Fix NP not working on hairpin Service connection #5687
Conversation
It means that NetworkPolicy will never block hairpin connections. Is that right?
Yes. But you still can use
LGTM
LGTM
The changed test is failing
Fix antrea-io#5681

Network policy didn't work when using a server Pod to establish a connection to the service provided by itself. This hairpin service connection initiated through a local Pod will be SNATed to the gateway IP, which will prevent it from being correctly categorized by the network policy during the Ingress rule enforcement.

This commit added a bypass flow to always allow the hairpin service connection to address this issue, given that we don't consider self-access blocking to be a valid case.

Signed-off-by: graysonwu <wgrayson@vmware.com>
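To make the failure mode in the commit message concrete, here is an added model of the backend-side ingress check before and after this change (example code, not Antrea's datapath): the gateway address, Pod names, Pod IPs and Service IP are constructed, and the only behaviour taken from the page is that a hairpin Service connection is SNATed to the gateway IP before ingress rules are evaluated.

```python
from dataclasses import dataclass

GATEWAY_IP = "10.10.0.1"  # constructed: node gateway (antrea-gw0) address

@dataclass(frozen=True)
class Pod:
    name: str
    ip: str

@dataclass(frozen=True)
class Flow:
    client: Pod   # Pod opening the connection to the Service
    backend: Pod  # Service endpoint selected for it
    service_ip: str

def is_hairpin(flow: Flow) -> bool:
    """Hairpin Service connection: the client Pod is its own backend."""
    return flow.client == flow.backend

def source_seen_by_backend(flow: Flow) -> str:
    """Source IP at ingress-rule time: per the commit message a hairpin
    connection is SNATed to the gateway IP, any other keeps the Pod IP."""
    return GATEWAY_IP if is_hairpin(flow) else flow.client.ip

def ingress_verdict(flow: Flow, allowed_from: set, hairpin_bypass: bool) -> str:
    """Ingress NetworkPolicy check on the backend; allowed_from is a
    podSelector rule resolved to Pods. Without the bypass the SNATed
    gateway IP matches no Pod, so a hairpin flow is dropped even if the
    policy allows the Pod itself; with it, hairpin flows skip the rules."""
    if hairpin_bypass and is_hairpin(flow):
        return "allow"
    src = source_seen_by_backend(flow)
    return "allow" if src in {p.ip for p in allowed_from} else "drop"

def flows_exempted_by_bypass(flows, allowed_from) -> list:
    """Audit: connections the rules alone would drop but the bypass admits,
    i.e. what NetworkPolicy can no longer block after this change."""
    return [f for f in flows
            if ingress_verdict(f, allowed_from, False) == "drop"
            and ingress_verdict(f, allowed_from, True) == "allow"]

# Constructed sample: a server Pod behind a Service, a permitted client, a stranger.
SERVER = Pod("server-0", "10.10.1.5")
CLIENT = Pod("client-0", "10.10.1.6")
OTHER = Pod("other-0", "10.10.1.7")
ALLOWED = {SERVER, CLIENT}  # policy: allow ingress from the server and client Pods
SERVICE_IP = "10.96.0.20"
HAIRPIN = Flow(SERVER, SERVER, SERVICE_IP)  # server connects to its own Service
CLIENT_FLOW = Flow(CLIENT, SERVER, SERVICE_IP)
OTHER_FLOW = Flow(OTHER, SERVER, SERVICE_IP)
```

The audit helper answers the reviewer's question above: after the bypass, a hairpin connection is admitted regardless of the policy, while non-hairpin connections are still subject to the rules.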
/test-all
LGTM
@GraysonWu please backport it to 1.12-1.14