Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Named ports in ingress are resolved via source pods instead of destination pods #52

Closed
vicinus opened this issue Nov 28, 2023 · 3 comments
Closed

Named ports in ingress are resolved via source pods instead of destination pods #52

vicinus opened this issue Nov 28, 2023 · 3 comments
Assignees
@haouc
Labels
bug Something isn't working

Comments

@vicinus
Copy link

vicinus commented Nov 28, 2023

What happened:

Named ports in ingress rules in network policies are resolved via the ports on the source pods instead of the ports on the destination pods.

What you expected to happen:

In my opinion it makes no sense to resolve the named ports via the ports on the source pods and instead the destination pods should be used.

How to reproduce it (as minimally and precisely as possible):

Apply the following K8S setup. The destination port should in my opinion be 80 and not 666.

apiVersion: v1
kind: Namespace

metadata:
  name: test-server

---
apiVersion: v1
kind: Pod

metadata:
  name: webserver
  namespace: test-server
spec:
  containers:
  - name: webserver
    image: nginx:latest
    ports:
    - containerPort: 80
      name: test-port-name
      protocol: TCP

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-server-default-deny
  namespace: test-server
spec:
  podSelector: {}
  policyTypes:
  - Ingress

---
apiVersion: v1
kind: Namespace

metadata:
  name: test-client

---
apiVersion: v1
kind: Pod

metadata:
  name: client
  namespace: test-client
spec:
  containers:
  - name: webserver
    image: nginx:latest
    ports:
    - containerPort: 666
      name: test-port-name
      protocol: TCP

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-allow-test-client
  namespace: test-server
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: test-client
    ports:
    - port: test-port-name
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress

Environment:

  • Kubernetes version (use kubectl version): 1.27
  • CNI Version: 1.15.4
@vicinus vicinus added the bug Something isn't working label Nov 28, 2023
@haouc haouc self-assigned this Nov 28, 2023
@achevuru
Copy link
Contributor

@vicinus Yes, it should resolve to dest port always. We will check and get back to you. Moving this bug over to Network Policy controller repo as that component is responsible for resolving the Network policies.

@achevuru achevuru transferred this issue from aws/aws-network-policy-agent Nov 28, 2023
@haouc haouc mentioned this issue Dec 1, 2023
Merged
haouc added a commit that referenced this issue Dec 7, 2023
@haouc
fix ingress dest ports issue (#58)
d131836 
<!--  Thanks for sending a pull request!  Here are some tips for you:
1. Ensure you have added the unit tests for your changes.
2. Ensure you have included output of manual testing done in the Testing
section.
3. Ensure number of lines of code for new or existing methods are within
the reasonable limit.
4. Ensure your change works on existing clusters after upgrade.
-->
**What type of PR is this?**
Fixing an issue for ingress port in policyendpoints
<!--
Add one of the following:
bug
cleanup
documentation
feature
-->
bug
**Which issue does this PR fix**:
#52 

**What does this PR do / Why do we need it**:
The controller shouldn't use src port in PE's ingress endpoint.

**If an issue # is not available please add steps to reproduce and the
controller logs**:


**Testing done on this change**:
<!--
output of manual testing/integration tests results and also attach logs
showing the fix being resolved
-->

**Automation added to e2e**:
<!--
List the e2e tests you added as part of this PR.
If no, create an issue with enhancement/testing label
-->

**Will this PR introduce any new dependencies?**:
<!--
e.g. new K8s API
-->

**Will this break upgrades or downgrades. Has updating a running cluster
been tested?**:


**Does this PR introduce any user-facing change?**:
<!--
If yes, a release note update is required:
Enter your extended release note in the block below. If the PR requires
additional actions
from users switching to the new release, include the string "action
required".
-->

```release-note

```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
@haouc
Copy link
Contributor

haouc commented Dec 23, 2023
edited
Loading

We are making a release to correct this issue and will update when the release is available to all EKS clusters. Thanks.

@haouc
Copy link
Contributor

haouc commented Jan 9, 2024

@vicinus EKS has updated platform version which include the latest version of this controller. Please check the regarding your clusters' platform version in the release note and verify if the issue is resolved. Thanks.

@haouc haouc closed this as completed Jan 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@haouc haouc

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vicinus @haouc @achevuru