k8s: Unable to reach public/outside network unless custom tags are associated with __public__ network

Bug #1794412 reported by Venkatesh Velpula
Affects                                   Status         Importance  Assigned to      Milestone
Juniper Openstack (status tracked in Trunk)
  R5.0                                    Fix Released   High        Dinesh Bakiaraj
  Trunk                                   Fix Committed  High        Dinesh Bakiaraj

Bug Description

In the case of a logical router enabled with SNAT, pod reachability to external networks (outside the cluster) is dropped unless we associate the custom tag with the __public__ VN.

Due to this, testcase TestPod.test_pod_public_reachability_using_snat fails.

Since association of the custom tag solves the issue, not marking it as a sanity blocker.

Build: 5.0.263
Deployment: Ansible_deployer
HOST OS: CentOS 7.5
=======================

Topology
==================
vrouter + k8s_node:

      ip: nodec60
      ip: nodec61

config + control + kubemanager:

      ip: nodeg12 (k8s_master)
      ip: nodeg31
      ip: nodec58

If __public__ is associated with the custom tag namespace=default, then it works fine.

leftnet (100.64.0.0/29)                     rightnet __public__ (10.204.221.160/29)
pod -----------------SNAT router------------------------ 10.84.5.120
10.47.255.251

[root@nodeg12 ~]# kubectl get pods --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE
ctest-namespace-94298939 ctest-ubuntuapp-pod-60066249 1/1 Running 0 20m 10.47.255.251 nodec61

   434368<=>9744 10.47.255.251:204 1 (2)
                         10.84.5.120:0
(Gen: 1, K(nh):21, Action:F, Flags:, QOS:-1, S(nh):21, Stats:1/98, SPort 65505,
 TTL 0, Sinfo 3.0.0.0)

   359936<=>405536 10.84.5.120:186 1 (4)
                         10.47.255.251:0
(Gen: 1, K(nh):37, Action:F, Flags:, QOS:-1, S(nh):37, Stats:0/0, SPort 54224,
 TTL 0, Sinfo 0.0.0.0)

    86460<=>95204 10.204.221.164:132 1 (3)
                         10.84.5.120:0
(Gen: 1, K(nh):36, Action:D(FwPolicy), Flags:, QOS:-1, S(nh):36, Stats:3/294,
 SPort 61117, TTL 0, Sinfo 5.0.0.0)

    95204<=>86460 10.84.5.120:132 1 (3)
                         10.204.221.164:0
(Gen: 1, K(nh):36, Action:D(Unknown), Flags:, QOS:-1, S(nh):34, Stats:0/0,
 SPort 63555, TTL 0, Sinfo 0.0.0.0)
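The flow dump above is the signature of the problem: the pod's ICMP flow (10.47.255.251 in VRF 2) is forwarded (Action:F), but once SNAT rewrites the source to 10.204.221.164 in the __public__ VRF (3) the vRouter drops it with Action:D(FwPolicy), i.e. the K8s application policy set is denying traffic in a VN it was never meant to cover. The following parser is an added example, not Contrail's own tooling: it reads the `flow -l` style record layout exactly as quoted in this report (index<=>reverse-index, src:port, proto, (vrf), a destination line, then a parenthesised attribute block with Action and Stats) and flags flows dropped by firewall policy so a troubleshooter can spot this failure mode quickly. The sample dump is the one from the report; the record format beyond those fields is assumed, not documented here.

```python
"""Parse Contrail vRouter flow-dump text and flag flows dropped by firewall policy.

Added example for bug #1794412; not part of Contrail. Field layout is taken from
the flow dump quoted in the report (assumption: other dumps follow the same shape).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Flow dump copied from the bug report: pod 10.47.255.251, SNAT address
# 10.204.221.164, external host 10.84.5.120.
FLOW_DUMP = """\
   434368<=>9744 10.47.255.251:204 1 (2)
                         10.84.5.120:0
(Gen: 1, K(nh):21, Action:F, Flags:, QOS:-1, S(nh):21, Stats:1/98, SPort 65505,
 TTL 0, Sinfo 3.0.0.0)

   359936<=>405536 10.84.5.120:186 1 (4)
                         10.47.255.251:0
(Gen: 1, K(nh):37, Action:F, Flags:, QOS:-1, S(nh):37, Stats:0/0, SPort 54224,
 TTL 0, Sinfo 0.0.0.0)

    86460<=>95204 10.204.221.164:132 1 (3)
                         10.84.5.120:0
(Gen: 1, K(nh):36, Action:D(FwPolicy), Flags:, QOS:-1, S(nh):36, Stats:3/294,
 SPort 61117, TTL 0, Sinfo 5.0.0.0)

    95204<=>86460 10.84.5.120:132 1 (3)
                         10.204.221.164:0
(Gen: 1, K(nh):36, Action:D(Unknown), Flags:, QOS:-1, S(nh):34, Stats:0/0,
 SPort 63555, TTL 0, Sinfo 0.0.0.0)
"""

# "index<=>reverse_index src:port proto (vrf)"
HEADER_RE = re.compile(r"^\s*(\d+)<=>(\d+)\s+(\S+):(\d+)\s+(\d+)\s+\((\d+)\)\s*$")
DEST_RE = re.compile(r"^\s*(\S+):(\d+)\s*$")
# F = forwarded, D = dropped (reason in parentheses), as seen in the report.
ACTION_RE = re.compile(r"Action:([A-Z])(?:\(([^)]*)\))?")
STATS_RE = re.compile(r"Stats:(\d+)/(\d+)")  # packets/bytes


@dataclass
class Flow:
    index: int
    reverse_index: int
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: int
    vrf: int
    action: str = ""
    drop_reason: Optional[str] = None
    packets: int = 0
    byte_count: int = 0


def parse_flows(dump: str) -> List[Flow]:
    """Turn the multi-line flow dump into Flow records."""
    lines = dump.splitlines()
    flows: List[Flow] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue
        idx, ridx, src, sport, proto, vrf = m.groups()
        if i >= len(lines) or not DEST_RE.match(lines[i]):
            raise ValueError(f"missing destination line for flow {idx}")
        d = DEST_RE.match(lines[i])
        i += 1
        # The attribute block is parenthesised and may wrap onto a second line.
        attrs = ""
        while i < len(lines):
            attrs += " " + lines[i].strip()
            i += 1
            if attrs.endswith(")"):
                break
        flow = Flow(int(idx), int(ridx), src, int(sport), d.group(1), int(d.group(2)),
                    int(proto), int(vrf))
        a = ACTION_RE.search(attrs)
        if a:
            flow.action, flow.drop_reason = a.group(1), a.group(2)
        s = STATS_RE.search(attrs)
        if s:
            flow.packets, flow.byte_count = int(s.group(1)), int(s.group(2))
        flows.append(flow)
    return flows


def policy_drops(flows: List[Flow]) -> List[Flow]:
    """Flows the vRouter dropped because a firewall (APS) policy denied them."""
    return [f for f in flows if f.action == "D" and f.drop_reason == "FwPolicy"]


def describe(flow: Flow) -> str:
    reason = f"({flow.drop_reason})" if flow.drop_reason else ""
    return (f"flow {flow.index} vrf {flow.vrf} {flow.src}:{flow.src_port} -> "
            f"{flow.dst}:{flow.dst_port} proto {flow.proto} "
            f"action {flow.action}{reason} pkts={flow.packets}")


if __name__ == "__main__":
    for f in policy_drops(parse_flows(FLOW_DUMP)):
        print("policy drop:", describe(f))
```

Run against the report's dump it reports exactly one policy drop, flow 86460 in VRF 3 from the SNAT address to 10.84.5.120; a forwarded pod flow alongside a FwPolicy drop on the post-SNAT leg is the pattern to look for when a tag on the __public__ VN "fixes" reachability.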

tags: added: contrail-security k8s
summary: - k8s:UNable to reach public /outisde netowrk unless custome tag are
+ k8s:UNable to reach public /outisde netowrk unless custome tags are
associated with __public__ netwrok
description: updated
OpenContrail Admin (ci-admin-f) wrote: [Review update] master

Review in progress for https://review.opencontrail.org/46967
Submitter: Dinesh Bakiaraj (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: [Review update] R5.0

Review in progress for https://review.opencontrail.org/46969
Submitter: Dinesh Bakiaraj (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/46969
Committed: http://github.com/Juniper/contrail-controller/commit/116331019c084810dd537aff8348dbed06cd3613
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 116331019c084810dd537aff8348dbed06cd3613
Author: dineshb-jnpr <email address hidden>
Date: Fri Oct 12 11:36:11 2018 -0700

Enforce K8s APS on Virtual Networks.

This change is to enforce Security Policy APS created for K8s at
the virtual-network level, rather than at Project level. This is
so that unrelated virtual-networks created in the same project will
not be affected by this APS.

In the case of Logical Routers, contrail infra creates a virtual-network
in the project where it's enabled. Since the APS was being enforced at
project level, it was applied to this virtual network as well, resulting
in functionality breakage. This change addresses this issue by applying
APS on k8s created virtual-networks only.

Change-Id: I19e8876967aa4b40e5aad75b131ee2e206ebeccf
Closes-Bug: #1794412

OpenContrail Admin (ci-admin-f) wrote:

Reviewed: https://review.opencontrail.org/46967
Committed: http://github.com/Juniper/contrail-controller/commit/f229a1a6e4dea883efd4e197a6dff7f302b3e438
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit f229a1a6e4dea883efd4e197a6dff7f302b3e438
Author: dineshb-jnpr <email address hidden>
Date: Fri Oct 12 11:36:11 2018 -0700

Enforce K8s APS on Virtual Networks.

This change is to enforce Security Policy APS created for K8s at
the virtual-network level, rather than at Project level. This is
so that unrelated virtual-networks created in the same project will
not be affected by this APS.

In the case of Logical Routers, contrail infra creates a virtual-network
in the project where it's enabled. Since the APS was being enforced at
project level, it was applied to this virtual network as well, resulting
in functionality breakage. This change addresses this issue by applying
APS on k8s created virtual-networks only.

Change-Id: I19e8876967aa4b40e5aad75b131ee2e206ebeccf
Closes-Bug: #1794412
