Description
Is this an ISSUE or FEATURE REQUEST? (choose one):
ISSUE
Which release version?:
v1.0.33
Which component (CNI/IPAM/CNM/CNS):
CNI & NPM
Which Operating System (Linux/Windows):
Linux
For Linux: Include Distro and kernel version using "uname -a"
Linux aks-nodepool1-85368712-vmss000000 4.15.0-1071-azure #76-Ubuntu SMP Wed Feb 12 03:02:44 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Which Orchestrator and version (e.g. Kubernetes, Docker)
Kubernetes
What happened:
I have a server pod with ports 80 and 81 exposed, and only port 80 is allowed (by port name) through a network policy, but it turns out both 80 and 81 are reachable from outside this pod.
I tested this by running `wget service_name.service_namespace:80` (and `:81`) from a client pod.
What you expected to happen:
Only port 80 should be reachable from outside the server pod.
How to reproduce it (as minimally and precisely as possible):
```yaml
apiVersion: v1
kind: Pod
metadata:
  generateName: access-server
  labels:
    app: server
  name: access-serverbxhl4
  namespace: e2e-bqhboou21s78hj9mnud0
spec:
  containers:
  - args:
    - python -m SimpleHTTPServer 80
    command:
    - sh
    - -c
    image: python:2.7.11-alpine
    imagePullPolicy: IfNotPresent
    name: pod-container-80
    ports:
    - containerPort: 80
      name: serve-80
      protocol: TCP
  - args:
    - python -m SimpleHTTPServer 81
    command:
    - sh
    - -c
    image: python:2.7.11-alpine
    imagePullPolicy: IfNotPresent
    name: pod-container-81
    ports:
    - containerPort: 81
      name: serve-81
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2020-04-24T10:16:03Z"
  generateName: svc-access-server
  name: svc-access-serverdt46q
  namespace: e2e-bqhboou21s78hj9mnud0
  resourceVersion: "122092"
  selfLink: /api/v1/namespaces/e2e-bqhboou21s78hj9mnud0/services/svc-access-serverdt46q
  uid: ade02506-ef2b-4a97-8984-1870a03cfe90
spec:
  clusterIP: 10.0.134.123
  ports:
  - name: serve-80
    port: 80
    protocol: TCP
    targetPort: 80
  - name: serve-81
    port: 81
    protocol: TCP
    targetPort: 81
  selector:
    app: server
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
# network policy allows only port 80 (referenced by its container port name)
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: "2020-04-24T10:16:03Z"
  generation: 2
  name: allow-client-a-via-named-port-ingress-rule
  namespace: e2e-bqhboou21s78hj9mnud0
  resourceVersion: "140074"
  selfLink: /apis/extensions/v1beta1/namespaces/e2e-bqhboou21s78hj9mnud0/networkpolicies/allow-client-a-via-named-port-ingress-rule
  uid: 87b55251-fad2-456d-8e5c-2186f232546d
spec:
  ingress:
  - ports:
    - port: serve-80
      protocol: TCP
  podSelector:
    matchLabels:
      app: server
  policyTypes:
  - Ingress
```
Anything else we need to know:
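The policy above references the port by its container port name (`serve-80`), so a policy engine has to resolve that name against the selected pod's `containerPort` entries before it can program a numeric rule; if the name is not resolved, the expected result is a closed port, never a wider allow-list. The following is an added example, not code from the issue or from the azure-container-networking project: it performs that resolution on the pod and NetworkPolicy manifests from the report (embedded as Python dicts, constructed inline) and compares the resulting allow-list against a reachability probe like the reporter's `wget`, listing any port that was reachable but not allowed. The probe result dict is constructed to match what the reporter observed (both ports open); the function and variable names are the example's own.

```python
"""Resolve named ports in a NetworkPolicy and flag enforcement gaps.

Added example: the manifests below are transcribed from the issue into
plain dicts (constructed inline, no YAML parser needed). Nothing here is
taken from the NPM code base.
"""
from typing import Dict, List, Optional, Set, Tuple

# Server pod from the report: two containers, named ports serve-80 and serve-81.
SERVER_POD = {
    "metadata": {"labels": {"app": "server"}},
    "spec": {
        "containers": [
            {"name": "pod-container-80",
             "ports": [{"containerPort": 80, "name": "serve-80", "protocol": "TCP"}]},
            {"name": "pod-container-81",
             "ports": [{"containerPort": 81, "name": "serve-81", "protocol": "TCP"}]},
        ]
    },
}

# NetworkPolicy from the report: ingress allowed only on the named port serve-80.
NETWORK_POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "server"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"ports": [{"port": "serve-80", "protocol": "TCP"}]}],
    }
}


def pod_matches(pod: dict, selector: dict) -> bool:
    """True when every matchLabels entry of the selector is present on the pod."""
    labels = pod.get("metadata", {}).get("labels", {})
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def container_port_table(pod: dict) -> Dict[Tuple[str, str], int]:
    """Map (portName, protocol) -> containerPort for every named port the pod declares."""
    table: Dict[Tuple[str, str], int] = {}
    for container in pod["spec"].get("containers", []):
        for p in container.get("ports", []):
            if "name" in p:
                table[(p["name"], p.get("protocol", "TCP"))] = p["containerPort"]
    return table


def resolve_ingress_ports(policy: dict, pod: dict) -> Optional[Set[Tuple[str, int]]]:
    """Return the (protocol, numericPort) pairs the policy allows on this pod.

    None means "all ports" (an ingress rule with no ports list, per the API).
    A named port the pod does not declare resolves to nothing: an unresolved
    name must fail closed, not widen the allow-list.
    """
    spec = policy["spec"]
    if not pod_matches(pod, spec.get("podSelector", {})):
        return set()
    names = container_port_table(pod)
    allowed: Set[Tuple[str, int]] = set()
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")
        if not ports:
            return None
        for p in ports:
            proto = p.get("protocol", "TCP")
            port = p["port"]
            if isinstance(port, int):
                allowed.add((proto, port))
            elif (port, proto) in names:
                allowed.add((proto, names[(port, proto)]))
    return allowed


def enforcement_gaps(policy: dict, pod: dict, observed: Dict[int, bool],
                     proto: str = "TCP") -> List[int]:
    """Ports that were reachable although the policy does not allow them.

    `observed` is {port: reachable} from a probe such as the wget in the issue.
    """
    allowed = resolve_ingress_ports(policy, pod)
    if allowed is None:
        return []
    numeric = {port for pr, port in allowed if pr == proto}
    return sorted(port for port, reachable in observed.items()
                  if reachable and port not in numeric)


if __name__ == "__main__":
    # Constructed probe result reproducing what the reporter saw: both ports open.
    probe = {80: True, 81: True}
    print("allowed:", resolve_ingress_ports(NETWORK_POLICY, SERVER_POD))
    print("reachable but not allowed:", enforcement_gaps(NETWORK_POLICY, SERVER_POD, probe))
```

Run as a script it reports port 81 as reachable but not allowed, which is the gap the issue describes; feeding it `{80: True, 81: False}` (the expected behaviour) returns an empty list, so the same function works as a regression check after a fix.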