Bug 1733114

Summary: Add openflow rule whitelisting DNS port 53 for cloud provider metadata IP
Product: OpenShift Container Platform
Reporter: Alexander Constantinescu <aconstan>
Component: Networking
Assignee: Alexander Constantinescu <aconstan>
Status: CLOSED WONTFIX
QA Contact: zhaozhanqi <zzhao>
Severity: high
Priority: unspecified
Version: 4.2.0
CC: aos-bugs, danw, nagrawal
Target Milestone: ---
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-20 15:53:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alexander Constantinescu 2019-07-25 09:01:50 UTC
Description of problem:

Today, in order to un-block the GCP team urgently, we had to whitelist the DNS port 53 in SDN. However, for the moment the matching openflow rule has not been defined.

Version-Release number of selected component (if applicable):

Target version is 4.2.0

How reproducible:

Rule should be defined in "pkg/network/node/ovscontroller.go" in openshift/sdn

Comment 1 Alexander Constantinescu 2019-08-20 15:53:00 UTC
Hi

After discussion within the team, we've come to the conclusion not to create this OVS rule complementing the already existing iptables rules.

The iptables rules already block all tcp/udp connections to 169.254.169.254 on all ports except port 53. Complementary OVS rules are not needed and add additional technical complexity not worth the effort (OVS rules do not support negated conditions, e.g. "block all ! port 53").

If there are any arguments against this, please re-open the bug and assign to me.

Best regards
Alexander
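The point made in Comment 1, written out as an added example (this is not code from openshift/sdn, from pkg/network/node/ovscontroller.go, or from the bug's author): iptables can express "drop everything to the metadata IP except port 53" with a single negated match, while OpenFlow has no negation, so the same policy needs explicit allow flows at a strictly higher priority than per-protocol drop flows. The chain name, the "allow"/"deny" verdict names, the table-miss behaviour and the sample packets below are all assumptions constructed for the illustration; the flow strings follow ovs-ofctl add-flow syntax.

```python
"""Negated iptables rule vs. priority-ordered OpenFlow flows for the metadata IP.

Added example, not openshift/sdn code. A tiny in-memory flow table evaluates
constructed sample packets against both policies so their equivalence (and the
shadowing bug you get when priorities are wrong) can be checked offline.
"""
from dataclasses import dataclass
from typing import List, Optional

METADATA_IP = "169.254.169.254"   # cloud-provider metadata endpoint named in the bug
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str                     # "tcp", "udp", or another IP protocol such as "icmp"
    dst_port: Optional[int] = None


# Constructed iptables rules showing the negated match the comment refers to.
# The FORWARD chain and DROP target are assumptions, not the real openshift/sdn rules.
IPTABLES_RULES = [
    f"-A FORWARD -d {METADATA_IP} -p tcp ! --dport {DNS_PORT} -j DROP",
    f"-A FORWARD -d {METADATA_IP} -p udp ! --dport {DNS_PORT} -j DROP",
]


def iptables_verdict(pkt: Packet) -> str:
    """Evaluate the two negated rules: tcp/udp to the metadata IP on any port
    other than 53 is dropped; everything else passes."""
    if pkt.dst_ip == METADATA_IP and pkt.proto in ("tcp", "udp") and pkt.dst_port != DNS_PORT:
        return "deny"
    return "allow"


@dataclass(frozen=True)
class Flow:
    priority: int
    proto: Optional[str]      # None matches any IP protocol ("ip" in ovs-ofctl syntax)
    dst_ip: str
    dst_port: Optional[int]   # None means no tp_dst match
    action: str               # "allow" renders as actions=NORMAL, "deny" as actions=drop

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.dst_ip:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True

    def ovs_ofctl(self) -> str:
        """Render this flow in ovs-ofctl add-flow syntax."""
        parts = [f"priority={self.priority}", self.proto or "ip", f"nw_dst={self.dst_ip}"]
        if self.dst_port is not None:
            parts.append(f"tp_dst={self.dst_port}")
        parts.append("actions=NORMAL" if self.action == "allow" else "actions=drop")
        return ",".join(parts)


# No negation available: allow port 53 explicitly at a higher priority, then drop
# the rest of tcp/udp below it. The drops are per protocol so ICMP stays untouched,
# matching what the iptables rules above cover.
OPENFLOW_FLOWS = [
    Flow(300, "udp", METADATA_IP, DNS_PORT, "allow"),
    Flow(300, "tcp", METADATA_IP, DNS_PORT, "allow"),
    Flow(200, "udp", METADATA_IP, None, "deny"),
    Flow(200, "tcp", METADATA_IP, None, "deny"),
]

# Wrong table: the drops outrank the allows and shadow them, so DNS is blocked too.
SHADOWED_FLOWS = [
    Flow(300, "udp", METADATA_IP, DNS_PORT, "allow"),
    Flow(300, "tcp", METADATA_IP, DNS_PORT, "allow"),
    Flow(400, "udp", METADATA_IP, None, "deny"),
    Flow(400, "tcp", METADATA_IP, None, "deny"),
]


def openflow_verdict(pkt: Packet, flows: List[Flow] = OPENFLOW_FLOWS) -> str:
    """Single-table lookup: the highest-priority matching flow wins.
    A table miss forwards normally here (an assumption for the example)."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if flow.matches(pkt):
            return flow.action
    return "allow"


def policies_agree(packets: List[Packet], flows: List[Flow] = OPENFLOW_FLOWS) -> bool:
    """True when the OpenFlow table gives the same verdict as the negated
    iptables rules for every packet."""
    return all(iptables_verdict(p) == openflow_verdict(p, flows) for p in packets)


# Constructed sample traffic, not captured from a cluster.
SAMPLE_PACKETS = [
    Packet(METADATA_IP, "udp", 53),    # DNS to the metadata IP: allowed by both
    Packet(METADATA_IP, "tcp", 53),
    Packet(METADATA_IP, "tcp", 80),    # metadata HTTP: blocked by both
    Packet(METADATA_IP, "udp", 123),
    Packet(METADATA_IP, "icmp"),       # not tcp/udp: neither policy touches it
    Packet("10.128.0.5", "tcp", 80),   # unrelated pod traffic: untouched
]

if __name__ == "__main__":
    for flow in OPENFLOW_FLOWS:
        print(flow.ovs_ofctl())
    print("tables agree:", policies_agree(SAMPLE_PACKETS))
    print("shadowed table agrees:", policies_agree(SAMPLE_PACKETS, SHADOWED_FLOWS))
```

Two things worth checking before adding flows like these to a real bridge: the allow flows must sit at a strictly higher priority than the drops (OVS picks an arbitrary flow among equal-priority matches, so equal priorities are a bug, not a tie-break), and a single broader `ip,nw_dst=169.254.169.254` drop would also catch ICMP and anything else the iptables rules leave alone.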