Bug 1379629

Summary: [dev-preview-stg] Should not allow user to create service which points to the pod ip or service ip
Product: OpenShift Online
Reporter: Meng Bo <bmeng>
Component: Networking
Assignee: Ben Bennett <bbennett>
Status: CLOSED CURRENTRELEASE
QA Contact: Meng Bo <bmeng>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.x
CC: aos-bugs, danw, zhaliu
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-04 13:06:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Meng Bo 2016-09-27 09:23:22 UTC
Description of problem:
Try to create a service without a selector that points to another pod IP or service IP. The creation will succeed.

Version-Release number of selected component (if applicable):
dev-preview-stg
atomic-openshift-3.3.0.32-1.git.0.37bd7ea.el7.x86_64
docker-1.10.3-46.el7.14.x86_64
kernel-3.10.0-327.36.1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a pod and service
2. Create another service without a selector and point it to the above pod IP or service IP

Actual results:
2. The service is created successfully.

Expected results:
Should not allow a service to be created which points to the cluster CIDR or service CIDR

Additional info:
[root@fedora23 v3]# oc get svc 
NAME                    CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
selector-less-service   172.30.25.191    <none>        10086/TCP   4m
service-unsecure        172.30.245.226   <none>        27017/TCP   16m
test-service            172.30.108.105   <none>        27017/TCP   16m
[root@fedora23 v3]# oc get endpoints 
NAME                    ENDPOINTS                       AGE
selector-less-service   172.30.245.226:8080             4m
service-unsecure        10.1.3.5:8080                   17m
test-service            10.1.3.11:8080,10.1.3.17:8080   16m

Comment 1 Ben Bennett 2016-09-27 15:43:14 UTC
This doesn't feel like a bug to me.  You ought to be able to make a headless service and then assign whatever endpoints you want to it.

Now... the SDN isolation may not allow you to talk to the remote endpoints, but that's the user's problem.  (If you could bypass the isolation by doing this, then that's a real bug).

Comment 2 Meng Bo 2016-09-28 01:52:13 UTC
No, it is a new change in 3.3.
Related PR: https://github.com/openshift/origin/pull/9383

cc danw

Comment 3 Dan Winship 2016-09-28 13:17:23 UTC
Oh, the feature is working as expected, but maybe the acceptance criteria in Trello didn't get all the details; you can create such endpoints if you are logged in as a cluster admin user, but if you create an unprivileged account, it won't work:

    danw@w541:origin (master)> oc login -u foo -p foo
    Login successful.
    ...
    danw@w541:origin (master)> oc new-project foo
    Now using project "foo" on server "https://172.17.0.2:8443".
    ...
    danw@w541:origin (master)> oc create -f test-service.json 
    service "test-service" created
    danw@w541:origin (master)> oc create -f test-endpoint.json 
    Error from server: error when creating "test-endpoint.json": endpoints "test-service" is forbidden: endpoint address 10.129.0.2 is not allowed
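The admission decision described in this comment, written out as an added illustration (this is not code from the origin project or from this report): endpoint addresses inside the pod network or the service network are refused for an unprivileged user and accepted for a cluster admin. The ranges 10.1.0.0/16 and 172.30.0.0/16 are assumed here because they fit the addresses seen in this report; the report itself never states the cluster's CIDRs.

```go
package main

import (
	"fmt"
	"net"
)

// parseRestricted parses the pod-network and service-network CIDRs that an
// unprivileged user must not point an Endpoints object at.
func parseRestricted(cidrs ...string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %v", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// checkEndpoints models the admission decision in this bug: a cluster admin may
// use any address; any other user is refused the first address inside a
// restricted range. The error text follows the output quoted on this page.
func checkEndpoints(epName string, addrs []string, restricted []*net.IPNet, privileged bool) error {
	if privileged {
		return nil
	}
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			return fmt.Errorf("endpoints %q is forbidden: invalid address %q", epName, a)
		}
		for _, n := range restricted {
			if n.Contains(ip) {
				return fmt.Errorf("endpoints %q is forbidden: endpoint address %s is not allowed", epName, a)
			}
		}
	}
	return nil
}

func main() {
	// Assumed ranges (not stated in the report): pod network and service network.
	nets, err := parseRestricted("10.1.0.0/16", "172.30.0.0/16")
	if err != nil {
		panic(err)
	}
	fmt.Println(checkEndpoints("selector-less-service", []string{"172.30.245.226"}, nets, false))
}
```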

Comment 4 Meng Bo 2016-09-29 02:09:56 UTC
@danw
This feature is working well in the OCP env. But the bug is reported against the dev-preview-stg env. I am not sure what the difference is between the setups of the two.

But I can use a normal user to create a service which points to an IP in the service CIDR or pod CIDR.

Comment 5 Meng Bo 2016-09-29 07:36:01 UTC
I don't know what happened on dev-preview-stg env.
But the issue cannot be reproduced after the latest upgrade to 3.3.0.33.

[root@fedora23 v3]# oc create -f external_service_to_external_pod.json 
service "selector-less-service" created
Error from server: endpoints "selector-less-service" is forbidden: endpoint address 10.1.8.20 is not allowed

I will close this bug.