ipAddresses field to match TCP based traffic doesn't work as expected in Egress policy

[SomaSharathSurya]

Bug description: The "ipAddresses" field in the Egress policy is not being honored, and it is permitting TCP connections for all IP addresses, regardless of the configuration specified in the Egress policy below.

apiVersion: policy.openservicemesh.io/v1alpha1
kind: Egress
metadata:
  name:  allow-sql-egress-for-selected-ips
  namespace: xxx
spec:
  ipAddresses:
  - xx.xx.xx.xx/32
  ports:
  - number: 1433
    protocol: tcp
  sources:
  - kind: ServiceAccount
    name: ${name-of-the-sa-assigned-to-the-pod}
    namespace: xxx

Affected area (please mark with X where applicable):

• Install [ ]
• SMI Traffic Access Policy [ ]
• SMI Traffic Specs Policy [ ]
• SMI Traffic Split Policy [ ]
• Permissive Traffic Policy [ ]
• Ingress [ ]
• Egress [X]
• Envoy Control Plane [ ]
• CLI Tool [ ]
• Metrics [ ]
• Certificate Management [ ]
• Sidecar Injection [ ]
• Logging [ ]
• Debugging [ ]
• Tests [ ]
• Demo [ ]
• CI System [ ]

Expected behavior: You can reproduce the issue by following the below steps, and the expectation is that the "telnet portquiz.net 1433" should fail to connect as it's resolving ip isn't part of the ipAddresses list of the Egress policy.

Steps to reproduce the bug (as precisely as possible):

1. Make sure the enableEgressPolicy: true and enableEgress: false in the mesh config.
2. Run a pod in AKS cluster which has telnet installed on it (Ensure the osm envoy is injected onto the pod as a side container)
3. Assign the Egress policy to the pod. Make sure to replace ipAddress (in my case I've used an ipAddress of my database server) and service account name that is assigned to a pod.

apiVersion: policy.openservicemesh.io/v1alpha1
kind: Egress
metadata:
  name: allow-sql-egress-for-selected-ips
spec:
  ipAddresses:
  - xx.xx.xx.xx/32
  ports:
  - number: 1433
    protocol: tcp
  sources:
  - kind: ServiceAccount
    name: ${name-of-the-sa-assigned-to-the-pod}

4. Get into the shell of running container by executing "kubectl exec -it my-pod --container main-app -- sh"
5. Execute "telnet portquiz.net 1433" from the shell, and the expectation is that the connection should fail. But in our case the connection is successful.

How was OSM installed?: via AKS add-on

Anything else we need to know?: NA

Bug report archive:

Environment:

• OSM version (use osm version): v1.2.3
• Kubernetes version (use kubectl version): v1.25.6
• Size of cluster (number of worker nodes in the cluster): 2

[SomaSharathSurya]

3206

[github-actions[bot]]

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

[github-actions[bot]]

Issue closed due to inactivity.