application-stacks / runtime-component-operator

A generic Operator capable of deploying any runtime component image with enterprise QoS and bind it to other services
Apache License 2.0

Created default NetworkPolicies do not work when service port is different than target port #606

Closed TomVgw closed 3 weeks ago

TomVgw commented 7 months ago

Bug Report

What did you do?

We have upgraded our OpenLibertyOperator. Due to the upgrade, the operator started creating Network Policies.
For the creation of the Network policies, it uses utils from the runtime-component-operator. Creation is done here, function definition here.

The specs of the service that was created by the operator looks like this: `spec: clusterIP: 10.141.199.72 ipFamilies:`

What did you expect to see?

We expected the NetworkPolicies to allow ingress traffic, so no impact to a route defined within the OLA. Within the network policies being created, we expected to find the ports of the pods, not the ports of the service.

We expected the following code: `spec: podSelector: matchLabels: apps.openliberty.io/name: organisatiestructuur-service-dev ingress:`

What did you see instead?

The created network policy mentions the port of the service. Therefore, the defined routes failed. Created network policy rules: `spec: podSelector: matchLabels: apps.openliberty.io/name: organisatiestructuur-service-dev ingress:`

It seems the ports of the service are used instead of the targeted ports (pod ports).

Environment

Openshift version v4.12.46 and Open Liberty Operator v1.3.0

Possible solution

This function needs to be adjusted. Instead of `ba.GetService().GetPort()` one should use `ba.GetService().GetTargetPort()`.

TomVgw commented 7 months ago

Better overview of code this time....

Details of the service that was created by the OLA:

```yaml
spec:
  clusterIP: 10.141.199.72
  ipFamilies:
    - IPv4
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 9443
  internalTrafficPolicy: Cluster
  clusterIPs:
    - 10.141.199.72
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    app.kubernetes.io/instance: organisatiestructuur-service-dev
```

Expected Network policies:

```yaml
spec:
  podSelector:
    matchLabels:
      apps.openliberty.io/name: organisatiestructuur-service-dev
  ingress:
    - ports:
        - protocol: TCP
          port: 9080
        - protocol: TCP
          port: 9443
      from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ''
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: organisatiestructuur-service-dev
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: system-development-dev
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: monitoring
  policyTypes:
    - Ingress
```

Created Network policies:

```yaml
spec:
  podSelector:
    matchLabels:
      apps.openliberty.io/name: organisatiestructuur-service-dev
  ingress:
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
      from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ''
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: organisatiestructuur-service-dev
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: system-development-dev
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: monitoring
  policyTypes:
    - Ingress
```

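
As an added example (not the operator's own code), a Go helper that derives NetworkPolicy ingress ports from the Service's `targetPort` rather than its `port`, which is the fix TomVgw proposes above. The `ServicePort` and `PolicyPort` types are hand-rolled stand-ins for the Kubernetes API types so it runs offline, and it goes beyond the issue by also handling a named `targetPort` and an unset one.

```go
package main

import (
	"fmt"
	"strconv"
)

// Minimal stand-in for a Kubernetes ServicePort (hand-rolled so the example runs
// offline). TargetPort is a string because the real API field is an IntOrString:
// a number, the name of a container port, or empty.
type ServicePort struct {
	Name, Protocol, TargetPort string
	Port                       int32
}

// PolicyPort is what lands in NetworkPolicy.spec.ingress[].ports[].
type PolicyPort struct {
	Protocol string
	Port     int32
}

// Ports of the Service from this issue (constructed from the YAML above).
var issueService = []ServicePort{
	{Name: "http", Protocol: "TCP", Port: 80, TargetPort: "9080"},
	{Name: "https", Protocol: "TCP", Port: 443, TargetPort: "9443"},
}

// policyPortsFromService derives the pod-side ports a NetworkPolicy must open.
// The bug on this page came from emitting ServicePort.Port (80/443); the pod
// listens on TargetPort (9080/9443), so that is what the policy must match.
// podPorts maps the pod's container port names to numbers, for named targetPorts.
func policyPortsFromService(svc []ServicePort, podPorts map[string]int32) ([]PolicyPort, error) {
	out := make([]PolicyPort, 0, len(svc))
	for _, sp := range svc {
		port := sp.Port // Kubernetes defaults targetPort to port when it is unset
		if sp.TargetPort != "" {
			if n, err := strconv.ParseInt(sp.TargetPort, 10, 32); err == nil {
				port = int32(n)
			} else if n, ok := podPorts[sp.TargetPort]; ok {
				port = n
			} else {
				return nil, fmt.Errorf("service port %q: named targetPort %q not on pod", sp.Name, sp.TargetPort)
			}
		}
		out = append(out, PolicyPort{Protocol: sp.Protocol, Port: port})
	}
	return out, nil
}
```

Running it on `issueService` yields ports 9080 and 9443, matching the expected policy above; an unresolvable named `targetPort` is returned as an error rather than silently falling back to the service port.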
kabicin commented 1 month ago

@leochr tests and doc update ready for review. For tests to pass, I see that the required RCO dependency is already picked up by the OLO/WLO 1.3.3 changes.

leochr commented 1 month ago

@kabicin Thank you. Merged the doc update and assigned the review of tests PR to Melissa.

Please open an issue to update WLO docs for network policy with the same.

Note that the ID team has requested to open WLO doc issues in a different repo going forward: https://github.ibm.com/websphere/liberty-docs/issues Please tag issues with the Operator label. Thank you.

leochr commented 3 weeks ago

Merged tests and doc PRs. WLO docs have also been updated by workitem https://github.ibm.com/websphere/liberty-docs/issues/3983. Closing as completed.

leochr commented 3 weeks ago

@TomVgw This was included in the recent 1.3.3 release. Thank you for reporting this.