Presence of network policy breaks host network pod from connecting to a cluster network pod #10405

Description

@diversario

Bug report

When a network policy exists in a namespace A that allows ingress from namespace B, pods with hostNetwork: true in namespace B cannot reach pods on the cluster network in namespace A. Deleting the network policy in namespace A allows ingress. Pods on the cluster network in namespaces A and B are unaffected by this.

General Information

  • Cilium version (run cilium version)
    Client: 1.7.0 adeaf8c04 2020-02-18T21:41:10+01:00 go version go1.13.8 linux/amd64
    Daemon: 1.7.0 adeaf8c04 2020-02-18T21:41:10+01:00 go version go1.13.8 linux/amd64
  • Kernel version (run uname -a)
    Linux ip-10-105-11-126 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u2 (2019-11-11) x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use (e.g. kubectl version, Mesos, ...)
    $ kubectl version
    Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
    Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.6", GitCommit:"7015f71e75f670eb9e7ebd4b5749639d42e20079", GitTreeState:"clean", BuildDate:"2019-11-13T11:11:50Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Upload a system dump (run curl -sLO https://github.com/cilium/cilium-sysdump/releases/latest/download/cilium-sysdump.zip && python cilium-sysdump.zip and then attach the generated zip file)
    cilium-sysdump-20200302-170851.zip

How to reproduce the issue

  1. Create namespaces, pods and netpols: https://gist.github.com/diversario/fd276abee55b8fbb7f39c9cd983adfba
  2. On the cluster-network/toolbox-cluster-network pod run nc -l -p 80 -s 0.0.0.0
  3. On the host-network/toolbox-host-network pod run curl <toolbox-cluster-network IP address>. Observe no activity in the toolbox-cluster-network pod.
  4. Remove the network policy from the cluster-network.
  5. Repeat steps 2 and 3. Observe activity in the toolbox-cluster-network pod.
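As an added illustration (not the reporter's gist, whose contents are not reproduced on this page), the two policy shapes relevant to the steps above. The first is a Kubernetes NetworkPolicy of the kind the report describes, admitting ingress to cluster-network by namespace label; Cilium attributes traffic from hostNetwork pods to the node they run on, i.e. the reserved host (same node) and remote-node (other nodes) entities, not to the pod's namespace labels, so a namespaceSelector on its own never matches such a source. The second is a CiliumNetworkPolicy that admits those entities explicitly. Policy names, the name=host-network namespace label and the port are assumptions.

```yaml
# Added example, not the reporter's gist. Assumptions: the namespace
# host-network carries the label name=host-network, and the listener in
# step 2 is on TCP port 80.
---
# Policy of the kind the report describes: allow ingress to every pod in
# cluster-network from any pod in a namespace labelled name=host-network.
# A pod with hostNetwork: true in that namespace is not matched, because
# Cilium identifies it by the node it runs on, not by namespace labels.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-host-network-ns
  namespace: cluster-network
spec:
  podSelector: {}          # every pod in cluster-network
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: host-network
      ports:
        - protocol: TCP
          port: 80
---
# One way to admit host-network sources explicitly: select the reserved
# entities that Cilium assigns to hostNetwork pods. host covers pods on the
# same node as the destination, remote-node covers pods on other nodes.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-from-host-network-pods
  namespace: cluster-network
spec:
  endpointSelector: {}     # every endpoint in cluster-network
  ingress:
    - fromEntities:
        - host
        - remote-node
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
```

Note that the entity rule admits every process in the host network namespace of those nodes, not only the pods in namespace B, so keep the port list as narrow as the workload allows and pair it with the namespace-scoped policy rather than replacing it.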

Labels

  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, e.g. via Slack.