"cf network-policies" returns 500 error with message "filter policies failed"
Article ID: 399189
Products
VMware Tanzu Platform
Issue/Introduction
In specific versions of TAS, there is a bug that can result in users receiving a 500 error with "filter policies failed" when running cf network-policies or cf remove-network-policy. This happens only for CF users who have more than 100 roles associated with their account and who do not also have the network.admin UAA scope.
NOTE: This issue does not affect the ability to create new network policies, or the enforcement of network policies on applications. This issue does not affect Application Security Groups. Only the API call for listing Container-to-Container Networking Policies is affected.
Environment
TAS Versions:
4.0.34 - 4.0.37
6.0.14 - 6.0.17
10.0.4 - 10.0.7
10.2.0
cf-networking-release v3.67.0 - v3.70.0
Cause
cf-networking-release v3.67.0 - v3.70.0 introduced a bug that breaks pagination for listing container-to-container (c2c) network policies when a user has more than 100 roles, as is often the case for a user involved in automated provisioning of CF spaces. This bug only affects listing networking policies and not enforcing those policies. A fix is actively being developed.
Affected TAS versions:
4.0.34 - 4.0.37
6.0.14 - 6.0.17
10.0.4 - 10.0.7
10.2.0
Resolution
Once a fix has been released, we will update this KB with the fixed versions. In the meantime, any of the following workarounds can be attempted:
Remove excess roles from the user this fails for, until they have under 100 roles.
Use a user with fewer than 100 roles for listing/deleting the network policies.
Contact Support for assistance in rolling back to a previous version of cf-networking-release.
Use an admin user for the policy listing and removal. NOTE: This should be used with caution as it will grant full access to modify all CF resources across the platform.
Grant the user the network.admin scope in UAA. NOTE: This should be used with caution as it will grant full access to modify C2C network policies across the platform.
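To find which accounts are over the role threshold before choosing a workaround, the following added example (not from VMware or the cf-networking-release project) counts roles per user from saved output of `cf curl "/v3/roles?per_page=5000&page=N"`. It assumes the roles this article refers to correspond to CF v3 role resources; the function names, file arguments and sample GUIDs are constructed for illustration.

```python
import json
import sys
from collections import Counter

ROLE_LIMIT = 100  # threshold stated in this article


def users_over_role_limit(pages, network_admin_guids=(), limit=ROLE_LIMIT):
    """Return {user_guid: role_count} for users with more than `limit` roles.

    pages: parsed JSON pages saved from `cf curl "/v3/roles?per_page=5000&page=N"`.
    network_admin_guids: users known to hold network.admin (not affected).
    """
    counts = Counter()
    seen = set()
    for page in pages:
        for role in page.get("resources", []):
            if role["guid"] in seen:
                continue  # same role seen twice (overlapping or repeated pages)
            seen.add(role["guid"])
            counts[role["relationships"]["user"]["data"]["guid"]] += 1
    exempt = set(network_admin_guids)
    return {u: n for u, n in counts.items() if n > limit and u not in exempt}


def constructed_page(user_guid, count, start=0):
    """Build a constructed /v3/roles page with `count` roles for one user."""
    return {"resources": [
        {"guid": f"role-{user_guid}-{i}", "type": "space_developer",
         "relationships": {"user": {"data": {"guid": user_guid}}}}
        for i in range(start, start + count)]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Each argument is a file holding one saved page of /v3/roles output.
        pages = []
        for path in sys.argv[1:]:
            with open(path) as fh:
                pages.append(json.load(fh))
    else:
        # Constructed sample: user-a is over the limit, user-b is exactly at it.
        pages = [constructed_page("user-a", 101), constructed_page("user-b", 100)]
    for user, n in sorted(users_over_role_limit(pages).items()):
        print(f"{user}\t{n} roles")
```

Users printed by the script are candidates for the role-reduction or alternate-user workarounds; pass the GUIDs of accounts that already hold network.admin as `network_admin_guids` to exclude them.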