Bug 1600403 - [converged] Should hide 'Default Network Policy' when networkplugin was not openshift-ovs-networkpolicy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.11.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1601750
Reported: 2018-07-12 07:51 UTC by shahan
Modified: 2018-07-17 07:43 UTC

Fixed In Version:
Doc Text:
Clone Of:
Clones: 1601750
Environment:
Last Closed: 2018-07-13 15:42:26 UTC
Target Upstream Version:



Description shahan 2018-07-12 07:51:48 UTC
Description of problem:

  When the cluster network plugin is openshift-ovs-networkpolicy, setting the project network policy to "Deny all inbound traffic" could block connections from other projects. However, when the cluster network plugin is not openshift-ovs-networkpolicy, "Deny all inbound traffic" will not take effect; that is, "Deny all inbound traffic" only takes effect for openshift-ovs-networkpolicy. So it's better to hide 'Default Network Policy' when the network plugin is not openshift-ovs-networkpolicy, or give some info to indicate that it will not work without openshift-ovs-networkpolicy.

Version-Release number of selected component (if applicable):
docker.io/openshift/origin-console  05d4854074d5 

How reproducible:
Always

Steps to Reproduce:
1. Use an OpenShift cluster with the network plugin set to openshift-ovs-subnet
2. Create project test in the projects page, select 'Deny all inbound traffic'
3. Check whether pods from other projects can connect to pods in project test successfully
  $ curl --connect-timeout 5  <pod-ip>:8080

Actual results:
3. Pods from other projects could ping pods in project test; the 'Deny all inbound traffic' policy doesn't take effect.

Expected results:
  Should hide 'Default Network Policy' when the network plugin is not openshift-ovs-networkpolicy, or give some warning to indicate that the current cluster does not actually support networkpolicy.

Additional info:

Comment 1 Samuel Padgett 2018-07-12 14:17:19 UTC
We have no way to know what network plugin is enabled. I think the best course is to always hide it in the dialog, so it's not as front and center. It's still possible to create network policies later.

Comment 2 Samuel Padgett 2018-07-12 14:20:00 UTC
https://github.com/openshift/console/pull/230

Comment 3 Samuel Padgett 2018-07-12 15:07:23 UTC
Note that the dropdown is now always hidden in the create project regardless of what network plugin is enabled.

Comment 4 shahan 2018-07-13 07:01:17 UTC
Tested the issue with the new console build; it has been fixed. There is no selection for the networkpolicy setting while creating a project.

