Bug 1461155

Summary: [RFE] Provide services and cluster network cidr check disablement configuration option
Product: OpenShift Container Platform
Reporter: Dave Sullivan <dsulliva>
Component: RFE
Assignee: Marc Curry <mcurry>
Status: CLOSED WONTFIX
QA Contact: Meng Bo <bmeng>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.5.1
CC: aos-bugs, bbennett, bmeng, jokerman, mmccomas
Target Milestone: ---
Keywords: RFE
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-17 13:12:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dave Sullivan 2017-06-13 16:41:12 UTC
Description of problem:

Large enterprises may already have routes established across the core RFC 1918 private subnets.

They can utilize a vendor's IPAM solution to validate unused space.

For example, given 10.0.0.0/8 private subnet space, they can validate from IPAM that 10.125.0.0/21 is unused.

Now in IaaS infrastructures that bridge customers' networks, e.g. AWS with VPC, it's relatively simple to add a routing table with a small number of entries to cover RFC 1918 private subnets.

10.0.0.0/8
172.16.0.0/12

But it can be infeasible to provide a 1:1 with networks that have thousands of routes.

In short, customers who trust the IPAM allocation solution should be able to trust the identification of subnets inside it that don't provide ambiguous IP addressing and routing.

And thus the request here is to provide a configuration knob to disable the network check.

This will allow customers to set the service and cluster network CIDRs based on IPAM, then use route summarization in their IaaS solution and avoid OpenSDN setup failure.


Version-Release number of selected component (if applicable):

Current latest 3.5


How reproducible:

Create routing on an AWS VPC for 10.0.0.0/8.

Set the cluster network to an IP CIDR block inside the above CIDR; OpenShift SDN will not get created.


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Ben Bennett 2017-06-22 12:24:06 UTC
I'm sorry... I'm missing something fundamental here.  Whose IPAM are you using?  And what network plugin?

The network SDN addresses and the service network addresses are managed by the networking plugin and by OpenShift respectively.  They are two separate allocators.  If we were to disable the check that the ranges were separate, there would be no guarantee that the same address was not allocated to a pod and to a service, and bad things would ensue.

I'm not sure what you are trying to do when you add routes to the VPC to allow Amazon to access the private network.  Can you please provide more details?

Thanks

Comment 2 Dave Sullivan 2017-07-17 13:11:15 UTC
I'm going to close this; I misunderstood the abilities of the OpenShift network CIDR check (I think).

My understanding is that it mainly looks at what the local host system's routing table is (I think).


The actual problem that I was encountering is that the network subnet length was too large for the CIDR range.  This in turn caused failure in hostsubnet allocation.

With that said, I still think an IPAM plugin validation module would be nice to have for OpenShift to validate CIDR ranges.

One example is Infoblox, where it validates further than just the hosts' routing tables.

Mainly because people will later change routing tables and potentially open up IaaS/PaaS environments, which may then accidentally lead to duplicate IP mappings.

Having PaaS integrate with IPAM solutions would help alleviate human error.
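The two failure modes discussed in this thread can be checked before a master config is applied: the cluster/service CIDR overlap that comment 1 explains must stay enforced (both allocators would otherwise hand out the same address), and the host subnet length that comment 2 identifies as the real cause. The following is an added example, not OpenShift's own validation code; it assumes the OpenShift 3.x convention that hostSubnetLength is the number of host bits per node (the default 9 yields a /23 per node) and uses constructed sample values built around the 10.125.0.0/21 range from the description.

```python
import ipaddress


def networks_overlap(cluster_cidr: str, service_cidr: str) -> bool:
    """True if the pod (cluster) network and service network share any address.

    This is the check the RFE asked to disable; comment 1 explains why it must
    stay: pods and services are allocated by two independent allocators.
    """
    return ipaddress.ip_network(cluster_cidr).overlaps(
        ipaddress.ip_network(service_cidr)
    )


def host_subnet_capacity(cluster_cidr: str, host_subnet_length: int) -> int:
    """Number of per-node subnets a cluster CIDR can hand out.

    Assumption (OpenShift 3.x): each node receives 32 - host_subnet_length
    prefix bits. Returns 0 when one node subnet would be larger than the
    whole cluster network, i.e. the hostsubnet allocation failure in comment 2.
    """
    net = ipaddress.ip_network(cluster_cidr)
    node_prefix = net.max_prefixlen - host_subnet_length
    if node_prefix < net.prefixlen:
        return 0
    return 2 ** (node_prefix - net.prefixlen)


def validate(cluster_cidr: str, host_subnet_length: int,
             service_cidr: str, node_count: int) -> list:
    """Return human-readable findings; an empty list means the config is sane."""
    findings = []
    if networks_overlap(cluster_cidr, service_cidr):
        findings.append(f"clusterNetworkCIDR {cluster_cidr} overlaps "
                        f"servicesSubnet {service_cidr}")
    capacity = host_subnet_capacity(cluster_cidr, host_subnet_length)
    if capacity == 0:
        findings.append(f"hostSubnetLength {host_subnet_length} is larger "
                        f"than the whole cluster network {cluster_cidr}")
    elif capacity < node_count:
        findings.append(f"{cluster_cidr} with hostSubnetLength "
                        f"{host_subnet_length} fits {capacity} nodes, "
                        f"but {node_count} are planned")
    return findings


if __name__ == "__main__":
    # Constructed sample: IPAM-allocated /21, default host subnet length, 6 nodes.
    for line in validate("10.125.0.0/21", 9, "10.125.4.0/22", 6):
        print("finding:", line)
```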