Network policy E2E fails #2206
Comments
This is one class of problem: with ACL rules that use a port name, you can see `tcp.dst == 0`, meaning the port number was not resolved. kube-ovn needs to add resolution for this.
For example, case 1:
Rule as above. Script expectation: poda cannot reach podb. Actual result: poda can reach podb. As for kube-ovn's behavior:
The first class of problem counts as a missing feature; we need to think about how to add named port support. For the second class, the test itself is fine: if a pod cannot be accessed, then it should not be accessible through a service either. This is probably related to the logic in OVN; it may be that the ACL is applied first and the svc (load balancer) afterwards, so the backend IP is unknown at that point. We probably need to think about how the network policy ACLs should be added; we can refer to how ovn-kubernetes implements this part.
Adding `options:apply-after-lb="true"` to the OVN ACL lets DNAT happen first and the ACL afterwards.
Named port is still WIP
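As an added example (not kube-ovn's own code) of the two points raised in the comments above: resolving a NetworkPolicy named port to numeric ports per selected pod, refusing to emit an ACL when the name resolves to nothing (instead of a `tcp.dst == 0` match that never fires), and tagging the ACL with `apply-after-lb` so it is evaluated after the load balancer has DNATed a Service VIP. The `Pod`, `ContainerPort`, `PolicyPort` and `ACL` types are constructed stand-ins for the Kubernetes and OVN objects, the sample pods and IPs are made up, and the priority and action are assumed values rather than what kube-ovn actually uses.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the Kubernetes API objects (the real types are in
// k8s.io/api core/v1 and networking/v1).
type ContainerPort struct {
	Name     string
	Port     int32
	Protocol string // "TCP" or "UDP"
}

type Pod struct {
	IP    string
	Ports []ContainerPort
}

// PolicyPort mirrors NetworkPolicyPort: exactly one of Number or Name is set.
type PolicyPort struct {
	Protocol string
	Number   int32
	Name     string
}

// ACL is a minimal model of an OVN Northbound ACL row.
type ACL struct {
	Direction string
	Priority  int
	Match     string
	Action    string
	Options   map[string]string
}

// ErrUnresolvedPort is returned when a named port matches no container port on
// the selected pods. Falling through to tcp.dst == 0 would install a rule that
// never matches, which is the symptom reported in this issue.
var ErrUnresolvedPort = errors.New("named port not found on any selected pod")

// resolvePort returns the numeric ports a NetworkPolicyPort selects across the
// given pods. Named ports are resolved per pod, since different pods may map
// the same name to different numbers.
func resolvePort(p PolicyPort, pods []Pod) ([]int32, error) {
	if p.Name == "" {
		if p.Number <= 0 || p.Number > 65535 {
			return nil, fmt.Errorf("invalid numeric port %d", p.Number)
		}
		return []int32{p.Number}, nil
	}
	seen := map[int32]bool{}
	for _, pod := range pods {
		for _, cp := range pod.Ports {
			if cp.Name == p.Name && strings.EqualFold(cp.Protocol, p.Protocol) {
				seen[cp.Port] = true
			}
		}
	}
	if len(seen) == 0 {
		return nil, fmt.Errorf("%w: %s/%s", ErrUnresolvedPort, p.Name, p.Protocol)
	}
	ports := make([]int32, 0, len(seen))
	for n := range seen {
		ports = append(ports, n)
	}
	sort.Slice(ports, func(i, j int) bool { return ports[i] < ports[j] })
	return ports, nil
}

// buildACL builds a to-lport allow ACL for traffic to the selected pods on the
// resolved ports. apply-after-lb makes OVN evaluate the ACL after the load
// balancer has DNATed a Service VIP, so ip4.dst is already the backend pod IP
// and reaching the pod through a Service cannot bypass the policy.
func buildACL(p PolicyPort, pods []Pod) (ACL, error) {
	ports, err := resolvePort(p, pods)
	if err != nil {
		return ACL{}, err // no ACL at all rather than a tcp.dst == 0 match
	}
	ips := make([]string, 0, len(pods))
	for _, pod := range pods {
		ips = append(ips, pod.IP)
	}
	portStrs := make([]string, len(ports))
	for i, n := range ports {
		portStrs[i] = fmt.Sprint(n)
	}
	match := fmt.Sprintf("ip4.dst == {%s} && %s.dst == {%s}",
		strings.Join(ips, ", "), strings.ToLower(p.Protocol), strings.Join(portStrs, ", "))
	return ACL{
		Direction: "to-lport",
		Priority:  1001, // assumed value, not kube-ovn's real priority
		Match:     match,
		Action:    "allow-related",
		Options:   map[string]string{"apply-after-lb": "true"},
	}, nil
}

func main() {
	pods := []Pod{ // constructed sample pods
		{IP: "10.16.0.12", Ports: []ContainerPort{{Name: "serve-80", Port: 80, Protocol: "TCP"}}},
		{IP: "10.16.0.13", Ports: []ContainerPort{{Name: "serve-80", Port: 8080, Protocol: "TCP"}}},
	}
	if acl, err := buildACL(PolicyPort{Protocol: "TCP", Name: "serve-80"}, pods); err == nil {
		fmt.Println(acl.Match) // ip4.dst == {10.16.0.12, 10.16.0.13} && tcp.dst == {80, 8080}
	}
	if _, err := buildACL(PolicyPort{Protocol: "TCP", Name: "missing"}, pods); err != nil {
		fmt.Println("skip ACL:", err)
	}
}
```

The point of returning an error from `resolvePort` is that the caller can log and skip the rule (or requeue the policy until the pods exist) instead of writing an ACL whose `tcp.dst == 0` match can never be hit, which is what made the E2E case pass traffic it was supposed to block.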
Expected Behavior

Actual Behavior

Steps to Reproduce the Problem

Additional Info

Kubernetes version:

Output of `kubectl version`:

kube-ovn version:

operation-system/kernel version:

Output of `awk -F '=' '/PRETTY_NAME/ { print $2 }' /etc/os-release`:

Output of `uname -r`: