NetworkPolicy does not take effect if NetworkPolicy name is too long. #59
Comments
Moving this to network policy agent repo.
We don't enforce any limitations. We will check and get back on this.
Network policy controller currently places a 64 char limit on the custom resources it creates based on the Network Policy name. We will try to relax this restriction in the next release. Moving this over to Network Policy controller repo.
**What type of PR is this?** bug

**Which issue does this PR fix**: #59

**What does this PR do / Why do we need it**: We revert a label improvement which can cause PE creation failure when using long name for its network policy.
We are making a release to correct this limitation and will update when the release is available to all EKS clusters. Thanks.
@bakavets EKS has updated the platform version, which includes the latest version of this controller. Please check the regarding your clusters' platform version in the release note and verify if the issue is resolved. Thanks.
What happened: NetworkPolicy does not take effect if NetworkPolicy name is too long.
Attach logs: N/A
What you expected to happen: NetworkPolicy should work regardless of the name length.
How to reproduce it (as minimally and precisely as possible):
SSH to the pod and run the following commands inside it:
`curl http://www.google.com`
and `curl https://www.google.com`
Both commands will succeed on ports 80 and 443, but NetworkPolicy does not allow 80 port.
If you change the NetworkPolicy name from
`allow-egress-evolution-reader-backend-evolution-reader-backend-dev`
to the shorter one, e.g. `allow-egress`,
NetworkPolicy will work and port 80 will not be allowed for egress traffic, only 443. Network policy starts taking effect only if the name length is less than or equal to 63.
Anything else we need to know?:
The issue was noticed after migrating Calico network policy enforcement to the native network policy engine of VPC CNI.
Network policies have been working before with Calico.
Calico was used in conjunction with VPC CNI only for the Network policy engine.
Environment:
`kubectl version`: Server Version: v1.27.7-eks-4f4795d
v1.15.4-eksbuild.1
`cat /etc/os-release`:
`uname -a`: Linux x86_64 GNU/Linux
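
An added example, not part of the issue or the controller's code: a Python audit that flags NetworkPolicies likely to be silently unenforced by this bug, either because the name is longer than the 63 characters reported above or because no controller-created custom resource points back at it. The `spec.policyRef` field on the PolicyEndpoint ("PE") objects, the `dev` namespace and the sample objects are assumptions constructed for illustration.

```python
MAX_NAME_LEN = 63  # longest name that still took effect, per the report above

def unenforced_policies(netpols, endpoints):
    """Return [(namespace, name, reasons)] for policies that may not be enforced.

    Both arguments are parsed List objects, e.g. the JSON printed by
    `kubectl get networkpolicy -A -o json`.
    """
    # Assumption: each PolicyEndpoint references its policy in spec.policyRef.
    backed = set()
    for pe in endpoints.get("items", []):
        ref = pe.get("spec", {}).get("policyRef", {})
        backed.add((ref.get("namespace"), ref.get("name")))

    findings = []
    for np in netpols.get("items", []):
        meta = np["metadata"]
        key = (meta.get("namespace", "default"), meta["name"])
        reasons = []
        if len(meta["name"]) > MAX_NAME_LEN:
            reasons.append(f"name is {len(meta['name'])} chars (> {MAX_NAME_LEN})")
        if key not in backed:
            reasons.append("no PolicyEndpoint references it")
        if reasons:
            findings.append((key[0], key[1], reasons))
    return findings

# Constructed sample input: the two policy names from the report, and a single
# PolicyEndpoint that exists only for the short-named policy.
LONG_NAME = "allow-egress-evolution-reader-backend-evolution-reader-backend-dev"
SAMPLE_NETPOLS = {"items": [
    {"metadata": {"namespace": "dev", "name": LONG_NAME}},
    {"metadata": {"namespace": "dev", "name": "allow-egress"}},
]}
SAMPLE_ENDPOINTS = {"items": [
    {"metadata": {"namespace": "dev", "name": "allow-egress-example"},
     "spec": {"policyRef": {"namespace": "dev", "name": "allow-egress"}}},
]}

if __name__ == "__main__":
    for ns, name, reasons in unenforced_policies(SAMPLE_NETPOLS, SAMPLE_ENDPOINTS):
        print(f"{ns}/{name}: " + "; ".join(reasons))
```

A policy flagged for either reason should be treated as not enforced until a connectivity test from an affected pod shows otherwise.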