Closed tnqn closed 4 years ago
Tested K8s networkpolicy e2e with the above PRs: Almost all named port tests can pass except the below:
[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should allow egress access on one named port [Feature:NetworkPolicy]
/workspace/anago-v1.17.0-rc.2.10+70132b0f130acc/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/test/e2e/network/network_policy.go:1420
It's because the test doesn't set To (which means all addresses) and expects a client Pod can access a server Pod's named port, but antrea uses 0.0.0.0 for all addresses so can't resolve the named port. To support this case, allowing all addresses should be converted to a group selecting all Pods in all Namespaces plus IPBlock 0.0.0.0/0.
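The resolution gap described in the comment above, as an added example that is not part of the thread and is not Antrea's code. The types, function names, Pod names, IPs and the port name `serve-80` are all constructed for illustration.

```go
package main

import "fmt"

// Pod and Peer are hypothetical, simplified types (not Antrea's own).
type Pod struct {
	Name, IP string
	Ports    map[string]int32 // container port name -> number
}

type Peer struct {
	CIDR string // set for an IPBlock peer
	Pods []Pod  // set for a Pod-group peer
}

// Constructed sample: the same port name maps to different numbers per Pod.
var samplePods = []Pod{
	{"server-a", "10.0.0.5", map[string]int32{"serve-80": 80}},
	{"server-b", "10.0.1.7", map[string]int32{"serve-80": 8080}},
	{"client", "10.0.2.9", nil},
}

// allowAllPeers converts an empty To into peers. With withPodGroup=false it
// emits only the CIDR; with true it also adds a group of all Pods.
func allowAllPeers(all []Pod, withPodGroup bool) []Peer {
	peers := []Peer{{CIDR: "0.0.0.0/0"}}
	if withPodGroup {
		peers = append(peers, Peer{Pods: all})
	}
	return peers
}

// resolveNamedPort returns "IP:port" destinations for a named port.
// A CIDR peer has no container port names, so it contributes nothing.
func resolveNamedPort(peers []Peer, name string) []string {
	var out []string
	for _, p := range peers {
		for _, pod := range p.Pods {
			if n, ok := pod.Ports[name]; ok {
				out = append(out, fmt.Sprintf("%s:%d", pod.IP, n))
			}
		}
	}
	return out
}

func main() {
	fmt.Println("CIDR only:   ", resolveNamedPort(allowAllPeers(samplePods, false), "serve-80"))
	fmt.Println("CIDR + group:", resolveNamedPort(allowAllPeers(samplePods, true), "serve-80"))
}
```

With only the CIDR peer the named port resolves to no destinations, so the allow rule matches nothing; adding the all-Pods group yields one concrete port per Pod.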
Do you think we can open a separate bug for this particular test case?
@abhiraut Yes, I think it's not a common use case and only requires antrea-controller change of how it converts an allow-all policy. Better to make the change with a separate PR. Would you take care of it?
I'm filing a separate issue for it and assigning it to myself: https://github.com/vmware-tanzu/antrea/issues/343
Describe the bug: Currently NetworkPolicyController skips handling named port, it should be supported.
To Reproduce: Create a NetworkPolicy with rules that have named port defined.
Expected: Named port in NetworkPolicy should be supported.
Actual behavior: Named port doesn't take effect.
Additional context: Design: https://docs.google.com/document/d/1qm2LndGhC6c-on_A63TNCvjcr7aUFwDtaa5aqrAxd0s/edit#
PRs needed to support named ports: