kube-ovn
"portRangeMax" Configuration Does Not Work When "all" Protocol is Set in Security Group
Bug Report
Expected Behavior
For "tcp" protocol...
Actual Behavior
For "all" protocol...
Steps to Reproduce the Problem
- create a kube-virt virtual machine (not sure whether it behaves the same in a normal pod)
- create a SG like the following and bind it to the virtual machine:

```yaml
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  creationTimestamp: "2024-04-16T03:10:32Z"
  generation: 28
  name: user-2355-i-njwpuvj7k528-firewall-sg
  resourceVersion: "558026169"
  uid: 53d72488-993e-4c73-ad44-6a13421f2559
spec:
  ingressRules:
  - ipVersion: ipv4
    policy: allow
    portRangeMax: 8000
    portRangeMin: 8000
    priority: 101
    protocol: all
    remoteAddress: 0.0.0.0/0
    remoteType: address
```

- you will find that if you set protocol to "all", portRangeMax/portRangeMin do not seem to take effect.
Additional Info
- Kubernetes version (output of `kubectl version`): Server Version: v1.26.9
- kube-ovn version: v1.12.8
- operating-system/kernel version: 5.15.0-71-generic
could you please show the `telnet ip:8000`?
```yaml
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  creationTimestamp: "2024-04-16T03:10:32Z"
  generation: 29
  name: user-2355-i-njwpuvj7k528-firewall-sg
  resourceVersion: "558092262"
  uid: 53d72488-993e-4c73-ad44-6a13421f2559
spec:
  ingressRules:
  - ipVersion: ipv4
    policy: allow
    portRangeMax: 8000
    portRangeMin: 8000
    priority: 101
    protocol: all
    remoteAddress: 0.0.0.0/0
    remoteType: address
  - ipVersion: ipv4
    policy: deny
    priority: 161
    protocol: ALL
    remoteAddress: 0.0.0.0/0
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 160
    protocol: ALL
    remoteAddress: 172.16.0.0/11
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 160
    protocol: ALL
    remoteAddress: 10.0.0.0/8
    remoteType: address
status:
  allowSameGroupTraffic: false
  egressLastSyncSuccess: true
  egressMd5: d751713988987e9331980363e24189ce
  ingressLastSyncSuccess: true
  ingressMd5: e4fc8be826456f64c73f9a848abb560f
  portGroup: ovn.sg.user.2355.i.njwpuvj7k528.firewall.sg
```
At the same time I can connect over SSH to port 22, which should be blocked by the ingress rules. However, if you change "all" to "tcp", the SSH session is disconnected immediately.
> could you please show the `telnet ip:8000`?

Your image means port 8000 is OK, which works. Do I miss something?
> could you please show the `telnet ip:8000`? Your image means port 8000 is OK, which works. Do I miss something?

The real problem is that if you set up a server listening on port 7000, that works as well. I just did `telnet ip 8000` as you requested.
OK, I get it.
If you do not set the 8000 allow ingressRule, can ip:8000 be accessed?
> If you do not set the 8000 allow ingressRule, can ip:8000 be accessed?

No, because I have a rule with lower priority that denies all ingress traffic:
```yaml
  - ipVersion: ipv4
    policy: deny
    priority: 161
    protocol: ALL
    remoteAddress: 0.0.0.0/0
    remoteType: address
```
I wish to allow only port 8000 ingress traffic by setting another rule; however, it seems to allow all ports. But if you set "udp" or "tcp", it works as expected.
It looks like it is an OVN bug.
Interesting. So shall we open an issue with OVN? Is there any way to fix it temporarily? BTW, if there is some interesting issue you think I can help with, you can assign it to me. I would like to help. Recently I'm hoping to get more familiar with kube-ovn.
> Is there any way to fix it temporarily?

Use TCP or UDP, not all, as you said.
you can try to attach this issue in ovn GitHub issues for some help.
After gaining some background knowledge, I think the standard security group simply doesn't allow the "all" protocol to work with a port range, since ICMP isn't related to any port.
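The practical hazard in this thread is that a rule meant to open a single port silently becomes "allow everything from 0.0.0.0/0" when `protocol: all` is combined with `portRangeMin`/`portRangeMax`, and it ranks above the deny-all rule. The following is an added example, not code from kube-ovn or from anyone in this issue: a small pre-apply lint that walks `spec.ingressRules`, flags any rule whose port range would be ignored because its protocol carries no ports (`all`, `icmp`), and rewrites an `all`-with-ports rule into the explicit `tcp` and `udp` rules the thread settles on as the workaround. The rule dicts mirror the SecurityGroup YAML field names; the sample rules are constructed to match the reporter's configuration, and `render_rules` is a hypothetical helper that emits YAML without depending on PyYAML.

```python
"""Lint kube-ovn SecurityGroup ingress/egress rules for protocol 'all' combined
with a port range (hypothetical helper; not part of kube-ovn)."""
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Protocols that carry L4 ports and therefore honour portRangeMin/Max.
PORT_PROTOCOLS = {"tcp", "udp"}
# Protocols for which a port range is meaningless; kube-ovn ignores it
# (observed in the issue: 'all' + port range behaved as allow-all).
PORTLESS_PROTOCOLS = {"all", "icmp"}

# Key order used when rendering, matching the order kubectl printed in the issue.
FIELD_ORDER = ["ipVersion", "policy", "portRangeMax", "portRangeMin",
               "priority", "protocol", "remoteAddress", "remoteType"]

# Constructed sample mirroring the reporter's ingressRules (not live cluster data).
SAMPLE_RULES: List[Rule] = [
    {"ipVersion": "ipv4", "policy": "allow", "portRangeMax": 8000, "portRangeMin": 8000,
     "priority": 101, "protocol": "all", "remoteAddress": "0.0.0.0/0", "remoteType": "address"},
    {"ipVersion": "ipv4", "policy": "deny", "priority": 161, "protocol": "ALL",
     "remoteAddress": "0.0.0.0/0", "remoteType": "address"},
    {"ipVersion": "ipv4", "policy": "allow", "priority": 160, "protocol": "ALL",
     "remoteAddress": "172.16.0.0/11", "remoteType": "address"},
    {"ipVersion": "ipv4", "policy": "allow", "priority": 160, "protocol": "ALL",
     "remoteAddress": "10.0.0.0/8", "remoteType": "address"},
]


def proto_of(rule: Rule) -> str:
    # The controller accepted both 'all' and 'ALL' in the issue; compare case-insensitively.
    return str(rule.get("protocol", "")).lower()


def has_port_range(rule: Rule) -> bool:
    return "portRangeMin" in rule or "portRangeMax" in rule


def lint_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (index, message) for every rule whose port range will be ignored.

    An *allow* rule hit by this is the dangerous case: it degrades to
    'allow all protocols and ports from remoteAddress'."""
    findings = []
    for i, r in enumerate(rules):
        if proto_of(r) in PORTLESS_PROTOCOLS and has_port_range(r):
            severity = "allow-all" if str(r.get("policy")) == "allow" else "ineffective"
            findings.append((i, f"rule {i}: protocol '{r.get('protocol')}' ignores "
                                f"portRangeMin/Max ({severity} from {r.get('remoteAddress')})"))
    return findings


def split_all_with_ports(rule: Rule) -> List[Rule]:
    """Rewrite one 'all' rule that has a port range into explicit tcp and udp rules.

    ICMP is deliberately not covered: it has no ports, so it needs its own rule
    without a range if the operator actually wants it."""
    out = []
    for proto in sorted(PORT_PROTOCOLS):
        fixed = dict(rule)
        fixed["protocol"] = proto
        out.append(fixed)
    return out


def fix_rules(rules: List[Rule]) -> List[Rule]:
    """Apply split_all_with_ports to the offending rules, keep everything else as-is."""
    fixed: List[Rule] = []
    for r in rules:
        if proto_of(r) == "all" and has_port_range(r):
            fixed.extend(split_all_with_ports(r))
        else:
            fixed.append(r)
    return fixed


def render_rules(rules: List[Rule], indent: int = 2) -> str:
    """Emit the rules as a YAML list item block (hypothetical minimal emitter)."""
    pad = " " * indent
    lines = []
    for r in rules:
        first = True
        for key in FIELD_ORDER:
            if key not in r:
                continue
            prefix = f"{pad}- " if first else f"{pad}  "
            lines.append(f"{prefix}{key}: {r[key]}")
            first = False
    return "\n".join(lines)


if __name__ == "__main__":
    for _, msg in lint_rules(SAMPLE_RULES):
        print("WARN", msg)
    print(render_rules(fix_rules(SAMPLE_RULES)))
```

Run it against a manifest before `kubectl apply`; the warning is what should have fired for the reporter's rule 0, and the rendered output is the tcp/udp pair that the thread recommends in place of `protocol: all`. Note that this only addresses the port-range interaction; the ordering of the deny-all rule relative to the allow rules is left exactly as the operator wrote it.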