeping it open.
summary: |
- [k8s]: Pod label with key as "Application" should not be used + [k8s-R5.0-Network-policy]: Pod label with key as "Application" should + not be used |
tags: | added: contrail-kube-manager |
To post a comment you must log in.
Label with key "Application" is reserved keyword in Contrail and has special meaning and semantics. undefined. So the recommendation in release 5.0 is to not created Pod's with label key "Application".
If a pod has a label with key "Application", the enforcement of network policy specified for the Pod is not guaranteed/