Bug 1367364 - [networking_public_244] Traffic is not dropped immediately when merging a project without an EgressNetworkPolicy into a project with an EgressNetworkPolicy
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Dan Winship
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-16 09:32 UTC by Yan Du
Modified: 2017-10-18 16:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-18 16:43:18 UTC



Description Yan Du 2016-08-16 09:32:41 UTC
Description of problem:
Traffic is not dropped immediately when merging a project without an EgressNetworkPolicy into a project with an EgressNetworkPolicy.

Version-Release number of selected component (if applicable):
openshift v3.3.0.21
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git



How reproducible:
Always



Steps to Reproduce:
1. Create two projects: p5, p6
# oc get netnamespace
NAME               NETID
p5                 17
p6                 19

2. Create a pod in each of the two projects

3. Create an egressnetworkpolicy in project p5 as cluster admin and check the OpenFlow rules
{
    "kind": "EgressNetworkPolicy",
    "apiVersion": "v1",
    "metadata": {
        "name": "default"
    },
    "spec": {
        "egress": [
            {
                "type": "Allow",
                "to": {
                    "cidrSelector": "10.66.128.0/24"
                }
            },
            {
                "type": "Deny",
                "to": {
                    "cidrSelector": "10.66.140.0/24"
                }
            }
        ]
    }
}

# ovs-ofctl dump-flows br0 -O openflow13
 cookie=0x0, duration=3.726s, table=9, n_packets=0, n_bytes=0, priority=2,ip,reg0=0x11,nw_dst=10.66.128.0/24 actions=output:2
 cookie=0x0, duration=3.719s, table=9, n_packets=0, n_bytes=0, priority=1,ip,reg0=0x11,nw_dst=10.66.140.0/24 actions=drop
 
4. Join the project without an egressnetworkpolicy (p6) to the project with an egressnetworkpolicy (p5) as cluster admin
# oadm pod-network join-projects  --to=p5 p6
# oc get netnamespace
p5                 17
p6                 17

5. Check the node log and the OpenFlow rules
 cookie=0x0, duration=80.067s, table=9, n_packets=0, n_bytes=0, priority=2,ip,reg0=0x11,nw_dst=10.66.128.0/24 actions=output:2
 cookie=0x0, duration=80.060s, table=9, n_packets=0, n_bytes=0, priority=1,ip,reg0=0x11,nw_dst=10.66.140.0/24 actions=drop

6. Enter a pod in each project and try to connect to the IP addresses in the allow/deny lists of the egressnetworkpolicy

7. Wait a few minutes, then check the node log and the OpenFlow rules again

Actual results:
5. The warning "EgressNetworkPolicy not allowed in shared NetNamespace; dropping all traffic" does not appear in the node log, and the OpenFlow rules are the same as before join-projects

6. The policy still takes effect after joining the projects: connections to the IP addresses in the allow/deny lists succeed/fail accordingly.

7. After a few minutes the warning message "EgressNetworkPolicy not allowed in shared NetNamespace (p6, p5); dropping all traffic" appears; the node log is in Additional info


Expected results:
5. The warning message should appear in the node log immediately
6. All traffic should be dropped immediately after join-projects

Additional info:
Node log as below:
Aug  16 17:04:20 ose-node1.bmeng.local atomic-openshift-node[8492]: I0816  17:04:20.591823    8492 vnids.go:114] Associate netid 17 to namespace  "p5"
Aug  16 17:04:22 ose-node1.bmeng.local atomic-openshift-node[8492]: I0816  17:04:22.032268    8492 vnids.go:114] Associate netid 19 to namespace  "p6"
Aug  16 17:05:08 ose-node1.bmeng.local atomic-openshift-node[8492]: I0816  17:05:08.192495    8492 vnids.go:114] Associate netid 17 to namespace  "p6"
Aug  16 17:10:31 ose-node1.bmeng.local atomic-openshift-node[8492]: E0816  17:10:31.163152    8492 controller.go:447] EgressNetworkPolicy not  allowed in shared NetNamespace (p5, p6); dropping all traffic

If we instead join the project with an egressnetworkpolicy (p5) to the project without one (p6)
# oadm pod-network join-projects  --to=p6 p5
the warning message "EgressNetworkPolicy not allowed in shared NetNamespace (p6, p5); dropping all traffic" appears in the node log immediately
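A pre-flight check for the join in step 4, added here as an example; it is not code from the bug report or from OpenShift. It parses constructed copies of the `oc get netnamespace`, `oc get egressnetworkpolicy --all-namespaces -o json` and `ovs-ofctl dump-flows br0 -O openflow13` output shown above (the policy list wrapper, its namespace field and the extra `default` row are assumptions) and flags any NETID (VNID) shared by more than one project while one of them owns an EgressNetworkPolicy, which is the state the node eventually logs as "EgressNetworkPolicy not allowed in shared NetNamespace ... dropping all traffic". The flow parser shows why the policy keeps applying in the meantime: the table 9 rules match on reg0, which carries the VNID, and after the join both p5 and p6 pods carry VNID 17.

```python
"""Pre-flight check before `oadm pod-network join-projects` on the multitenant SDN.

Added example, not code from the bug report or from OpenShift. Inputs below are
constructed copies of the command output shown in the report.
"""
import json
import re
from collections import defaultdict

# Constructed: `oc get netnamespace` after step 4 (p6 now shares NETID 17 with p5).
# The `default` row is an assumption added to show a VNID with no conflict.
NETNAMESPACE_OUTPUT = """\
NAME               NETID
default            0
p5                 17
p6                 17
"""

# Constructed: `oc get egressnetworkpolicy --all-namespaces -o json`. The policy body
# is the one from step 3; the List wrapper and the namespace field are assumptions.
EGRESS_POLICY_LIST = json.dumps({
    "kind": "List",
    "apiVersion": "v1",
    "items": [{
        "kind": "EgressNetworkPolicy",
        "apiVersion": "v1",
        "metadata": {"name": "default", "namespace": "p5"},
        "spec": {"egress": [
            {"type": "Allow", "to": {"cidrSelector": "10.66.128.0/24"}},
            {"type": "Deny", "to": {"cidrSelector": "10.66.140.0/24"}},
        ]},
    }],
})

# Constructed: the two table 9 flows from `ovs-ofctl dump-flows br0 -O openflow13` in step 3.
FLOW_DUMP = """\
 cookie=0x0, duration=3.726s, table=9, n_packets=0, n_bytes=0, priority=2,ip,reg0=0x11,nw_dst=10.66.128.0/24 actions=output:2
 cookie=0x0, duration=3.719s, table=9, n_packets=0, n_bytes=0, priority=1,ip,reg0=0x11,nw_dst=10.66.140.0/24 actions=drop
"""

FLOW_RE = re.compile(
    r"table=(?P<table>\d+),.*?priority=(?P<prio>\d+),ip,reg0=0x(?P<vnid>[0-9a-f]+),"
    r"nw_dst=(?P<dst>\S+) actions=(?P<action>\S+)"
)


def parse_netnamespaces(text):
    """Map project name -> VNID from `oc get netnamespace` output (header line skipped)."""
    netids = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            netids[fields[0]] = int(fields[1])
    return netids


def policy_namespaces(list_json):
    """Set of namespaces that own at least one EgressNetworkPolicy."""
    return {item["metadata"]["namespace"] for item in json.loads(list_json)["items"]}


def shared_vnid_conflicts(netids, with_policy):
    """VNID -> sorted project names, for every VNID shared by more than one project
    where at least one of those projects has an EgressNetworkPolicy. That is the
    state the node reports as 'EgressNetworkPolicy not allowed in shared NetNamespace'."""
    by_vnid = defaultdict(list)
    for name, vnid in netids.items():
        by_vnid[vnid].append(name)
    return {
        vnid: sorted(names)
        for vnid, names in by_vnid.items()
        if len(names) > 1 and any(n in with_policy for n in names)
    }


def egress_flows_for_vnid(flow_dump, vnid, table=9):
    """Egress policy rules installed for one VNID, highest priority first. The match
    is on reg0 (the VNID in hex), so every project mapped to that VNID hits them."""
    rules = []
    for m in FLOW_RE.finditer(flow_dump):
        if int(m["table"]) == table and int(m["vnid"], 16) == vnid:
            rules.append((int(m["prio"]), m["dst"], m["action"]))
    return sorted(rules, reverse=True)


def preflight_report(netns_text=NETNAMESPACE_OUTPUT, policies_json=EGRESS_POLICY_LIST):
    """One warning line per conflicting VNID; an empty list means the join is safe."""
    conflicts = shared_vnid_conflicts(parse_netnamespaces(netns_text),
                                      policy_namespaces(policies_json))
    return [
        f"VNID {vnid} shared by {', '.join(names)} but an EgressNetworkPolicy "
        f"exists there; the node will drop all traffic for it"
        for vnid, names in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for line in preflight_report():
        print(line)
    for prio, dst, action in egress_flows_for_vnid(FLOW_DUMP, 17):
        print(f"vnid 17 table 9 priority={prio} nw_dst={dst} -> {action}")
```

Run it against the live outputs before joining, not after: once the NetNamespaces share a NETID the only safe states are to delete the policy or to run `oadm pod-network isolate-projects` on one of them, and the node will not tell you for several minutes.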

Comment 1 Dan Winship 2016-08-16 20:23:07 UTC
I'm not sure this should really count as a bug (or at least a blocker); merging namespaces containing EgressNetworkPolicies is undefined behavior. The traffic dropping is there to call attention to the fact that you've done something wrong and force you to change it. (And the fix would require changing some code elsewhere in a slightly messy way, and wouldn't really help anything other than making this error case work better.)

Comment 2 Eric Paris 2016-08-17 19:57:36 UTC
As they say, this will eventually work correctly and is documented as unspecified behaviour. This should be better in 3.4 if NetworkPolicy lands. Will push from 3.3.

Comment 3 Ben Bennett 2016-08-24 13:10:46 UTC
*** Bug 1369750 has been marked as a duplicate of this bug. ***

Comment 4 Meng Bo 2016-08-31 06:13:37 UTC
Reducing the severity due to comment #1.

Comment 5 Dan Winship 2017-10-18 16:43:18 UTC
The eventual "fix" for this is that eventually everyone will be using NetworkPolicy not multitenant. We're not likely to improve the behavior in the multitenant case (particularly since, as noted, the behavior is explicitly documented as undefined).