Skip to main content

Customer Advisory - Incorrect Network Policy Application - D2iQ-2021-0001

Dustin Nemes
  • Updated

Customer Advisory

Advisory ID:D2IQ-2021-0001
Defect Severity:Critical
Defect ID:COPS-6839
Synopsis:Upgrading Kommander applies the restrictive network policy default to existing projects
Affected Products & Versions

Kommander 1.3.0, Kommander 1.3.1

Issue date:2021-03-02
Updated on:2021-03-02


Problem Description

Customers upgrading from earlier versions of Kommander will encounter this problem, as the default behavior of 1.3.0 introduced new network policies on all existing projects.


When upgrading, existing workloads in existing federated namespaces, under Kommanders' projects, will receive a new NetworkPolicy object, that blocks all network ingress to the pods in that namespace.


Pods in affected namespaces will be blocked from all ingress. When customers are using Ingress, this will interfere with the Ingress Controller's proxy reaching the back-end application pods in a Project. Similarly, Istio and other network services will be inhibited from reaching the pods in the Project namespace.


Context & Symptoms

This only affects customers upgrading from earlier versions of Kommander. New installations will have new Projects, and customers will configure their Projects to open the network policy according to their application needs.


Workaround/Solution

Workaround 1:

Pre-configure an allow-all network policy in the managed cluster for the project namespace:

  1. Point kubectl to the managed cluster
  2. cat <
  3. Repeat steps 1 & 2 for all projects and managed clusters

Workaround 2:

Customers can configure their network policies to open access to all other pods in all other namespaces, or otherwise confined to suit their application requirements. This is required for all projects that need ingress from other namespaces or external to the cluster.

  1. Edit the network policy
  2. Remove the existing ingress rule
  3. Add a new empty ingress rule (don't change any details)
The screenshot below outlines configuring a completely open policy:netpol

This bug is assessed as a critical impact, and will be addressed immediately in a Kommander 1.3 patch release as soon as possible.


How to Identify Affected Products

This affects version 1.3.0 of Kommander and all previous 1.3 release candidates or betas.


For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please submit a ticket at support.d2iq.com.