Container probes fail because of NetworkPolicy dropping them #176

Closed
tnqn opened this issue Dec 3, 2019 · 1 comment · Fixed by #175
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@tnqn
Member

tnqn commented Dec 3, 2019

Describe the bug
If a Pod has a readinessProbe defined, and there's an Ingress NetworkPolicy selecting the Pod but the allowed rule doesn't include the readinessProbe port, the Pod would be marked as NotReady forever because the readinessProbe traffic is all dropped.

This is caught by K8s test case

[Fail] [sig-network] NetworkPolicy [LinuxOnly] NetworkPolicy between server and client [It] should enforce updated policy [Feature:NetworkPolicy]

To Reproduce

  1. Define a Pod with two containers which listen on 80 and 81 separately, enable ReadinessProbe on 80 and 81 correspondingly.
  2. Create a service for the above Pod.
  3. Create a NetworkPolicy which allows clients to access port 80 and applies to the above Pod.
  4. Clients can't access the Pod via the service because the Pod's readiness probe fails and it is marked as NotReady.

Expected
The readiness probe should succeed regardless of what policy is defined.

Actual behavior
The readiness probe failed if the ingress rule doesn't include all ports being probed.

Versions:
Please provide the following information:

  • Antrea version (Docker image tag).
    0.1.1

Additional context
PR #104 appends the NodeIP to FromAddress of all NetworkPolicy rules, but it doesn't handle the case that the rule itself doesn't cover all probed ports.
@jianjuns proposed to add a flow to make traffic from Node bypass NetworkPolicy flows, which should be the proper approach.

@tnqn
Member Author

tnqn commented Dec 3, 2019

Will revert #104 after #175 is merged

@McCodeman McCodeman added the kind/bug Categorizes issue or PR as related to a bug. label Jan 29, 2020
zyiou added a commit to zyiou/antrea that referenced this issue Jul 2, 2021