Bug 1732885

Summary: Wrong iptables rules are saved during upgrades
Product: OpenShift Container Platform
Reporter: Borja Aranda <farandac>
Component: Installer
Assignee: Russell Teague <rteague>
Installer sub component: openshift-ansible
QA Contact: Johnny Liu <jialiu>
Status: CLOSED WONTFIX
Docs Contact:
Severity: medium
Priority: unspecified
CC: fgrosjea, sdodson
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-15 13:37:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Borja Aranda 2019-07-24 15:34:50 UTC
Description of problem:

The installer uses the os_firewall module to add rules to iptables during upgrades/installations, and under certain circumstances that leads to persisting rules that shouldn't be persisted, such as "-A KUBE-SERVICES" or "-A KUBE-SVC-X".

The playbook calls https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_node/tasks/firewall.yml#L5-L11

This initializes the module, which saves the current iptables rules in https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/lib_utils/library/os_firewall_manage_iptables.py#L67

This gen_save_cmd saves all the current iptables rules:
~~~
def gen_save_cmd(self):  # pylint: disable=no-self-use
    # Persists the complete live ruleset (every chain, including runtime KUBE-* chains)
    return ['/usr/libexec/iptables/iptables.init', 'save']
~~~

That could lead to saving iptables rules that shouldn't be saved, as stated earlier, for example:
~~~
-A KUBE-SEP-CNQERSD3TC7SLBPT -s 10.74.178.134/32 -m comment --comment "default/router:80-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-CNQERSD3TC7SLBPT -p tcp -m comment --comment "default/router:80-tcp" -m tcp -j DNAT --to-destination 10.74.178.134:80
-A KUBE-SEP-CXODZIVCMSLDI3N7 -s 10.74.178.148/32 -m comment --comment "default/kubernetes:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-CXODZIVCMSLDI3N7 -p udp -m comment --comment "default/kubernetes:dns" -m udp -j DNAT --to-destination 10.74.178.148:8053
-A KUBE-SERVICES ! -s 10.128.0.0/14 -d 172.30.14.144/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.30.14.144/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-SVC-DEGCXZMVXZMJS2KL
~~~

Those rules should be dynamically created by the kubelet and never saved in /etc/sysconfig/iptables.

Version-Release number of the following components:
All 3.11.X

How reproducible:
Always

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:
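As an added example, not code from openshift-ansible or the reporter, here is a filter that takes `iptables-save`-style output (what `iptables.init save` writes) and separates the runtime-managed KUBE-* chain definitions, rules inside those chains, and jumps into them from the static rules that are safe to persist in /etc/sysconfig/iptables; the same function can be pointed at an existing saved file to audit whether dynamic rules have already leaked into it. The KUBE-* prefix set and the OS_FIREWALL_ALLOW chain name in the constructed sample are assumptions.

```python
import re
import shlex

# Chain-name prefixes that kube-proxy / the SDN create and reconcile at runtime.
# The prefix set is an assumption for this example, not taken from openshift-ansible.
DYNAMIC_CHAIN_RE = re.compile(r"^KUBE-(SERVICES|SVC-|SEP-|MARK-MASQ|MARK-DROP|NODEPORTS|"
                              r"FORWARD|POSTROUTING|FIREWALL|EXTERNAL-SERVICES)")


def is_dynamic_line(line):
    """True if an iptables-save line defines, appends to, or jumps into a KUBE-* chain."""
    stripped = line.strip()
    if stripped.startswith(":"):  # chain definition, e.g. ":KUBE-SERVICES - [0:0]"
        return bool(DYNAMIC_CHAIN_RE.match(stripped[1:].split()[0]))
    if stripped.startswith(("-A ", "-I ")):  # rule appended/inserted into a chain
        tokens = shlex.split(stripped)  # shlex keeps quoted --comment values as one token
        if DYNAMIC_CHAIN_RE.match(tokens[1]):
            return True
        for i, tok in enumerate(tokens[:-1]):  # rule whose target is a KUBE-* chain
            if tok in ("-j", "-g", "--jump", "--goto") and DYNAMIC_CHAIN_RE.match(tokens[i + 1]):
                return True
    return False


def filter_dynamic_rules(saved):
    """Split iptables-save output into (text safe to persist, lines that were dropped)."""
    kept, dropped = [], []
    for line in saved.splitlines():
        (dropped if is_dynamic_line(line) else kept).append(line)
    return "\n".join(kept) + "\n", dropped


# Constructed sample of 'iptables.init save' output mixing static os_firewall rules
# with dynamic service rules (the OS_FIREWALL_ALLOW chain name is an assumption).
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SEP-CNQERSD3TC7SLBPT - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SEP-CNQERSD3TC7SLBPT -s 10.74.178.134/32 -m comment --comment "default/router:80-tcp" -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.30.14.144/32 -p tcp -m comment --comment "default/registry-console:registry-console cluster IP" -m tcp --dport 9000 -j KUBE-SVC-DEGCXZMVXZMJS2KL
COMMIT
*filter
:INPUT ACCEPT [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
COMMIT
"""
```

Running `filter_dynamic_rules` on the sample keeps only the nat/filter table headers, the built-in and OS_FIREWALL_ALLOW chains and the COMMIT lines, and reports the five KUBE-* lines that would otherwise have been written to /etc/sysconfig/iptables.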

Comment 1 Scott Dodson 2019-10-15 13:37:18 UTC
Customer case has closed. Ultimately the SDN should be reconciling these as part of its operation but it may not happen immediately.