kube-router Stops Processing networkpolicy When IPv6 Address Added to ipBlock #1245
Comments
|
The netpol controller doesn't seem to handle ipv6 yet. Among other things it currently only creates ipsets for ipv4 addresses. e.g. https://github.com/cloudnativelabs/kube-router/blob/master/pkg/controllers/netpol/network_policy_controller.go#L561 the I think the code will need some work to also support ipv6. |
|
I have a working implementation of IPv4/IPv6 dual-stack for netpol controller here: The main reason why I didn't upstream it yet is that we only made a change in netpol, not in any other component. But since this issue is about network policy controller only, would you be fine with upstreaming it as it is? |
|
Also see #1249 (review) comment |
|
This will be fixed when #1386 makes it to a main release |
What happened?
A user on our system recently created a network policy with an egress networkpolicy that contained:
When this happened, kube-router stopped being able to sync networkpolicy to the host do to an ipset error:
What did you expect to happen?
Ideally kube-router would be able to handle both IPv4 and IPv6 addresses in NetworkPoicy. However, since kube-router isn't compatible with IPv6, I expected it to just ignore IPv6 addresses and still keep syncing the policy that it could.
It would also be nice if kube-router would log something if it encounters address types that it isn't able to process as a warning.
** System Information (please complete the following information):**
kube-router --version):v1.4.0--run-firewall=truekubectl version) :1.21.9The text was updated successfully, but these errors were encountered: