We are running OpenShift 4.10 on baremetal servers with the Cisco ACI CNI plugin version 5.2.3.4 and ACI 5.2(5c). When we apply a NetworkPolicy.networking.k8s.io/v1 of type egress, we cannot get the DNS service working as expected.
HOW TO REPRODUCE
Deploy the yamls added to this issue. This will deploy:
- nginx instance in namespace na-nettest-nginx, exposed on a service on port 8080
- pod with curl in namespace na-nettest-curlclient
- egress policies in namespace na-nettest-curlclient that will
  - default deny all egress traffic
  - allow egress traffic to namespace na-nettest-nginx for the nginx pod on port 8080
  - allow egress traffic to namespace openshift-dns on port 5353 and 53 (the dns pods are running 5353, actually we think this should be sufficient)
> oc describe netpol allow-curler
Name: allow-curler
Namespace: na-nettest-curlclient
Created on: 2023-01-25 16:29:42 +0100 CET
Labels: <none>
Annotations: <none>
Spec:
PodSelector: app=curl-green
Not affecting ingress traffic
Allowing egress traffic:
To Port: 8080/TCP
To:
NamespaceSelector: kubernetes.io/metadata.name=na-nettest-nginx
PodSelector: app=nginx-green
----------
To Port: 5353/TCP
To Port: 5353/UDP
To Port: 53/TCP
To Port: 53/UDP
To:
NamespaceSelector: kubernetes.io/metadata.name=openshift-dns
Policy Types: Egress
The curl pod will continuously curl nginx-green.na-nettest-nginx.svc.cluster.local:8080.
ACTUAL RESULT
"curl: (28) Resolving timed out after 5000 milliseconds". DNS traffic is not working.
Drop logs on curl pod reveal:
Warning Acc-SEC_GROUP_OUT_TABLE MISS(Security Drop) 17s (x2 over 2m22s) aci-containers-host IPv4 packet from na-nettest-curlclient/curl-green-6b9686457f-vzmlk to 10.122.0.10 was dropped
This is the IP address of the Cluster DNS service.
> oc get svc -n openshift-dns
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dns-default ClusterIP 10.122.0.10 <none> 53/UDP,53/TCP,9154/TCP 89d
In the APIC in the HostProtection profile we see that there are no rules created that target the DNS service.
EXPECTED RESULT
The curl is expected to resolve the address and output the nginx result, http code 200.
It is expected that when we target the namespace of the DNS pods and the ports of the pods, communication to the DNS service is permitted.
IS THERE A WORKAROUND?
We found that if we explicitly add the IP address of the DNS service as ipBlock to the egress, DNS traffic is working. However, we do not see that this is necessary with other network plugins. As stated earlier, targeting the pods should enable the services as well.
What is strange is that, if we test with the workaround, the egress policy to target the nginx pods for the curl is working flawlessly, even if we have the ports of service and pod deviating. We see in the APIC that a rule is added for the IP address of the nginx service. We really wonder why the same principle is not working for the DNS service.
KUBERNETES RESOURCES
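Added example, not the YAML attached to the issue: the allow-curler policy reconstructed from the oc describe output above, with the reporter's ipBlock workaround added to the DNS rule. The /32 prefix for the service ClusterIP is an assumption; the default-deny policy from the reproduction steps is omitted.

```yaml
# Added example: reconstructed from the `oc describe netpol allow-curler`
# output in this issue, not the YAML files attached to it. The default-deny
# policy from the reproduction steps is omitted here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-curler
  namespace: na-nettest-curlclient
spec:
  podSelector:
    matchLabels:
      app: curl-green
  policyTypes:
  - Egress
  egress:
  # Rule 1: the nginx pods in na-nettest-nginx on the pod port 8080.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: na-nettest-nginx
      podSelector:
        matchLabels:
          app: nginx-green
    ports:
    - protocol: TCP
      port: 8080
  # Rule 2: DNS. Selecting the openshift-dns namespace on the pod port (5353)
  # and the service port (53) is what the issue reports as not being enough:
  # packets to the service IP 10.122.0.10 are still dropped.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    # Workaround from the issue: also list the DNS service ClusterIP
    # (10.122.0.10, from `oc get svc -n openshift-dns`) as an ipBlock peer.
    # Assumption: a /32 prefix, so only the service VIP is opened.
    - ipBlock:
        cidr: 10.122.0.10/32
    ports:
    - protocol: TCP
      port: 5353
    - protocol: UDP
      port: 5353
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
```

After applying it, the HostProtection profile in the APIC should show a rule for 10.122.0.10, which is what the issue reports as missing when only the namespace selector is used.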