[k8s-R5.0]: Network Policy does not get applied over k8s Ingress

Bug #1776253 reported by Pulkit Tandon on 2018-06-11
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R5.0 | Fix Released | High | Dinesh Bakiaraj | |
| Trunk | Fix Released | High | Dinesh Bakiaraj | |

Bug Description

Facing an issue with Network Policy behavior for K8s Ingress.

2 Namespaces are created (both non-isolated).
A Network Policy is created for namespace NS1 and only namespace NS2 is allowed as Ingress.

```
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: 2018-06-11T09:54:26Z
  generation: 1
  name: ingress-on-k8s-ingress-fanout
  namespace: ctest-new-default-61382091
  resourceVersion: "51880"
  selfLink: /apis/extensions/v1beta1/namespaces/ctest-new-default-61382091/networkpolicies/ingress-on-k8s-ingress-fanout
  uid: 6d36c4e8-6d5d-11e8-92e8-002590c3afaa
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          site_for_ns: ctest-non-default-12933858
  podSelector: {}
  policyTypes:
  - Ingress
```

wget from a Pod of NS2 to Ingress in NS1 fails.
It's hitting the k8s-denyall policy.

The reason debugged by Dinesh is that the tag on VMI for ingress has cluster-name("k8s") prepended as
"k8s-ctest-new-default-61382091-testingress"

The fw policy created does not have the cluster name prefix:
ingress=ctest-new-default-61382091-testingress>k8s-svc=ctest-nginx-svc-21407555
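
The mismatch described above can be caught by checking every tag a firewall rule names against the tags actually attached to interfaces. The following is an added example, not part of the original report or of the Contrail code base: `parse_rule`, `audit`, the `type=value>type=value` rule layout and the `k8s-svc` tag attachment are assumptions built from the two strings quoted in the description.

```python
import re

# Rule-name layout "type=value>type=value" is inferred from the single rule
# string quoted in this report (assumption, not a documented format).
RULE_RE = re.compile(r"^(?P<st>[\w-]+)=(?P<sv>[^>]+)>(?P<dt>[\w-]+)=(?P<dv>.+)$")

def parse_rule(name):
    """Split a rule name into its two (tag_type, tag_value) endpoints."""
    m = RULE_RE.match(name)
    if not m:
        raise ValueError("unrecognised rule name: %r" % name)
    return (m["st"], m["sv"]), (m["dt"], m["dv"])

def audit(rule_names, attached_tags, cluster):
    """Report rule endpoints whose tag is attached to no interface.

    A rule that names an unattached tag never matches traffic, so the
    flow falls through to the deny-all policy.
    """
    findings = []
    for name in rule_names:
        for ttype, value in parse_rule(name):
            if (ttype, value) in attached_tags:
                continue
            # Check whether only the cluster-name prefix is missing.
            prefixed = (ttype, "%s-%s" % (cluster, value))
            cause = ("missing-cluster-prefix" if prefixed in attached_tags
                     else "no-such-tag")
            findings.append({"rule": name,
                             "tag": "%s=%s" % (ttype, value),
                             "cause": cause})
    return findings

# Constructed sample data. The ingress tag value and the first rule name are
# the strings quoted in the report; everything else is assumed.
ATTACHED = {
    ("ingress", "k8s-ctest-new-default-61382091-testingress"),
    ("k8s-svc", "ctest-nginx-svc-21407555"),  # assumed attached as written
}
BROKEN = ("ingress=ctest-new-default-61382091-testingress"
          ">k8s-svc=ctest-nginx-svc-21407555")
FIXED = ("ingress=k8s-ctest-new-default-61382091-testingress"
         ">k8s-svc=ctest-nginx-svc-21407555")  # constructed for comparison

if __name__ == "__main__":
    for finding in audit([BROKEN, FIXED], ATTACHED, "k8s"):
        print(finding)
```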

Review in progress for https://review.opencontrail.org/43765
Submitter: Dinesh Bakiaraj (<email address hidden>)

Review in progress for https://review.opencontrail.org/43766
Submitter: Dinesh Bakiaraj (<email address hidden>)

Reviewed: https://review.opencontrail.org/43766
Committed: http://github.com/Juniper/contrail-controller/commit/27eb68f4da28eee83af07f57f1d8a0b79a651ede
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 27eb68f4da28eee83af07f57f1d8a0b79a651ede
Author: dineshb-jnpr <email address hidden>
Date: Tue Jun 12 16:26:06 2018 -0700

Rename Ingress FW rule to prepend Cluster name

Contrail Security Firewall created for Ingress objects in K8s
should be prepended with name of the cluster for multi-cluster
support.

Change-Id: I5d0d65cd5acb0fe3400c73b3d951d4e2d970ee88
Closes-Bug: #1776253

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/43765
Committed: http://github.com/Juniper/contrail-controller/commit/45e5f47c7ff7d6fd5c4af9f729ae007155cb89b3
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 45e5f47c7ff7d6fd5c4af9f729ae007155cb89b3
Author: dineshb-jnpr <email address hidden>
Date: Tue Jun 12 16:26:06 2018 -0700

Rename Ingress FW rule to prepend Cluster name

Contrail Security Firewall created for Ingress objects in K8s
should be prepended with name of the cluster for multi-cluster
support.

Change-Id: I5d0d65cd5acb0fe3400c73b3d951d4e2d970ee88
Closes-Bug: #1776253

Pulkit Tandon (pulkitt) wrote :

Fixed long back. Many sanity runs have happened after the fix and the problem was not observed.
Latest runs to refer are R5.0-132 and master-174.

Closing the bug
