
[Release-1.28] - Network Policy rke2-flannel-host-networking when cis-1.23 and calico #5358

Closed
brandond opened this issue Feb 7, 2024 · 1 comment
@brandond (Member) commented Feb 7, 2024

Backport fix for Network Policy rke2-flannel-host-networking when cis-1.23 and calico

@ShylajaDevadiga (Contributor) commented

Validated using rke2 version v1.28.7-rc2+rke2r1

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:

cat /etc/os-release 
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"

Cluster Configuration:
Multi node, 3 server 1 agent

Config.yaml:

write-kubeconfig-mode: "0644"
tls-san:
  - fake.fqdn.value
node-name: ip-172-31-12-13.us-east-2.compute.internal
profile: cis-1.23
cni: calico

Steps to reproduce

  1. Copy config.yaml
  2. Install rke2
  3. Check for existence of policy on a new cluster
  4. Confirm ingress works as expected

Validation results:
Network Policy rke2-flannel-host-networking does not exist when cni: calico is used

ec2-user@ip-172-31-12-13:~> kubectl get netpol -A |grep flannel
ec2-user@ip-172-31-12-13:~>
ec2-user@ip-172-31-12-13:~> kubectl apply -f ing
namespace/test-ingress created
networkpolicy.networking.k8s.io/ingress-to-backends created
ingress.networking.k8s.io/test-ingress created
service/nginx-ingress-svc created
replicationcontroller/test-ingress created
networkpolicy.networking.k8s.io/allow-all-ingress created

Network Policy rke2-flannel-host-networking exists when cni: canal (default cni) is used

ec2-user@ip-172-31-11-46:~> cat /etc/rancher/rke2/config.yaml
write-kubeconfig-mode: "0644"
tls-san:
  - fake.fqdn.value
node-name: ip-172-31-11-46.us-east-2.compute.internal
profile: cis-1.23

ec2-user@ip-172-31-11-46:~> kubectl get networkpolicy -A |grep flannel
default       rke2-flannel-host-networking             <none>                                      21h
kube-public   rke2-flannel-host-networking             <none>                                      21h
kube-system   rke2-flannel-host-networking             <none>                                      21h

Network Policy rke2-flannel-host-networking does not exist when cni: cilium is used

ec2-user@ip-172-31-10-150:~> cat /etc/rancher/rke2/config.yaml
write-kubeconfig-mode: "0644"
tls-san:
  - fake.fqdn.value
node-name: ip-172-31-10-150.us-east-2.compute.internal
profile: cis-1.23
cni: cilium

ec2-user@ip-172-31-10-150:~> kubectl get networkpolicy -A|grep flannel
ec2-user@ip-172-31-10-150:~>

ec2-user@ip-172-31-10-150:~> kubectl apply -f ing
namespace/test-ingress created
networkpolicy.networking.k8s.io/ingress-to-backends created
ingress.networking.k8s.io/test-ingress created
service/nginx-ingress-svc created
replicationcontroller/test-ingress created
networkpolicy.networking.k8s.io/allow-all-ingress created

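As an added example, not part of this issue thread and not rke2's own test tooling, the POSIX shell script below automates step 3 of the reproduction above: it reads the cni value from config.yaml text (no cni key means canal, the default) and checks that rke2-flannel-host-networking is present in default, kube-public and kube-system only for canal, and absent for any other CNI such as calico or cilium. The config.yaml contents and kubectl output embedded in it are constructed samples modelled on the comment above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not rke2's own tooling): automate step 3 of the reproduction above.
# The rke2-flannel-host-networking NetworkPolicy is expected in default, kube-public
# and kube-system only when the CNI is canal (the default when config.yaml has no
# "cni:" key); with calico or cilium it must be absent. All inputs below are
# constructed samples modelled on the issue, not live cluster output.

POLICY="rke2-flannel-host-networking"
EXPECTED_NAMESPACES="default kube-public kube-system"

# configured_cni CONFIG_TEXT: print the cni value from config.yaml text, defaulting to canal.
configured_cni() {
    cni=$(printf '%s\n' "$1" | sed -n 's/^cni:[[:space:]]*//p' | head -n 1)
    printf '%s' "${cni:-canal}"
}

# policy_namespaces NETPOL_TEXT: print the namespaces in which POLICY appears,
# sorted and space-separated, from "kubectl get networkpolicy -A" output.
policy_namespaces() {
    printf '%s\n' "$1" | awk -v p="$POLICY" '$2 == p { print $1 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# check_policy CONFIG_TEXT NETPOL_TEXT: succeed (exit 0) when the policy's
# presence matches the configured CNI, fail (exit 1) otherwise.
check_policy() {
    cni=$(configured_cni "$1")
    found=$(policy_namespaces "$2")
    if [ "$cni" = canal ]; then
        [ "$found" = "$EXPECTED_NAMESPACES" ]
    else
        [ -z "$found" ]
    fi
}

# Constructed sample config.yaml contents (tls-san and node-name lines omitted; they do not matter here).
CANAL_CONFIG='write-kubeconfig-mode: "0644"
profile: cis-1.23'
CALICO_CONFIG='write-kubeconfig-mode: "0644"
profile: cis-1.23
cni: calico'

# Constructed sample "kubectl get networkpolicy -A" output for each cluster.
CANAL_NETPOL='NAMESPACE      NAME                           POD-SELECTOR   AGE
default        rke2-flannel-host-networking   <none>         21h
kube-public    rke2-flannel-host-networking   <none>         21h
kube-system    rke2-flannel-host-networking   <none>         21h
test-ingress   allow-all-ingress              <none>         5m'
CALICO_NETPOL='NAMESPACE      NAME                  POD-SELECTOR   AGE
test-ingress   allow-all-ingress     <none>         5m'

# Stand-alone run: report each constructed case.
for name in canal calico; do
    case $name in
        canal)  cfg=$CANAL_CONFIG;  out=$CANAL_NETPOL ;;
        calico) cfg=$CALICO_CONFIG; out=$CALICO_NETPOL ;;
    esac
    if check_policy "$cfg" "$out"; then
        echo "$name: $POLICY presence matches expectation"
    else
        echo "$name: MISMATCH for $POLICY" >&2
    fi
done
```

Against a real cluster the same functions apply to `cat /etc/rancher/rke2/config.yaml` and `kubectl get networkpolicy -A` captured into variables; the check deliberately requires all three namespaces for canal rather than just a grep hit, so a policy missing from one namespace is reported as a mismatch too.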
2 participants