[K8s-R5.0] Specific policies for ingress and egress deny/allow all rules are having an exception for same namespace

Bug #1750501 reported by Pulkit Tandon
Affects             Status      Importance   Assigned to        Milestone
Juniper Openstack   Won't Fix   High         Dinesh Bakiaraj
  Trunk             Won't Fix   High         Dinesh Bakiaraj

Bug Description

Configuration:
K8s 1.9.2
R5.0-Newton-ubuntu16-175. Dev build patched for K8s NW Policy code.

Setup:
5 node setup.
1 Kube master. 3 Controller.
2 Agent+ K8s slaves

For the following 2 policies, most things work fine except the behavior for the pod's own namespace.

Policy 1:
Egress allow all and Ingress deny all (policy applied on namespace "ns1"):
spec:
  egress:
  - {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

With this policy, the following FW rules get created:
1st rule: Allow "ns1" > "any" (This is because of egress allow all)
2nd rule: Deny any > "ns1" (This is because of ingress deny all)

In this case, even though our intent was to deny all ingress, we are able to ping from a pod of ns1 to another pod of ns1 because of the 1st rule. This case is an exception to deny all ingress to ns1.

Policy 2:
Ingress allow all and Egress deny all (policy applied on namespace "ns1"):
spec:
  ingress:
  - {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

With this policy, the following FW rules get created:
1st rule: Allow any > "ns1" (This is because of egress allow all)
2nd rule: Deny "ns1" > any (This is because of ingress deny all)

In this case, even though our intent was to deny all egress, we are able to ping from a pod of ns1 to another pod of ns1 because of the 1st rule. This case is an exception to deny all egress from ns1.

Need to find out the expectation here.
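The two readings of the same policy that the report is asking about can be put side by side in a small model. The following is an added example and is not code from the bug report or from Contrail: it translates a namespace-wide policy into the two FW rules the report lists (assuming, as both listings show, that the allow rule comes first and that the list is evaluated first-match-wins with an implicit deny at the end), and evaluates the same pod-to-pod pairs under Kubernetes NetworkPolicy semantics, where the source's egress policies and the destination's ingress policies are checked independently and both must permit the connection. The namespace names and the "ns2" peer are constructed for the example.

```python
"""Evaluate a namespace-wide Kubernetes NetworkPolicy two ways:
as an ordered, first-match firewall rule list (the translation the
report describes) and under Kubernetes NetworkPolicy semantics.
Added example; not code from the bug report or from Contrail."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class FwRule:
    action: str  # "allow" or "deny"
    src: str     # source namespace, or ANY
    dst: str     # destination namespace, or ANY

    def matches(self, src_ns: str, dst_ns: str) -> bool:
        return self.src in (ANY, src_ns) and self.dst in (ANY, dst_ns)


@dataclass(frozen=True)
class NsPolicy:
    """A NetworkPolicy with podSelector: {} applied to one namespace.
    An allow-all flag set means the spec carried a single empty rule
    ("- {}") for that direction; unset with the type listed in
    policyTypes means "no rules of that type", i.e. deny all."""
    policy_types: frozenset
    ingress_allow_all: bool = False
    egress_allow_all: bool = False


def fw_rules_from_policy(ns: str, policy: NsPolicy) -> list:
    """Translate into the two rules the report lists. Assumption: the
    allow rule is emitted first, as in both rule listings in the report."""
    rules = []
    if "Egress" in policy.policy_types:
        rules.append(FwRule("allow" if policy.egress_allow_all else "deny", ns, ANY))
    if "Ingress" in policy.policy_types:
        rules.append(FwRule("allow" if policy.ingress_allow_all else "deny", ANY, ns))
    rules.sort(key=lambda r: r.action != "allow")  # allow before deny (stable)
    return rules


def ordered_fw_allows(rules: list, src_ns: str, dst_ns: str) -> bool:
    """Ordered list, first match wins, implicit deny at the end
    (assumed; the report says rule 1 decides the ns1 -> ns1 case)."""
    for rule in rules:
        if rule.matches(src_ns, dst_ns):
            return rule.action == "allow"
    return False


def _direction_allowed(policies: list, direction: str) -> bool:
    typed = [p for p in policies if direction in p.policy_types]
    if not typed:
        return True  # no policy of this type selects the pod: not isolated
    if direction == "Egress":
        return any(p.egress_allow_all for p in typed)
    return any(p.ingress_allow_all for p in typed)


def k8s_allows(policies_by_ns: dict, src_ns: str, dst_ns: str) -> bool:
    """Kubernetes semantics: the source pod's egress policies and the
    destination pod's ingress policies are evaluated independently and
    both must permit the connection."""
    return (_direction_allowed(policies_by_ns.get(src_ns, []), "Egress")
            and _direction_allowed(policies_by_ns.get(dst_ns, []), "Ingress"))


def compare(ns: str, policy: NsPolicy, pairs) -> dict:
    """Return {(src, dst): (ordered_fw_result, k8s_result)} for each pair."""
    rules = fw_rules_from_policy(ns, policy)
    policies_by_ns = {ns: [policy]}
    return {(s, d): (ordered_fw_allows(rules, s, d), k8s_allows(policies_by_ns, s, d))
            for s, d in pairs}


# Policy 1 and Policy 2 from the report; "ns2" is a constructed peer namespace.
POLICY_1 = NsPolicy(frozenset({"Ingress", "Egress"}), egress_allow_all=True)
POLICY_2 = NsPolicy(frozenset({"Ingress", "Egress"}), ingress_allow_all=True)
PAIRS = [("ns1", "ns1"), ("ns1", "ns2"), ("ns2", "ns1")]

if __name__ == "__main__":
    for name, pol in (("Policy 1", POLICY_1), ("Policy 2", POLICY_2)):
        print(name, [f"{r.action} {r.src} > {r.dst}" for r in fw_rules_from_policy("ns1", pol)])
        for (src, dst), (fw, k8s) in compare("ns1", pol, PAIRS).items():
            print(f"  {src} -> {dst}: ordered-fw={fw} k8s={k8s}")
```

Running it shows the divergence the report describes: for both policies the ordered rule list admits ns1 -> ns1 because the allow rule matches first, while the Kubernetes evaluation denies it because the isolated direction (ingress in Policy 1, egress in Policy 2) has no rule that permits the peer; cross-namespace pairs agree under both readings.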

Pulkit Tandon (pulkitt)
summary: [K8s-R5.0] Specific policies for ingress and egress deny/allow all
- rules are having a exception for same namespace
+ rules are having an exception for same namespace
Dinesh Bakiaraj (dineshb) wrote:

Pulkit,

The behavior you are observing is the behavior we intend to implement in Contrail.
Please refer to this wiki for additional literature. Thanks.
https://github.com/Juniper/contrail-controller/wiki/Kubernetes:-Implementing-Network-Policy-with-Contrail-FW-Policy#cluster-wide-action-enforcement

Changed in juniperopenstack:
status: New → Won't Fix