NetworkPolicy not working with SCTP protocol. #87305
Comments
k8s-ci-robot
added
the
needs-sig
|
/sig network These SIGs are my best guesses for this issue. Please comment 🤖 I am a bot run by vllry. 👩🔬 |
k8s-ci-robot
added
sig/network
|
/triage unresolved Comment 🤖 I am a bot run by vllry. 👩🔬 |
k8s-ci-robot
added
the
triage/unresolved
|
Please note that K8s is not involved in ensuring NetworkPolicies, it is the CNI-plugin that does that. You should probably raise an issue also to Calico. |
|
probably True: re this is a calico issue, but that said, i think we are missing NetworkPolicy e2e test coverage for ports, even for ports 80, 81 which we use in |
|
should this be closed then and follow up on the test coverage in a new issue? |
|
/assign @caseydavenport |
k8s-ci-robot
removed
the
triage/unresolved
|
Yeah, this should be closed and a corresponding Calico issue should be opened. Note that Calico did not have support for SCTP ports in policy rules until Calico v3.12 /close |
|
@caseydavenport: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened:
I am trying to setup a Network Policy for my Pods. I need to only allow Port 3301(on SCTP) & 443(TCP) as ingress. But Once NP is created , rule is not working.
NP.yaml==>
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: custom-networkpolicy
namespace: alpha
spec:
podSelector:
matchLabels:
role: web
policyTypes:
ingress:
matchLabels:
app.kubernetes.io/traffic-policy: ingress-allow
podSelector:
matchLabels:
app.kubernetes.io/web-ingress: allowed
ports:
port: 3301
Kubernetes configuration to enable SCTP support ==>
../manifests/kube-apiserver.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
../manifests/kube-controller-manager.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
../manifests/kube-scheduler.yaml: - --feature-gates=AllAlpha=false,SCTPSupport=true
What you expected to happen:
As per NP, only port 443 & 3301 should be reachable from other pods with or other namspace set with required labels.
How to reproduce it (as minimally and precisely as possible):
Issue still exists.
Anything else we need to know?:
Once I removed the SCTP protocol from Ingress , rules immediately start working for other node.
I have tried to create separate rule for SCTP only but not luck.
Environment:
Kubernetes version (use
kubectl version):Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-20T11:45:27Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-20T11:40:58Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Cloud provider or hardware configuration:
HP Blade 360
OS (e.g:
cat /etc/os-release):eccduser@seliics03523:~/akash/NP> cat /etc/os-release
NAME="SLES"
VERSION="15"
VERSION_ID="15"
PRETTY_NAME="SUSE Linux Enterprise Server 15"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15"
Kernel (e.g.
uname -a):Linux machine1 4.12.14-23-default Unit test coverage in Kubelet is lousy. (~30%) #1 SMP Tue May 29 21:04:44 UTC 2018 (cd0437b) x86_64 x86_64 x86_64 GNU/Linux
Install tools:
Network plugin and version (if this is a network-related bug):
Calico
Others:
The text was updated successfully, but these errors were encountered: