deny-app-ingress doesn't work for me

[bkrannich]

Description

If found that in my deployment of SCF/Eirini, the deny-app-ingress K8s network policy prevents access to my apps from the gorouter, resulting in 502 Bad Gateway: Registered endpoint failed to handle the request. errors.

I think, the reason is that the network policy tries to restrict access to only allow access from the scf namespace (https://github.com/cloudfoundry-incubator/eirini-release/blob/master/helm/eirini/templates/networkpolicy.yml#L14 and https://github.com/cloudfoundry-incubator/eirini-release/blob/master/helm/eirini/templates/networkpolicy.yml#L20), but as far as I understood (see also kubernetes/kubernetes#47797) namespaceSelector/matchLabels indeed only filters for labels. At least in my setup (maybe I'm doing something wrong?), the scf namespace does not have a name=scf label.

Steps to reproduce

Deploy SCF and Eirini. Call an arbitrary CF app. Result for me is 502 Bad Gateway: Registered endpoint failed to handle the request..

What was expected to happen

Being able to call my CF app.

What actually happened

502 Bad Gateway: Registered endpoint failed to handle the request.

Suggested fix (optional)

Change the network policy to determine the source namespace based on some other criteria.

Additional information (optional)

As soon as I do

kubectl label namespace scf name=scf

, the access works properly.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/167783069

The labels on this github issue will be updated when the story is started.

[alex-slynko]

Hi @bkrannich
Sorry for taking so long.
We rely on Helm for creating the namespaces. Helm adds the label to the namespace.
What would be the expected behaviour for you?

[bkrannich]

Hi @alex-slynko,

No worries. I think the issue was that Helm didn't create the namespace for me (not sure why). Looking forward, I think moving to Helm 3 might create a new situation: helm/helm#6794