[K8s-R5.0] Specific policies for ingress and egress deny/allow all rules are having an exception for same namespace
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Won't Fix | High | Dinesh Bakiaraj | |
| Trunk | Won't Fix | High | Dinesh Bakiaraj | |
Bug Description
Configuration:
K8s 1.9.2
R5.0-Newton-
Setup:
5-node setup.
1 Kube master, 3 Controllers.
2 Agents + K8s slaves.
For the following 2 policies, most things work fine except the behavior for the policy's own namespace.
Policy 1:
Egress allow all and Ingress deny all (policy applied on namespace "ns1"):
spec:
  egress:
  - {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
With this policy, the following FW rules get created:
1st rule: Allow "ns1" > "any" (this is because of egress allow all)
2nd rule: Deny "any" > "ns1" (this is because of ingress deny all)
In this case, even though our intent was to deny all ingress, we are able to ping from a pod of ns1 to another pod of ns1 because of the 1st rule. This case is an exception to "deny all Ingress to ns1".
Policy 2:
Ingress allow all and Egress deny all (policy applied on namespace "ns1"):
spec:
  ingress:
  - {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
With this policy, the following FW rules get created:
1st rule: Allow "any" > "ns1" (this is because of egress allow all)
2nd rule: Deny "ns1" > "any" (this is because of ingress deny all)
In this case, even though our intent was to deny all egress, we are able to ping from a pod of ns1 to another pod of ns1 because of the 1st rule. This case is an exception to "deny all Egress from ns1".
Need to find out the expectation here.
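The divergence the description reports, as an added illustration (not code from the bug report or from Contrail): a small model that translates each of the two policies into the ordered FW rules described above, evaluates intra- and cross-namespace flows first-match, and compares the verdict with upstream Kubernetes NetworkPolicy semantics. The allow-by-default verdict for flows matching no rule and the peer namespace name "ns2" are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class NsPolicy:
    """A NetworkPolicy with podSelector {} and policyTypes [Ingress, Egress]:
    each direction is either allow-all ([{}]) or deny-all (no rules)."""
    namespace: str
    ingress_allow_all: bool
    egress_allow_all: bool

# (action, source namespace or "any", destination namespace or "any")
Rule = Tuple[str, str, str]

def k8s_allows(src_ns: str, dst_ns: str, pol: NsPolicy) -> bool:
    """Kubernetes semantics: egress is judged at the source pod, ingress at
    the destination pod, and a flow needs both verdicts to be allow."""
    egress_ok = src_ns != pol.namespace or pol.egress_allow_all
    ingress_ok = dst_ns != pol.namespace or pol.ingress_allow_all
    return egress_ok and ingress_ok

def to_fw_rules(pol: NsPolicy) -> List[Rule]:
    """Ordered FW rules as the report describes them: the allow-all rule
    comes first, the deny-all rule second, each matching on namespace."""
    ns = pol.namespace
    egress: Rule = ("allow" if pol.egress_allow_all else "deny", ns, "any")
    ingress: Rule = ("allow" if pol.ingress_allow_all else "deny", "any", ns)
    return sorted([egress, ingress], key=lambda r: r[0] != "allow")

def fw_allows(src_ns: str, dst_ns: str, rules: List[Rule], default: bool = True) -> bool:
    """First-match evaluation; a flow matching no rule falls through to
    `default` (assumed allow here; the report does not state it)."""
    for action, s, d in rules:
        if s in ("any", src_ns) and d in ("any", dst_ns):
            return action == "allow"
    return default

def divergent_flows(pol: NsPolicy, other_ns: str = "ns2") -> List[Tuple[str, str]]:
    """Flows on which the FW translation and Kubernetes semantics disagree."""
    ns = pol.namespace
    flows = [(ns, ns), (ns, other_ns), (other_ns, ns)]
    rules = to_fw_rules(pol)
    return [f for f in flows if fw_allows(*f, rules) != k8s_allows(*f, pol)]

if __name__ == "__main__":
    policy1 = NsPolicy("ns1", ingress_allow_all=False, egress_allow_all=True)
    policy2 = NsPolicy("ns1", ingress_allow_all=True, egress_allow_all=False)
    for p in (policy1, policy2):
        print(to_fw_rules(p), "diverges on", divergent_flows(p))  # only ("ns1", "ns1")
```

For both policies the only flow where the two evaluations disagree is pod-to-pod traffic inside ns1, which is exactly the same-namespace exception the report describes.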
summary: changed from "[K8s-R5.0] Specific policies for ingress and egress deny/allow all - rules are having a exception for same namespace" to "[K8s-R5.0] Specific policies for ingress and egress deny/allow all rules are having an exception for same namespace"
Pulkit,
The behavior you are observing is the behavior we intend to implement in Contrail. Please refer to this wiki for additional literature. Thanks.
https://github.com/Juniper/contrail-controller/wiki/Kubernetes:-Implementing-Network-Policy-with-Contrail-FW-Policy#cluster-wide-action-enforcement