Skip to content

Fix harness egress NetworkPolicy blocking DNS on Kind (Connection timeout)#126

Merged
pdettori merged 1 commit into
kagenti:mainfrom
pdettori:fix-harness-egress-dns-kind
Jul 15, 2026
Merged

Fix harness egress NetworkPolicy blocking DNS on Kind (Connection timeout)#126
pdettori merged 1 commit into
kagenti:mainfrom
pdettori:fix-harness-egress-dns-kind

Conversation

@pdettori

Copy link
Copy Markdown
Member

Problem

Following deploy/knative/README-authbridge.md, leaf-smoke.sh fails every claim that requires an actual LLM call — H1-allow and Claims 2, 3, 4, 6, 7 — all with {"error":"Error: Connection timeout"}. The H2 sandbox-egress claims pass.

Root cause

The harness (serverless-harness) egress NetworkPolicy allowed DNS egress only to the openshift-dns namespace on port 5353 — an OVN-Kubernetes post-DNAT-specific rule (issue #102) — on the documented assumption that "kindnet does not enforce NetworkPolicy egress."

That assumption is no longer true: modern kindnet enforces egress policy. On Kind, CoreDNS lives in kube-system on the standard port 53, so the harness pod's DNS was fully blocked. It could not resolve authbridge-ab1 (or redis), so every LLM call died in the connect phase with "Connection timeout."

Evidence (live Kind cluster)

  • From inside the harness pod: dns.lookup for authbridge-ab1, redis → all EAI_AGAIN (blocked).
  • Direct TCP to the AB1 pod IP :8080 (bypassing DNS) → succeeds.
  • AB1 gateway logs during a failing request → empty (the request never resolved, so it never left the harness).
  • H2 passes because sandbox pods aren't covered by this policy (they egress via their local AB2 proxy).

Fix

Add a second DNS egress entry allowing UDP+TCP 53 to the kube-system namespace, alongside the existing openshift-dns:5353 entry, in both:

  • deploy/knative/harness-egress-policy.yaml (base / flag-off path)
  • deploy/knative/authbridge/harness-egress-ab1.yaml (tightened AB1 variant)

NetworkPolicy egress rules are additive, so both platforms are covered and the non-matching entry is inert on each. The stale "kindnet does not enforce" comments are corrected, and manifest-shape tests asserting the Kind DNS rule are added for both policy variants.

Verification

  • Manifest-shape tests: harness-egress-policy.test.ts + authbridge-manifests.test.ts62 passed (incl. 2 new Kind-DNS assertions).
  • Live Kind: after adding the kube-system:53 rule, the same /runs request that previously timed out returns a valid verdict ({"status":"done","verdict":{...}}).

Assisted-By: Claude Code

…eout)

The harness egress NetworkPolicy allowed DNS egress ONLY to the openshift-dns
namespace on port 5353 (an OVN-Kubernetes post-DNAT specific rule, issue kagenti#102),
on the documented assumption that kindnet does not enforce NetworkPolicy egress.
That assumption is no longer true: modern kindnet enforces egress policy. On
Kind, CoreDNS runs in kube-system on the standard port 53, so the harness pod's
DNS was fully blocked — it could not resolve authbridge-ab1 or redis, and every
LLM call (SH_AUTHBRIDGE=1 /runs and leaf-smoke H1-allow / Claims 2,3,4,6,7)
failed with "Connection timeout". The request never reached AB1 (AB1 logs were
empty); a direct TCP dial to the AB1 pod IP, bypassing DNS, succeeded.

Add a second DNS egress entry allowing UDP+TCP 53 to the kube-system namespace
alongside the existing openshift-dns:5353 entry, in both the base policy
(harness-egress-policy.yaml) and the tightened AB1 variant
(authbridge/harness-egress-ab1.yaml). NetworkPolicy egress rules are additive,
so both platforms are covered and the non-matching entry is inert on each.
Correct the stale "kindnet does not enforce" comments, and add manifest-shape
tests asserting the Kind DNS rule in both policy variants.

Verified on a live Kind cluster: after adding the kube-system:53 rule, the same
/runs request that previously timed out returns a valid verdict.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@pdettori
pdettori merged commit 6eaa327 into kagenti:main Jul 15, 2026
10 checks passed
@pdettori
pdettori deleted the fix-harness-egress-dns-kind branch July 15, 2026 14:57
pdettori added a commit that referenced this pull request Jul 15, 2026
The Hop-2 "see it yourself" allow-path command could never succeed:
  - it sent no Authorization header, so AB2's static-inject had nothing to
    swap and returned 401 static-inject.missing-auth; and
  - it used the FQDN echo-target.default.svc.cluster.local, but static-inject
    keys the credential off the Host (key_by: host) and the secret is keyed
    `echo-target`, so the FQDN resolved to 401 static-inject.unresolved-key.
Use the short host `echo-target` and carry the placeholder token ($ECHO_CRED),
matching leaf-smoke.sh's H2-inject claim (verified live: HTTP 200, real token
reflected). Correct the expected-output comment to the actual JSON echo-target
returns.

Also correct two stale statements repeating the false "kindnet does not enforce
NetworkPolicy egress" premise (disproved by #126): the Prerequisites note and
the DNS troubleshooting row, which was framed OCP-only but applies to Kind too
(the harness DNS rule needs kube-system:53 on Kind alongside openshift-dns:5353
on OCP).

Verified: leaf-smoke.sh now reports 16 passed, 0 failed on Kind, and every
other manual "see it yourself" command was checked against a live cluster and
matches its documented output.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant