Customer Advisory
Advisory ID: | D2IQ-2021-0001 |
---|---|
Defect Severity: | Critical |
Defect ID: | COPS-6839 |
Synopsis: | Upgrading Kommander applies the restrictive network policy default to existing projects |
Affected Products & Versions |
Kommander 1.3.0, Kommander 1.3.1 |
Issue date: | 2021-03-02 |
Updated on: | 2021-03-02 |
Problem Description
Customers upgrading from earlier versions of Kommander will encounter this problem, as the default behavior of 1.3.0 introduced new network policies on all existing projects.
When upgrading, existing workloads in existing federated namespaces, under Kommanders' projects, will receive a new NetworkPolicy object, that blocks all network ingress to the pods in that namespace.
Pods in affected namespaces will be blocked from all ingress. When customers are using Ingress, this will interfere with the Ingress Controller's proxy reaching the back-end application pods in a Project. Similarly, Istio and other network services will be inhibited from reaching the pods in the Project namespace.
Context & Symptoms
This only affects customers upgrading from earlier versions of Kommander. New installations will have new Projects, and customers will configure their Projects to open the network policy according to their application needs.
Workaround/Solution
Workaround 1:
Pre-configure an allow-all network policy in the managed cluster for the project namespace:
- Point kubectl to the managed cluster
-
cat <
- Repeat steps 1 & 2 for all projects and managed clusters
Workaround 2:
Customers can configure their network policies to open access to all other pods in all other namespaces, or otherwise confined to suit their application requirements. This is required for all projects that need ingress from other namespaces or external to the cluster.
- Edit the network policy
- Remove the existing ingress rule
- Add a new empty ingress rule (don't change any details)
This bug is assessed as a critical impact, and will be addressed immediately in a Kommander 1.3 patch release as soon as possible.
How to Identify Affected Products
This affects version 1.3.0 of Kommander and all previous 1.3 release candidates or betas.