antrea-io / antrea

Kubernetes networking based on Open vSwitch
https://antrea.io
Apache License 2.0

NetworkPolicy rule with Protocol specified but no Port leads to a runtime error #877

Closed abhiraut closed 4 years ago

abhiraut commented 4 years ago

Describe the bug

NetworkPolicy Rule with a Protocol set but no Port number leads to a runtime panic.

"""
To:v1beta1.NetworkPolicyPeer{AddressGroups:[]string{"897fa5c3-e5b2-5fa7-809c-ba3b112dcf1e", "9b40ee88-1a90-5edb-aea6-fb96810f816a"}, IPBlocks:[]v1beta1.IPBlock(nil)}, Services:[]v1beta1.Service{v1beta1.Service{Protocol:(*v1beta1.Protocol)(0xc00071acd0), **Port:(*intstr.IntOrString)(nil)}}}}**
"""
1 reconciler.go:365] Installing ofRule 2 (Direction: Out, From: 1, To: 0, Service: 1)
E0626 18:15:20.756666       1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 248 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1aa62e0, 0x2f02c90)
    /go/pkg/mod/k8s.io/apimachinery@v0.18.4/pkg/util/runtime/runtime.go:74 +0xa3
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
    /go/pkg/mod/k8s.io/apimachinery@v0.18.4/pkg/util/runtime/runtime.go:48 +0x82
panic(0x1aa62e0, 0x2f02c90)
    /usr/local/go/src/runtime/panic.go:679 +0x1b2
github.com/vmware-tanzu/antrea/pkg/agent/openflow.(*clause).generateServicePortConjMatch(0xc0008f3e00, 0xc00071acd0, 0x0, 0x415dfa)
    /antrea/pkg/agent/openflow/network_policy.go:552 +0x64

To Reproduce

Create a NetworkPolicy with egress rule as follows:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: "pod-to-a-allowed-cnp"
spec:
  podSelector:
    matchLabels:
      name: pod-to-a-allowed-cnp
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: cni-validation
    ports:
    - protocol: UDP

Expected

Policy should be applied to all Ports with Protocol UDP.

Actual behavior

Policy fails to apply and leads to an error.
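
The failure mode reported above, as an added example that is not part of the original issue and is not Antrea's code: a rule with a protocol but a nil port crashes a function that dereferences the port unconditionally, while a nil-aware version matches on protocol only. The types `Service` and `PortMatch` and the functions `unsafeMatch`, `safeMatch` and `panics` are hypothetical stand-ins; the port is modelled as `*int32` instead of `*intstr.IntOrString` so the example needs only the standard library.

```go
package main

import "fmt"

// Stand-ins for the v1beta1 types in the log (assumption: real Port is *intstr.IntOrString).
type Protocol string
type Service struct {
	Protocol *Protocol
	Port     *int32
}

// PortMatch is a hypothetical match description; AnyPort means protocol-only.
type PortMatch struct {
	Protocol Protocol
	AnyPort  bool
	Port     uint16
}

// unsafeMatch dereferences Port unconditionally, the pattern behind the panic.
func unsafeMatch(s Service) PortMatch {
	return PortMatch{Protocol: *s.Protocol, Port: uint16(*s.Port)}
}

// safeMatch: a nil Port matches every port; a nil Protocol defaults to TCP as in Kubernetes.
func safeMatch(s Service) (PortMatch, error) {
	proto := Protocol("TCP")
	if s.Protocol != nil {
		proto = *s.Protocol
	}
	if s.Port == nil {
		return PortMatch{Protocol: proto, AnyPort: true}, nil
	}
	if *s.Port < 1 || *s.Port > 65535 {
		return PortMatch{}, fmt.Errorf("port %d out of range", *s.Port)
	}
	return PortMatch{Protocol: proto, Port: uint16(*s.Port)}, nil
}

// panics reports whether f panics, without crashing the caller.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	udp := Protocol("UDP") // constructed input: protocol set, no port, as in the report
	fmt.Println(panics(func() { unsafeMatch(Service{Protocol: &udp}) }))
	fmt.Println(safeMatch(Service{Protocol: &udp}))
}
```

A table-driven unit test that includes the nil-port and nil-protocol rows catches this class of crash before a policy reaches the agent.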

tnqn commented 4 years ago

This is an important case we must support. @wenyingd, could you come up with a fix before releasing 0.8.0?