NetworkPolicy: unable to allow ingress by CIDR #1764

mattfenwick · 2021-01-20T13:25:21Z

Describe the bug

A NetworkPolicy which allows ingress traffic by an IPBlock/CIDR does not allow traffic from the IPBlock on a KinD cluster running antrea-0.12.0.

To Reproduce

Create a KinD cluster:

#!/usr/bin/env bash

set -xv
set -e

CLUSTER=${CLUSTER:-netpol-antrea}

if [[ ! -d antrea ]] ; then
  git clone https://github.com/vmware-tanzu/antrea.git
fi
pushd antrea
  git checkout v0.12.0
  pushd ci/kind
    ./kind-setup.sh create "$CLUSTER"
  popd
popd

netpol.yaml:

NOTE: the cidr is chosen so that the first three octets match the first three octets of the IP of at least one of the pods in the setup

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vary-ingress-28-0-0-0-10
  namespace: x
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 10.10.1.12/24
    ports:
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      pod: a
  policyTypes:
  - Ingress

Create netpol and pods and run probe using Cyclonus:

download cyclonus 0.0.5
run probe using cyclonus_0.0.5 probe --noisy=true --policy-path netpol.yaml

Namespace/pods:

Namespace x

labels: {"ns": "x"}
pods:
- pod a
  - labels {"pod": "a"}
  - ip: 10.10.1.11
- pod b
  - labels {"pod": "b"}
  - ip: 10.10.2.26
- pod c
  - labels {"pod": "c"}
  - ip: 10.10.2.25
    Namespace y
labels: {"ns": "y"}
pods:
- pod a
  - labels {"pod": "a"}
  - ip: 10.10.1.12
- pod b
  - labels {"pod": "b"}
  - ip: 10.10.2.27
- pod c
  - labels {"pod": "c"}
  - ip: 10.10.2.28
    Namespace z
labels: {"ns": "z"}
pods:
- pod a
  - labels {"pod": "a"}
  - ip: 10.10.2.22
- pod b
  - labels {"pod": "b"}
  - ip: 10.10.2.23
- pod c
  - labels {"pod": "c"}
  - ip: 10.10.2.24

Expected

Expected connectivity matrix:

There are 9 pods, so 9x9 = 81 possible requests from pod to pod.
The pod issuing the request is in the left column; the pod receiving the request is in the top row.
An X means the request was denied; a . means the request was allowed.

+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
|  -  | X/A | X/B | X/C | Y/A | Y/B | Y/C | Z/A | Z/B | Z/C |
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
| x/a | .   | .   | .   | .   | .   | .   | .   | .   | .   |
| x/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| x/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/a | .   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/a | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+

Actual behavior

Connectivity on kube/antrea:

+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
|  -  | X/A | X/B | X/C | Y/A | Y/B | Y/C | Z/A | Z/B | Z/C |
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
| x/a | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| x/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| x/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/a | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| y/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/a | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/b | X   | .   | .   | .   | .   | .   | .   | .   | .   |
| z/c | X   | .   | .   | .   | .   | .   | .   | .   | .   |
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+

Versions:
Please provide the following information:

Antrea version: v0.12.0
KinD version 0.9.0

Kubernetes version:

 kubectl version
 Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.4", GitCommit:"d360454c9bcd1634cf4cc52d1867af5491dc9c5f", GitTreeState:"clean", BuildDate:"2020-11-12T01:08:32Z", GoVersion:"go1.15.4", Compiler:"gc", Platform:"darwin/amd64"}
 Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.1", GitCommit:"206bcadf021e76c27513500ca24182692aabd17e", GitTreeState:"clean", BuildDate:"2020-09-14T07:30:52Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

Container runtime: containerd from KinD v0.9.0
Linux kernel version on the Kubernetes Nodes (uname -r): 4.19.121-linuxkit

Additional context

The text was updated successfully, but these errors were encountered:

tnqn · 2021-01-20T16:55:41Z

@mattfenwick Thanks for catching it!
This was caused by the non-standard CIDR 10.10.1.12/24 used in the policy. Apparently K8s allows it, however, OVS rejects it and it was then ignored:

E0120 16:44:25.220545       1 entry.go:314] Received OpenFlow1.3 error: OFPBMC_BAD_WILDCARDS on message OFPT_EXPERIMENTER

I've made a quick fix #1767 for it.

mattfenwick · 2021-01-20T18:01:11Z

🎉 🎉 😄

mattfenwick added the kind/bug Categorizes issue or PR as related to a bug. label Jan 20, 2021

tnqn mentioned this issue Jan 20, 2021

Normalize non standard CIDRs to fix OVS error #1767

Merged

tnqn added this to the Antrea v0.13.0 release milestone Jan 20, 2021

tnqn closed this as completed in #1767 Jan 22, 2021

mattfenwick mentioned this issue Feb 13, 2021

normalize CIDRs in ip blocks mattfenwick/cyclonus#20

Closed

mattfenwick mentioned this issue Mar 21, 2021

collect cyclonus data across a variety of clusters and CNIs mattfenwick/cyclonus#46

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NetworkPolicy: unable to allow ingress by CIDR #1764

NetworkPolicy: unable to allow ingress by CIDR #1764

mattfenwick commented Jan 20, 2021 •

edited

Loading

tnqn commented Jan 20, 2021

mattfenwick commented Jan 20, 2021

NetworkPolicy: unable to allow ingress by CIDR #1764

NetworkPolicy: unable to allow ingress by CIDR #1764

Comments

mattfenwick commented Jan 20, 2021 • edited Loading

tnqn commented Jan 20, 2021

mattfenwick commented Jan 20, 2021

mattfenwick commented Jan 20, 2021 •

edited

Loading