NetworkPolicy not working with SCTP protocol. #87305
Comments
/sig network These SIGs are my best guesses for this issue. Please comment 🤖 I am a bot run by vllry. 👩🔬
/triage unresolved Comment 🤖 I am a bot run by vllry. 👩🔬
Please note that K8s is not involved in ensuring NetworkPolicies, it is the CNI-plugin that does that. You should probably raise an issue also to Calico.
probably True: re this is a Calico issue, but that said, I think we are missing NetworkPolicy e2e test coverage for ports, even for ports 80, 81 which we use in
should this be closed then and follow up on the test coverage in a new issue?
/assign @caseydavenport
Yeah, this should be closed and a corresponding Calico issue should be opened. Note that Calico did not have support for SCTP ports in policy rules until Calico v3.12
/close
@caseydavenport: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What happened:
I am trying to set up a Network Policy for my Pods. I need to allow only port 3301 (on SCTP) and 443 (TCP) as ingress. But once the NP is created, the rule is not working.
NP.yaml==>
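apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: custom-networkpolicy
  namespace: alpha
spec:
  # Pods this policy applies to
  podSelector:
    matchLabels:
      role: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Peer must be in a labelled namespace and carry the pod label
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/traffic-policy: ingress-allow
      podSelector:
        matchLabels:
          app.kubernetes.io/web-ingress: allowed
    ports:
    # protocol omitted, so this entry defaults to TCP
    - port: 443
    - protocol: SCTP
      port: 3301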
Kubernetes configuration to enable SCTP support ==>
../manifests/kube-apiserver.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
../manifests/kube-controller-manager.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
../manifests/kube-scheduler.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
What you expected to happen:
As per NP, only port 443 & 3301 should be reachable from other pods with or other namespace set with required labels.
How to reproduce it (as minimally and precisely as possible):
Issue still exists.
Anything else we need to know?:
Once I removed the SCTP protocol from Ingress, rules immediately start working for other node.
I have tried to create a separate rule for SCTP only but no luck.
Environment:
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-20T11:45:27Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-20T11:40:58Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Cloud provider or hardware configuration:
HP Blade 360
OS (e.g: cat /etc/os-release):
eccduser@seliics03523:~/akash/NP> cat /etc/os-release
NAME="SLES"
VERSION="15"
VERSION_ID="15"
PRETTY_NAME="SUSE Linux Enterprise Server 15"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15"
Kernel (e.g. uname -a):
Linux machine1 4.12.14-23-default #1 SMP Tue May 29 21:04:44 UTC 2018 (cd0437b) x86_64 x86_64 x86_64 GNU/Linux
Install tools:
Network plugin and version (if this is a network-related bug):
Calico
Others:
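A pre-deployment check based on this thread, added here as an example and not code from the issue or from the Kubernetes or Calico projects: it lists the SCTP port entries in a NetworkPolicy and reports them when the Calico version predates v3.12, the release named in the maintainer's comment. The function names are hypothetical, the policy dict mirrors the reporter's manifest with the peer selectors omitted, and the Calico version v3.11.1 is a constructed value because the issue does not state which version was installed.

```python
import re

# Constructed sample: the issue's policy as parsed from
# `kubectl get networkpolicy -o json` (peer selectors omitted).
POLICY = {
    "metadata": {"name": "custom-networkpolicy", "namespace": "alpha"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"ports": [{"port": 443}, {"protocol": "SCTP", "port": 3301}]}],
    },
}

# From the maintainer's comment: SCTP ports in Calico policy rules arrived in v3.12.
CALICO_MIN_SCTP = (3, 12)


def sctp_ports(policy):
    """Return (direction, rule index, port) for every SCTP port entry."""
    found = []
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(policy.get("spec", {}).get(direction) or []):
            for p in rule.get("ports") or []:
                # The API defaults an omitted protocol to TCP.
                if (p.get("protocol") or "TCP").upper() == "SCTP":
                    found.append((direction, i, p.get("port")))
    return found


def calico_enforces_sctp(version):
    """True if a version string such as 'v3.12.0' is at or above v3.12."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Calico version: {version!r}")
    return (int(m.group(1)), int(m.group(2))) >= CALICO_MIN_SCTP


def preflight(policy, calico_version):
    """List SCTP rules that the given Calico version predates support for."""
    if calico_enforces_sctp(calico_version):
        return []
    name = policy["metadata"]["name"]
    return [f"{name}: {d}[{i}] port {port}/SCTP needs Calico >= v3.12, found {calico_version}"
            for d, i, port in sctp_ports(policy)]


if __name__ == "__main__":
    for line in preflight(POLICY, "v3.11.1"):  # constructed version value
        print(line)
```

Because the CNI plugin and not Kubernetes enforces the policy, a check like this belongs next to the plugin version inventory rather than in API-server admission.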