add the nodes local IP address to OVS rules for egressnetworkpolicy

[JacobTanenbaum]

this change adds the nodes local IP address to the ovs rules when using
egressnetworkpolicies to limit egress from the cluster. Adding the nodes
local IP allows for dns resolution when dns is accessable on the node.

bug 1458849 Link

[eparis]

I'm guessing there is no way to only allow only the ip+dns port combo huh?

[knobunc]

@eparis: This doesn't directly attempt to make DNS always work. What it does is to consider the external IP of the node to be allowed (since the SDN addresses on the node are always allowed too). We are explicitly not looking at their resolv.conf and allowing access to the DNS servers. If the system has a DNS server that is not on the node, then they will need to add that to the network policy to allow access. But the installer sets up a local split-hoirizon dnsmasq, and we would recommend people do that if they are not using our installer anyway.

[knobunc]

LGTM

But we should work out how to test this...

[knobunc]

@openshift/networking PTAL

[test][testextended][extended: networking]

[danwinship]

I'm guessing there is no way to only allow only the ip+dns port combo huh?

We can. Although we'd need two rules in that case, one with tcp, tcp_port=53 and one with udp, udp_port=53, to allow both UDP and TCP DNS

[danwinship]

You don't need a separate rule for each VNID. Just have a single rule (created in SetupOVS) with no reg0 match, with higher priority than any flow created by UpdateEgressNetworkPolicyRules. (An EgressNetworkPolicy can only have osapi.EgressNetworkPolicyMaxRules rules in it, so that plus 1 is high enough priority.)

[eparis]

Seems like the 2 rules would be a good idea if it is feasible. Means that the denial is only very specifically ignored instead of allow you to talk to the kubelet on 10250 and stuff like that...

[danwinship]

@eparis well, the other thing is that you can already always talk to the kubelet by using the SDN IP address (eg, 10.128.0.1) rather than the node's public IP address. So it's not really blocking much. (I should have remembered and mentioned this in the last comment...)

[eparis]

the blanket 'deny all the things' rule doesn't apply?

[danwinship]

EgressNetworkPolicy only applies to external traffic, so it doesn't apply to traffic directed at the node's SDN IP address

[eparis]

I wonder how hard it would be to point pods at the node sdn address for DNS instead of at the actual node DNS. And/Or is that is a good idea. Not this PR's problem.

[danwinship]

lgtm. please squash the two commits together though (plus the fix below)

[danwinship]

You can give them the same priority; one specifies "tcp" and the other specifies "udp" so there's no packet that could match both flows, so they don't need distinct priorities.

[danwinship]

[merge]

[openshift-bot]

Evaluated for origin merge up to 74f0baf

[JacobTanenbaum]

Flake #14043

[JacobTanenbaum]

Flake #14385

[JacobTanenbaum]

re[test]

[knobunc]

[test]

[knobunc]

[test] Last flake was AWS provisioning error.

[JacobTanenbaum]

Flake #13945

[JacobTanenbaum]

[test]

[openshift-bot]

Evaluated for origin test up to 74f0baf

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2838/) (Base Commit: 342ccff) (PR Branch Commit: 74f0baf)

[eparis]

[merge]
[testextended]

[openshift-bot]

Evaluated for origin testextended up to 74f0baf

[openshift-bot]

continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/799/) (Base Commit: b80c2fb) (PR Branch Commit: 74f0baf) (Extended Tests: networking)

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/1184/) (Base Commit: 383de81) (PR Branch Commit: 74f0baf) (Image: devenv-rhel7_6413)