network policy doesn't work (even deny all) #1181
Comments
@nsxdemo thanks for reporting. However, I cannot reproduce it with master builds. Could you share the status and the logs of the antrea-controller and antrea-agent Pods? You may use
Hi, I'm seeing a similar issue with v0.9.1.
@yktsubo could you share logs? I cannot reproduce with 0.9.1 either.
The applied policy is
Here is the list of pods running in the namespace
What I found is that table 60 doesn't have the correct flows to block traffic on either node-1 or node-2.
Here is the example from node1
From my understanding, node-1 should block traffic from 172.16.1.8 and 172.16.1.6 to the outside.
Thanks @yktsubo for sharing the information and providing a way to reproduce it. After dumping the goroutines, there was indeed a deadlock when updating a ClusterNetworkPolicy rule:
The mutex is acquired twice if there are any stale OpenFlow rules that need to be deleted for a ClusterNetworkPolicy: Then all workers that were reconciling ClusterNetworkPolicies would be pending on the lock, so normal NetworkPolicies could not be reconciled either. @Dyanngg could you consider a fix and check if there are other similar issues?
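The failure mode described in the comment above, as a runnable Go sketch. This is an added example and not Antrea's code: the reconciler, rule IDs and flow IDs are hypothetical, and the fix shown is the usual idiom for a non-reentrant `sync.Mutex`, a helper whose `Locked` suffix records that the caller already holds the lock. The point it makes beyond the prose is that only the stale-flow path locks twice, so the first reconcile of a rule succeeds, the first update that drops a flow hangs, and from then on every other worker sharing the mutex, including one handling a plain NetworkPolicy, is stuck behind it.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// ruleReconciler is a toy stand-in for an agent-side policy reconciler: the
// flow IDs installed per rule live behind one mutex. Hypothetical, not Antrea's code.
type ruleReconciler struct {
	mu        sync.Mutex
	installed map[string][]string // rule ID -> installed flow IDs
}

func newRuleReconciler() *ruleReconciler {
	return &ruleReconciler{installed: make(map[string][]string)}
}

// hasStaleFlowsLocked reports whether an installed flow is absent from the updated rule. Caller holds r.mu.
func (r *ruleReconciler) hasStaleFlowsLocked(ruleID string, want []string) bool {
	keep := make(map[string]bool, len(want))
	for _, f := range want {
		keep[f] = true
	}
	for _, f := range r.installed[ruleID] {
		if !keep[f] {
			return true
		}
	}
	return false
}

// uninstallLocked drops the rule's old flows; the suffix records that the caller holds r.mu (the fix).
func (r *ruleReconciler) uninstallLocked(ruleID string) {
	delete(r.installed, ruleID)
}

// uninstallBuggy takes r.mu itself: sync.Mutex is not reentrant, so called while r.mu is held it blocks forever.
func (r *ruleReconciler) uninstallBuggy(ruleID string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.uninstallLocked(ruleID)
}

// updateRuleBuggy holds r.mu across the update and, only when stale flows exist, calls the helper that locks again.
func (r *ruleReconciler) updateRuleBuggy(ruleID string, flows []string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.hasStaleFlowsLocked(ruleID, flows) {
		r.uninstallBuggy(ruleID) // second Lock on r.mu: hangs here
	}
	r.installed[ruleID] = flows
}

// updateRule is the fixed version: r.mu is acquired exactly once per update.
func (r *ruleReconciler) updateRule(ruleID string, flows []string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.hasStaleFlowsLocked(ruleID, flows) {
		r.uninstallLocked(ruleID)
	}
	r.installed[ruleID] = flows
}

// completesWithin runs fn on its own goroutine and reports whether it returned before the timeout,
// so a deadlock shows up as false instead of hanging the caller.
func completesWithin(fn func(), d time.Duration) bool {
	done := make(chan struct{})
	go func() { fn(); close(done) }()
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

// demoResult records which reconcile calls returned within the timeout.
type demoResult struct {
	BuggyFreshRule   bool // no stale flows, single Lock: completes
	BuggyStaleRule   bool // stale flow, nested Lock: hangs
	BuggyOtherWorker bool // unrelated rule, same mutex: stuck behind the hung worker
	FixedStaleRule   bool // same stale-flow update on the fixed path: completes
}

func runDemo(timeout time.Duration) demoResult {
	var res demoResult
	buggy := newRuleReconciler()
	res.BuggyFreshRule = completesWithin(func() { buggy.updateRuleBuggy("cnp-a", []string{"f1", "f2"}) }, timeout)
	// Dropping f2 makes it stale and steers the update into the nested Lock.
	res.BuggyStaleRule = completesWithin(func() { buggy.updateRuleBuggy("cnp-a", []string{"f1"}) }, timeout)
	// The hung goroutine never releases r.mu, so a worker reconciling a plain NetworkPolicy rule waits forever too.
	res.BuggyOtherWorker = completesWithin(func() { buggy.updateRule("np-b", []string{"f9"}) }, timeout)

	fixed := newRuleReconciler()
	fixed.updateRule("cnp-a", []string{"f1", "f2"})
	res.FixedStaleRule = completesWithin(func() { fixed.updateRule("cnp-a", []string{"f1"}) }, timeout)
	return res
}

func main() {
	fmt.Printf("%+v\n", runDemo(200*time.Millisecond))
}
```

The goroutine dump the maintainer mentions is the practical way to spot this in a real agent: a worker parked in `sync.Mutex.Lock` two frames below a function that already acquired the same mutex. The `Locked` naming convention makes the invariant reviewable without a dump.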
Describe the bug
Simply define a deny-all network policy, but it doesn't work as expected
To Reproduce
In my environment I deleted the Antrea add-on, ran kubeadm reset on the node, re-initialized it and re-applied the add-on, and I have the same issue.
Expected
All traffic between pods is blocked
Actual behavior
The NetworkPolicy is not configured by Antrea, and traffic is not blocked
Versions:
```
root@an01:/# antctl version
agentVersion: 0.10.0-dev-6be5e2f.clean
antctlVersion: v0.10.0-dev-6be5e2f
root@an01:/# antctl get networkpolicy
```
```
kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:30:33Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:23:04Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
```
Additional context
```
barany@an01:~$ kubectl get pods --show-labels
NAME                         READY   STATUS    RESTARTS   AGE   LABELS
nginx10                      1/1     Running   0          15m   run=nginx10
web-96d5df5c8-bmfb2          1/1     Running   0          18m   app=web,pod-template-hash=96d5df5c8
web-96d5df5c8-fnk8g          1/1     Running   0          18m   app=web,pod-template-hash=96d5df5c8
web-96d5df5c8-q289m          1/1     Running   0          18m   app=web,pod-template-hash=96d5df5c8
web-app02-75cb584798-h4p9d   1/1     Running   0          18m   app=web-app02,pod-template-hash=75cb584798
web-app02-75cb584798-hwtkt   1/1     Running   0          18m   app=web-app02,pod-template-hash=75cb584798
web-app02-75cb584798-rgskp   1/1     Running   0          18m   app=web-app02,pod-template-hash=75cb584798
barany@an01:~$ kubectl get pods -o wide
NAME                         READY   STATUS    RESTARTS   AGE   IP            NODE   NOMINATED NODE   READINESS GATES
nginx10                      1/1     Running   0          16m   172.19.2.10   an03   <none>           <none>
web-96d5df5c8-bmfb2          1/1     Running   0          18m   172.19.1.2    an02   <none>           <none>
web-96d5df5c8-fnk8g          1/1     Running   0          18m   172.19.2.2    an03   <none>           <none>
web-96d5df5c8-q289m          1/1     Running   0          18m   172.19.2.3    an03   <none>           <none>
web-app02-75cb584798-h4p9d   1/1     Running   0          18m   172.19.1.7    an02   <none>           <none>
web-app02-75cb584798-hwtkt   1/1     Running   0          18m   172.19.1.6    an02   <none>           <none>
web-app02-75cb584798-rgskp   1/1     Running   0          18m   172.19.2.6    an03   <none>           <none>
barany@an01:~$ kubectl describe networkpolicy
Name:         denyall
Namespace:    default
Created on:   2020-08-30 04:48:32 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Allowing egress traffic:
    <none> (Selected pods are isolated for egress connectivity)
  Policy Types: Ingress, Egress
barany@an01:~$ kubectl get networkpolicy
NAME      POD-SELECTOR   AGE
denyall   <none>         5m10s
barany@an01:~$ kubectl exec -it web-app02-75cb584798-hwtkt -- curl -i 172.19.2.10
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Sun, 30 Aug 2020 04:54:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 11 Aug 2020 14:50:35 GMT
Connection: keep-alive
ETag: "5f32b03b-264"
Accept-Ranges: bytes

Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx.
barany@an01:~$
```